A Hacker’s View: Social Media Protections in an Increasingly Connected World

I’m a professional hacker, or as we are referred to in the security industry, a penetration tester. As a penetration tester, I am hired by organizations to attack their systems, networks, applications, and employees in the same fashion that a malicious attacker would. It is my job to find and exploit weaknesses before malicious attackers can. These weaknesses include application and network-based attacks (exploiting a vulnerability in a company’s software or hardware), physical attacks (gaining unauthorized physical access to a company’s offices) and social engineering attacks (targeting a company’s employees via email (phishing), phone (vishing) or SMS (smishing) messages).

When performing a social engineering attack, social media is a godsend and often my first stop on any engagement. It should come as no surprise that, as the world becomes increasingly connected and social media plays a major part in the lives of the majority of the world’s population, the potential for over-sharing and putting one’s personal data at risk becomes exponentially greater.

One of the first steps for any social engineering attack is to properly identify targets. Identifying the targets often entails identifying employees that would have privileged access on the network, or access to others who would have that access, such as executive assistants. After identifying potential targets, the next step is to start performing reconnaissance on the targets, identifying their likes and dislikes, family members, personal and professional habits, important dates, etc. With this information, I can begin building custom password lists to be used for password spraying attacks (this is an attack where multiple passwords are “sprayed” against a users’ logins in the hopes of gaining access to their resources), as well as gathering information to craft targeted phishing/vishing/smishing campaign, unique to the target. This type of targeted phishing is often referred to as spear phishing.

Before social media, doing proper reconnaissance on a target could take days or weeks, while now it can be done in a matter of hours. With the multitude of social media options available, it is almost a given that an individual or organization that I’ve been tasked with assessing will have accounts on at least one of the popular platforms. I regularly review profiles on Facebook, Twitter, Instagram, TikTok and even some lesser-known platforms during assessments to identify useful data for my “attacks.”

The chronic oversharing that takes place on social media can be a significant risk for users who regularly and unknowingly provide data that attackers can leverage during common attacks: important dates, family member names, pet names, childhood memories, and things the target likes to spend their time doing. As explained above, this seemingly mundane data can be helpful for crafting password lists to be used in password spraying attacks. EXIF data (EXIF is metadata of an image file that can give location, camera used, shutter speed, date, etc.) can also be used to determine a user’s habits and tendencies, allowing the attacker to learn the user’s schedules and proclivities. Camera or phone data can be useful when creating targeted attacks, such as exploits targeting the phone the user is using. Knowing locations the target frequents can allow for more “physical” based attacks, where I can get close enough to the target, to clone their building access card using an RFID cloner or plant a malicious USB drive on their person or in an area where they are likely to pick it up and hopefully use it.

How do attackers take seemingly benign posts and learn the target’s deepest secrets? The answer to that is simple: every “quiz” or “get to know you” that’s filled out, every picture posted and every rant made gives an attacker more information with which to work. All this data is used to build a dossier on the target, that can then be used to attack the target, their loved ones, or one’s employer.

My targets are not in any actual danger, as my objective is to help their organization’s better secure sensitive data and access. A real-life attacker, however, may have much more sinister objectives in mind. Oversharing can have very real-world consequences such as identity theft and unauthorized banking access, but could also include threats of physical harm.

Fortunately, there are things that social media mavens can do to help protect themselves while still enjoying all that social media has to offer.

  1. Disable location services (GPS) on both cameras and social media apps. This avoids providing location information to an attacker who has gained access to social media profiles.
  2. Lock down social media profiles so that only friends can see posts. Properly vetting friend requests limits the audience to which information is shared.
  3. Always avoid sharing intimate details on public profiles. If it is necessary to post to public profiles or make a public post on an individual’s secured profile, avoid sharing intimate details about one’s self, workplace or loved ones.

As the workforce becomes more comfortable with social media, companies should consider the following:

  1. Companies should have social media policies, providing guidelines for how users share information pertaining to the company.
  2. Companies should provide security awareness training enforcing the principles outlined above, guiding employees on how they can safely use social media.

Following these guidelines can help protect critical personal data, while still allowing users to enjoy the benefits of social media.

To learn more about how our Attack and Penetration capabilities can help organizations protect employee data (and train employees to protect their personal data), contact us.

Uriah Robins

Senior Manager
Security and Privacy

Subscribe to Topics

As businesses compete for #quantum compute time, things can get complicated. @Strangeworks provides shorter queue times and cost and access control for customers. Join @KonstantHacker as he chats on this with Cesar Rodriguez from @Strangeworks. http://ow.ly/jERF50Gvo0W

Read this #SAP Blog to learn five considerations that have improved #ROI for our clients, highlight new ways of working and the art of the possible in the organization’s future #S4HANA system compared to ECC 6.x systems. http://ow.ly/WE5I50GuBRT

#ProtivitiTech #analytics #cloud

The intersection of #5G and #edgecomputing technologies will reinvent industries, change the way #security is implemented and revolutionize business operations. Learn in #Technology Insights why 5G and edge computing impacts approaches to security: http://ow.ly/hut750Gu2Um

Digitally transforming business with #Dynamics365 CE provides organizations with easy configuration and #integration with other #Microsoft products, fewer post-deployment issues and can be accessed anywhere. Read more in the #Technology Insights blog: http://ow.ly/AueX50GqQZs

In Protiviti's #cybersecurity #webinar series, learn insights from the effectiveness of crisis management response in #ransomware attacks to articulating core concepts of #zerotrust and the toolsets needed to architect zero trust. Explore sessions here: http://ow.ly/qVLp50Gi52T

Load More...