Sunday, March 16, 2008

Six Degrees of E-Separation

If you've ever played the game "Six Degrees of Kevin Bacon," you know there's a lot of truth to it. It's based on the notion that any actor can be linked through his or her film roles to Mr. Bacon.
And if you've ever spent significant time on social networking sites, it's easy to see how the same game applies to the real connections between you and your friends.
So, it should come as no surprise that the same dynamic may work amongst victims of computer viruses.

I came up with the nutty idea for this experiment after stumbling upon a trove of data stolen by a single keystroke logger, which appeared to have been in operation between June and September of 2007, according to the time- and date-stamped records. During that time, the criminal(s) responsible for distributing that keylogger ensnared some 10,000 victims, stealing more than 20 gigabytes worth of stored user names and passwords, along with the credentials victims typed whenever they logged in to a site that required them.

Security Fix has mined these types of data troves in previous posts, examining everything from the types of credit cards stolen to compromised businesses to mapping out victims by geographic region. In an effort to look at this data in a different light, I chose this time around to examine the relationships between all victims who had accounts with LinkedIn, a social networking site that caters to executives and the business community.

Out of those 10,000 victims, I was able to confirm that at least 100 were LinkedIn users. That is, only about 100 had either stored their LinkedIn credentials in Internet Explorer or had logged into their LinkedIn account while the keylogger resided on their PC. I was unable to positively identify about one-quarter of the 100 LinkedIn users in this set, most likely for one or more of the following reasons: their full name wasn't included in the rest of the stolen data; the victim's last name had changed since the data was stolen; they had closed their LinkedIn account since the data was stolen. [...]

Brian Krebs on Computer Security. The Washington Post Company.