Living the meme

2012-02-01

David Harley

ESET, UK
Editor: Helen Martin

Abstract

‘Some security commentators suggest inventing answers to [security] questions rather than using real data.' David Harley.


Table of contents

One of my friends brought a pair of interesting Facebook memes [1] to my attention recently. They may not seem to have an immediate security connection, but I’ll come to that shortly.

Meme (1) involves the posting of a status update that reads something like ‘I’m going to live in Miami for 21 months’. Curiosity (or research, as it’s described in my job title) led me to discover that the meme relates to the poster’s birthday: 12 geographical locations represent each of the calendar months (e.g. Mexico = January, London = February, Miami = March), and the number of months for which the poster claims to be relocating represents the date of their birthday within that month. So in the example above, the poster’s birthday is 21st March. In another variant, the post reads ‘I’m [n] weeks in and craving [some kind of candy]’ where [n] represents the day and there is another list on which different types of candy represent different months of the year.

I gather that these games are played to raise awareness of breast cancer, though I don’t see how and if this kind of post fits usefully with other gender-oriented fund- and awareness-raising events such as Race For Life [2].

Meme (2) suggests that putting the last three digits of your cell phone number into a string like @[123:0] and adding it to a Facebook comment will return the name of the cell phone. In fact it has nothing to do with your cell phone, unless every device with a number ending in 123 (for example) is called Morgan Grice. The string format (sometimes) represents a numeric array associated with a Facebook account. It doesn’t even have to be a three-digit number: for example, @[4:0] returns ‘Mark Zuckerberg’ and @[21222:0] returns ‘DJ Vas Deferens’ (a shock jock, perhaps).

This is all very amusing, but I promised you some security content. Meme (1) is a pretty good way of letting those who are ‘in on the secret’ know when your birthday is – though your date of birth is likely to be of more use to an attacker when trying to access sensitive data via ‘secret questions’.

Meme (2) is less of an issue: only the most painstaking data aggregation attack will attempt to harvest cell phone numbers one triplet at a time. I’d be more concerned if the suggestion was to use a credit code or iGadget PIN. But nobody would fall for that, would they?

Well, the following is a meme flagged by Graham Cluley [3] around the time of the royal wedding in the UK in 2011, highlighting a security issue with posting details like this:

What’s your royal wedding guest name? 
Start with Lord or Lady. Your first name is one of your grandparent’s names. Your surname is the name 
of your first pet double-barrelled with the name of the street you grew up on.

Secret answers to security questions posed by banking sites and the like as a supplement to passwords, or for people who forget their passwords, are pretty stereotyped. Names of relatives, names of pets, first school, childhood address and so on are highly characteristic, so some security commentators suggest inventing answers to such questions rather than using real data. That’s a logical alternative to inventing your own challenge/response – which is rarely an option – and I’m all in favour of it, as long as it doesn’t contravene some legal or quasi-legal restriction.

Do people lie in their social networking profiles, or when offered a candy bar in exchange for a password? I’m not in favour of dishonesty in general, but if this were general practice, it would suggest a healthily cynical attitude towards organizations who regard us not as customers, but as sources of commoditized data. However, experience with hoaxes shows that when ‘good causes’ like cancer awareness or missing children are involved, scepticism dissolves. I don’t know if any of these memes originate in an attempt at data harvesting, but such attacks would dovetail all too comfortably with the social network’s vested interest in data sharing, and work to an imaginative attacker’s advantage.

Bibliography

[1] Meme: An idea, behaviour, style, or usage that spreads from person to person within a culture. http://www.merriam-webster.com/dictionary/meme.

twitter.png
fb.png
linkedin.png
hackernews.png
reddit.png

 

Latest articles:

VB2019 paper: APT cases exploiting vulnerabilities in region‑specific software

Some APT attacks are carried out by exploiting vulnerabilities in region-specific software. Government agencies frequently use such localized software, and this tends to be the target of attackers. In Japan, there have been many cases where attacks…

Detection of vulnerabilities in web applications by validating parameter integrity and data flow graphs

Web application vulnerabilities are an important entry vector for threat actors. In this paper researchers Abhishek Singh and Ramesh Mani detail algorithms that can be used to detect SQL injection in stored procedures, persistent cross-site scripting…

VB2019 paper: Cyber espionage in the Middle East: Unravelling OSX.WindTail

It’s no secret that many nation states possess offensive macOS cyber capabilities, though such capabilities are rarely publicly uncovered. However, when such tools are detected, they provide unparalleled insight into the operations and techniques…

VB2019 paper: 2,000 reactions to a malware attack – accidental study

This paper presents an analysis of 1,976 unsolicited answers received from the targets of a malicious email campaign, who were mostly unaware that they were not contacting the real sender of the malicious messages. Many of the victims were unaware…

VB2019 paper: Why companies need to focus on a problem they don't know they have

There is a type of crime, breach of company policy, misuse of company assets and security threat that is often overlooked: as one in 500 employees use their work computer to handle child sexual abuse material. This crime and misuse of company assets…


Bulletin Archive

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.