Six Degrees of E-Separation
If you've ever played the game "Six Degrees of Kevin Bacon," you know there's a lot of truth to it. It's based on the notion that any actor can be linked through his or her film roles to Mr. Bacon.
And if you've ever spent significant time on social networking sites, it's easy to see how this game applies to your own or your friends' real connections.
So, it should come as no surprise that the same dynamic may work amongst victims of computer viruses.
I came up with the nutty idea for this experiment after stumbling upon a trove of data stolen by a single keystroke logger which, according to the time- and date-stamped records, appeared to be in operation between June and September of 2007. During that time, the criminal(s) distributing that keylogger ensnared some 10,000 victims, stealing more than 20 gigabytes' worth of user names and passwords: both credentials the victims had saved in their browsers and credentials they typed whenever they logged in to a site that required them.
Security Fix has mined these types of data troves in previous posts, examining everything from the types of credit cards stolen to compromised businesses to mapping out victims by geographic region. In an effort to look at this data in a different light, I chose this time around to look at the relationships between all victims who had accounts with LinkedIn, a social networking site that caters to executives and the business community.
Out of those 10,000 victims, I was able to confirm that roughly 100 were LinkedIn users. That is, only about 100 had either stored their LinkedIn credentials in Internet Explorer or had logged into their LinkedIn account while the keylogger was running on their PC. I was unable to positively identify about one-quarter of those 100, most likely for one or more of the following reasons: their full name wasn't included elsewhere in the stolen data; their last name had changed since the data was stolen; or they had closed their LinkedIn account since the data was stolen.
Of the remaining 75 people, I discovered that about 30 were within my relatively close circle of acquaintances - that is, within three degrees of separation (the free LinkedIn membership -- which I have -- doesn't appear to let you search past three degrees of separation). Anyway, you can see my rather sorry attempt at mapping this information in the Microsoft Visio graph to the right. Note that only a subset of the victims I contacted are shown in that graph.
But that left me to wonder - well, what about the other 45 users? So, I began contacting the LinkedIn users who were within my network, and asked the 10 or so users who responded to search their network for all of the remaining LinkedIn users that I'd identified.
The result? Every one of the remaining 45 victims was within three degrees of separation of at least one of those users. Some of the LinkedIn users in my direct circle of contacts had links to more than half of those 45, while others had links to only a few. Regardless, since each of those helpers was themselves within three degrees of me, all of the victims I'd identified were within six degrees of separation from me.
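The two-stage search described above (my own three-degree circle first, then the three-degree circles of contacts inside it) is ordinary breadth-first search over a contact graph, and the "six degrees" conclusion follows from adding the two hop counts. The following is an added example, not code from the original post: the contact graph, the victim list and all names are constructed placeholders, and it assumes connections are mutual (an undirected graph), which is how LinkedIn connections behave.

```python
"""Degrees of separation over a constructed contact graph.

Added example, not code from the original post. The graph below is a made-up
LinkedIn-style contact list; names are placeholders. It reproduces the
two-stage search in the text: first find which victims sit within three
degrees of "me", then hand the rest to contacts inside that circle and let
each of them search their own three-degree neighbourhood.
"""
from collections import deque

# Constructed, undirected contact graph (assumption: connections are mutual).
CONTACTS = {
    "me": {"alice", "bob"},
    "alice": {"me", "carol"},
    "bob": {"me", "dave"},
    "carol": {"alice", "erin"},
    "dave": {"bob", "frank"},
    "erin": {"carol", "grace"},
    "frank": {"dave", "heidi"},
    "grace": {"erin", "ivan"},
    "heidi": {"frank"},
    "ivan": {"grace", "judy"},
    "judy": {"ivan"},
}

# Constructed list of victims identified from the stolen-credential cache.
VICTIMS = {"carol", "erin", "frank", "grace", "heidi", "ivan", "judy"}

SEARCH_LIMIT = 3  # a free LinkedIn membership searched at most three degrees out


def degrees_from(graph, start, limit):
    """Breadth-first search: map every node reachable within `limit` hops of
    `start` to its shortest hop count. `start` itself maps to 0."""
    dist = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if dist[node] == limit:
            continue  # do not expand past the search horizon
        for nxt in graph.get(node, ()):
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return dist


def map_victims(graph, me, victims, limit=SEARCH_LIMIT):
    """Stage 1: victims within `limit` degrees of `me`.
    Stage 2: for each remaining victim, find a helper inside my
    `limit`-degree circle whose own `limit`-degree search reaches them.
    Returns (direct, via_helper, unreached)."""
    mine = degrees_from(graph, me, limit)
    direct = {v: mine[v] for v in victims if v in mine}
    via = {}
    # Ask the nearest helpers first; ties broken by name for determinism.
    for helper in sorted(mine, key=lambda n: (mine[n], n)):
        if helper == me:
            continue
        theirs = degrees_from(graph, helper, limit)
        for v in victims - set(direct) - set(via):
            if v in theirs:
                via[v] = (helper, mine[helper], theirs[v])
    unreached = victims - set(direct) - set(via)
    return direct, via, unreached


def bound_holds(via, limit=SEARCH_LIMIT):
    """The reasoning behind the six-degree claim: a victim found d2 hops from
    a helper who is d1 hops from me is at most d1 + d2 <= 2 * limit hops
    from me (triangle inequality on shortest-path lengths)."""
    return all(d1 + d2 <= 2 * limit for _, d1, d2 in via.values())


if __name__ == "__main__":
    direct, via, unreached = map_victims(CONTACTS, "me", VICTIMS)
    print("within 3 degrees of me:", direct)
    print("reached through a contact:", via)
    print("not reached:", unreached)
    print("all within 6 degrees:", not unreached and bound_holds(via))
```

In the constructed graph, judy is exactly six hops from "me" and is only found through erin, who sits at the edge of my three-degree circle; that is the worst case the two-stage search can still cover, and it is why the bound is six rather than something tighter.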
Now that I've completed this project, I'm still not entirely sure what it all means, beyond offering evidence to suggest that the Kevin Bacon game extends to at least one corner of the online social networking sphere. I'd love to hear your thoughts, Security Fix readers.
But I want to strongly emphasize that this experiment should not be viewed in any way as an indictment of LinkedIn's security. The LinkedIn credentials were just one tiny subset of data stolen by a keylogger whose instructions were to steal all of the victim's personal and financial credentials.
That said, LinkedIn strikes me as one of the more powerful, openly searchable tools on the Web today for finding professionals. Presumably those who sign up for LinkedIn do so because they want to be found by potential employers and colleagues. By way of comparison, I tried to conduct a similar experiment with nearly 2,000 stolen MySpace.com credentials in this cache, hoping to enlist the help of the folks at lococitato.com, which features a great MySpace friend mapping tool. I quickly found MySpace to be considerably more restrictive when searching for members' personal pages or other information, even when I already had their full name, e-mail address and other identifying information.
One final note: Examining this data did expose some obvious but strong biases, principally that the victims I contacted were nearly all white-collar professionals whose information was stolen from laptops given to them by their employers. In addition, a number of the victims I corresponded with said their employer or anti-virus software had recently scrubbed the machine of a virus or keylogger, but hardly any of those I spoke with had thought to change the passwords for the accounts they regularly accessed from those machines. Removing the keylogger stops further capture, but it does nothing about the credentials already sent to the thief; every password typed or stored on that machine while the keylogger ran stays valid until its owner changes it.
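The two things done with the cache in this post, pulling out the credentials for one site (the LinkedIn subset above) and working out which accounts a cleaned machine's owner still has to reset, fall out of the same triage pass over time-stamped records. The following is an added example, not code from the original post or from any real keylogger: the record layout is a constructed assumption (one line per captured login with a timestamp, host name, site URL, user name, a placeholder for the password, and whether it was typed or pulled from the browser's store), the hosts and users are made up, and the domain grouping keeps only the last two labels of the host name, which is good enough here but wrong for country-code domains such as co.uk.

```python
"""Triage of a constructed keylogger credential dump.

Added example, not code from the original post. The RECORDS text below is a
constructed sample in an assumed format; real keylogger output looks
different. Passwords are never read past the field boundary, since the
triage questions are "which site", "which user", "which host", "when".
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample records (assumed format). One malformed line is included
# deliberately, since real dumps are never clean.
RECORDS = """\
2007-06-21 08:14:02 | host=LAPTOP-0413 | site=https://www.linkedin.com/secure/login | user=a.smith@example.com | pass=[removed] | source=typed
2007-06-21 08:20:45 | host=LAPTOP-0413 | site=https://online.example-bank.com/login | user=asmith77 | pass=[removed] | source=typed
2007-07-03 19:02:11 | host=LAPTOP-0413 | site=https://www.linkedin.com/secure/login | user=a.smith@example.com | pass=[removed] | source=ie-store
2007-07-09 12:40:00 | host=WKSTN-221 | site=https://secure.myspace.com/index.cfm?fuseaction=login | user=bjones | pass=[removed] | source=typed
2007-08-15 07:55:30 | host=WKSTN-221 | site=https://www.linkedin.com/secure/login | user=b.jones@example.org | pass=[removed] | source=ie-store
2007-09-02 22:13:09 | host=WKSTN-221 | site=https://mail.example.org/owa/auth/logon.aspx | user=bjones | pass=[removed] | source=typed
this line is corrupted and must not abort the run
"""

RECORD_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \| host=(\S+) \| site=(\S+)"
    r" \| user=(\S+) \| pass=\S+ \| source=(\S+)$"
)


def registrable_domain(url):
    """Collapse a login URL to its site, e.g. www.linkedin.com -> linkedin.com.
    Assumption: last two labels are enough (not true for co.uk-style TLDs)."""
    host = (urlparse(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def parse_records(text):
    """Parse the dump into dicts, skipping lines that do not match the layout."""
    out = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue  # keep going; one bad line should not stop triage
        ts, host, site, user, source = m.groups()
        out.append({
            "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "host": host,
            "domain": registrable_domain(site),
            "user": user,
            "source": source,
        })
    return out


def users_for_domain(records, domain):
    """Unique user names captured for one site, split by how they were taken
    (typed at login versus lifted from the browser's saved-password store)."""
    by_source = defaultdict(set)
    for r in records:
        if r["domain"] == domain:
            by_source[r["source"]].add(r["user"])
    return dict(by_source)


def infection_window(records, host):
    """Earliest and latest capture on a host: the window during which every
    credential used on it should be treated as exposed."""
    stamps = [r["ts"] for r in records if r["host"] == host]
    return (min(stamps), max(stamps)) if stamps else None


def rotation_list(records, host):
    """Every (site, user) pair captured on `host`. Cleaning the machine does
    not recall what the keylogger already sent; each of these needs a reset."""
    return sorted({(r["domain"], r["user"]) for r in records if r["host"] == host})


if __name__ == "__main__":
    recs = parse_records(RECORDS)
    print("LinkedIn users by capture method:", users_for_domain(recs, "linkedin.com"))
    for host in sorted({r["host"] for r in recs}):
        start, end = infection_window(recs, host)
        print(f"{host}: exposed {start} .. {end}")
        for domain, user in rotation_list(recs, host):
            print(f"  reset {user} at {domain}")
```

The rotation list is keyed by host rather than by user on purpose: the person who gets the cleaned laptop back is the one who has to act, and they need the full set of sites touched from that machine during the window, not just the one site the thief happened to be noticed using.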
By Brian Krebs | March 12, 2008; 5:23 PM ET
Categories: Fraud, From the Bunker, Misc.
Brian-
I don't think I get your point here. Were you personally exposed to having data stolen? Also, were the passwords for LinkedIn only, or for more sensitive sites such as banking?
Sincerely,
Confused
Posted by: adam | March 12, 2008 8:29 PM
Adam, sorry for the confusion. I was not personally exposed. I located a cache of stolen data. I mined said data cache for LinkedIn credentials, and as an experiment, decided to see how many of the people who owned those credentials happened to be within my LinkedIn network. Then, I took that a step further.
As I stated in the third-to-last paragraph: "The LinkedIn credentials were just one tiny subset of data stolen by a keylogger whose instructions were to steal all of the victim's personal and financial credentials."
Posted by: Bk | March 12, 2008 8:51 PM
Brian-
Thank you for the clarification. I think I get it. Ouch.
As a side issue, I am knowledgeable on tech issues, but for the life of me cannot understand the benefit of these social sites. I don't need to have what seems like pretend friends/acquaintances. This will clearly change when my 10 year old enters this set in a few years. And I am already trying to teach him safe internet practice!
A little less confused.
Posted by: adam | March 13, 2008 12:16 AM
Interesting and scary (as usual!)
Meanwhile, I figured out using a little statistical magic that if you could get everyone to join LinkedIn you could very easily become connected to 201,453,118,001 other people ;-)
http://www.sciencebase.com/science-blog/six-degees-of-separation.html
db
Posted by: David Bradley | March 13, 2008 6:08 AM
Your study could easily be biased. You didn't choose some random names on LinkedIn, you took some from a keylogger. So all the victims are at least connected by the (social?) network used to spread the keylogger ;)
Posted by: claudio | March 13, 2008 9:21 AM
Interesting story but somewhat esoteric. I'd find it more interesting to learn what, if anything, happens to those who had their data stolen. I.e., contact a random sample of people in the 'trove', create an anonymous questionnaire and send it to them once every 6 months for the next 2 years. How many will have had their identity stolen; how many will have experienced fraudulent bank account withdrawals; how many have changed their password practices and frequency of anti-virus scans?
Posted by: Chris | March 13, 2008 10:53 AM
@Claudio, yes, the study is biased. And I say as much in the piece.
Posted by: Bk | March 13, 2008 11:15 AM