Trapped into a social network

Productivity killer or a panacea for interpersonal communication on the Internet? For everyone they are something different; maybe that is why they are so popular. And not only for facilitating relationships and sharing information online: many people use them for business because of the extremely rapid access to a specific audience.
But this is not an advertisement for social networks …
Whatever social network the people in your company use, we will look at one aspect of it that we have certainly not thought about before, but which is of great importance when talking about IT security, data protection and protection against social engineering. I will tell one sample (not fictional) story of how the security of a company can be compromised through social networks.
Imagine that we are a group that has received the task of penetrating Company X and obtaining information about its latest developments, which are still in the design and initial testing phase. Instead of using the noisy method of breaking through the protective walls by compromising servers, etc., we choose to use a social engineering attack and target the employees of the company directly.
What do we need for a successful attack?
1. Goal – in this case, to infiltrate the social circle of an organization and, if possible, to steal data
2. Medium – the employees using a social network such as Twitter, Facebook, MySpace, etc. These people are our open door through which we can walk in and get whatever information we need from the company …
3. Technical resources – in our case, a vulnerable site visited by employees of the company (or one created by us and sent through the relationships already established in the social network)
Let us pass over the objective; it explains itself. The medium is certainly present: if you have workers between 18 and 50 years old using the Internet, the likelihood that some of them participate in various forms of social networking on the web is quite high, even in Bulgaria. The active Facebook users in Bulgaria number more than 200 000; given the huge number of people in our small country who do not use a computer in their daily life, we can boldly assume that almost everyone using a computer is also using social networks.
Technical resources: we need a vulnerable site where we could deploy our malicious code, or a site which we create specifically for this purpose, a Facebook account and a certain dose of creativity.
After some information gathering on what kind of people are working in the company, possibly discovering names, email addresses, telephone numbers and positions, we proceed to create our fake account – of course, this is a young, attractive woman between 25 and 30 years old. Finding suitable pictures is not a problem; simulating an open, friendly personality is easy. We fill the account’s personal details with things such as “Single” and “Works in company X”. We find other people working in company X and add them to our list of friends. We rapidly receive confirmation from them, and in turn all their friends see the new user, perhaps their colleague whom they still do not know … Can one miss the chance to add her to his list of friends and try to establish a contact? Hardly. After less than a month, the employees of company X have adopted our fake account as part of their group and their company, and they have confidence in her. We chat with our new friends, mainly on topics related to work, and learn more about the company; this allows us to speak about internal matters and learn more and more confidential information … In time, the amount of information we have about the processes in the company and its people gives us such freedom of action that we can present ourselves as a participant in teams who develop new, still unreleased products and obtain information about these products which no employee would share with an outsider! Some of them are too attached, and are willing to trust without a shred of doubt any link sent by the attractive blonde / brunette … And this is if we create just one fake profile! What if we had created 2? 10? How complex a web of relationships can be created by a single person, if he wants to compromise your security?
So we have gained the confidence of the employees in company X, and we can send them links. We send a link to a site that asks for a username and password to access the corporate “intranet”; the site has the company’s logo and an external appearance that very accurately imitates the corporate image … 30% of the users who receive such a link automatically fill in the information requested from them. This link may tell them that their password has expired and they must renew it, or that the access is confidential and they must enter the username and password they use to access their computer daily … If we are lucky, we will find vulnerabilities in the website of the company itself, allowing us to add our own code to it, which will increase the success of the attack to nearly 90 percent. These usernames and passwords in many cases are sufficient to access the VPN access points of the company, to read corporate e-mail and to access the domain. The game ends … if you want to stop here. We can continue by sending viruses written especially for this case, Trojan horses, botnet clients, whatever we need to achieve our goals. Antivirus products will not catch them, and the percentage of users who have doubts and do not open them is very small compared to the case of e-mail spam.
Countermeasures
Technical methods such as blocking access to social networking sites are a potential solution. Disabling JavaScript and graphics on these sites will make them safer, while awkward to use, and will act in the same manner as chilli-laced meat works on dogs in training: after a time, they refuse to accept food from strangers. The sad thing is that if you use technical methods, there will always be a smart guy who bypasses them and tells all his colleagues how to do it. Therefore, besides technical solutions, we need a more creative approach.
Training, training, training … Information security is a permanent war in which every participant needs to be trained continuously. Rules alone do not work: it is one thing to tell someone “do not violate the rules”, and another to explain, as in the illustration above, what happens if one violates the corporate security policies. The examples you can give people are endless, as are the methods by which they may be attacked; in this case it is important to give them basic knowledge about what is allowed, what is not, and why. If they know 3 ways they can be attacked, they will be alert to the unknown fourth. This is much better than simply telling them “Be alert!”: the unknown scares at first, and then the rules will simply be ignored. If your people know what kind of access they provide to an attacker just by giving him their username/password, they will be much more careful online (and offline). Having the responsibility to protect these resources, and not just the password, will make them much more active in defending their company’s information security.
