Social engineering via Social networking

Security Strategies Alert By M. E. Kabay, Network World
October 04, 2010 12:05 AM ET
The long view of security strategies for your network.

In this second of two parts, friend and colleague Jan S. Buitron, MSIA, CISSP, MCSE, continues her analysis of security and social networking. The rest of today's column is entirely her work with minor edits.

* * *

Pictures from a picnic

Facebook affords opportunities for Internet thieves to invade businesses. In an example provided by network infrastructure provider Terremark (with the victim company and employee names anonymized), hackers hijacked a Facebook account belonging to "Bob," a male employee at a financial institution, and sent a link to an unsuspecting female employee named "Alice" at the same firm. There had been a company picnic the previous weekend, and the e-mail from Bob's hijacked account promised pictures from the recent picnic. Alice clicked the link, expecting to see pictures of the company picnic. Nothing appeared to happen, but the click had downloaded a keylogger onto her company laptop. The thieves then captured Alice's remote company login and used it to breach a vulnerable, unpatched server inside the financial services company's network.

Fortunately for the financial institution, the thieves were not adept at hiding their activities. More than one person in the company had received the fake link and complained to the corporate administrator that the link to the pictures was not working. The administrator got suspicious and found the breach after closely examining corporate system event logs. It had all started with an employee using Facebook on a company laptop.
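The detection in the anecdote above hinged on two signals an administrator can correlate: several employees reporting the same "broken" link, and event logs showing what those employees' machines fetched right after clicking it. The following is an added example (not from the column, nor from Terremark) of that correlation as code. It parses constructed web-proxy log lines and constructed helpdesk tickets; every user name, host name and URL in it is invented for illustration, and the log format is an assumption, not any product's real format.

```python
"""Added example: correlate helpdesk 'link not working' tickets with proxy logs
to surface a link that several users fetched and that was followed by a file
download. All data below is constructed for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log: timestamp user client_ip method url status bytes
PROXY_LOG = """\
2010-09-27T09:02:11 alice 10.1.4.22 GET http://pics-picnic.example.net/album?id=77 200 412
2010-09-27T09:02:12 alice 10.1.4.22 GET http://pics-picnic.example.net/viewer.exe 200 184320
2010-09-27T09:15:40 carol 10.1.4.31 GET http://pics-picnic.example.net/album?id=77 200 412
2010-09-27T09:15:41 carol 10.1.4.31 GET http://pics-picnic.example.net/viewer.exe 200 184320
2010-09-27T09:40:03 dave 10.1.4.57 GET http://intranet.example.com/hr/picnic.html 200 9031
2010-09-27T10:05:19 erin 10.1.4.12 GET http://pics-picnic.example.net/album?id=77 200 412
"""

# Constructed helpdesk tickets: (reporting user, free-text description)
TICKETS = [
    ("alice", "The picnic pictures link Bob sent me doesn't open: http://pics-picnic.example.net/album?id=77"),
    ("carol", "Link to photos not working http://pics-picnic.example.net/album?id=77"),
    ("dave", "Printer on floor 3 jammed again"),
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<ip>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+) (?P<bytes>\d+)$"
)
URL_RE = re.compile(r"https?://\S+")
# File types whose download right after a click is worth a closer look (assumed list).
DOWNLOAD_EXT = (".exe", ".scr", ".msi", ".zip")


def parse_proxy_log(text):
    """Turn raw log text into a list of event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.fromisoformat(d["ts"])
        events.append(d)
    return events


def reported_urls(tickets):
    """Map URL -> set of users who mentioned it in a helpdesk ticket."""
    out = defaultdict(set)
    for user, text in tickets:
        for url in URL_RE.findall(text):
            out[url].add(user)
    return out


def suspicious_links(events, tickets, min_users=2, window=timedelta(seconds=30)):
    """Return {url: info} for URLs that at least `min_users` distinct users fetched,
    that someone reported as broken, and note which of those users fetched a
    downloadable file within `window` of the click (the keylogger pattern)."""
    by_url = defaultdict(set)
    for e in events:
        by_url[e["url"]].add(e["user"])
    reports = reported_urls(tickets)
    findings = {}
    for url, users in by_url.items():
        if len(users) < min_users or url not in reports:
            continue
        downloads = set()
        for e in (x for x in events if x["url"] == url):
            for f in events:
                if (f["user"] == e["user"] and f["url"] != url
                        and f["url"].lower().endswith(DOWNLOAD_EXT)
                        and timedelta(0) <= f["ts"] - e["ts"] <= window):
                    downloads.add(e["user"])
        findings[url] = {"users": users, "reported_by": reports[url], "downloads": downloads}
    return findings


if __name__ == "__main__":
    for url, info in suspicious_links(parse_proxy_log(PROXY_LOG), TICKETS).items():
        print(url, "fetched by", sorted(info["users"]), "| reported by",
              sorted(info["reported_by"]), "| download followed for", sorted(info["downloads"]))
```

On the constructed data the intranet page is ignored (one user, no ticket), while the picnic album link is flagged: three users fetched it, two reported it, and two of them pulled an executable within a second of the click. The point is the correlation, not the thresholds; in practice `min_users` and `window` would be tuned to the environment, and the finding would feed an incident ticket rather than be the final word.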

I strongly recommend that government agencies and businesses avoid using social-networking sites to post internal operating information. It is a dubious exercise, at best. At worst, organizations are exposing themselves to considerable risk of security breaches.

Casual posts of detailed information by high-security personnel (for example in tweets), especially about absences from work such as their whereabouts on vacation or at conferences, may give industrial spies exactly the information they need to penetrate an organization through social engineering.

Recently Thomas Ryan, co-founder of Private Security, carried out what is now called the "Robin Sage Experiment" by posting a fictitious female character as a "cyber threat analyst" who is 25 years old with 10 years of information security experience (why did no one notice this?). He added a flirty picture of "a cute girl from an adult website," and in less than a month "she" had over 200 contacts in the military and intelligence communities. Worst of all, those contacts readily revealed national secrets to their new contact.

Readers with an investigative streak will quickly establish that I do use LinkedIn, the professionals' social-networking site. I feel confident about the safety of using LinkedIn because numerous members of the cybersecurity community use it. LinkedIn is designed for the business- and privacy-minded. A member of LinkedIn has greater command over what others see in their public profile: LinkedIn has granular controls that allow users to block specific details of their profiles from public view. You can choose whether or not to show your picture, your location or even your last name.

M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services and teaching. He is Chief Technical Officer of Adaptive Cyber Security Instruments, Inc. and Associate Professor of Information Assurance in the School of Business and Management at Norwich University. Visit his Web site for white papers and course materials.
