Sunday, July 24, 2016

Infosec angles on physical watering hole attack

If you're following the shooting at a Munich McDonalds, you may have heard that the attacker used a unique tactic to lure victims to the scene of the crime.  The attacker compromised the Facebook account of another user and posted under her account.  He lured people to the McDonalds at 4pm, offering that he would buy them some food as long as it wasn't too expensive.

At this point, it's unclear how many of the shooter's victims were lured by this offer as he did not show up himself until 6:30pm.  I suppose free McDonalds is a tantalizing offer to some, but it seems that two and a half hours of waiting is too long for even the most hopeful.  Currently nobody knows why the shooter was 2.5 hours late, but this is a good thing for Facebook.

Infosec angles?

There are at least two infosec angles here to consider.  The first is to use this event to educate users on watering hole attacks.  These attacks are often devastating to organizations - mostly because users have a really hard time detecting (or even understanding) them.  The second is to consider potential liability if you run a Facebook-style service that offers the sort of messaging used by the attacker.

For user education, this is as real as watering hole attacks get.  The basic premise we need to convey in user education is that when things appear out of place, we have to apply caution - even if you are in a supposedly safe place (like Facebook).  Basically, this is a situational awareness issue.  The internet is not a safe place.  When you are there, be careful regardless of the site you are on.

As for liability, this event should be a great conversation starter on potential liability you may suffer when a user utilizes your application.  In this case, there's little reason to believe that the attacker was successful in killing any victims due to the Facebook post.  But what if he had?  While IANAL (I am not a lawyer, you should talk to one), there seem to be some potential factors that might impact liability, including:

  1. Did the user's post contain obvious hate speech which could have been algorithmically detected and blocked?
  2. If the post contained an obvious threat, was there a way for other users to report it to your platform operations team?  What is that team's procedure for interacting with law enforcement?  How quickly do they respond to reported threats?
  3. Was the post created (as this one was) using a hacked account?
  4. Does your platform offer multi-factor authentication to make hacking accounts harder?
  5. Does your platform have any way to detect hacked accounts?

There are probably a number of other questions that your legal counsel would direct you to consider, but as I said, IANAL.  At Rendition Infosec, we ask clients to consider how they would respond to threats that they see in the news.  After all, you are most likely to be impacted by the same attacks as others in your industry.  Also, if it's happened before, you can't very convincingly say "we never considered that."

What constitutes a "messaging platform" for the purposes of considering liability?  I wouldn't just consider Facebook-style applications.  Anything with a message board, forum, etc. could be used to facilitate this sort of watering hole attack.  If you have one of these (and most organizations do), talk to your internal counsel about your potential liability - and how you can take steps to reduce it.