The traditional method of harvesting credentials has been phishing attacks sent through email. But this method has been superseded by more effective social engineering attacks. I recently came across an article that described attacks using social networking sites such as MySpace and Facebook.
This article describes how social networking sites were used to gather enough information to launch attacks against targeted sites. As part of an authorized penetration test, security experts created a profile on Facebook claiming to be an employee of an energy company.
While it may be more difficult to get people to click on links sent in emails, people are more forthcoming with information when they feel that the other person also has something to share. This is one of the fundamental concepts of these networking sites. They are usually for people who feel that they have something to share and want to connect with other people with similar interests. Many people actually connect with others on an emotional level. The problem here is that there is no way to verify the authenticity of the people in this group.
I can claim to be anyone. This has actually been demonstrated by the fact that some celebrities use a surrogate to post to sites such as Twitter. Anyway, the end result of this experiment with Facebook was that enough credentials and other information were obtained to be able to cause potentially significant damage.
Another problem with sites such as Twitter is that some of what people post can reveal their general location. For example, there was a story on USA Today about a couple who went on vacation and kept twittering their progress as they were driving to their destination. When they got back, they found that their house had been burglarized. While there is no way to say for certain that the thief or thieves learned from Twitter that the homeowners were away, it is very possible.
It is imperative for organizations to educate employees on the “dos and don'ts” with regard to social networking sites and the information that is shared on them.
Links to the articles referred to in this post:
Social engineering your way around security with Facebook
Could Twittering about your vacation put your home at risk?