Are You A Social Media Exhibitionist?

By ISBuzz Team, September 16, 2013

Your status updates and tweets could be revealing more than you think

According to AllTwitter, every minute of the day more than 100,000 tweets are sent, 684,478 pieces of content are shared on Facebook, 48 hours of video are uploaded to YouTube, and 3,600 photos are shared on Instagram. It won’t be long, if it hasn’t happened already, before an individual’s expertise or popularity is measured purely by the number of ‘followers’ or ‘friends’ they have. From the famous to the infamous, everyone seems happy to tell virtual strangers what they had for dinner or where they are going on holiday. The problem is that while many treat status updates as a way to raise their profile, far too many users are oblivious to the intimate details they are innocently revealing, not only to friends but to the bad guys too.

In September 2012, users of the popular photo-sharing site Pinterest began complaining about widespread account takeovers that spilled image spam onto connected social networks. Users who had linked their Pinterest account to Facebook or Twitter found that the spammers quickly took advantage of that access, blasting out tweets and wall posts linking to the spam images.

Once Pinterest was notified of the attack, it advised users to use a unique password for each social networking site. It said nothing, however, about refraining from linking Pinterest accounts to other networks.

Users should be particularly careful when linking social networking accounts. Every link is a standing authorisation: if an attacker compromises one account, the right it holds to post to the others comes with it, which is exactly what the Pinterest spammers used. Users should review the links between their social media accounts, identify what information and posting rights each link grants, and revoke any that are not needed.

The Pinterest incident is just one of many showing how data we hand to social networks can be used in ways we never intended. Photos shared through Twitter and similar services, for instance, often still carry the EXIF metadata the phone’s camera wrote into the file, including GPS coordinates, allowing someone to track our movements without our knowledge.
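To make the metadata point concrete, here is an added example (not code from the article or from PhishMe) that walks a JPEG’s segments, pulls the GPS latitude and longitude out of the Exif APP1 block, and strips that block so the file can be shared safely. The JPEG it builds is constructed in memory and is not a decodable picture; it reproduces only the segment and IFD layout a camera writes, and the coordinates in it are made up.

```python
"""Show how the EXIF block in a photo leaks GPS coordinates, and how to strip it before sharing.
Added example, not code from the article or from PhishMe: a hand-rolled JPEG segment walker and
TIFF/IFD reader. The JPEG it builds is constructed in memory (not a real photo), so it runs offline."""
import struct

EXIF_HEADER = b"Exif\0\0"
GPS_IFD_POINTER, LAT_REF, LAT, LON_REF, LON = 0x8825, 0x0001, 0x0002, 0x0003, 0x0004

def build_jpeg_with_gps(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed test data: SOI, APP1/Exif carrying only a GPS IFD, a COM segment, EOI.
    Not a decodable picture; it reproduces just the segment layout a phone camera writes."""
    def rationals(dms):
        return b"".join(struct.pack("<II", num, den) for num, den in dms)
    ifd0_off, gps_off = 8, 26                   # TIFF header = 8 bytes, IFD0 = 2 + 12 + 4 bytes
    lat_off = gps_off + 2 + 4 * 12 + 4          # GPS IFD = count + 4 entries + next-IFD pointer
    lon_off = lat_off + 3 * 8                   # each coordinate = 3 RATIONALs of 8 bytes
    tiff = b"II" + struct.pack("<HI", 42, ifd0_off)
    tiff += struct.pack("<H", 1) + struct.pack("<HHII", GPS_IFD_POINTER, 4, 1, gps_off) + struct.pack("<I", 0)
    tiff += struct.pack("<H", 4)
    tiff += struct.pack("<HHI", LAT_REF, 2, 2) + lat_ref.encode() + b"\0\0\0"  # ASCII <= 4 bytes: inline
    tiff += struct.pack("<HHII", LAT, 5, 3, lat_off)                           # RATIONAL x3: at offset
    tiff += struct.pack("<HHI", LON_REF, 2, 2) + lon_ref.encode() + b"\0\0\0"
    tiff += struct.pack("<HHII", LON, 5, 3, lon_off)
    tiff += struct.pack("<I", 0) + rationals(lat_dms) + rationals(lon_dms)
    app1, com = EXIF_HEADER + tiff, b"constructed"
    return (b"\xff\xd8" + b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1
            + b"\xff\xfe" + struct.pack(">H", len(com) + 2) + com + b"\xff\xd9")

def iter_segments(data):
    """Yield (marker, payload, start, end) per JPEG segment; SOS is yielded with all the scan data after it."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xDA:                                    # SOS: entropy-coded data follows
            yield marker, data[pos + 2:], pos, len(data)
            return
        if marker == 0xD9:                                    # EOI
            yield marker, b"", pos, pos + 2
            return
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:  # standalone markers, no length field
            yield marker, b"", pos, pos + 2
            pos += 2
            continue
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, data[pos + 4:pos + 2 + length], pos, pos + 2 + length
        pos += 2 + length

def _dms_to_decimal(dms, ref):
    degrees = sum((num / den) / unit for (num, den), unit in zip(dms, (1, 60, 3600)) if den)
    return round(-degrees if ref in ("S", "W") else degrees, 6)

def _read_gps(tiff):
    """Walk IFD0 -> GPS IFD inside the Exif TIFF blob; return (lat, lon) in decimal degrees or None."""
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None or struct.unpack(endian + "H", tiff[2:4])[0] != 42:
        return None
    def entries(off):
        count = struct.unpack(endian + "H", tiff[off:off + 2])[0]
        for i in range(count):
            yield struct.unpack(endian + "HHI4s", tiff[off + 2 + 12 * i:off + 14 + 12 * i])
    ifd0 = struct.unpack(endian + "I", tiff[4:8])[0]
    gps_off = next((struct.unpack(endian + "I", val)[0] for tag, typ, _, val in entries(ifd0)
                    if tag == GPS_IFD_POINTER and typ == 4), None)
    if gps_off is None:
        return None
    fields = {}
    for tag, typ, count, val in entries(gps_off):
        if typ == 2:                                          # ASCII: inline if <= 4 bytes, else at offset
            raw = val if count <= 4 else tiff[struct.unpack(endian + "I", val)[0]:][:count]
            fields[tag] = raw.rstrip(b"\0").decode("ascii", "replace")
        elif typ == 5 and count == 3:                         # deg/min/sec as three RATIONALs
            off = struct.unpack(endian + "I", val)[0]
            fields[tag] = [struct.unpack(endian + "II", tiff[off + 8 * k:off + 8 * k + 8]) for k in range(3)]
    if not all(t in fields for t in (LAT_REF, LAT, LON_REF, LON)):
        return None
    return _dms_to_decimal(fields[LAT], fields[LAT_REF]), _dms_to_decimal(fields[LON], fields[LON_REF])

def extract_gps(jpeg):
    """Return (lat, lon) if the file carries Exif GPS tags, else None."""
    for marker, payload, _, _ in iter_segments(jpeg):
        if marker == 0xE1 and payload.startswith(EXIF_HEADER):
            return _read_gps(payload[6:])
    return None

def strip_exif(jpeg):
    """Copy of the file with every APP1/Exif segment dropped; image data and other segments are untouched."""
    out = bytearray(jpeg[:2])
    for marker, payload, start, end in iter_segments(jpeg):
        if not (marker == 0xE1 and payload.startswith(EXIF_HEADER)):
            out += jpeg[start:end]
    return bytes(out)

if __name__ == "__main__":
    photo = build_jpeg_with_gps(((51, 1), (30, 1), (36, 1)), "N", ((0, 1), (6, 1), (36, 1)), "W")
    print("leaked:", extract_gps(photo))                     # (51.51, -0.11)
    print("after strip:", extract_gps(strip_exif(photo)))   # None
```

Two caveats for real files: location can also hide in an APP1 XMP packet or in vendor MakerNotes, so a production stripper should drop all APP1 segments rather than only the one starting with "Exif", and the big platforms now strip Exif on upload, but the same photo forwarded by e-mail, a messaging app’s "send original" option, or a cloud link keeps it.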

Opaque or transparent?

Many individuals are blissfully unaware of the security risks these public platforms pose. Revealing who you are in contact with and where you spend your time has obvious physical security implications, but the risks run much deeper, and not just for the individual concerned: for an employee, it can also leave the organisation they work for exposed to unnecessary risk.

The reality is that today’s criminals are busily scanning these public forums, researching their victims and collecting any personal information that can be used to attack the individual and/or their network of friends and peers. Using this intelligence, they craft messages that are highly customised and immediately win the potential victim’s trust. This is spear phishing.

Spear phishes encourage recipients to open a malicious attachment, follow a deceptive link that introduces malware onto the user’s device and the infrastructure it connects to, or disclose personal information that criminals can use fraudulently. This leaves the employee and the employer open to potentially massive security breaches: loss of customer data, loss of R&D information, system disruption, you name it.

Two pronged defence

Rather than reiterate the risks, let’s look at what can be done to mitigate these attacks.

For organisations, corporate policy is the first prong, especially for offering guidelines and setting expectations: detailing what is and isn’t acceptable behaviour on social media, for example around the use of the privacy settings available on platforms such as Facebook. That is reasonable for someone’s professional persona, but it is increasingly difficult to dictate what someone can and can’t do online in their personal life.

This is where training bridges the gap. People need to be made aware not only of what they should and shouldn’t be doing, but also of what to look out for, and to understand how they might be targeted.

For example, one social media avenue phishers exploit is shortened URLs. On Twitter a criminal can use bit.ly or a similar service to hide the true destination of a link. Users need to be aware that clicking a link may not take them to paradise but could lead them up a dark virtual alley. A simple mitigation is a browser plug-in that shows the underlying URL when the cursor hovers over a short link, unmasking the true destination before it is clicked. Bear in mind that a short link often chains through several redirects, so what matters is where the final hop lands, not just the first.
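The unmasking a hover plug-in does can also be done by hand, and doing it by hand shows why the whole chain matters. Here is an added example (not code from the article or from PhishMe) that resolves a short link by issuing HEAD requests and following each Location header itself, so no page body is ever downloaded, and stops on a loop or an over-long chain. The tiny HTTP server at the bottom is constructed test data standing in for a URL shortener, so the example runs offline; no real shortener or URL is involved.

```python
"""Unmask a shortened URL by following its redirect chain with HEAD requests, never fetching a page body.
Added example, not code from the article: the local redirect server below is constructed test data
standing in for a URL shortener, so the whole thing runs offline."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urljoin, urlsplit

REDIRECTS = (301, 302, 303, 307, 308)

def _head(url, timeout=5.0):
    """One HEAD request with redirects NOT followed. Returns (status, Location header or None)."""
    p = urlsplit(url)
    if p.scheme not in ("http", "https"):
        raise ValueError("refusing non-HTTP scheme: %r" % p.scheme)   # javascript:, file:, data: ...
    cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
    conn = cls(p.hostname, p.port, timeout=timeout)
    try:
        path = (p.path or "/") + ("?" + p.query if p.query else "")
        conn.request("HEAD", path, headers={"User-Agent": "url-unmask-example/0.1"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def expand_short_url(url, max_hops=5):
    """Return the full chain of URLs, first to last; the last element is where a click would really land.
    Raises on a redirect loop or an over-long chain instead of following it forever."""
    chain = [url]
    for _ in range(max_hops):
        status, location = _head(chain[-1])
        if status in REDIRECTS and location:
            nxt = urljoin(chain[-1], location)      # Location may be relative
            if nxt in chain:
                raise RuntimeError("redirect loop: " + " -> ".join(chain + [nxt]))
            chain.append(nxt)
        else:
            return chain
    raise RuntimeError("more than %d hops, giving up: %s" % (max_hops, " -> ".join(chain)))

# ---- constructed stand-in for a URL shortener (test data, not a real service) ----
class _FakeShortener(BaseHTTPRequestHandler):
    ROUTES = {"/s/abc": (302, "/landing"),        # short link -> intermediate tracker
              "/landing": (301, "/final"),        # tracker -> the page a victim actually lands on
              "/loop": (302, "/loop")}            # a misbehaving link
    def do_HEAD(self):
        status, location = self.ROUTES.get(self.path, (200, None))
        self.send_response(status)
        if location:
            self.send_header("Location", location)
        self.end_headers()
    def log_message(self, *args):                  # keep the demo quiet
        pass

def start_fake_shortener():
    """Serve the routes above on a random localhost port; returns (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), _FakeShortener)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]

if __name__ == "__main__":
    srv, base = start_fake_shortener()
    try:
        print(" -> ".join(expand_short_url(base + "/s/abc")))   # .../s/abc -> .../landing -> .../final
    finally:
        srv.shutdown()
```

Even a HEAD request touches every host in the chain, so run this kind of resolver from an isolated box or a sandboxed service rather than the user’s own workstation, and remember that a shortener or tracker may answer HEAD differently from GET, so the final URL is a strong hint, not proof.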

It’s a brave new digital world, but it’s also fraught with dangers. Employees need to understand what their virtual profile says about them, both intentionally and unintentionally, if they are to avoid leaving themselves, and your company, vulnerable to attack.

About the Author:

Rohyt Belani | PhishMe CEO and co-founder

Prior to starting PhishMe, Rohyt served as Managing Director at Mandiant, Principal Consultant at Foundstone, and Researcher at the Software Engineering Institute. He is also an adjunct Professor at Carnegie Mellon University.

Rohyt is a regular speaker at various industry conferences including Black Hat, OWASP, Hack in the Box, InfoSec World, and several forums catering to the FBI, US Secret Service, and US military.

He has also written technical articles and columns for online publications and has been interviewed by CNBC, CNN, BBC, Forbes magazine, and other mainstream media.

PhishMe

PhishMe Inc is based in Northern Virginia, just outside of Washington DC, with additional offices in New York City. The company is a self-funded software firm that focuses on educating individuals in how to avoid the ever-increasing threat from phishing attacks.

The PhishMe product is an evolution of over 10 years of social engineering assessments we performed as consultants for customers. As our founding team looked at the results of the annual assessment model we implemented for clients, we realised that to effectively combat phishing attacks, our customers needed to combine compelling exercises with dynamic training.


The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
