social networking - an ethical hacker's view
DESCRIPTION
People gossip because they like gossiping together. It’s in the make-up of the creature: humans are sociable gossiping animals. We can't change those core characteristics of our natures.TRANSCRIPT
Social Networking
An Ethical Hackers’ View
Peter WoodChief Executive Officer
First•Base Technologies LLP
Slide 2 © First Base Technologies 2011
Who is Peter Wood?
Worked in computers & electronics since 1969
Founded First•Base in 1989 (one of the first ethical hacking firms)
CEO First Base Technologies LLPSocial engineer & penetration testerConference speaker and security ‘expert’
Chair of Advisory Board at CSA UK & IrelandVice Chair of BCS Information Risk Management and Audit GroupDirector UK/Europe Global Institute for Cyber Security + ResearchMember of ISACA London Security Advisory GroupCorporate Executive Programme Expert
FBCS, CITP, CISSP, MIEEE, M.Inst.ISPRegistered BCS Security ConsultantMember of ACM, ISACA, ISSA, Mensa
Slide 3 © First Base Technologies 2011
Information leakage
Slide 4 © First Base Technologies 2011
Social technologies
• Blogs and Wikis• Social networking• Instant Messaging• Web conferencing• VoIP• P2P• IPTV
Slide 5 © First Base Technologies 2011
Yada yada yada
• People have always talked about work to their friends
• What has changed is the nature of how we interact
• We talk about our lives on our blogs, on social networking sites such as Facebook and Twitter, and on message boards pertaining to the work we're doing
• What was once intimate and ephemeral is now available to the whole world, indexed by Google, and archived for posterity
• A good open-source intelligence gatherer can learn a lot about what a company is doing by monitoring its employees’ online activities
Bruce Schneier
Slide 6 © First Base Technologies 2011
Putting it all together
Slide 7 © First Base Technologies 2011
Information harvesting
• Identity theft- Both personal & business
• Corporate hierarchy (social engineering)• E-mail addresses (spam, social engineering,
malware)• Phone numbers (sales calls, social
engineering)• Technical infrastructure (hacker
footprinting)• Business plans (industrial espionage)• Sensitive information (legal, contractual
penalties)
Slide 8 © First Base Technologies 2011
A hacker’s perspective
• “It's the easiest way passively to gain intelligence on the largest groups of society and nearly every walk of life”
Robert Hansen, aka RSnake, founder of SecTheory LLC
• Social networking sites by nature aren't secure• They typically don’t authenticate new members - you
can’t always be sure that your online friend is who she says she is - and attackers can easily exploit and capitalize on the “trusted” culture within the social network
• Users often don't deploy the security and privacy options that some of these sites offer, either
Kelly Jackson Higgins, DarkReading
Slide 9 © First Base Technologies 2011
Twitter from a hacker’s perspective
• Twitter introduces a whole other element to social networking security - physical security ... leading to burglary, stalking, etc.
• “I never talk about where I am, who I'm with, where I'm going, or any other specific details, but that doesn't stop anyone else who knows that same information from doing that behind my back - maliciously or not.”
Robert Hansen, aka RSnake, founder of SecTheory LLC
Slide 10 © First Base Technologies 2011
Please burgle my house
A survey of >2,000 social media users in UK:• 38% posted status updates detailing their holiday plans• 33% posted that they are away for the weekend
Legal & General’s Digital Criminal Report
"We were saying, 'This has been the best vacation we ever had'," Claudette McCubbin said about her recent vacation to Florida.Unfortunately, all the relaxation was lost when they arrived back to Knoxville Wednesday. The family room and bedrooms in the West Knoxville house were all trashed. Thousands of dollars in electronics were missing.Claudette posted messages stating when the family was leaving and how much fun they were having when they arrived in Florida. "I wanted to share with our friends everything that we were doing. We know a lot of people. We have a really good support group. Who would've thought that one of them [a thief] saw that or maybe a friend of a friend. That was a huge mistake," Claudette said.
WBIR.com 02/04/2010
Slide 11 © First Base Technologies 2011
LinkedIn from a hacker’s perspective
• Hamiel and Moyer demonstrated at Black Hat USA and Defcon 16 that you don’t even have to have a social networking profile to be targeted
• They were able to easily impersonate Marcus Ranum (with his permission) on LinkedIn
• Ranum didn’t have an account, so they lifted Ranum’s photo off the Internet and gathered information on him online and built a convincing phony Ranum profile.
Slide 12 © First Base Technologies 2011
SPAM and Trojans on social sites
• Attackers hijacked some Facebook accounts
• Posed as members and sent messages to their friends to dupe them into viewing a video clip link
• In fact it was a Trojan that downloaded malware onto their machines once they opened the link
http://news.cnet.com/8301-1009_3-10246536-83.html
Slide 13 © First Base Technologies 2011
• Users don’t always realize that third-party apps for Facebook, for example, aren’t written by Facebook
• Some collect more information than necessary or safe
• Others have been written specifically to install adware or generate revenue
• “Secret Crush” on Facebook spread spyware
• Victims received an invitation to find out who has a secret “crush” on them, lured them into installing the Secret Crush app, which spread spyware via an iFrame
• The attack became worm-like when it required the victim to invite at least five friends before learning who their “crush” was
Widgets and apps
Kelly Jackson Higgins, DarkReading
Slide 14 © First Base Technologies 2011
Some key problems
• Impersonation and targeted personal attacks
• Identity theft
• Spam and bot infections
• Crossover of personal to professional online presence
• Data Leakage
• Corporate espionage
Slide 15 © First Base Technologies 2011
Tips to minimise exposure
• Don’t reveal personal or sensitive information in social networking sites or blogs
• Set the privacy options in social networking sites
• Don’t discuss confidential information online
• Don’t ‘friend’ people (or accept invitations from people) you don’t know
• Don’t post anything you wouldn’t want everyone to see
• … and remember: what goes on the Internet, stays on the Internet!
Slide 16 © First Base Technologies 2011
The social media attack
Slide 17 © First Base Technologies 2011
Mr Bloggs is away from the
office on holiday and will
return on 5th May
“It’s great to be away from the office with no
interruptions!”Mr Bloggs
“I’m a new boy at Fine Widgets and I report to Mr Bloggs”
“Please connect with me!”
“Be my friend!”
“Be my friend!” “Be my
friend!”
“Be my friend!”
“Be my friend!”
“Be my friend!”
“Be my friend!”
“Be my friend!”
Help Deskperson
Help Deskperson
“Hello Harry, this is Andy the new boy – we met on LinkedIn. I need an email account and a Windows
account please!”
“Hello Andy. I’m sorry but I need
authorisation from your manager before
I can set up any accounts for you”
“My manager, Mr Bloggs, is on holiday, but he sent an email authorising this –
I’ll send you a copy!”(Forwards fake email from
personal mail account)
“Well, since you have an email from your manager, and as I
know you from LinkedIn … I’ll set up your accounts for you
now.”
“Now I have a valid email account, everyone will believe I work
here!”
“With a valid Windows account, I can get access to all that sensitive
data!”
Peter WoodChief Executive Officer
First•Base Technologies LLP
http://firstbase.co.ukhttp://white-hats.co.ukhttp://peterwood.com
Blog: fpws.blogspot.comTwitter: peterwoodx
Need more information?