Exploiting the social
By Bruce Cowper
Open Source intelligence (OSINT) used to be something that only journalists and spies did.
A rarified practice, it involved mining publicly available information sources to find out everything you could about a target.
Operatives would scour newspapers, then TV and radio broadcasts, and then digital data sets that were hard to find. It took talent and hard work.
Then, social media happened. Now, anyone can be an OSINT operative — including your next online attacker. They may already be mining your employees’ social media accounts for useful information, and when they find it, they’ll put it together with other publicly available data, and use it against you. The security consequences can be calamitous.
Mining professional social networks
Even those employees who use social media responsibly can make it easier for attackers to find attack points in your company. In professional social networks, the relationship metadata alone makes it easier for an attacker to reconnoiter your company and find soft targets.
Attackers like to profile more than just your company’s technical infrastructure because open network ports are not the only attack points. People are soft targets, and social graphs provide a clear picture of your company’s personnel. It’s like an organizational chart in a box.
Not all social networks list a person’s relationships for everyone to see. LinkedIn only makes a person’s relationships visible to their direct contacts. Nevertheless, fake accounts (known as “sock puppets”) can be a great tool for attackers wanting to probe this information.
Attack groups have used LinkedIn sock puppets with surprising success. F-Secure highlighted one such incident in 2015, where attackers used fake LinkedIn profiles to target infosecurity professionals. The fake account, Jennifer White, worked for a bogus company, and all her connections were other fake employees, so this was pretty easy to see through.
A more sophisticated LinkedIn OSINT operation came from “TG-2889,” a group identified by SecureWorks as an Iran-based operation that regularly uses LinkedIn for reconnaissance. Its sock puppetry was more convincing, with two layers.
The first layer consisted of “persona” accounts, with extensive histories, claiming employment at known companies in the security sector such as Northrop Grumman. These were backed by a larger number of less fully-developed secondary accounts that were used to bolster the persona accounts with endorsements. TG-2889 would regularly change the names and photos on its persona accounts, presumably in preparation to hit new targets.
These accounts were used to target infosecurity professionals, some of whom ended up connecting with the fake accounts. If it works on these supposedly hardened individuals, the chances are it will work on your employees, too.
Combining social media information with publicly available data
Consumer social networks are even worse than professional networks in many ways, because they’re an emotional playground and people often switch off their internal filters when posting. People put all kinds of personal information on Facebook that they wouldn’t dream of putting on LinkedIn. That makes them vulnerable, which can make their employers vulnerable.
Social media information doesn’t have to be embarrassing or incriminating to be useful, though, especially when combined with broader OSINT techniques. The hallmark of a good OSINT attack is to find seemingly innocuous information and use it in innovative ways to achieve greater goals. Data becomes information when it has context. Information becomes intelligence when it turns into something you can use.
It all starts with simple data points that can be mined from social media.
Recently, U.K.-based fraud prevention non-profit CIFAS staged a stunt in a coffee shop. Customers were offered free coffee to like the shop’s Facebook page. When they ordered their coffee, the barista asked for their first name. In the time the coffee was made, staff in a van nearby looked up their full name from the Facebook page, and swept online sources for more information. By the time the customer got their coffee, the barista had written their details all over it: addresses, ages, job titles, and more. All from a single Facebook like.
Attackers can begin building a profile of a person from these small data nuggets in a relatively short time. Cross-referencing to other social media sites can be relatively straightforward using people-search sites like Pipl or (for U.S. users) Spokeo.
Searching posts in industry forums can turn up nicknames. If an attacker sees them using a handle on an industry discussion or support forum, he can search for it on Checkusernames to cross-reference other social media sites they may be using.
Because all of this information is available online, searches are disturbingly easy to automate. Chris Maddalena, a security consultant who spoke at SecTor 2016 in Toronto earlier this year, frequently runs sanctioned OSINT operations on his clients to test their security. He even created his own tool to automate OSINT searches.
Automated OSINT can be devastating, especially for targets in countries where more public data is available. If you live in the U.S., then I can find out not only your address, but the tax information on your property. Some states and countries make electoral lists public, which provides yet another reference point for attackers looking to leverage social media data. Others, like Mexico, just accidentally publish them online.
Thinking outside the box
The available information isn’t just textual. One of the attractions of social media is its ability to relay rich information. Shared images and video are the language of social media, and they can often reveal more than you’d expect to a trained eye. Sites like Instagram enable their users to flag accounts or images as private, but many don’t know or care.
Searching employee accounts, or searching by company name or location may yield data from public accounts that can reveal useful things.
One security consultant known to SecTor uses Iconosquare to search for images across social media accounts including Instagram, using hashtags like #myjob. Match this with location and keyword searching, and some workplace shots may pop up. That goofy office pic may show a password written on the wall, or something on a screen. Or maybe just finding out that they all use Macs in that office is enough.
The greater an employee’s attack surface, the more likely an attacker is to find out useful pieces of information that can then be parlayed into intelligence. So, social media can be used as a starting point for further OSINT investigations, but don’t assume that all the information will be accurate. A successful attacker will cross-reference information from multiple sites to sanity-check what they’re finding and weed out extraneous information that a site may have gathered from another account.
Tools are making it easier than ever to gather this information, but it still takes effort. What would someone use it for? Successful reconnaissance can fuel a range of attacks on a target.
Social engineering is the most obvious attack. It can be difficult to persuade someone who doesn’t know you to open an infected file, but it gets far easier if you know a few things about them. Slipping a few things into a conversation while posing as a customer or someone from tech support can be fruitful. Have they been on holiday recently? Do you know who their immediate boss is, or an ex-lover or old school friend? All of these things can be used in a well-crafted email message.
Impersonation is an oft-overlooked attack. Registering an account with the target’s handle on a social network that they don’t use enables the attacker to impersonate them to others. That could be particularly useful when trying to discredit the target or take advantage of the trust that other individuals have in them. Perhaps an attacker might send an infected link to the target’s work colleague from that account to try and gain a foothold on the corporate network. Sometimes, all an attacker needs are a few pieces of information — just enough to answer the personal security questions on their target’s account. The answer to Sarah Palin’s Yahoo security question was found from information from a simple Google search, and the answers to celebs’ security questions were equally easy to find for those hacking nude photos from their Apple accounts. A target’s social media account will often get an attacker what they need to reset an account.
How to protect yourself
Companies that can be targeted via their employees have a duty to protect themselves by policing social media use and having a policy about what corporate information can and can’t be posted.
Not posting corporate information is a no-brainer, but ultimately these accounts are the property of the individual, and the attack points are beyond the company’s control.
The bottom line is this: Social media is a demilitarized zone. You can’t control what explicit or implicit information is gleaned from it. But you can act to protect yourself against the attacks that this intelligence is used for through a mixture of technical protection and employee education.
As part of your social engineering and security awareness training (you are doing that, aren’t you?) include a section on social media. A lot of the steps are common sense, but it takes mindfulness to avoid slipups. In a social world, vigilance is key.
Bruce Cowper is a founding member of the Security Education Conference Toronto (SecTor), the Toronto Area Security Klatch (TASK), the Ottawa Area Security Klatch (OASK) and an active member of numerous organizations across North America. In his day job, Bruce works for Microsoft helping to deliver cloud security and compliance.