emPower

Social Engineering Using Facebook

Banning social network use DOESN’T prevent it being used for social engineering attacks.

An excellent article in Dark Reading describes how a security consulting company carried out an (authorized) social engineering attack on a client using information gleaned from Facebook. The client’s staff had posted information about what they did for the client (job titles, phone numbers, and email addresses) and personal data (appearance, height, weight, family background) – enough information for the consultant to create a bogus business card and then bluff his way into the client’s offices.

In fact, as the article says:

On the day we intended to breach the facility, our guy was dressed with a shirt embroidered with our client’s logo, and armed him with business cards, a fake company badge, and his laptop. Upon entering the building, he was immediately greeted by reception. Our man quickly displayed his fake credentials and immediately began ranting about the perils of his journey and how important it was for him to get a place to check his email and use a restroom. Within seconds, he was provided a place to sit, connection to the Internet, and a 24×7 card access key to the building.

After reaching the goal of accessing the network, he departed at the end of the business day. Later that evening, he returned to the empty office building to conduct a late-night hacking session. As usual, numerous credentials and passwords were obtained from insider sources. Within a short period of time, he had accessed the company’s sensitive secrets.

Scary stuff. However (and I’m going to write this in bold because it’s so important) …

Banning social network use in the workplace would not have prevented this attack from being successful!

The important point to note about this (excellent) article is that banning social network use in the client’s workplace would probably have made very little difference since many of their employees – especially those expressing disaffection – would probably have continued to post the same information to Facebook from home.

Far better, surely, to engage the workforce and explain to them the dangers of social networks – whether used from a company system, or from home.

And one additional thing – if you’re responsible for an organization’s security, you really should be monitoring the social networking space at all times to detect:

  1. Inappropriate posting of information relating to your organization by your organization’s staff
  2. The fraudulent use of your organization’s name/identity
  3. Bogus accounts set up in the name of your organization’s staff
