An interesting read came across my Twitter feed this morning, called “Looking Inside Your Screenshots.” The theory is simple: Blizzard is applying watermarks to your screenshots storing “personal” information. In this case, the author states that your account ID, a timestamp, and your server IP are captured.
Part of me was intrigued, and I did some reading on the discussion (get your tinfoil hats ready), and part of me shook my head. This blog post is about the thoughts that sprang to mind as I watched the commentary fly by on the whole topic, and my reaction as I read the post.
Who Are You Really?
One of the fascinating things about the internet is that you can be anyone you want to be. I say that with a casual attitude, and only some succeed at it, but let’s walk through this.
Most people, WoW players, guild mates, even Twitter pals, exist as you know them. They are male, they are female, they are tall, they are short. You may know this because you’ve heard their voices in chat, you may know what they look like because of a picture thread on your guild forums, or maybe you’ve even met them in person! You may know if they are married, or if they have kids. What their pets look like, what their favorite pair of shoes is. You can learn a lot about a person, or even people, if you just step back and listen.
But there are other people; individuals who go to great lengths to hide their identities. They may only provide their voice in chat, but you know nothing about them. Some people choose to not even speak. They could be a stranger you see at the bus stop each morning on your way to work. They could be the classmate sitting beside you in lecture.
But you really don’t know, because they don’t want you to know.
I’ve been told I share a lot with the world. In the grand scheme, I probably do. That said, there is much that I don’t share. I shape a personality, an image, that I want you to perceive when you think about me. But who I really am, most people will never know. I can smokescreen through a lot of things–the only people who can truly see through it are the people who play the same mental games I do.
Social Engineering 101
Social Engineering, as defined by Wikipedia:
Social Engineering, in the context of security, is understood to mean the art of manipulating people into performing actions or divulging confidential information.
And it’s so easy to do.
Wiki’s definition is a bit too tight for me. I’d paint it a touch broader: social engineering is the art of manipulating people to gain information, or to get them to perform actions, which they might not be inclined to do otherwise.
I was going to use Twitter as a prime example, but I think that it would hit too close to home for many, so I’m choosing to shy away from it. It’s a rabbit hole that if I went down would probably make people a touch uncomfortable around me, but it’s how my mind works…
The long and short of it is that I don’t need much information to build a picture of my Twitter followers. You’ve given me a lot of information, and with just a few nuggets, I can do some digging and build a complete picture that you probably don’t even realize exists.
Social engineering is, to put it bluntly, “creative use of real life mechanics.” It’s taking bits of information and seeding the rest to gather what you need. It’s asking very basic questions about a topic of interest, about your personal life, and then taking that information back into (in some cases) readily accessible tools to learn about someone.
Let’s take a step back in time in Miri’s life. I shared this in a very early blog post, but I’m going to flesh it out to give perspective on how easy it is to manipulate people. In this case, I manipulated my peers for my own success…
Social Engineering in Action
One of the courses I was required to take for my degree was in Information Warfare (my degree is in NetSec). The course description:
This course will examine and assess the role of information technology as a tool of warfare. Topics will be discussed from both a defensive and offensive perspective and will include: physical attacks, cyber-terrorism, espionage, psyops, biometrics, Network Centric Warfare, and applications of encryption technology.
Our final project was an information war, where we picked sides and were told about our alignments with other groups (enemies and allies).
My team took the challenge a touch further. We were, after all, the hackers. Loyal to no one, but hell-bent on our own desire to win. But how were we going to defeat the other 10-11 teams? We sat together one day in the atrium at school, our laptops balanced in our laps, our cans of soda on the tables beside us, as we argued and debated our points to win. And then one of our teammates spoke. “What if we turned each team against each other? What if we played the ultimate war game?” Intrigued, we all leaned in. At that moment, we had decided to take one hell of a giant step, sidestepping the line of ethics, a scheme beginning to flesh itself out.
My teammate proposed an idea, and we began to weave the fabric that would completely change the game. We would pretend to be our professor, the current Assistant Dean of our school. We would communicate with our fellow classmates, planting seeds of misinformation to spin the game in our favor.
We had months of email communication from our professor. We knew her writing style, her greeting and her closing methods, her sentence structure. So we began drafting our communications, our misinformation. We knew who was on each team–their email addresses were published in a course tool that everyone had access to. We sat on the school network, and spoofed our professor’s email address. We sent out email after email, each a touch different from the first, updating other players in the “war.”
Time passed, and we continued to develop our battle plan. We composed the final documents to present to our classmates, and showed up to class, completely calm, and more than a little curious to see if we actually succeeded in our game.
We chose to be the last team to present, and we watched as each team went to the front of the room, and pulled up their PowerPoint decks. We listened as they presented their list of allies, and their list of enemies. And we watched as they wove in our “information”–stating how they changed their allies and enemies list based on additional information that was provided to them during the course of the battle.
We watched our professor’s face contort into a frown, but she never spoke. The presentations continued, each one building on the last.
And then it was our turn.
I took center stage in the front of the room, and displayed the following image on the screen:
I watched the class’s facial expressions change. First they were confused, and I’ll admit, I smirked. My team’s ultimate goal had succeeded.
And then I spoke. I stated that we had no allies, and that everyone was an enemy. And I thanked them for their participation in our little scheme.
And the looks of confusion turned to anger.
I took a casual posture, leaning up against a table at the front of the room, my arms crossed in front of my chest, my face only illuminated by the projector showing the image behind me.
I asked my classmates who sent them the emails with the “additional information.” I asked that they point to the sender.
And I waited.
My classmates shifted in their seats and pointed to our professor, who looked even more confused. My fellow students studied our instructor as their looks turned to horror as they faced me once again.
I changed slides and sat back on the table, my legs crossed at the ankle, my hands casually resting on the table as I leaned forward to impart my final words of wisdom.
“You just spent a semester learning how wars can be fought online. You learned the ways that social engineering can be used to manipulate outcomes. And yet, you fell for everything you were taught to watch out for. Let this be a lesson–that things aren’t always what they seem.”
And with those final words, I blanked the screen and walked back to my seat.
Once my professor was able to get over her shock–her realization that we had completely manipulated a project she had assigned us, she polled the class on who won the war.
What You’ve Given Blizzard…
I got to watch people go “OMG my privacies!” about this whole watermarking scenario. I’ve watched people wave the BS flag, and I’ve watched people step back and wait for more findings.
My stance on the whole thing was “I don’t really care.”
If you are so worried about what’s in your screenshot, then take the time to step back and think about what you’ve given Blizzard.
Here’s a quickly compiled list:
- Name (Real or not, hope you never have to recover your account)
- Email Address
- Mailing Address
- Credit Card w/ expiration date and security code
- Buying history
- IP Address
- Computer specifications
When you’re logged into Blizzard’s servers, they have records of everything. A quick list, once again:
- Your IP
- Your character’s location in their world
- What’s in your bags/bank/mail
- Your addons
- Your conversations
If Blizzard wants information, they don’t need to store it in a screenshot; you’ve already given it to them when you sign on to their realms.
They didn’t need to socially engineer you for that information–you gave it readily.
So how do you protect yourself in light of this “finding”?
According to the author of the screenshots post, they think that “someone could use this to identify which account holds which characters and perhaps stalk and annoy its user, or help perpetrators choose their phishing victims with a more targeted approach.”
Some things I’d like to note:
- The account ID that is shown is not your Battle.net account ID, nor is it your BattleTag. It’s apparently the name that your account started with (think before we merged into Battle.net). The only person who knows that is the person who signs into the account (if you have multiple accounts and have to select which account to sign in).
- A timestamp. Well, in my screenshots, my clock is showing. You can see the HH:MM in my lower right-hand corner if you care. And if you want to look at a screenshot where I hid my UI? Please let me know what time I took it in case I can’t find it again.
- My realm IP. As was noted to me earlier, it could be a dozen different IPs on any given night. Your realm IP, your dungeon server IP (remember, dungeons are on a different server), your raid server IP. And let’s not even open the can of worms that is CRZ (cross-realm zones)–you’re bouncing to (or from) various realms all night now if you’re in low-level zones. Have at it Blizzard. If anything, it would be intriguing for me to learn what the dungeon/raid server IPs are.
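If you do want to check your own screenshots before posting them, the sensible move is a mechanical test rather than a forum argument. The script below is an added example written for this post; it is not Blizzard’s scheme and not the tooling from the “Looking Inside Your Screenshots” article. The watermark layout (a 4x4 tile of one-grey-level offsets repeated across the picture, the `TILE` constant) is a constructed placeholder, and the “screenshot” is a constructed gradient with a little noise so it runs offline. What it shows is the general idea behind such findings: a change of one grey level is invisible, but once you subtract each pixel’s local average the repeating offsets survive as a periodic residual that a correlation check (or, for the eye, a contrast stretch) picks up, and a blur before sharing removes it.

```python
"""Reveal a faint, repeating pattern hidden in an image's pixel values.

Added example for this post, not Blizzard's watermark and not the original
article's tooling.  TILE is a CONSTRUCTED placeholder layout; real marks
would differ, but the detect / view / sanitise steps are the same.
"""
import random

WIDTH, HEIGHT = 64, 48

# Constructed 4x4 tile of +1/-1 brightness offsets (hypothetical watermark).
TILE = [[1, -1, 1, -1],
        [-1, 1, 1, -1],
        [1, 1, -1, -1],
        [-1, -1, 1, 1]]


def make_screenshot(seed=1):
    """Constructed stand-in for a screenshot: a smooth gradient plus mild noise."""
    rng = random.Random(seed)
    return [[60 + 2 * x + y + rng.randint(-2, 2) for x in range(WIDTH)]
            for y in range(HEIGHT)]


def embed_pattern(img, tile=TILE, strength=1):
    """Add the tile, repeated, at +-strength grey levels (invisible to the eye)."""
    th, tw = len(tile), len(tile[0])
    return [[min(255, max(0, v + strength * tile[y % th][x % tw]))
             for x, v in enumerate(row)] for y, row in enumerate(img)]


def residual(img):
    """Subtract each pixel's 3x3 neighbourhood mean, leaving only fine detail."""
    h, w = len(img), len(img[0])
    out = []
    for y in range(h):
        row = []
        for x in range(w):
            nb = [img[yy][xx]
                  for yy in range(max(0, y - 1), min(h, y + 2))
                  for xx in range(max(0, x - 1), min(w, x + 2))]
            row.append(img[y][x] - sum(nb) / len(nb))
        out.append(row)
    return out


def pattern_score(img, tile=TILE):
    """Mean correlation of the residual with the tile phase at each pixel.

    Near 0 for an unmarked picture (noise averages out over thousands of
    pixels); about +strength when the tile is present, since for this tile
    the neighbourhood sums cancel in the correlation.
    """
    res = residual(img)
    th, tw = len(tile), len(tile[0])
    total = sum(res[y][x] * tile[y % th][x % tw]
                for y in range(len(img)) for x in range(len(img[0])))
    return total / (len(img) * len(img[0]))


def is_marked(img, tile=TILE, threshold=0.5):
    """Decision helper: does the picture carry the tile above the threshold?"""
    return pattern_score(img, tile) > threshold


def amplify(img, gain=40):
    """Contrast-stretch the residual around mid-grey so the pattern becomes
    visible when viewed as an image (what a sharpen/contrast pass in an
    image editor does)."""
    return [[int(min(255, max(0, round(128 + gain * v)))) for v in row]
            for row in residual(img)]


def box_blur(img):
    """Sanitise before sharing: replace every pixel with its 3x3 mean, i.e.
    drop the residual.  A one-level tile does not survive this.  Values are
    left as floats here; a real pipeline would quantise back to 8-bit."""
    res = residual(img)
    return [[img[y][x] - res[y][x] for x in range(len(img[0]))]
            for y in range(len(img))]


if __name__ == "__main__":
    clean = make_screenshot()
    marked = embed_pattern(clean)
    print("clean   score %.3f  marked: %s" % (pattern_score(clean), is_marked(clean)))
    print("marked  score %.3f  marked: %s" % (pattern_score(marked), is_marked(marked)))
    print("blurred score %.3f  marked: %s" % (pattern_score(box_blur(marked)),
                                              is_marked(box_blur(marked))))
```

The check only works when you know (or guess) the tile you are looking for, which is why the original finding needed someone to eyeball amplified screenshots first; once a layout is known, `pattern_score` is the repeatable test, and `box_blur` (or any resize) is the cheap fix before a picture goes on the forums.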
If you can go to the Armory, you can figure out what realm I’m on. Hell, it’s in my blog header. It’s on my Twitter account. I publish that information so people can find me.
If someone wants to exert the effort to extract that information from a picture, have at it.
There’s a lot of information already available thanks to search engines, standard “friendly” commentary, and ourselves.
Protect yourself by limiting what you say and share. You can help control the amount of information that the world can use against you.
But you have to make intelligent decisions to protect yourself. Don’t expect anyone else to do it for you.
Your safety and security starts with you.