Recent Researches in Communications and IT

Social Networks as a Platform for Distributed Dictionary Attack

E.V. SOROKA, D.P. IRACLEOUS
Computer Science Department, University of Hertfordshire, IST College
Pireos 72, Moschato 18346, Athens, GREECE
[email protected]

Abstract: The programming interface (API) for application developers that comes with a social network has become a de-facto standard in modern web development. These features can be exploited by a malicious user to trick ordinary social-network users into unknowingly performing malicious tasks. This paper shows how a distributed dictionary attack can be performed in this manner. A proof-of-concept application for a real-world social network was developed to illustrate the concept. Only legitimate web technologies were used in its development; nevertheless, executing the application results in an attack on a remote web server while the user of the application remains unaware of its true nature. It is also shown how web technologies, and JavaScript in particular, can be used for distributed computing, a concept introduced only in the past few years. The developed application distributes parts of the dictionary to its clients, so the attack rate grows as more users execute the application.

Key-Words: Social networks, distributed security, dictionary attack.

1 Introduction
The creation and use of botnets via malicious software is a well-known problem. It poses a constant security threat to any node connected to the Internet. The tasks performed by botnets include data theft, e-mail spam, DDoS attacks and others [7][8][9]. The recent adoption of social networking web sites by a large number of users [2] has opened up new ways for cyber criminals to perform malicious tasks [10][11]. Until recently these sites were exploited either through other malicious software installed on a user's computer or through large numbers of fake accounts. However, the APIs offered by social networks allow users to be exploited in a botnet-like manner, with the difference that rogue applications use legitimate means and patterns that are often undetectable by any security software [3][12]. By creating a proof-of-concept rogue application for the Facebook [13] social network it is shown that a set of simple client-side scripting instructions may result in malicious activity by an unaware user. It is also shown that such a botnet-like infrastructure of application users may be used for purposes other than DDoS, and potentially for other malicious activities. The importance of this task lies in identifying current social network mechanisms as a security threat to their users and to any other entity that may become a victim of malicious applications built with the APIs social networks provide. Furthermore, the created application adopts a distributed computing mechanism which allows the task to be parallelized over a theoretically unlimited number of nodes. This is an important part of the research, as web-based distributed computing has the potential to be used for legitimate purposes. Its main advantages are that no software installation is required, since a client node only needs a web browser to run an application, and that the end user starts or ends participation simply by opening or closing the applicable web page. It is important to determine whether this approach is efficient when applied to a real-life task.

Research on the exploitation of social networking web sites as attack platforms has already been conducted. A group of researchers successfully performed a DDoS attack via a Facebook application [1]; their work is discussed further in the related work section of this report. This work investigates the possibility of performing a different type of attack in a similar manner, by exploiting a social networking web site's user base via a rogue application. It investigates whether such an attack succeeds in a variety of cases, depending on both internal and external factors, and measures its efficiency from the gathered data. Based on the same data it estimates how the attack efficiency would change if some variables (e.g. the number of participating clients) were changed. This research also introduces another concept: the use of client-side scripting for distributed computing. Some proof-of-concept applications exploring this idea have already been produced [5][6], but none of them has been applied to a real-life task. This work measures the efficiency of the approach and its effect on the undertaken task, and from the gathered data estimates the suitability of client-side web technologies for distributed computing.

2 Problem Formulation
A number of studies identify common characteristics among social networking web sites and define them as web services that allow a user to create and maintain some form of online profile. The user can then declare connections to other users of the same site, forming a network with them. The types of connection available, and their visibility to other users, vary greatly between social networks and sometimes even within the same site. The ability to display one's connections to other users is a distinctive feature of social networks: it makes connections possible that otherwise would not be made, or would be unlikely to be made [15][16]. Since the first social network, SixDegrees, was introduced in 1997, a large number of social networks have been created, offering their users a variety of ways to connect. According to a study conducted in 2009, social networking had become the fourth most popular online activity that year [2], and the trend shows constant growth, with millions of daily users. A more recent study finds that social networks dominate the US market in time spent online [18]. Among the most popular social networking web sites are Facebook, MySpace, Twitter and LinkedIn [19].

As for technical capabilities, social networks usually provide core features such as the profile creation and user interaction mentioned above. Additional features may include photo and video uploading, blogging, or other forms of content sharing. Some sites restrict these features, or instead focus on them, making content sharing the primary purpose of the network. Major examples of such content-sharing networks are YouTube for video, Flickr for photos and Twitter for microblogging. Connections between users also vary greatly in character: networks may be organized around real-world connections, political or religious views, shared activities or interests [14][17].

The vast majority of social networking web sites have made APIs available to third-party developers for building applications. The main purpose of these APIs is to give developers access to the data the site holds about a given user. An application thereby gains access to a user's personal data and to his connections to other users. The security mechanisms usually allow the user to deny such access or to grant only limited access to his data. User privacy and the availability of personal data have been a growing concern, because the security mechanisms provided lack user control and awareness [10]. Due to their nature, social networks have attracted researchers who have analysed and measured them in various studies; according to some of these, such work may lead to new algorithms, for example for determining trusted users, and may address issues such as e-mail spam [14][11].


2.1 Dictionary attack
A dictionary attack targets authentication mechanisms with a brute-force technique restricted to a list of likely candidates [15]. The attack uses an exhaustive list called a dictionary. The words in the list are tried as usernames, passwords or passphrases, depending on the target's authentication method. During the attack every word in the dictionary is tried in order to find credentials that grant unauthorized access to the system. The main targets of this type of attack are systems that authenticate with passwords [16][17]. Systems using more sophisticated user identification and authentication techniques resist such attacks [20].

Distributed dictionary attacks are executed in the same manner with the same expected results, but the work is divided among the participating nodes, which allows faster execution. The approach has a further advantage in defeating protection mechanisms against this type of attack [17]: since each node submits only a fraction of the attempts, per-source countermeasures such as rate limiting or blocking an IP address after a number of failed logins see few attempts from any one address, whereas the rate of attempts against the account itself is unchanged, so per-account failure counters are not circumvented. In its basic form the attack distributes parts of the dictionary to the participating nodes, but more sophisticated distributed architectures have been proposed; one such technique dedicates some nodes to generating the dictionary list [8]. Distributed dictionary attacks are usually executed in a network environment, over either a LAN or a WAN. They are also distinguished as online or offline attacks and may be executed in either form depending on the target [8].
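The basic form described above, a coordinator handing out parts of the dictionary to participating nodes, together with its effect on per-source and per-account countermeasures, as an added example that is not part of the paper. The paper's own client was JavaScript inside a Facebook application with a PHP/MySQL coordinator; this is a self-contained simulation in which the wordlist, the node addresses, the slice size and the failure limits are constructed for the demonstration.

```javascript
// Added example, not the paper's code. A coordinator hands out fixed-size slices of a
// wordlist to browser-style nodes; each node tries its slice against a login endpoint and
// reports a hit. A mock victim with optional per-IP and per-account failure limits stands
// in for the target. The wordlist, addresses and limits are constructed for the demo.
// Coordinator: serves the next unclaimed slice. After a hit it hands out nothing more,
// but a node only learns that when it asks for its next slice.
function createCoordinator(wordlist, sliceSize) {
  let cursor = 0, found = null;
  return {
    nextSlice() {
      if (found !== null || cursor >= wordlist.length) return null;
      const slice = wordlist.slice(cursor, cursor + sliceSize);
      cursor += sliceSize;
      return slice;
    },
    report(password) { if (found === null) found = password; },
    result() { return found; },
  };
}

// Mock victim with one account. perIpLimit blocks a source address after that many
// failures from it; perAccountLimit blocks the account after that many failures from
// anywhere. Both checks run before the password comparison.
function createServer(password, { perIpLimit = Infinity, perAccountLimit = Infinity } = {}) {
  const failsByIp = new Map();
  let accountFails = 0, attempts = 0;
  return {
    login(ip, guess) {
      attempts += 1;
      const ipFails = failsByIp.get(ip) || 0;
      if (ipFails >= perIpLimit) return "blocked-ip";
      if (accountFails >= perAccountLimit) return "blocked-account";
      if (guess === password) return "ok";
      failsByIp.set(ip, ipFails + 1);
      accountFails += 1;
      return "fail";
    },
    attempts() { return attempts; },
  };
}

// One node. step() sends one request, fetching a new slice when the current one is used
// up, and returns false once the coordinator has nothing left. A node still holding a
// slice keeps sending it after the password was found elsewhere: those are the
// redundant attempts the paper's evaluation counts.
function createClient(ip, coordinator, server) {
  let slice = [], idx = 0, tried = 0, afterSuccess = 0, done = false;
  return {
    step() {
      if (done) return false;
      if (idx >= slice.length) {
        const next = coordinator.nextSlice();
        if (next === null) { done = true; return false; }
        slice = next; idx = 0;
      }
      const word = slice[idx++];
      if (coordinator.result() !== null) afterSuccess += 1;
      tried += 1;
      if (server.login(ip, word) === "ok") coordinator.report(word);
      return true;
    },
    stats() { return { ip, tried, afterSuccess }; },
  };
}

// Drive the nodes round-robin, one request each per round, to approximate browsers
// running concurrently.
function runAttack({ wordlist, password, nodeCount, sliceSize, serverOpts = {} }) {
  const coordinator = createCoordinator(wordlist, sliceSize);
  const server = createServer(password, serverOpts);
  const clients = Array.from({ length: nodeCount }, (_, i) =>
    createClient(`10.0.0.${i + 1}`, coordinator, server));
  let active = true;
  while (active) {
    active = false;
    for (const client of clients) if (client.step()) active = true;
  }
  const perNode = clients.map((c) => c.stats());
  return {
    found: coordinator.result(),
    totalAttempts: server.attempts(),
    redundant: perNode.reduce((n, s) => n + s.afterSuccess, 0),
    perNode,
  };
}

// Constructed 1000-word list; the password is a known entry placed mid-list so that
// other nodes' slices are still in flight when it is hit.
const DEMO_WORDLIST = Array.from({ length: 1000 }, (_, i) => `w${String(i).padStart(4, "0")}`);
const DEMO_PASSWORD = "w0512";

// Three runs: 10 nodes against a per-IP limit of 200 (each node sends 75 requests, so
// none is blocked), one node against the same limit, and 10 nodes against a per-account
// limit of 200, which counts guesses from every source together.
function demo() {
  const base = { wordlist: DEMO_WORDLIST, password: DEMO_PASSWORD, sliceSize: 25 };
  return {
    distributedVsIpLimit: runAttack({ ...base, nodeCount: 10, serverOpts: { perIpLimit: 200 } }),
    singleVsIpLimit: runAttack({ ...base, nodeCount: 1, serverOpts: { perIpLimit: 200 } }),
    distributedVsAccountLimit: runAttack({ ...base, nodeCount: 10, serverOpts: { perAccountLimit: 200 } }),
  };
}

if (typeof require !== "undefined" && require.main === module) console.log(demo());
```

Run with node. The first case finds the password while every node stays under the per-address limit, the second shows the same limit stopping a lone node, and the third shows that a per-account failure limit stops the distributed attack regardless of how many sources the guesses come from. The defender's trade-off is that a hard per-account lockout can itself be abused to lock a victim out of the account, which is why account-level failure counters are usually combined with delays or step-up challenges rather than outright lockout.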

3 Evaluation
This chapter describes the conducted experiment and analyses the obtained results. It discusses attack amplification over time and the geographical distribution of the attack, analyses the effectiveness of the participating nodes with respect to requests to the victim server, both per node and for the attacking infrastructure as a whole, and finally evaluates the efficiency of the attack and provides the corresponding estimates.

Results Overview
During the experiment two distributed dictionary attacks were performed on the targeted server, both resulting in successful password discovery. The dictionary file contains approximately 213 560 words, and the last word was set as the correct password to take full advantage of the dictionary size. The timestamp of the first authentication attempt was recorded as the attack start time, and that of the last authentication attempt as the finish time. It should be noted that the final attempt need not be the successful authentication: each node finishes its current request cycle before receiving notification from the coordinator that the attack has completed successfully. This behaviour also accounts for the difference between the number of words in the dictionary and the total number of authentication attempts in each attack.

The first attack started at 11:23:10 and finished at 14:52:13 the same day, taking 03:29:03 to complete the task. There were 23 participating nodes and 228 057 authentication attempts in total. The second attack took significantly longer, 4 days 05:24:44, to complete the task. The number of participating nodes increased by 9, to 32 clients in total, and 224 861 requests were performed. As the results show, neither attack completed with a number of attempts equal to the number of words in the dictionary. As already mentioned, the distributed design permits redundant attempts, which do not directly affect attack performance because they are performed after password discovery. The first attack produced 14 497 redundant attempts; in the second run this number dropped to 11 301. Other reasons that might produce spurious authentication attempts are investigated in the following sub-chapters.

The results also show a large difference in execution time between the two attacks. It is believed that the first attack was executed in a burst manner owing to the novelty of the application and the initial interest of the users, whereas the second attack was performed after the users had familiarized themselves with the application and indicates normal use of an application with the provided functionality. This shows that attack execution and its time efficiency depend heavily on user interest and investment. Nevertheless this behaviour and the nature of the results are satisfactory, given that no special actions or measures were taken to promote and propagate the application. It also allowed comparison of attacks performed under different circumstances, and the final evaluation and efficiency estimation under the assumptions of both burst and normal behaviour.

Table 1: General statistics
Attack  Execution time    Attempts  Participants
1       03:29:03          228 057   23
2       4 days 05:24:44   224 861   32

Attack Magnitude
After the start of the first attack, 2199 requests were recorded in the first hour. The progression then shows a sharp rise, reaching 84 169 requests in the second hour. This jump corresponds to the time when the application was propagated to a larger number of users: the first hour of the attack recorded only 3 active participants, rising to 11 nodes in the second hour, and each hour after that had a stable 11 participating users. Despite the equal number of active nodes, the third hour showed a decrease in HTTP requests, to 55 690, roughly 28 500 fewer. The last hour of the attack reached a peak of 85 999 requests, exceeding the second hour by 1830. For the purposes of this work the hour of the attack with the largest number of requests is called the rush hour and is further analysed in detail.
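The measurements used in this chapter, seen from the victim's side, as an added example that is not part of the paper. It parses a web server authentication log whose format and lines are constructed for the demonstration, counts attempts per hour and per minute, finds the peak minute, counts nodes as unique source addresses as the paper does, and counts attempts logged after the first successful login, which approximates the redundant attempts discussed above (the paper derives that figure as total attempts minus dictionary size).

```javascript
// Added example, not the paper's code: the victim-side figures the evaluation reports,
// recomputed from a web server's authentication log. The log format and the sample
// lines are constructed for the demo:
//   <ISO-8601 timestamp> <client IP> <method> <path> <HTTP status>
// A POST /login with status 200 is a successful login, 401 a failed one.
const SAMPLE_LOG = `
2011-03-15T11:23:10Z 198.51.100.7 POST /login 401
2011-03-15T11:23:11Z 198.51.100.7 POST /login 401
2011-03-15T11:23:11Z 203.0.113.5 POST /login 401
2011-03-15T11:23:40Z 203.0.113.5 GET /index.html 200
2011-03-15T11:59:59Z 203.0.113.5 POST /login 401
2011-03-15T12:05:02Z 198.51.100.7 POST /login 401
2011-03-15T12:05:02Z 203.0.113.5 POST /login 401
2011-03-15T12:05:03Z 192.0.2.19 POST /login 401
2011-03-15T12:05:03Z 192.0.2.19 POST /login 200
2011-03-15T12:05:04Z 198.51.100.7 POST /login 401
2011-03-15T12:06:30Z 203.0.113.5 POST /login 401
`;

// Parse the log, keeping only authentication attempts (POST /login) and skipping
// blank, malformed or undated lines. Array sort is stable, so attempts logged in
// the same second keep their log order.
function parseAuthLog(text) {
  const events = [];
  for (const line of text.split("\n")) {
    const fields = line.trim().split(/\s+/);
    if (fields.length !== 5) continue;
    const [ts, ip, method, path, status] = fields;
    if (method !== "POST" || path !== "/login") continue;
    const time = new Date(ts);
    if (Number.isNaN(time.getTime())) continue;
    events.push({ time, ip, success: status === "200" });
  }
  return events.sort((a, b) => a.time - b.time);
}

// Count events per key; a prefix of the ISO-8601 timestamp gives time buckets
// (13 characters select the hour, 16 the minute).
function countBy(events, keyOf) {
  const counts = new Map();
  for (const e of events) {
    const key = keyOf(e);
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return counts;
}

function peakOf(counts) {
  let best = null;
  for (const [key, count] of counts) {
    if (best === null || count > best.count) best = { key, count };
  }
  return best;
}

// Attempts, unique nodes (one per source address, as the paper counts them),
// duration from first to last attempt, average rate, per-hour counts, the peak
// minute, and attempts logged after the first success (nodes still finishing the
// slice they held, the redundant attempts discussed in the evaluation).
function summarizeAttack(events) {
  if (events.length === 0) return null;
  const durationSeconds = (events[events.length - 1].time - events[0].time) / 1000;
  const firstSuccess = events.findIndex((e) => e.success);
  const perNode = countBy(events, (e) => e.ip);
  return {
    attempts: events.length,
    uniqueNodes: perNode.size,
    perNode,
    durationSeconds,
    averagePerSecond: events.length / Math.max(durationSeconds, 1),
    perHour: countBy(events, (e) => e.time.toISOString().slice(0, 13)),
    peakMinute: peakOf(countBy(events, (e) => e.time.toISOString().slice(0, 16))),
    firstSuccessAt: firstSuccess === -1 ? null : events[firstSuccess].time.toISOString(),
    redundantAfterSuccess: firstSuccess === -1 ? 0 : events.length - firstSuccess - 1,
  };
}

function analyzeLog(text) {
  return summarizeAttack(parseAuthLog(text));
}

if (typeof require !== "undefined" && require.main === module) {
  const s = analyzeLog(SAMPLE_LOG);
  console.log({ ...s, perNode: [...s.perNode], perHour: [...s.perHour] });
}
```

Treating each address as one node has the same caveat the paper notes for its geographical analysis: proxies and address changes make it an estimate of request origins, not of users. The per-node counts are also what a per-source threshold would see; in the sample the busiest address produced only four failures, which is why the victim-side view of a distributed attack is the per-account or per-minute total rather than any single source.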

Fig. 1: Requests per hour as recorded for the first attack

Table 2: First attack, requests per hour
Hour  Requests
1     2 199
2     84 169
3     55 690
4     85 999

Fig. 2 presents the detailed analysis of the rush hour. During this time the number of requests stayed above 500 per minute, dropping below this mark only in the last few minutes. The rush hour also reached its peak at 3573 requests per minute, which is the top peak of the whole attack; the corresponding peak of each hour is shown in Table 3.

Table 3: First attack, top peak requests per hour
Hour  Peak requests per minute
1     500
2     3148
3     2514
4     3573

During the rush-hour peak the attacking nodes were performing 80 requests per second, while the average rate over the whole attack was 18 requests per second. Fig. 2 also shows the uneven distribution of requests over time. Overall, however, the attack showed a fairly similar number of requests per hour after the initial burst, dropping by approximately one third in the third hour.

Fig. 2: Requests per minute as recorded for the peak hour of the first attack

The second run of the distributed dictionary attack did not execute in a burst manner like the first run and took 4 days to complete. The data is therefore presented per day, with Fig. 3 showing the distribution of requests per day. The first day of the attack recorded 56 576 requests in total and the second day almost twice that number, 108 160 requests. After that the number of requests fell steadily, indicating a significant loss of performance, with 37 958 and 22 167 requests on the third and fourth days respectively. Despite its lower number of requests, the first day had the largest number of users, with 18 active nodes. The number of participating clients fell to 11 on the second day and kept dropping, with 8 and 2 active nodes on the third and fourth days respectively. As with the rush hour of the previous run, we further analyse the day with the largest number of requests.

Fig. 3: Requests per day as recorded for the second attack

Table 4: Second attack, requests per day
Day  Requests
1    56 576
2    108 160
3    37 958
4    22 167

The most active day of the second attack shows two periods of interest that produced the majority of the requests: hours 7-8 and hours 12-13. The first period produced 38 890 requests and the second 35 225. This indicates active use of the application during the morning and midday hours. The other hours proved far less active, with fewer than 10 000 requests per hour. The most effective hour of this day produced 23 965 requests, reaching 819 requests per minute; this was also the highest hourly figure of the second run, as shown in Table 5.

Table 5: Second attack, top peak requests per day
Day  Peak requests per hour
1    15 488
2    23 965
3    12 357
4    12 483

The data gathered for this day shows an uneven distribution of requests per hour, with spontaneous bursts of usage while at other points the application was idle and generated no requests.

Fig. 4: Requests per hour as recorded for the peak day of the second attack

Unlike the first run of the application, the attack did not amplify. Both per day and per hour, requests were generated in major peaks, producing a high number of requests at certain points and low numbers at others.

Attack Distribution
The previous sub-chapter presented the distribution of the attack over time based on overall requests, without taking their origins into account. This sub-chapter discusses the physical distribution of the participating nodes by geographical location. For the purposes of this project each unique IP address is treated as a unique node of the attack; the fact that users may mask their IP address with anonymizing techniques such as a proxy server, or may have multiple IP addresses, is ignored. This approach is taken to determine the origins of the requests rather than the identities of the users. To map each IP address to a country, geoiptool [18] was used, with the hostip service [19] for verification. Despite the fairly low number of unique participants, the first run of the application showed a wide geographical distribution, with requests originating from 7 different countries. The majority of unique requests originated from the Russian Federation and Greece. Fig. 5 displays the percentage of nodes per country.

Fig. 5: First attack geo distribution

5 Conclusion
The main purpose of the research conducted during this project was to investigate the possibility of exploiting social network users for a distributed dictionary attack using only legitimate web technologies and the mechanisms offered by the selected social network. The secondary goal was to incorporate a distributed architecture in order to create a scalable infrastructure using client-side scripting technologies. Both research goals were met, producing satisfactory experimental results. After the necessary background research the project aim was to develop a proof-of-concept rogue application for the Facebook social network; this objective was completed in compliance with the project requirements. A distributed architecture was implemented using JavaScript for the client component and PHP with a MySQL backend for the server component. As expected, client nodes were able to join the attack at any time and receive their part of the dictionary. The application also gave no visual indication of its true nature. A few minor drawbacks encountered during development are discussed in detail in the corresponding chapter of this report; they did not affect the required functionality of the application or the experiment as a whole. The application was successfully used for two distributed dictionary attacks, both of which resulted in successful password discovery.


References
[1] Athanasopoulos, E., Makridakis, A., Antonatos, S., Antoniades, D., Ioannidis, S., Anagnostakis, K. G., Markatos, E. P., 2008. Antisocial Networks: Turning a Social Network into a Botnet. Proceedings of the 11th International Conference on Information Security, Taipei, Taiwan, 2008, pp. 146-160.
[2] Merelo, J. J., García, A. M., Laredo, J. L. J., Lupión, J., Tricas, F., 2007. Browser-based distributed evolutionary computation: performance and scaling behavior. GECCO '07: Proceedings of the 2007 GECCO Conference Companion on Genetic and Evolutionary Computation, New York, USA, ACM Press, pp. 2851-2858.
[3] Zhu, Z., Lu, G., Chen, Y., Fu, Z., Roberts, P., Han, K., 2008. Botnet research survey. COMPSAC '08: 32nd Annual IEEE International Computer Software and Applications Conference, Aug. 2008, pp. 967-972.
[4] Bailey, M., Cooke, E., Jahanian, F., Xu, Y., Karir, M., 2009. A Survey of Botnet Technology and Defenses. Cybersecurity Applications & Technology Conference for Homeland Security, 3-4 March 2009.
[5] Lam, V. T., Antonatos, S., Akritidis, P., Anagnostakis, K. G., 2006. Puppetnets: misusing web browsers as a distributed attack infrastructure. CCS '06: Proceedings of the 13th ACM Conference on Computer and Communications Security, pp. 221-234.
[6] Ur, B. E., Ganapathy, V., 2009. Evaluating Attack Amplification in Online Social Networks. W2SP 2009: Web 2.0 Security and Privacy.
[7] Mislove, A., Marcon, M., Gummadi, K., Druschel, P., Bhattacharjee, B., 2007. Measurement and analysis of online social networks. Internet Measurement Conference, San Diego, California, USA, 2007, pp. 29-42.
[8] Kumar, R., Novak, J., Tomkins, A., 2006. Structure and evolution of online social networks. International Conference on Knowledge Discovery and Data Mining, Philadelphia, PA, USA, 2006, pp. 611-617.
[9] Gjoka, M., Sirivianos, M., Markopoulou, A., Yang, X., 2008. Poking Facebook: characterization of OSN applications. Proceedings of the First Workshop on Online Social Networks, 2008, WA, USA.
[10] Gross, R., Acquisti, A., 2005. Information revelation and privacy in online social networks. Proceedings of the 2005 ACM Workshop on Privacy in the Electronic Society, 2005, VA, USA.
[11] Faghani, M. R., Saidi, H., 2009. Malware propagation in online social networks. Proceedings of the 4th IEEE International Conference on Malicious and Unwanted Software, Montreal, Canada.
[12] Goyal, V., Kumar, V., Singh, M., Abraham, A., Sanyal, S., 2006. A new protocol to counter online dictionary attacks. Computers & Security, 25(2), pp. 114-120.
[13] Bernaschi, M., Bisson, M., Gabrielli, E., Tacconi, S., 2009. An Architecture for Distributed Dictionary Attacks to Cryptosystems. Journal of Computers, 4(5), pp. 378-386.
[14] Vykopal, J., Plesník, T., Minařík, P., 2009. Network-Based Dictionary Attack Detection. International Conference on Future Networks, Bangkok, Thailand, 7-9 March 2009.
[15] Vykopal, J., Plesník, T., Minařík, P., 2009. Validation of the Network-based Dictionary Attack Detection. Security and Protection of Information, Proceedings of the Conference, Brno, Czech Republic, 2009, University of Defense.
[16] Alt, F., Schmidt, A., Atterer, R., Holleis, P., 2009. Bringing Web 2.0 to the Old Web: A Platform for Parasitic Applications. Lecture Notes in Computer Science, Vol. 5726, pp. 405-418.
[17] Jim, T., Swamy, N., Hicks, M., 2007. Defeating script injection attacks with browser-enforced embedded policies. Proceedings of the 16th International Conference on World Wide Web, Banff, Alberta, Canada, 8-12 May 2007.
[18] Johns, M., 2008. On JavaScript malware and related threats. Journal in Computer Virology, 4(3), pp. 161-178.
[19] Baker, M., Buyya, R., Laforenza, D., 2002. Grids and Grid Technologies for Wide-Area Distributed Computing. Software: Practice and Experience (SPE), 32(15), pp. 1437-1466.
[20] Bardis, N. G., Markovskyi, O., Doukas, N., 2010. Fast subscriber identification based on the zero knowledge principle for multimedia content distribution. International Journal of Multimedia Intelligence and Security, 2010.
