BEWARE THE SHARE – WHEN SOCIAL MEDIA GETS TOO SOCIAL
Posted on May 21, 2018, by Lucy Leaper
Whether you’re a social media user or not, there’s no doubt that many of your staff will be. From communicating with friends to posting their latest holiday snaps, people are getting more comfortable with sharing every aspect of their lives with the online world.
But, by sharing so much of our personal and professional lives, are we potentially playing into the hands of hackers and cyber criminals? Providing them the information they need to target not only us as individuals, but the organisations we work for.
It may sound farfetched, but those determined to breach an organisation can find a treasure trove of information through an active social media profile. All it takes is one piece of information and hackers can utilise this to steal passwords, gain access to organisational networks, and potentially cause widespread disruption within a company.
So, what do you need to be wary of when it comes to being overly social?
A picture really can speak a thousand words
Everyone loves sharing a great picture via social media, from what you had for dinner to your latest office social event. But a picture really does speak a thousand words, and an image which seems relatively innocent can give away more information than you think, especially when it’s related to work.
If someone takes a picture at their desk and shares it, what could it show a potential hacker? Can you see the office layout? Are there any screens showing operating systems or the software you are using? Can you see post-it notes in the background with usernames and/or passwords on them? Are employee names or email addresses visible? Even something as seemingly innocuous as celebrating an employee’s birthday can give away vital personal info, like date of birth. It’s amazing what you can find out from just from a picture.
Keeping tabs on your location
Imagine someone was following you, tracking your every move and understanding your daily habits. Discovering where you like to go, even where you’ve visited in the last few days. Sounds pretty scary. But people are following you all the time, socially speaking, they know all about you and where you like to go.
Whether you’re ‘checking in’ to work, tagging yourself in a picture at the local bar, or sharing a recent running route. We are constantly giving away a host information about our movements just through our social posts.
To bring it back to a ‘physical’ world example, you wouldn’t tell a burglar that you’re going on holiday for two weeks, but yet we’re happy to advertise this sort of information, and more, on social media for everyone to see.
Location information, while seemingly harmless, can act as a small piece of a puzzle and when put together with other social information it can give a potential hacker the ammunition they need to launch a credible attack.
For example, location information could tell hackers which restaurants you like to visit, which gym you may be a member of or even where you like go on holiday. This information can then be used to launch a convincing spear-phishing attack.
Who’s listening in?
Ok, it’s not strictly social media, but we’ve all overheard conversations whilst sitting on a train or in a coffee shop. These are usually mundane, chatting about the latest TV series or what time they are going to get home, but sometimes it’s far more interesting, especially from a hacker’s point of view.
It’s not uncommon to hear conference calls, complaints about work, feedback from the latest client meeting, and names of the people involved too. You can learn a lot about a company and its inner workings from these overheard conversations.
Now, imagine you’re an opportunistic hacker listening in. This could be an information gold mine, giving you everything from employee names, mobile phone numbers and email addresses, to information about the latest business deals or projects. And all you had to do was sit in a coffee shop near a company office.
How would a hacker really use this information?
As we mentioned, all it takes is one small piece of personal information and hackers can use this to launch an attack. But how would they do?
Social engineering, that’s how. So, let’s start to think like a hacker……
- Step 1: Choose your target company and employees
First, it starts with a target organisation and their employees. LinkedIn is the perfect resource to find out who works where, as well as their job titles, you can also get a list from people ‘checking in’ via social media.
Once you have your list of employees, you can start to shortlist those you believe to be less security conscious. If their Facebook is locked down then it’s likely they are thinking about security; their job title may also help and a CISO is more likely to be on the ball when it comes to a potential hack.
- Step 2: Find their email
Now you have a shortlist you need to find their email address. Company emails are usually easy to guess, chances are it’s firstname.lastname@example.org or email@example.com. Even if it’s a bit more complex, the likelihood is you can find it by doing a quick search. Even easier, the person might have put their email address on their LinkedIn profile.
- Step 3: Try to guess their password
With the email address you could try to force entry using common passwords, you never know you could get lucky with ‘Password123’. Alternatively, you could take a look at a password dump from a previous data breach, such as LinkedIn.
- Step 4: If that doesn’t work…..
Scam the person into giving away their password details. To do this you’ll need a realistic sting. Social media can again help set this up. Is the person an active member of a online group or community, have they got any particular interests, have they exposed what companies they do business with, do they visit a certain restaurant frequently, do they like a certain sports team, have they mentioned a piece of software they use at work?
With a nugget of information, you can now craft a convincing spear phishing email. Offer them money off coupons for their favourite restaurant, win free tickets to the football by signing up, say that an urgent software update is needed which they need to login to obtain. By choosing something relevant to them you increase your chances of obtaining the information you need.
- Step 5: What else are they using that password for?
Now you’ve got a password there’s a good chance the victim will be using the same details to login to other services, maybe even for their work network. If this is the case, you can now access an organisation’s network, using this as the starting point of your attack on the company.
Protecting yourself and your business
Now you know about the dangers of oversharing and how you can be exposed, how do you go about ensuring your company remains protected from a cyber-attack?
- Training and education
It’s essential that your staff know about the potential threats and are shown real world examples of how hackers can use simple social information to launch an attack. This will help them think more like a hacker, and they will be more considered when it comes to what they share.
However, this is not a silver bullet and phishing campaigns are becoming ever more sophisticated. Even the experts can find it difficult to tell the identify phishing emails, social posts and texts.
Supporting your security efforts
Despite the potential security concerns when it comes to social sharing, your people can remain your greatest strength if they have the right information and the right training.
Education is a key aspect of your security improvement efforts, but it’s only a small part. To be truly effective a wider cultural shift needs to take place, one where a security mindset is adopted across your organisation. This shift needs to come from the top down and by adopting this type of thinking you ensure that security happens at every stage, not as an afterthought.
At Secarma, we’re here to support these security improvement efforts, helping you to develop your security culture and to help you to start to think like the hackers. Whether that’s through our educational blogs, our cybersecurity training courses, or the security testing we conduct on behalf of our clients.