In his book Art of Deception, Kevin Mitnick, arguably one of the most notable criminal hackers in history, talks about how he used the phone, not the Internet, to con his way into various companies. Using social engineering, Mitnick was able to insert himself into the target company, often conveying up-to-the-minute information about managers and supervisors being on vacation in order for a subordinate to give him vital corporate information. Today, penetration testers, professional gray-hat hackers who attempt to break into sponsoring companies, use these same social tricks to see whether employees will divulge key information. Often they do so the old-fashioned gumshoe way of walking into a branch office and somehow finagling the company phone book or organization chart out of some hapless employee. Now, commercial spammers and phishers are starting to use social engineering. In what's known as spear-phishing, they can target an individual, sharing just enough personal information to earn their trust. But the individuals being spammed aren't always corporate execs, they include ordinary people. And the personal information the spammers are using can be harvested in just a few hours, just by scanning someone's Facebook or MySpace page.
Personal threats from social networks
I talked with Tod Beardsley, lead counterfraud engineer for TippingPoint, a provider of network-based intrusion prevention systems. TippingPoint monitors several Fortune 500 companies, but we talked about the growing influence of social networks in the corporate workplace. "I think the main threat that most people would associate with social networking is the threat of too much information," he said.
When you have these giant open sites that contain a lot of personal information or relationship information between people, it's suddenly a lot easier to replicate these Mitnick-style social engineering attacks with a lot less effort.
"The story with social networking is they ask you a bunch of questions about yourself and people will generally answer them. This includes things like name, age, where you live, and who your friends are. The threat comes from the fact that other people can harvest this information, and they can harvest it automatically." Beardsley said that Kevin Mitnick was able to reconstruct the organization chart in companies that he was targeting in order to insert himself into fake e-mail threads and more. "When you have these giant open sites that contain a lot of personal information or relationship information between people, it's suddenly a lot easier to replicate these Mitnick-style social engineering attacks with a lot less effort."
Companies do or do not allow it
So should companies allow access or not? Beardsley said the answer depends on corporate culture, how individual HR and IT departments feel about social networks. "Like instant messaging, people do this at work, and while they're at work they tend to be talking about work. So one of the problems that companies face now is: Are people populating their resumes with confidential information, information on a secret project they're working on--stuff like that."
Beardsley said that high-tech companies, companies that are government contractors, and even the government itself should probably monitor what their employees post to these sites. "There is this issue with employees giving away too much about how they do their jobs, and what they do at their jobs, and what their backgrounds are in. That can make it fairly easy for a hacker to collect this information and figure out who's worth targeting and that sort of thing."
Aside from spreading information, social networks are becoming targets for malware. Just as corporate e-mail was used to spread Melissa and ILoveYou, social networks are becoming enormously popular with malware writers. "If the user is uploading something malicious like, say, the Sami worm," Beardsley said, "and if you run pretty much everything that you get from MySpace, you'll get hit. Not just you, but millions of other people." He continued, "If you have a browser zero-day, you know that as soon as you can get it onto MySpace, you will instantaneously get millions of people to follow it, and that's the Internet, the entire Internet.
Beardsley continued, "If you have a browser zero-day, you know that as soon as you can get it onto MySpace, you will instantaneously get millions of people to follow it.
"The thing is that every time there's a bug in a Web browser, usually one of the mitigating factors is that you should only visit Web sites you trust and that you know. Well, with this trust relationship that you may have with Facebook or MySpace or LinkedIn, or any of these networking sites--that trust is not only with those particular corporate entities but all their users, all their advertisers, all the content-aggregating servers that they use, all of these guys inherit the supertrust that you have given these social networking sites."
Some dos and don'ts when using social networks
Beardsley said the best thing you can do is support your company's nondisclosure agreement. "When you got hired, you signed an NDA if you work in technology at all, or any kind of engineering, or biochemistry, or pharmaceuticals. There are all of these NDAs, so read them. Because when you write your resume or you tell people online what you do for a living, you may be violating it, and your HR department and your legal department can search these sites just as much as the bad guys. They can become your adversary in this scenario."
As for the IT side, Beardsley said, it's on a per-company, per-organization basis when deciding whether you want to allow social networking at work. "It would be naive to think there aren't vulnerabilities in them," he said. "So, for IT departments, they need to realize that this is an attack vector. It's not just fun. It's not just a productivity stealer."
Beardsley noted that the Better Business Bureau recently had a problem. While the problem wasn't directly related to Facebook, MySpace, or LinkedIn, criminals were able to view complaints made online to the BBB and then tailor a special spam campaign toward them. Like social networking attacks, the criminals were able to identify the recipient by name and some recent history, therefore conveying a sense of legitimacy and trust.
"The advice that people give for trying to identify phishing ... is that typically [spammers] don't address you by name. Typically they would address you as "dear valued customer" or "dear potential investor" or something like that. When someone addresses you by name, and they seem to know at least one detail about your recent history, people tend to trust that a lot more than the "dear valued investor" letters." This type of "spear-phishing" will become common in the near future, said Beardsley.
E-mail can be spoofed
We've lived with the fact that e-mail can be spoofed for years. While plans exist to make e-mail more easily authenticated, Beardsley said nobody's picking up on them. "I guess it's not that big of a deal yet.
"I have no idea what the percentage is of money lost to phishing campaigns, as opposed to money generated by the Internet. I suspect it's lower than most sales taxes. So it's probably not that big of a deal in the grand scheme of things. But if I lose $5,000 to a phishing campaign, that's a big deal for me." And probably for you as well.
You can hear more of my interview with Tod Beardsley about social networking threats in this week's Security Bites podcast.
Are you concerned about your MySpace or Facebook or LinkedIn profile someday being used in a personal attack? Talk back to me