Dale "Woody" Wooden illustrates security concepts through stories. His past posts discussed how attackers mine employees' social media accounts for information. This story picks up where we left off last time.
If you read my last post, you already know our four travelers from Company X. They all used social media to discuss the trip to London they went on for the company. A hacking organization called Taking your Intellectual Property for fun (TIP4F) has been watching the information these employees shared on social media. They now plan on sending people to London to exploit Company X’s employees for valuable corporate secrets. They will use multiple techniques to do this. Let's observe what this group will do…
TIP4F has been watching the accounts of our travelers and has learned that Sara is a Project Manager at Company X. She has also been talking about how excited she is to be flying First Class on this London trip. TIP4F makes sure to have one of its members fly First Class on the same flight. TIP4F selects a female about the same age as Sara and has her carry a bag with a Louisiana State University pin. Why? Because TIP4F has noticed from monitoring Sara's other social media postings that Sara is a diehard LSU fan. This will also increase the odds that Sara will initiate the conversation with this female member of TIP4F.
The flight to London is long enough to give this person plenty of time to find out Sara's plans in London, as well as to do some shoulder surfing. TIP4F wants to know if Sara uses a password on her phone or laptop, and to try to discover what it is. Shoulder surfing is one of the first techniques used to gather information about a target's data.
The technique of wearing something that the target will be likely to comment upon is common practice. It will also help gain Sara’s trust when she runs into her friend from the flight again while out and about in London.
Doug is with research and development at Company X. TIP4F has also been watching Doug’s social media accounts. He has been talking about his new project and hinting at a new piece of tech that is going to be all the rage soon. He is not actually saying what he is working on, but drops enough hints that TIP4F can tell he is the brain behind the project.
On his first night in London, Doug heads to the pub closest to the hotel for a pint. Sara, who happens to be Doug's supervisor, joins him. They see Sara’s new friend from the plane, who is solo in London for a few days because her colleagues' flights were delayed. She also seems to think Doug is the cutest guy in the place. After dinner, Sara leaves, but Doug and their new friend continue to enjoy the evening.
The new friend takes a selfie with Doug and shows him her social media page. When Doug does the same, she wants to know more about the mysterious project he mentions on his page. Doug wants to impress this girl, and figures that since Sara knows her as well, it wouldn't hurt to tell her, right? This new friend is attractive, seems to like everything he likes and damn…she even understands technology. Homerun!!! Surely it would be okay to hang out with her until the rest of her group arrives.
The next night she stays over in Doug’s room. The next morning, while Doug is in the shower, she uses a thumb drive to access his unencrypted laptop, copies the files labeled “research” and installs a key logger. During the night she had shoulder surfed Doug enough to know the swipe code for his phone. Not that the finger smudges didn’t give it away. She accesses his phone and downloads all his contacts and recent emails from work via Bluetooth. It doesn't take long at all, since she had spent that first night checking out what kinds of devices he had and was prepared.
What This Story Tells Us
This is a small example of how corporate data can be exploited. Is this scenario too far-fetched? What if the technology Doug is working on could be valued at hundreds of thousands of dollars? Or more?
Business is Business. Do not let your—or your employees’—social life cross into the business side of a company trip. If you meet a stranger on a trip, remember that the person is still a stranger, no matter how much you may have in common. Encrypt your devices, be mindful of someone shoulder surfing, and use alphanumeric passwords instead of swipe codes. If you’re suddenly the most attractive person in the bar, think carefully about what you are divulging.
If someone just appears to know you too well, maybe they do. Elicitation is an art and people practice it every day. If you’re good at your job, it’s because you work hard. Hackers, con artists and thieves are good through practice and hard work. They try just as hard. It is how they make a living and they take just as much pride in their job as you take in yours. Don't make it easy for them to steal the fruits of your labor because you aren't paying attention to what you are saying.