Security in the Modern Web Part 1: Sybil Attacks and Harassment


Edited By thatpinguino  Staff

The past couple of weeks have been about as rough as I can remember when it comes to personal privacy violations on the Internet. First there were multiple reported cases of doxing, personal site hacking, and email/Skype account infiltration surrounding the gamergate kerfuffle. Meanwhile, the whole celebrity hacking fiasco was unfolding as well. We tend to think of both of these events as singular explosions of hacks targeted at large public figures with large public presences. We don’t often think of celebrities of any variety as ordinary people with ordinary Gmail and Facebook accounts that are subject to the same flawed security provisions as everyone else. However, both of these events were likely precipitated by many small security violations and oversights on both the part of the victims and the institutions they relied upon. These high-profile hacks bespeak a larger societal issue with how we view computer security. There is a fundamental disconnect between how secure we feel on the web and how secure we actually are. In order to shed some light on this subject I figured I could offer some of the lessons I learned during some computer security courses I took during college. I also interviewed one of my college professors, who just so happens to be a computer security expert. Neither of us is privy to the nitty gritty details of all of the attacks; however, we can speak generally to how people should approach the topic of Internet security.

It is a visual AND mechanical metaphor! Bonus points!

The first topic I would like to cover is that of Twitter and social network harassment. These forms of attack can be the work of an actual angry mob of Twitter users, or they can be the product of something called a Sybil attack. This brand of attack is named after a woman who suffered from multiple personality disorder, and as such a Sybil attack is when one person uses several different accounts to create the illusion of a consensus among multiple users. In social networks these dummy accounts are known as sockpuppets, and the damage they can do is very real. Sybil attacks can be used to manipulate any number of systems that rely on a 1:1 user-to-account ratio. Attackers can do things like drive down review scores on sites like Metacritic or Amazon, as well as attack people on social networking sites like Twitter and Facebook. The trouble with these attacks is that they are incredibly simple to perform and maintain. All you need are multiple email addresses in most cases, and perhaps some IP routing to disguise your location. One person with enough time and energy can easily control their own personal mob in a bottle. On top of the ease of use, sockpuppet accounts are also disposable and easily replaced. As a result, a person launching a Sybil attack can behave like a hydra, regenerating a new account whenever one gets cut down.

Truthfully, if you are in the sights of a Sybil attack, there is not much recourse beyond contacting the particular service provider in question and moderating your feed using the tools available. You would need to have some major technical skills to track down your own attackers if they disguise their tracks at all. I’m talking IP packet capturing and tracing levels of skill. It certainly isn’t impossible to catch a harasser, but it is far from simple. Regardless of your own Internet sleuthing skills, reporting harassment to the proper authorities is definitely the first step to getting help.

If you happen to be a bystander and you see an Internet mob forming, the best thing to do at first is to look into who the participants are before joining the discussion. If you see a bunch of fresh or relatively unused accounts suddenly hounding one user, you are likely witnessing a Sybil attack. Therefore, take the discussion with a grain of salt. It is entirely possible that the mob is just one person with a lot of free time.

I hope this helps shed some light on one of the most common forms of Internet attack. I will be writing more about Internet security in the near future based on my interview with my teacher and on some of the topics of the day. I’m going to spread the topics across multiple posts in the hopes that they will be a bit easier to digest if they are served piecemeal.
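The bystander check from the post above (a bunch of fresh or relatively unused accounts suddenly hounding one user), written out as an added example that is not part of the original post. The field names, thresholds, handles and dates are assumptions constructed for illustration; the account age and post count stand in for whatever a site shows on its profile pages.

```python
from datetime import datetime, timedelta

def is_throwaway(acct, now, max_age_days=14, max_posts=10):
    """Fresh OR relatively unused: the two signals named in the post."""
    age = now - acct["created"]
    return age <= timedelta(days=max_age_days) or acct["posts"] <= max_posts

def densest_burst(replies, window):
    """Return the replies inside the busiest `window`-long span (two-pointer scan)."""
    ordered = sorted(replies, key=lambda r: r["at"])
    best, lo = [], 0
    for hi in range(len(ordered)):
        while ordered[hi]["at"] - ordered[lo]["at"] > window:
            lo += 1
        if hi - lo + 1 > len(best):
            best = ordered[lo:hi + 1]
    return best

def assess_pile_on(replies, accounts, now, window=timedelta(hours=2),
                   min_accounts=4, min_share=0.6):
    """Summarise who is in the burst. Thresholds are illustrative assumptions."""
    burst = densest_burst(replies, window)
    handles = sorted({r["handle"] for r in burst})
    suspect = [h for h in handles if is_throwaway(accounts[h], now)]
    share = len(suspect) / len(handles) if handles else 0.0
    return {
        "accounts_in_burst": len(handles),
        "throwaway_share": round(share, 2),
        "suspect_handles": suspect,
        # A hint to read the thread sceptically, not proof of a single operator.
        "treat_with_caution": len(handles) >= min_accounts and share >= min_share,
    }

# Constructed sample data: handles, dates and counts are made up.
NOW = datetime(2024, 1, 10, 12, 0)

def make_acct(age_days, posts):
    return {"created": NOW - timedelta(days=age_days), "posts": posts}

def make_reply(handle, minutes_ago):
    return {"handle": handle, "at": NOW - timedelta(minutes=minutes_ago)}

ACCOUNTS = {"longtime_fan": make_acct(1500, 2300), "new_a": make_acct(2, 3),
            "new_b": make_acct(1, 1), "new_c": make_acct(3, 5),
            "dormant_d": make_acct(900, 2), "regular_e": make_acct(400, 150)}
REPLIES = [make_reply("longtime_fan", 600), make_reply("new_a", 50),
           make_reply("new_b", 45), make_reply("new_a", 40), make_reply("new_c", 30),
           make_reply("dormant_d", 20), make_reply("regular_e", 10)]

if __name__ == "__main__":
    print(assess_pile_on(REPLIES, ACCOUNTS, NOW))
```

A high share only says the crowd deserves a closer look; real newcomers also arrive in bursts when a thread gets linked elsewhere.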

spraynardtatum

Great post. I had never heard of a Sybil attack. That sounds like a good (bad) way to harass someone online. It also sounds like a good (bad) tool for fabricating support for an agenda.


#2 fisk0  Moderator

Yeah, great post. I have seen it in use before, but didn't know it was so common that it had a name.


#3 thatpinguino  Staff

@spraynardtatum: Yeah Sybil attacks get even more complex when the attackers control both sides of an attack: both the victim and the attacker. You can engineer a controversy out of thin air if you try hard enough. Never assume that every account is controlled by a unique individual unless you can definitively prove it.


#4  Edited By TheManWithNoPlan

That was very enlightening. The lengths some people will go to support their own twisted personal causes is scary.

Spoonman671

You explained the concept of a Sybil attack much better than Wikipedia does. Although the name illustrates the idea pretty well on its own.

P.S. You don't know how to make a thread without a picture of a Magic: The Gathering card, do you?


#6 thatpinguino  Staff

@spoonman671: Thanks! I figured that the particular MTG card I picked was a nice visual and mechanical metaphor for a Sybil attack. Also it is a dope-ass plant hydra! Who doesn't like plant hydras? (To be fair most of my posts with MTG cards in them are posts about MTG... most of them)

zedman

Cool post, never knew this kind of thing had a name.


#8 thatpinguino  Staff

@zedman: Yeah, comp sci people love naming stuff. My personal favorite is the man-in-the-middle attack.

Slag

I just always assumed this was called a sockpuppet attack; this name is better.

Thanks thatpinguino, that was interesting!

Bollard

This is both an enlightening and interesting blog! Also, I approve wholly of the use of Magic cards as an example.


#11 sweep  Moderator

We have systems in place to catch such accounts on Giant Bomb, and while no system is perfect we're getting pretty good at catching people out.

We've had people make alternate accounts for the weirdest stuff, like roleplaying conversations with themselves about the most trivial nonsense. It can definitely be harmful when used to bully or attack other users though, and we take steps to prevent that from happening.


#12 thatpinguino  Staff

@sweep: Yeah I've noticed that even the biggest lightning rod threads here don't seem to have many sockpuppets. Even when some seem to spring up they tend to disappear right quick. It must be fascinating to have the tools to pick out dummy accounts on a site wide level.


#13  Edited By ThunderSlash

@sweep: I wish I was there to see some of the roleplaying stuff.

Great informative blog. I've seen a few instances of this happening in other forums. It's always super obvious when it happens though. Someone would have to be really dedicated to make it all convincing, which does happen from time to time.


#14  Edited By SubwayD

Not going to lie, when I saw the title, my first thought was that someone had been going after Cybill Shepherd on the internet.

OttoRostock

These attacks, as you call 'em, are so petty and generic... I wonder how one is capable of taking them seriously.

deactivated-64bc6edfbd9ee

@ottorostock: because not everyone knows it's a thing. Plus, when you have an angry "internet mob" on you it's hard to think about it I guess.


#17 sweep  Moderator

These attacks, as you call 'em, are so petty and generic... I wonder how one is capable of taking them seriously.

If many "people" apply pressure then it can be overwhelming. Surely you can appreciate how the illusion of a crowd can be very intimidating? It's far easier to simply fabricate the extra voices that complement your own, instead of only claiming they exist and that you speak on their behalf, even though these tactics are essentially the same.


#19  Edited By sweep  Moderator

@ottorostock:

look at that Wu affair that's circulating gb mainpage

There's a reason the Brianna Wu article has been temporarily locked and this one hasn't. While hypothetical discussion of this topic is permitted, specifics pertaining to gamergate are currently being limited to that discussion, as they deserve full staff consideration and right now all the staff are asleep.

Thanks.


#20  Edited By OttoRostock

@sweep: I am not discussing it specifically, I could mention any other such case in its stead and it would not change it much. I am but referring to it as an example of the futility of harassment over the internet. However, seeing your point, I will abstain from discussing this further.


#22 thatpinguino  Staff

These attacks, as you call 'em, are so petty and generic... I wonder how one is capable of taking them seriously.

There can be a number of ill effects beyond emotionally hurting the target of a Sybil attack. A victim can completely understand what is going on and attempt to disregard their harassment; but, if enough bystanders think that a Sybil attack is actually a real angry mob with valid complaints, then the victim can suffer a ton of reputation damage anyway. You can end up with a real mob on top of the fabricated one. Also this technique can swing things like user reviews and consumer scores that are intended to be cursory scores that people just glance at without digging deep. Those kinds of attacks can really hurt a product's sales.


#23 thatpinguino  Staff

@thunderslash: Yeah the really nasty cases come up when people have the time to cover their tracks a little better or when they attack on sites that don't display user info in a meaningful way. Like on GB you can see when an account was created and the number of posts an account has made very easily. No one has the time to read every profile connected to a user review on a Metacritic page. The more hidden the user can be the worse the potential abuse.

@bollard: Glad I got some backup! Plant hydras fo life!