September 01, 2010

profound misunderstandability in your employee's psyche

Speaking of profound misunderstandings, this:

BitDefender created a "test profile" of a nonexistent, 21-year-old woman described as a "fair-haired" and "very, very naïve interlocutor" -- basically a hot rube who was just trying to "figure out how this whole social networking thing worked" by asking a bunch of seemingly innocent, fact-finding questions.

With the avatar created, the fictitious person then sent out 2,000 "friendship requests," relying on the bogus description and made-up interests as the presumptive lure. Of the 2,000 social networks pinged with a "friendship" request, a stunning 1,872 accepted the invitation. And the vast majority (81 percent) of them did it without asking any questions at all. Others asked a question or two, presumably like, "Who are you?" or "How do I know you?" before eventually adding this new "friend."
But it gets worse. An astonishing 86 percent of those who accepted the bogus profile's "friendship" request identified themselves as working in the IT industry. Even worse, 31 percent said they worked in some capacity in IT security.

Posted by iang at September 1, 2010 09:46 PM

@ Iang,

Was her real name "Rosa Kleb Jnr."?

It makes you think why on earth do the APT people worry about shutting the stable door when the "IT stallions" are not only out of the paddock but completely off the farm...

However, the flip side is: are geeks so lonely they will have anybody as a friend...

The thing is the same IT stallions also post meatspace contact details in amongst their online activities and have been for ages.

As an old example,

More than a few years ago I was having a few problems with a bit of network kit not doing things the way it was supposed to. So after looking through the manuals etc. I did a google on the kit name and a keyword or two. The result was pulling up comments from people on mail lists where a search on their name usually also pulled up their "holiday message" with not only all their contact details but those of their colleagues. This information could then be googled in turn to get a lot of meatspace info. I did this to find someone who appeared to be very knowledgeable on the problem and gave them a phone call. They were very surprised but very obligingly helped me out (as their postal address was not too far I later bought them a beer to say thanks).

For those that doubt about just how easy this is...

Google the following phone number 905-940-1814

You will see part way down the resulting page a holiday message automatically sent by Paul Oh's email server to a mail list (this gives the phone number and a colleague's name but no company or address info).

However, you don't need to pick up the phone to get that info.

If you look at other entries on the google page you will find that he work(s/ed) for a Canadian company (Find Mid-Range Computer Brokers Inc), the address (34 Riviera Dr, Markham, ON), freephone number (800 668-6470), fax number (905 940 1809) as well as other relevant info.

All of which can be used for further google searches to elicit further information.

I deliberately used this old (and now out of date) enumeration method to show how easy it is to do. Whilst holiday messages on mail lists are now something that hardly happens, the modern equivalent does (and I leave that as an exercise to the reader).

The simple fact is even after 15-odd years the IT staff, who should know, have not wised up to this sort of simple enumeration; it still happens via the likes of social networking such as blogs, twitter, linkedin, Monster jobs etc. So what on earth do we expect from other staff where security knowledge is not part of the job spec...

So I'm not surprised at the findings just saddened by the lack of progress.

Posted by: Clive Robinson at September 2, 2010 07:31 AM