The use of social media like Twitter, Facebook, Instagram, Tumblr, Google Plus, LinkedIn and others has been steadily growing. It is used not only by individuals connecting with their “tweeps,” but also by businesses connecting with their customers, and even by politicians connecting with their constituents. Social media platforms have become a forum for sharing all manner of expression on all subjects.
Businesses need to take special care in their security training regarding all social media; Twitter and LinkedIn in particular are fertile sources of information for attackers preparing a social engineering attack, because both platforms have high adoption rates in a business setting.
By gathering benign information about a company and “name dropping” in a DM (direct message) conversation, attackers can build a level of trust with insiders and thereby extract secrets. Employees post seemingly innocuous information on Twitter that an adversary can readily gather and assemble. For example, photos of office space and co-workers, descriptions of work (“My jerk of a boss makes me fill in his TPS report every Friday #ihateexcel”), and names of customers or clients each reveal a piece of the picture; together they provide enough information to mount an attack or to recruit unwitting accomplices.
This technique is often used in operational penetration testing. It goes something like this:
An employee receives a call from a person claiming to be a new hire in a different office. The caller says their boss is yelling at them to produce the weekly TPS report, and that they are having trouble with the macros. Finally, the caller asks if the employee could please forward a copy so they can copy the formulas. The employee, feeling sorry for the person on the other end of the phone, sends the file, and the attacker now holds an internal document, the structure of the report, and a name to drop in the next call.
Businesses should implement policies that are well-“socialized” around the office with the following components:
- Never use your work email address as your account ID for social networking services.
- Never use the same account name and password combination for multiple services.
- Websites often ask users the answers to “secret questions” like the high school you attended, or the street you grew up on. Don’t post these “answers” inadvertently on social media.
- Encourage employees to limit social media posts to personal interests, and not related to their work, office, or co-workers unless they have a legitimate business purpose for posting (corporate communications, marketing, etc).
- Never share company information with strangers, including long-time “connections” on LinkedIn or other contacts made only over social media whom you have never met face-to-face. Instead, refer them to your corporate webpage, or say you will have someone get back to them.
- Always ask for a callback number or email address from anyone requesting information by phone, LinkedIn or Twitter, and forward the request to security or to marketing/PR so the requester’s identity can be verified before anything is released.
- Remove references to places of employment from all Twitter profiles.
- LinkedIn profiles can be more complete, but only connect with people you actually know or who are personally introduced to you. Social engineers create fake, legitimate-sounding profiles on LinkedIn and connect to hundreds of people in a particular industry to appear credible. Just because a person is connected to (or follows) many of the same people as you does not mean that they are legitimate.
Twitter and LinkedIn are great tools for business which, if used properly by well-informed employees, need not be a gateway for attackers. Don’t let attackers exploit you via social media. Download the “Keep Them Puzzled” poster now.