Social engineering has existed since “grandsons” first sent “friends” to “borrow” money from “their” grandmothers. Those scammers can identify potential victims simply by watching and following them on the street.
The digital version of the trick, in the guise of chain letters and spam, has been around for a few decades, and it is now creeping into businesses at full speed: now that we are all “socially networked” at home and at work, there is little to no separation between business and private life, and (by extension) between internal and public company information.
Why should your company care about your private posts on social networks, whom you “friend”, or which links click-jack you?
Let’s look at a few recent examples. Today, scammers can…
- … identify a company’s security admin (or similar roles) simply by adding up the public information from every network they are on.
Do people list security skills on LinkedIn or Xing without disclosing their employer? Does someone with the same name in the same city mention security conferences and identifiable company events on their private blog or on Facebook?
- … set up fake social network accounts, befriend the friends of security-relevant employees, and work their way up from impersonating those friends to befriending the employees themselves (gaining access to whatever private information they share).
“Sorry, pal, not having a Facebook account is now also a security risk to your colleagues; you wouldn’t want someone to create an account in your name and friend them, would you?”
- … circumvent password reset questions with publicly available information, and then take over your Twitter feed or private e-mail account.
“What about this work mail that I forwarded to my private address… Did it include the collapsed quoted conversation and attachments…?”
- … determine the home address and daily schedule of security-relevant staff by looking at location-based services.
“No, I’d never use these services that track me… My bicycle’s GPS only shares my daily bike trip data on Twitter, including the start/end locations (i.e. home) and start/end time (home possibly unwatched)…”
- … determine which internal security products a company has in place simply by looking at its employees’ public skills (on LinkedIn, Xing, or in forum posts).
“Gee, these guys sure ask lots of questions about this version of that internally used software…”
- … tell when the security admin is out of the office because their partner is posting vacation pictures of them on Facebook.
“No, honey, it doesn’t help to put a black bar over my eyes if you also TIMESTAMP and TAG me in EACH friggin’ photo!”
- … trick employees by mentioning real colleagues and real interests in unsolicited messages that prompt them to install a Trojan horse or other malware.
“Why is suddenly everyone sending me those click-jacking links since I friended the admin…?”
There are even automated tools for some of these attacks: they send friend requests to targeted accounts and back up all of the targets’ publicly available information for later browsing, in case the targets become suspicious (“No, I didn’t contact you, I’m not even on Facebook!”) and unfriend the scammer the same day.
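To make the “adding up public info” point concrete, here is an added example (not from the original post or any tool it mentions) of the kind of correlation an attacker, or a defender auditing their own exposure, would script: fragments from several networks are linked by name and city or by a shared handle, the employer, product versions and conference mentions are pulled out of the free text, and shared GPS trip data is reduced to a probable home location and the daily window in which it is unwatched. All names, handles, products, coordinates and posts below are constructed sample data; the regular expressions are deliberately simple heuristics, not a claim about how any real tool parses profiles.

```python
"""Correlate constructed public-profile fragments into one target dossier."""
import re
from collections import Counter, defaultdict

# Constructed sample fragments (not from the original post). Each record is what one
# network exposes about the same person; no single record says "security admin at
# Acme Corp who is away from home 07:30-18:30", the correlation does.
FRAGMENTS = [
    {"source": "linkedin", "name": "Alex Muster", "city": "Berlin",
     "skills": ["intrusion detection", "SecureGate 4.2 administration"]},
    {"source": "blog", "name": "Alex Muster", "city": "Berlin", "handle": "amuster",
     "text": "Back from the Acme Corp summer party and a great security track at CompanyCon."},
    {"source": "forum", "handle": "amuster",
     "text": "Anyone else seeing SecureGate 4.2 drop VPN sessions after the last patch?"},
    {"source": "gps", "handle": "amuster", "trips": [
        # (date, start, end, start_time, end_time) of shared bike trips; coordinates are made up
        {"date": "2011-05-02", "start": (52.5201, 13.4050), "end": (52.5103, 13.3906), "start_time": "07:30", "end_time": "08:05"},
        {"date": "2011-05-02", "start": (52.5103, 13.3906), "end": (52.5201, 13.4050), "start_time": "17:40", "end_time": "18:15"},
        {"date": "2011-05-03", "start": (52.5201, 13.4050), "end": (52.5103, 13.3906), "start_time": "07:35", "end_time": "08:10"},
        {"date": "2011-05-03", "start": (52.5103, 13.3906), "end": (52.5201, 13.4050), "start_time": "17:30", "end_time": "18:05"},
        {"date": "2011-05-04", "start": (52.5201, 13.4050), "end": (52.5103, 13.3906), "start_time": "07:40", "end_time": "08:12"},
        {"date": "2011-05-04", "start": (52.5103, 13.3906), "end": (52.5150, 13.3990), "start_time": "12:10", "end_time": "12:25"},
        {"date": "2011-05-04", "start": (52.5150, 13.3990), "end": (52.5201, 13.4050), "start_time": "18:00", "end_time": "18:30"},
    ]},
]

# Simple heuristics for free text (assumptions for this example, not a real parser).
EMPLOYER_RE = re.compile(r"\b([A-Z]\w+ (?:Corp|GmbH|Inc|AG))\b")   # "Acme Corp"
PRODUCT_RE = re.compile(r"\b([A-Z][A-Za-z]+ \d+\.\d+)\b")          # "SecureGate 4.2"
EVENT_RE = re.compile(r"\b([A-Z]\w*Con)\b")                        # "CompanyCon"


def identity_key(name, city):
    """Crude identity: same name in the same city counts as the same person."""
    return f"{name.strip().lower()}|{city.strip().lower()}"


def resolve_handles(fragments):
    """Handles become linkable once any one fragment shows handle + name + city together."""
    links = {}
    for f in fragments:
        if "handle" in f and "name" in f and "city" in f:
            links[f["handle"].lower()] = identity_key(f["name"], f["city"])
    return links


def correlate(fragments):
    """Merge every fragment that can be attributed to a person into one dossier per person."""
    links = resolve_handles(fragments)
    dossiers = defaultdict(lambda: {"sources": set(), "skills": set(), "employers": set(),
                                    "products": set(), "events": set(), "trips": []})
    for f in fragments:
        if "name" in f and "city" in f:
            key = identity_key(f["name"], f["city"])
        elif f.get("handle", "").lower() in links:
            key = links[f["handle"].lower()]
        else:
            continue  # not linkable (yet); a real tool would keep it for later matching
        d = dossiers[key]
        d["sources"].add(f["source"])
        d["skills"].update(f.get("skills", []))
        text = f.get("text", "") + " " + " ".join(f.get("skills", []))
        d["employers"].update(EMPLOYER_RE.findall(text))
        d["products"].update(PRODUCT_RE.findall(text))
        d["events"].update(EVENT_RE.findall(text))
        d["trips"].extend(f.get("trips", []))
    return dict(dossiers)


def infer_home_and_absence(trips):
    """Home = most common origin of each day's first trip; absence window = earliest
    departure from home to latest arrival back at home, as HH:MM strings."""
    if not trips:
        return None, None
    by_day = defaultdict(list)
    for t in trips:
        by_day[t["date"]].append(t)
    first_starts = Counter(min(day, key=lambda t: t["start_time"])["start"] for day in by_day.values())
    home = first_starts.most_common(1)[0][0]
    departures = [t["start_time"] for t in trips if t["start"] == home]
    arrivals = [t["end_time"] for t in trips if t["end"] == home]
    if not departures or not arrivals:
        return home, None
    return home, (min(departures), max(arrivals))


if __name__ == "__main__":
    for key, d in correlate(FRAGMENTS).items():
        home, window = infer_home_and_absence(d["trips"])
        print(key, sorted(d["sources"]), sorted(d["employers"]), sorted(d["products"]),
              sorted(d["events"]), home, window)
```

Run as a script it prints one dossier line: four sources, the employer, the internally used product version and the conference, plus the home coordinates and a 07:30 to 18:30 absence window. Note that the LinkedIn record alone never names the employer and the forum post alone never names the person; the damage comes from the join, which is why the individual posts all look harmless to the people making them.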
I don’t have a simple solution for this. It’s impossible to keep your private and your work-related internet personas fully anonymous and apart. It’s impossible to forbid your friends and family from tagging you. And it’s getting harder and harder to keep your Facebook account separate from work, since many companies ask their employees to “like” company posts or to reply to customers’ wall posts.
However, Facebook does not officially allow you to create two accounts (one identity for work, one personal). What if it offered to link two accounts internally (and still showed you the same ads)? Both personas’ “likes” would count as one (and only the most recent one would show, so you could choose whether your work or your private persona “likes” a post, depending on which one is logged in), but otherwise the personas would stay separate to other users. That would solve many of the problems, unless you post your party pics as the wrong persona. :-D
Source (in German): Soziale Netzwerke und ihre Auswirkungen auf die Unternehmenssicherheit (“Social networks and their effects on corporate security”)