Friday 26 June 2015

Linked(in)-Engineering

Social Engineering is the term associated with security since the early 1800’s one of the most iconic personal was Samuel Williams who used to con people of their personal valuables by simply asking to keep it with him. He was termed as the “confidence man” by the tabloids in that era, another such example is of Joseph Weil who ran various scams with help of social engineering and one of his famous scam was to con the great Benito Mussolini for over $ 2 Million.  In today's world movies such as “Catch me if you can” & “Identity Theft” highlight the damage that is possible via such attacks and are great examples of what is information is to be kept private & what information to be kept public.

With the passage of time the tools for information gathering/engineering have changed drastically, while one might say technology has come a long way in dealing with such attacks but there is also other side of it. In this age of information sharing with likes of Facebook, Instagram, Whatsapp, Twitter, Linkedin etc. the art of social engineering has gone to a different level. There is tremendous amount of personal information that is shared with the world on such websites & applications. It has become now much easier for people to perform identity theft as private information of personals is right at their fingertips.  Such information is quite a threat to an individual as well to an organization one such example is the recent security breach that happened at RSA. RSA claims that phishing emails were sent to a group of few targeted employees to gain access into the company’s network. This breach put a question on the RSA- Two factor authentication token algorithm as confidential information regarding it was compromised. It not only affected RSA but several other companies who were using RSA authentication infrastructure/mechanism, it cost them over $ 70 million to recover from this attack.

Social Engineering Simplified

Among these information sharing, networking platforms one such popular platform is Linkedin.  Linkedin is professional networking platform with over 350 million users. It is widely used by industry professional to connect with other and exchange informative data.  From a attackers perspective this can be quite a useful platform to mine important information. It can be also used to attack or target a specific individual or an organization.  Keeping this in mind we did a bit of sniffing among our own Linkedin network & about 15 mins of sniffing were astonished with the results that we got. 

 Profile of Chief of Staff


Information Security Professionals Sharing Their Personal Info

Higher Authority at World Bank Sharing Family Pictures


 The above images are just a small highlight of the heap of information that we could gather. One could collect information regarding the Office of President, decision makers at World Bank sharing their private family pictures , people at various levels in different organizations sharing their personal contact details , there are discussions in groups were people are discussing/sharing confidential company information or issues. All this put togather can be very useful intel and can cause serious damage to individual or an organization ,personally as well as professionally.

Most of you by now would be thinking that your organization has specific training & guidelines put into place which stops such vital information from being shared i.e. where PRIVACY is addressed. Well hold your horses right there well don’t you think the president’s office,world bank etc. wouldn’t have such guidelines or training in place? Most of the organizations around the world have some or other training program or guidelines for their employees which address the issues of information sharing & privacy, but the problem comes with regular evaluation. Only a handful of organizations undertake the task of evaluating the information shared by its employees at regular intervals or rather evaluating their learning from the training or guidelines provided to them. If such regular evaluation process is put into practice it will be very difficult for an attacker to carry out social engineering attacks as well as individual & organizational privacy will be maintained.

Note: This blog post is not targeted against any individual or organization and is strictly for informational purposes. If you find any offensive or objectionable material relating yourself/organization kindly write to us info@securitytheorem.com. And we shall take necessary steps. 

No comments:

Post a Comment