Loose Lips Sink Ships (And Profit Margins!)


Posted on by Dale "Woody" Wooden

Dale "Woody" Wooden illustrates security concepts through stories. This story looks at how attackers monitor employee social media accounts. There is also a Part 2.

Humans on Social Network

One of the largest threats facing any corporation is the leak of sensitive information and the ease with which criminals and terrorists can monitor it. Few organizations properly train their employees to protect themselves at home, to stay safe while traveling, or to keep corporate information off social media. The first step in that education is cyber-hygiene, both when traveling and on social media.

Here is a common scenario: Company X is sending four people to England to meet with a group about a new project the company is investing in. The group consists of a division project manager, her personal assistant, one person from research and development, and someone from finance. This team will check the status of the project and meet with counterparts in the London office. The trip was planned six weeks out.

Within 24 hours of the trip being scheduled, the four people going began discussing their excitement about visiting London and all the extra things they planned to do during the trip. They posted only about which sights to see and which special events would be on, on their own social media pages and on a few friends' pages. Nothing about work was mentioned. Friends posted back, asking about hotel plans and the trip schedule. All of these questions were gleefully answered. Seems completely harmless, right?

What This Story Tells Us
The problem is that Company X is on a watch list kept by a group of criminals and hackers. They use advanced searches to track users who claim to work for Company X on Facebook and/or LinkedIn. They also run searches that flag posts any time travel-related keywords are mentioned. This group now knows that Company X has four employees who all began talking about London at roughly the same time. They then employ a few social engineering tricks and some advanced graph search terms to get around the privacy settings on LinkedIn and Facebook and discover more details. They can discover what each of the four does at Company X, where they are staying, their interests, their arrival and departure dates, and what extracurricular events they plan to attend. They also find the Twitter and Instagram handles of each and learn that two of them geo-tag all their posts.
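As an added example (this is not code from the original post), the following Python script does over public posts what the story's attackers do: a keyword pass for travel chatter, grouping by employer and destination, a sliding time window to spot several employees of one company naming the same city within a few days of each other, and a list of who attaches geo-tags. The posts, user names, employers, dates and coordinates are all constructed for the example; the `employer` field stands in for what a profile search on LinkedIn or Facebook would supply. A security team can run the same correlation over its own staff's public posts to measure exposure before an adversary does.

```python
"""Correlate public posts the way the story's attackers do: flag an employer
whose staff start naming the same destination at roughly the same time, and
list who leaks location via geo-tags. All sample data below is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample posts for this example. None of these users, employers
# or coordinates are real; "employer" is what a profile search would return.
POSTS = [
    {"user": "pm_jane",   "employer": "Company X", "ts": "2014-03-01T09:10",
     "text": "London in six weeks! Any must-see shows?", "geo": None},
    {"user": "asst_bob",  "employer": "Company X", "ts": "2014-03-01T12:30",
     "text": "Booked the hotel near Paddington for our London trip", "geo": None},
    {"user": "rd_kim",    "employer": "Company X", "ts": "2014-03-02T08:05",
     "text": "Off to London next month, hoping to catch a match", "geo": (40.71, -74.01)},
    {"user": "fin_raj",   "employer": "Company X", "ts": "2014-03-02T19:45",
     "text": "Flight to London on the 14th, back on the 18th", "geo": None},
    {"user": "asst_bob",  "employer": "Company X", "ts": "2014-03-03T07:00",
     "text": "Coffee before the office", "geo": (40.72, -74.00)},
    {"user": "old_timer", "employer": "Company X", "ts": "2014-01-10T10:00",
     "text": "London was great last year", "geo": None},       # outside the window
    {"user": "someone",   "employer": "Company Y", "ts": "2014-03-01T10:00",
     "text": "Heading to Paris for the weekend", "geo": None},  # only one person
]

# Assumed watch terms; a real collector would use a much larger list.
TRAVEL_KEYWORDS = ("flight", "hotel", "trip", "off to", "heading to", "airport", "itinerary")
DESTINATIONS = ("london", "paris", "berlin", "tokyo")


def destination_of(text):
    """Return the first known destination named in the post, or None."""
    lower = text.lower()
    for dest in DESTINATIONS:
        if dest in lower:
            return dest
    return None


def is_travel_post(text):
    """First-pass keyword filter: does the post talk about travelling at all?"""
    lower = text.lower()
    return any(k in lower for k in TRAVEL_KEYWORDS) or destination_of(text) is not None


def find_travel_clusters(posts, window_days=7, min_people=3):
    """Group travel posts by (employer, destination) and flag any group in
    which at least `min_people` distinct users posted within `window_days`
    of one another. Returns {(employer, destination): {"users", "first", "last"}}."""
    by_key = defaultdict(list)
    for p in posts:
        if not is_travel_post(p["text"]):
            continue
        dest = destination_of(p["text"])
        if dest is None:
            continue  # travel chatter with no named destination: not correlatable here
        by_key[(p["employer"], dest)].append((datetime.fromisoformat(p["ts"]), p["user"]))

    window = timedelta(days=window_days)
    clusters = {}
    for key, entries in by_key.items():
        entries.sort()
        # Slide a window over the sorted timeline; stop at the first one that fires.
        for i, (start, _) in enumerate(entries):
            in_window = [(ts, u) for ts, u in entries[i:] if ts - start <= window]
            users = sorted({u for _, u in in_window})
            if len(users) >= min_people:
                clusters[key] = {
                    "users": users,
                    "first": start.isoformat(),
                    "last": max(ts for ts, _ in in_window).isoformat(),
                }
                break
    return clusters


def geotagging_users(posts):
    """Users who attach coordinates to posts: they will reveal their location
    on arrival even if they never mention the trip again."""
    return sorted({p["user"] for p in posts if p["geo"] is not None})


if __name__ == "__main__":
    for (employer, dest), info in find_travel_clusters(POSTS).items():
        print(f"{employer}: {len(info['users'])} people talking about {dest} "
              f"between {info['first']} and {info['last']}: {info['users']}")
    print("geo-tagging users:", geotagging_users(POSTS))
```

On the constructed data this flags four Company X staff naming London within two days of each other, ignores the January post that falls outside the window and the lone Company Y traveller, and reports the two users whose posts carry coordinates. The thresholds (`window_days`, `min_people`) are the "budget" knobs: an attacker tunes them to how many targets make a trip worth pursuing, and a defender tunes them to how much chatter they consider acceptable.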

Hacking and stealing corporate data is a business for criminal enterprises, and as with any business there is a budget. They now have four targets who may well possess financial information, research and development data, details of ongoing projects and other sensitive corporate data. Is the juice worth the squeeze? In this case, would it be worth sending someone to London to try to get onto the group's phones and laptops, or to run man-in-the-middle attacks on their connections? Let's not forget good old elicitation (remember, they know what these people like and where they will be). The answer is probably yes.

The point is, these groups have to make a profit. They run the same cost-benefit calculation you run before sending people on a trip. If Company X continually leaks who travels, where, when and why, it is easy for a group like this to set a travel budget. This is compounded if Company X uses weak password policies, no encryption on employee phones, laptops, thumb drives and hard drives, and employees on the road always log onto the hotel network. They represent low-hanging fruit, ripe for the picking.

Corporations must start training their travelers in cyber-hygiene on social media and on their devices. It is not just inside your firewall that you are in danger. In fact, that is the last place some attackers would hunt you. They prefer to hunt where you are weakest: in your home, on the router set up by a third-party contractor from your cable company, or when you are traveling to a new city and just want to relax and meet new people.

After reading this, ask yourself two simple questions. Does your CEO still use WEP or WPA on their home router, rather than WPA2 with a strong passphrase? Do your travelers post corporate travel information on social media?

I would like to thank Michael Bazzell for his assistance with my development in learning the open source side of research.

Contributors
Dale "Woody" Wooden, Weathered Security

Category: Business Perspectives
Tags: hackers & threats, security awareness
