Social Media Awareness
‘Tis the season to be merry and enjoy family, stuff our faces with food and, for those legally able to, drink some eggnog or whatever concoction we cherish. It’s certainly the age of ‘selfies’, hashtags (#), tweeting and checking in. Home Alone was one of my favorite movies. The burglars waited until the homeowners left for vacation and then tried to break in. Of course the movie has them fail miserably at this, but the point is that before technology, cat burglars had to physically scope out a target. Today we do this job for them by publicly sharing that information without hesitation.
Social media is a great tool to have personally and even as a business, since it can be used as a ‘free’ marketing tool. I stay in touch with family and friends who are thousands of miles away via Facebook. They post photos, I post photos, we like each other’s photos, and the cycle goes on and on. The downside is that social media sites make money by having as many users as possible share information; privacy and security are an afterthought. The more connected they can get their users, the better for them. How does someone have over 1,000 friends? How do you keep up with all those relationships? If you post a picture, not only do those 1,000 friends have access to it, so do each of their 1,000 friends (if you haven’t locked down your account). That means about a million ‘strangers’ could potentially view the picture you just posted. In terms of marketing this is great: if you like a product and share it, potentially a million people will see it and a sale may come out of it. As an individual, though, would you like a million eyes staring at your body because you decided to flaunt your new ink?
“Data shows 93% of hiring managers will review a candidate’s social profile before making a hiring decision. And that review matters: 55% have reconsidered a candidate based on what they find, with most (61%) of those double-takes being negative.” (Davidson, 2014)
So not only should we worry about sharing personal pictures and information with strangers; it can also hurt our careers.
How can social media be used to propagate an attack?
Let’s walk through some basic information gathering (recon) and a possible spear-phishing scenario based on a ‘fictional’ post by the HR manager at company ABC. On her social media page she posted a picture of a soccer game captioned #GoBruins #MyDaughterRocks. Typical stuff that any proud parent would post; no harm there. As the Human Resources manager, Jane Doe has her title at company ABC listed on her social media About page, and her privacy settings are not strict: friends of friends can view her profile. Her LinkedIn page is also linked to her other social media accounts such as Facebook and Twitter.
While doing recon on company ABC, bad-guy Joe used Metagoofil, an information gathering tool designed for extracting metadata from public documents (pdf, doc, xls, ppt, docx, pptx, xlsx) belonging to a target company. Metagoofil performs a Google search to identify and download the documents to local disk and then extracts their metadata with libraries such as Hachoir and PdfMiner. From the results it generates a report of usernames, software versions and server or machine names that helps penetration testers in the information gathering phase.
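The defensive counterpart to the document-metadata recon described above is to review what your own published files reveal before they go out, and to scrub it. The following is an added example, not Metagoofil’s code and not from the original post: it reads the author, last-modified-by, application, version and company fields that Office (OOXML) packages keep in docProps/core.xml and docProps/app.xml, then writes a copy with those elements removed. The sample package, the names in it (jdoe, ABC\jane.doe, Company ABC) and the chosen field list are all constructed for the example; it handles docx-style zip packages only, not the PDF or legacy binary formats that Metagoofil also covers.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces of the two OOXML metadata parts that carry author and software details
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
# Fields worth reviewing before a document goes public: usernames, company, software version
# (an assumed shortlist for this example; extend it to taste)
LEAKY_FIELDS = {
    "docProps/core.xml": ["dc:creator", "cp:lastModifiedBy"],
    "docProps/app.xml": ["ep:Application", "ep:AppVersion", "ep:Company"],
}

# Constructed sample values (not taken from any real document)
CORE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}">
  <dc:title>Holiday party schedule</dc:title>
  <dc:creator>jdoe</dc:creator>
  <cp:lastModifiedBy>ABC\\jane.doe</cp:lastModifiedBy>
</cp:coreProperties>""".format(**NS)

APP_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="{ep}">
  <Application>Microsoft Office Word</Application>
  <AppVersion>16.0000</AppVersion>
  <Company>Company ABC</Company>
</Properties>""".format(**NS)


def build_sample_docx() -> bytes:
    """Minimal docx-style zip with only the metadata parts and a stub body
    (it omits [Content_Types].xml, so Word itself would not open it)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("docProps/app.xml", APP_XML)
        z.writestr("word/document.xml", "<document/>")
    return buf.getvalue()


def extract_docx_metadata(data: bytes) -> dict:
    """Return the leaky fields present in the package, keyed by prefixed tag name."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for part, fields in LEAKY_FIELDS.items():
            if part not in z.namelist():
                continue
            root = ET.fromstring(z.read(part))
            for field in fields:
                value = root.findtext(field, namespaces=NS)
                if value:
                    found[field] = value.strip()
    return found


def scrub_docx_metadata(data: bytes) -> bytes:
    """Rewrite the package with the leaky elements removed; every other part
    (document body, other properties such as the title) is copied unchanged."""
    for prefix, uri in NS.items():           # keep readable prefixes in the output XML
        ET.register_namespace(prefix, uri)
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            payload = src.read(item.filename)
            if item.filename in LEAKY_FIELDS:
                root = ET.fromstring(payload)
                for field in LEAKY_FIELDS[item.filename]:
                    for el in root.findall(field, namespaces=NS):
                        root.remove(el)
                payload = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
            dst.writestr(item.filename, payload)
    return out.getvalue()


if __name__ == "__main__":
    doc = build_sample_docx()
    print("before:", extract_docx_metadata(doc))
    print("after: ", extract_docx_metadata(scrub_docx_metadata(doc)))
```

Run against a real .docx, pptx or xlsx, `extract_docx_metadata` shows the same kind of usernames and version strings a recon tool would harvest from your public site; `scrub_docx_metadata` removes only the listed elements, so the title and body survive. Office’s own “Inspect Document” feature does the same job interactively, but a script like this can be put in front of a publishing pipeline.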
The HR manager stood out to him because of the access she would have to employees’ personally identifiable information (PII) within the targeted company. Through online stalking, bad-guy Joe comes across the post described earlier. By saving the image and uploading it to metapicz, he gathers details such as the date the picture was taken. Images often carry metadata such as the camera used, the application that processed the file and even the location where the picture was taken.
Bad-guy Joe also used Google’s reverse image search to learn more about the picture. From it he can see that the soccer match was played at Tranquility Park (see figure 1.1).
Note that there are other powerful metadata extraction tools, such as ExifTool, that can pull even more information.
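To see concretely what the metadata discussed above looks like, and to strip it before a photo is posted, here is an added example that is not part of the original post and not ExifTool’s or metapicz’s code. It builds a constructed JPEG skeleton (SOI, an Exif APP1 segment, EOI, no image scan data) whose camera model, timestamp and GPS coordinates are all made up, parses the TIFF-structured Exif block back out, converts the coordinates to decimal degrees, and then writes a copy with the Exif segment removed. Only the tags listed at the top are decoded; a real photo carries many more.

```python
import struct

# EXIF/TIFF tag numbers for the fields a photo most commonly leaks:
# device model (IFD0), timestamp (Exif IFD) and position (GPS IFD).
IFD0_TAGS = {0x0110: "Model"}
EXIF_TAGS = {0x9003: "DateTimeOriginal"}
GPS_TAGS = {1: "GPSLatitudeRef", 2: "GPSLatitude", 3: "GPSLongitudeRef", 4: "GPSLongitude"}
SUB_IFDS = {0x8769: EXIF_TAGS, 0x8825: GPS_TAGS}   # IFD0 pointers to the sub-IFDs
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1}   # bytes per element, by TIFF type
ASCII, LONG, RATIONAL = 2, 4, 5

def _build_ifd(entries, start):
    """Lay out one big-endian IFD at absolute offset `start`; values longer than
    4 bytes are appended after the IFD and referenced by offset."""
    data_off = start + 2 + 12 * len(entries) + 4
    ifd, extra = struct.pack(">H", len(entries)), b""
    for tag, typ, count, payload in entries:
        if len(payload) <= 4:
            field = payload.ljust(4, b"\0")                 # short values live inline
        else:
            field, extra = struct.pack(">I", data_off + len(extra)), extra + payload
        ifd += struct.pack(">HHI", tag, typ, count) + field
    return ifd + struct.pack(">I", 0) + extra               # 0 = no chained IFD

def build_sample_jpeg():
    """Constructed input (not a real photo): SOI, an Exif APP1 and EOI, with no
    scan data. The model, timestamp and coordinates are made up."""
    model, date = b"Pixel 4a\0", b"2015:12:05 14:32:10\0"
    dms = lambda d, m, s: struct.pack(">IIIIII", d, 1, m, 1, s, 100)   # deg, min, sec/100
    lat, lon = dms(40, 26, 4620), dms(79, 58, 5600)                    # 40 26'46.20"N 79 58'56.00"W
    def ifd0(exif_off, gps_off):
        return _build_ifd([(0x0110, ASCII, len(model), model),
                           (0x8769, LONG, 1, struct.pack(">I", exif_off)),
                           (0x8825, LONG, 1, struct.pack(">I", gps_off))], 8)
    exif_off = 8 + len(ifd0(0, 0))                      # pointer values do not change IFD0's size
    exif_ifd = _build_ifd([(0x9003, ASCII, len(date), date)], exif_off)
    gps_off = exif_off + len(exif_ifd)
    gps_ifd = _build_ifd([(1, ASCII, 2, b"N\0"), (2, RATIONAL, 3, lat),
                          (3, ASCII, 2, b"W\0"), (4, RATIONAL, 3, lon)], gps_off)
    app1 = b"Exif\0\0MM\x00\x2a" + struct.pack(">I", 8) + ifd0(exif_off, gps_off) + exif_ifd + gps_ifd
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"

def _segments(data):
    """Yield (marker, offset, size) for each JPEG segment before the scan data."""
    pos = 2                                               # skip SOI
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):                        # EOI or SOS: metadata is over
            return
        size = 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, pos, size
        pos += size

def _is_exif(data, off):
    return data[off + 1] == 0xE1 and data[off + 4:off + 10] == b"Exif\0\0"

def parse_tiff(tiff):
    """Walk IFD0 and its Exif/GPS sub-IFDs, decoding the tags listed above."""
    end = ">" if tiff[:2] == b"MM" else "<"               # byte order from the header
    found = {}
    def read_ifd(off, names):
        for i in range(struct.unpack(end + "H", tiff[off:off + 2])[0]):
            e = off + 2 + 12 * i
            tag, typ, count = struct.unpack(end + "HHI", tiff[e:e + 8])
            size = TYPE_SIZE.get(typ, 1) * count
            val_off = e + 8 if size <= 4 else struct.unpack(end + "I", tiff[e + 8:e + 12])[0]
            raw = tiff[val_off:val_off + size]
            if names is IFD0_TAGS and tag in SUB_IFDS:
                read_ifd(struct.unpack(end + "I", raw)[0], SUB_IFDS[tag])
            elif tag in names and typ == ASCII:
                found[names[tag]] = raw.rstrip(b"\0").decode("ascii", "replace")
            elif tag in names and typ == RATIONAL:
                v = struct.unpack(end + "II" * count, raw)
                found[names[tag]] = [v[j] / v[j + 1] if v[j + 1] else 0.0 for j in range(0, 2 * count, 2)]
    read_ifd(struct.unpack(end + "I", tiff[4:8])[0], IFD0_TAGS)
    return found

def extract_exif(jpeg):
    """Recognised EXIF fields of a JPEG, or {} when it carries no Exif APP1."""
    for _, off, size in _segments(jpeg):
        if _is_exif(jpeg, off):
            return parse_tiff(jpeg[off + 10:off + size])
    return {}

def gps_decimal(fields):
    """Degrees/minutes/seconds plus hemisphere letter -> signed decimal degrees."""
    if "GPSLatitude" not in fields or "GPSLongitude" not in fields:
        return None
    to_deg = lambda v, ref: (-1 if ref in ("S", "W") else 1) * (v[0] + v[1] / 60 + v[2] / 3600)
    return (to_deg(fields["GPSLatitude"], fields.get("GPSLatitudeRef", "N")),
            to_deg(fields["GPSLongitude"], fields.get("GPSLongitudeRef", "E")))

def strip_exif(jpeg):
    """Copy of the JPEG without its Exif APP1 segments; scan data passes through."""
    out, pos = bytearray(jpeg[:2]), 2
    for _, off, size in _segments(jpeg):
        if not _is_exif(jpeg, off):
            out += jpeg[off:off + size]
        pos = off + size
    return bytes(out + jpeg[pos:])

if __name__ == "__main__":
    photo = build_sample_jpeg()
    print("before:", extract_exif(photo), gps_decimal(extract_exif(photo)))
    print("after: ", extract_exif(strip_exif(photo)))
```

Pointing `extract_exif` at a real photo from a phone shows the same kind of date, model and position data that the metapicz step in the story recovered; `strip_exif` is the check to run before uploading, keeping in mind that many social networks strip Exif on upload themselves while others, and plain file sharing, do not.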
Figure 1.1
Figure 1.2
Now that bad-guy Joe has this information, it’s time to craft a targeted email (a spear-phishing email) that can deliver a malicious payload. Before crafting the email, to give the exploit a higher chance of success, bad-guy Joe scans Jane Doe’s social media page again and runs into a post mentioning the browser and computer she uses (IE 11 on Windows 10; see figure 1.2).
Now the email can be sent with a ‘legitimate’ message, and the embedded exploit is specific to the operating system Jane Doe uses.
Figure 1.3
How to stay safe on social media
Is it time to pull out the Kodak and order some film? Not necessarily. Social media is here to stay, and as much as staying away from it entirely would be the best way to avoid its pitfalls, there are basic steps we can take to avoid sharing too much.
- Configure your privacy and security settings. Lock down your social media accounts as much as possible. You really don’t have all those friends; it’s probably time to cut back on the attention.
- Question before you post. Ask yourself what you would lose if you posted that picture or tweeted that post, and think about it before sharing. Yes, you can now edit posts and even delete pictures, but are you 100% positive nobody has already taken a screenshot?
- Less is more. The whole world does not need to know about your day-to-day life; we have TMZ and the gossip magazines to keep us busy. The less information you share, the less likely someone can map out your life.
- Mirages are real. Approach everything with caution and doubt; yes, that single lady on christianmingle.com may not be so Christian after all. Online profiles can be spun up and made into whatever you fancy. Be careful what you trust on the net. Pictures of your friends and family can be used to create fake profiles to dupe you.
- Security through obscurity. No rule says you have to use your real name out there. Sometimes using an alias can help keep that CEO out of the social media limelight.
As we enjoy family and friends, we need to be vigilant and aware of what we are posting online.
I will borrow a leaf from National Cyber Security Awareness Month (NCSAM), celebrated every October, which highlighted the campaign theme STOP. THINK. CONNECT. The capstone concepts of the campaign are:
- Keep a Clean Machine
- Protect Your Personal Information
- Connect With Care
- Be Web Wise
- Be a Good Online Citizen
References
Tutorial: Metadata Analysis. (n.d.). Retrieved December 9, 2015, from http://fotoforensics.com/tutorial-meta.php
Davidson, J. (2014, October 16). The 7 Social Media Mistakes Most Likely to Cost You a Job. Retrieved December 9, 2015, from http://time.com/money/3510967/jobvite-social-media-profiles-job-applicants/
Quite informative