Network Security & Hardware - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


REVIEW: SocialPET Lures End Users into Exposing Security Ignorance



 By: Jim Rapoza
2009-09-20
Article Rating:starstarstarstarstar / 2


There are 3 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
SocialPET is a SAAS application that tests end users' ability to discern dangerous e-mails by sending fake phishing messages and reporting on users' actions. The app is useful for pointing to security weak links, but it is currently pretty bare-boned.

When it comes to securing a companys infrastructure, there are many different problems to deal withfrom unpatched servers to poorly secured networking hardware to security applications that dont address all potential threats.

But probably the biggest problem is the companys employees. Despite training and common awareness of viruses, worms, spam and phishing e-mails after years and years of horror stories, there are some people who will continue to trust anyone who sends them an e-mail, obliviously clicking on every attachment and link that comes their way.

In a column I wrote several years ago, I called these people security idiots and opined that it might not be a bad idea to shame them into finally learning how to practice good Internet security. At the time, several companies wrote to me about systems they had put in place to send fake virus and phishing e-mails to their own employees to identify the idiotser, I mean employeesin need of further training.

I thought this was a good idea and that it wouldnt be too hard to do, by either setting up a fake Website or using e-mail scripts. But now its even easier to test your own employees to find the security weak links.

A new SAAS (software as a service) product from Jetmetrica security tools vendor spun off from Redspinlets administrators, in just a few short steps, send fake phishing e-mails to selected employees to determine which ones know enough to ignore the messages and which dontposing a threat to company security.

The product, called SocialPET (Policy Evaluation Tool), allowed me to send out a number of different security tests and view reports on the results of those tests.

Resource Library:

For images of SocialPET in action, click here. 

Getting started with SocialPET was simple. Once signed up for the service, I simply logged in with my browser and began entering the names and e-mail addresses of users I wanted to test. I could also select a fake e-mail address that the message would appear to come from (for example, itperson@yourcompanyname.com).

The next step was to choose the type of test I wanted to conduct. SocialPET includes templates for sending users to a fake offsite e-mail or a fake patch site, and will generate an e-mail message (complete with standard phishing mail misspellings and bad grammar). It was a simple matter to edit these templates.

Among the Website pages that SocialPET can send users to are fake Microsoft Outlook and Novell Groupware Web mail logins, a fake Symantec anti-virus download, a Microsoft patch page and Google Apps.

Once I had all my parameters set, I simply hit Run Job and sent the phishing e-mails to my victimser, test employees.

The user can ignore the phishing e-mail (smart user), click through in an attempt to get to the Website (not-so-smart user), or click through and attempt to carry out an action such as downloading a patch or entering a company username and password (ignorant user).

If a user clicks to download or enters a login and password, the page simply refreshes, which may lead some users to continue trying other usernames and passwords. But the page isnt just refreshing; it is also sending information back to SocialPET on users actions.

The reports that SocialPET generates are fairly basic. A graph displays a letter grade for the performance of the subjects in your test. The report also tells you how your organizations users performed compared with users at other organizations that have conducted similar testing.

A more detailed technical report shows the test sent, the e-mails sent to each subject and what each subject did (clicked through, downloaded or entered credentials). There is also an option to generate a PDF report that includes both the graphs and the technical report.

Thats pretty much all there is to SocialPETat least right now. Like many other SAAS applications, while SocialPET is open for use and is charging customers, it is still considered a beta.

The "beta" label is appropriate, as the application could be much better.

For example, the link site in SocialPET phishing e-mails is always the same root site, and there is currently no way to choose a different domain name. In addition, the reports could use more detail, such as how many times a user entered usernames and passwords and even which ones they entered. (So you could determine, for example, whether users exposed every single one of their company usernames and passwords.)

But SocialPET is still useful for finding out which of your employees could become a threat to your corporate security infrastructure.

A free trial of SocialPET provides all core features but allows tests of only 10 users or fewer and doesnt save historical reports. An enterprise subscription that lets you test an unlimited number of users and provides historical reporting is priced at $99 per month.

For more information on SocialPET and to check out the trial, go to www.jetmetric.com.

Chief Technology Analyst Jim Rapoza can be reached at jrapoza@eweek.com.






  Reader Comments: REVIEW: SocialPET Lures End Users into Exposing Security Ignorance
>>> Post your comment now!
A user comment on this article
I think you can do quite a bit with a domain name, user name and password. And for the enterprising hacker... try that user name and password on some...
Posted At: 11-19-09
By: Anonymous
Not much, probably....
Since they'd have no idea what email or network servers to log into... a user name and a password would be pretty useless.
Posted At: 10-14-09
By: Debi
A user comment on this article
So what does SocialPET do with all that login information they're collecting from your employees????
Posted At: 10-06-09
By: Anonymous
>>> Post your comment now!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Jim Rapoza
 


x}r㶲s\@♵M푦dKkeyYSHHbLZ$KreoВ/gq2D th4?y$3W7-gL:9)ٝGo,zIû@BeZNULrJԶnL7n[c3P/W?`W᳙(,Q  tjGt0]2xԴ;k:&gvek/cߨ[:`&`1ZlR!j 9i?i-'@IR(CѺ(Dߵ-m: \'|7*UnSp{ca_ʞ0HQIM"h4"j>vn3gd3#L=x:a/M˟ڮq 4]b'*cO^3lcㅰ A-c9p= vt#7J;v9"ScO$աUNIp+0Q#@ڮS.HVfFԲ;guGgbGMҳG(&$g v?ĭ?Q If% aSK k0~b[>4I :]Uh?BWuomzVucϝ;{I̖%X䄍ER6'>6O( |@ɤ:!ZdQ-}9e̛f4öCٰ5TתrXJqy/^Z,Yp﯍ZޙRV5MQ;Eu7ںs m)km>'}r:;{'W ;Aڼ+ N7Rߙ0QT&*rp8M2A 1q,{BrM7JQ߹p~q)ڡVP]F[<," J1~̢>2QuoOyuyqHu|ztn |g)̠V*PFfЊ%+2Zu\49Ut/I}!+|q!5M0\ܱ:֪׷V1?x7 |kh2`cRZڗ{dŧ1I|U8fIuCj ݖyB_ȻX_wKŗG)H73ǚ -=0ɔSHu t:99~mE>oU:^&T7o`2 4 M-w a4ZALt&h)5?&yϚb.L2o<|)=mR—U/(AK/ 5|*(If(΀/3A.r)# 6=aL+^뻹(4l.k\G֛esJVt];5Eя0-*<OZV..~zƇLqJjpX.B2iKB0pjꛛZ_)Ab/*rkh2ud8԰:AGAticšhO@7&h`C}ҍ:L[ݣn]=&tnYXŞ+LRVi`I l"&q}s)к`ya2C?FlEP>X^0 vjq3*~s=w= } wA;k 6G~[>l0sz7N\IQ M2(%E2{ 4.gP)AH = \99 |?#!bTLZ'9Tt{B#T+΍gR1eb -d[b~Il eV&vφaZLboD6], S m-Mus6 z`N&ǽSyje Q#U^?ww4-vF΍`?[^0&1 7R'~Xz /,ÂIc̦uS=L["z [q37/j7ab##Ylweٜi8SA0>A̞P,j\p>r|>I8%o5+=;dp3 yW*ܼ? b>Ȝ 8C_gM Y!Q OzBnehJJ*$,4)ŠpdjKݼ^`";hqNNRНB#@9zQ=/OJb-yhֽ Uv/:A']օVPK=o@xC dX{K/,è+AJK_ji tsaŰ,Bl6kp6X"@@7wL)mT.mT^̇'Χޱ;i6E7[{\MM|tf:s?&نdpg׏Ф0V2PaBSbg`m1JЀap‘"=jA4>\Pbr>+ eT6)5*IMym"P/?ˇ%Ŵ谢zԘ{}Qː 0gted-> IR-ʪZJss??]et4? 9pG#~y~?90?_Sc`9g䋲?W^`3|x ߙ[aeƘ]H?`׊._k軏WbL['ʂX hO7`sm'k=0ECڷV0! H*7hІ{egjړt_ twPJ |~CZhIkdENԲG**5P6>*0{nG=֌H+ c4}5:*jAe/yYXY :چHi3 9& ~gӭH5ysV9y]%fZ+a1o,*=8^6AP$2gy3iqSnU ֕/&ec<MxS3͓i54=_@HpbGi }䯦gPcM8^&&>ˣ*񨫚VJۂe2&0ƒF5c;[LY2RL5sݿyji==#ݸ,YEn;&+㧐gsC/ ܒ; k@X'V-(7O40p2^=us6,헳fO14D|\D"p-nōapzGdD"9zB*>_;k F+$ _9ݎi\~h/~wϺ!9kdcxx\MC R?!hSHV2<fShmƛ&akC2Ȱ Z_ƥ{l]rfꅰjZ ^Ok5W&'27e8\F`6~Y_aݪ,d"0.&WtzȃyE9ǀzB*l._i%$C( `E/Щ cAHFrI'zRG>egq/PAS):(9Q{0[LӷoHWY;GD_q-5sz4~ \1Z9nl&ݳ=B2^'68=h)IB"a]Zinu zu@&iR'DZ3pu*d hw H-@F޼=FoQp]9Qz AC~cl3rnnהŞa4 }Fp?wOJowҽ{ᧅ}ErWt3VTsb;I6ӱ$BUUk ۻʾ\EVe.tޓNt*<>rg ,FJfzӼ4hAhl3O7C]j`l]s!T7?_eҰKw= =z .+-R!EkEwWUK OgʢE'%:m֗Fݽ];+!bi4V;Tf{ts̷kD>dO#@/lvm鼳2O> AYC؞qnbLpx2F'Feuw#S''Sc3HF#%cOS˱6mF @|Րg;ar*|b \<e/&qFL>>bF_/LOn/2+2ݔiJiɰ%/_G*xORUIbn>ggLJ\/5`ҁ`} /`@H  x]L1ޱ-!Mkn;K)Q",>5=(h2,\0X$^!,G"׷~e PiS<;_X`BM c%[+_K]GP!,R4,+*"bgo tuH:.{rzԟȶ[:e)\;Le5Tq2" ~~~~~{jTO5WZv WUhKc%"(ϺFF6ZʟHbeao` [ a aP߿|n"y<]~uC{~/F},9^ R#@6}cXHXDH"("@gkljȏH6dKO^-ǟ{T5=̮zc"R=̱I`{ٌ!H" 1h^?Q? yB'邪k-TSsqOaf>>scHR|?$<&{fq:3va`ۑԘ8,gגH=7/bgka4#muMmc~DֱI%mg}Ӛ)4{`ͤPqj˿ёr\Y B x\+^FA}q5_ 6?wA'}Н~UDoaoH 1+֎  >̨;)xni2M׊6X|cLYڥ?1LtYG_N,&lq$ƘHoi}Êڥa~z~ґA@ 2{_&A7qå[936v㬳~DCϋ^ͨ>! 6Eaŵ0%Hx;w\}g^h\yחW9zJN+m(9rfNY( rφ7DQ\qu;mO05p3_f'5sa`n{ MwP!J jNk1Z[ȚLHj~6}A˽=V4), mX[`8NċX[O`YmZۈYޣS.%'{U2uZZ$r4M ܃y{¡YKj|ubM$t86?43VD)2J6/5uh` n),'?=@5.&X3h΍ko(S/Z^,63A3su` 2]ö뿓$y9k1 /A1DKb@/j sߐ]fPCnx./~4o*xg]-G?ص=eO) x}--Ӫ=F(ǗhF!;OIclP`@) ^tE'y{Hd8f D)S3[ ?(op/oc䭼7d?܉nM!?"  UI?I5?O:$%dQ?(p7Oi[q'H|!D<[*wD,Q/+F]{N9- T 2n?mLPG~_(%-%8=BYWP&48!?%9pgذmj~rmzwK>(V8E$;*96)%&Ǯ$Jjad4$ƽtyϽeLGlG꨺XI[a0ߴ1V&GBA8AXJo,"xa/quQ%Ǥ@FpxAҲzZ1lsh*b4 B-'+5}L1RR쫫%>% Zk^YR+Ȉz֘1h*B UٜA5.]cRU BI9h@Qͧ58sM<؜>7-iM13x`Óy?VzZ3ZOk]P;Xif[yb+n'-浻sx"(ͪND~`h*g{ 1z1[TvXj? 1%6l,.@JRb\[Kx6_j~R.gI* ] 065loV-TsZ.Wgz`NFe_ZՔV-`{dz2Kgķs '}^pYXk:Rga^1wTҊj9yK{0n|Ra )zd|y`dy}TK[TI`o2הo$q3c@O `ƖC/0Ÿ^o44ȱb4襃ڵϔH`1_Q_`׍kd w2IND]%FR)tg)@P\/0ƏļX\snOa.=HY`̏iͬͱ-j%!F㬤]FRx3'; ˍ7IoF1?_J m#Q^D~x#nO5q%Y^<5ŤiUh9!MF(qbix^U;92S/ L%& H!4w#\CP |,S7OR(iUeab+;Y kb^,<ҁS+qܒ:x n4`~+}^MM .o ^j$ׅp >< Pm̼ϴ@GBSx&㗶Gd.$qq5D; roEVIz# ,@Eꊍ\DQZB p[WGFzg~uC@ LG0 wM~q}ܐ}9OS5`/_ $UL]N*@`'*!Lz)%n67p>9/,a,/( Yej xpƧx}:; jܕeV!5:0 09Y:ovN*' P=:ςQغ9P/vκWx2 Zѷptԭsm~9^|9i..}L/0 Kyl2/*˙͓Q99otZNSʩ~gT5ɘfU,xgY^J>MSGQ=@)Qe3ʋ Q~4ab_1o4^O˦V\k!h<@Vʼnt,Z3rZOm鞷rФo%uggcFW(Q~ ˏ.w3ʑ˛@f+ʏח}N2!>A\͌r_;igC?2ʿ@g,>vNtNɂdзdЧw2v2O ?CS(?(#坌r=9ϐsBf.n~ x"K  {/>_?/)>Crs~~3wWYW{_ewɹN2!(odYNOoT8G\(_JeYW@a u~Q@yJ2,c/2\. e{%;[?_fr]!,.5PUZk3/Y[Sݲq  u"[~|^YlفGh O WY-Jbġ$лzxg _}#xC/+/g5>赎?]_Һ&m\ʠaC7ao/XbKZ;c`\;o}!Ip@4ǭaƹr0o@Y<@c d߻A!0%1<:,e`Nϒ 0 hJ/.ӡxQKQ,Vp0W1:՞/{n:aKƈ DMKIn_!gmo_.c˃a?[`>sR:=bՇ.*" (luy9M"l9X?apN$^y1Ά`}<on`$-K?X v;i\pص瘃#XWUK gi3A ~Xm o1I45~ɑf (W kDF(t#byܞ0,' ܔ0bpa`Oj:\l8=;t؆"ʮnǝ)Z+`Dœj@@rĶ/TlZ1LO=[RxY~1û'C$Ҵ)KˌK`!4n_O3˙߱hdl}0D=aϖ$]ހ)1 ?&lIk0Cerh`=F(aOIϐR(K)PمuY{N6 )4qs7EXI% ij3鱽$0\d~\g;eXv 3&R,`+''H2Gd!᳤c*5S3m-(E.ir};{,gIo=G}c_VeńK!l;F>_;@Bo&!#R.ܐOF{/)0{4<p2I>0 n9iSD:9Am'{';*lٹeNUhJl[:ƥh2- kc'pg! X0 n=ձ]w `7@#>Ƌrd{Ko.o1$+nvGD '7>6'كl2p~}ρ!XsCQ%W` =ݻ[5HJ @ O.x*@FWD0;"6im.KE%cC~sf_-r xgsU@DqD'Pyml<^|:ym놮E{Ofuݎfm/x,q++$~Il=bu-Wrcd+{f:ePEXl+!Rх+Kei$Vi. >n)ZF,c5ԭ<P0_C~C.vjmnJQXƺa#Qa[:6n ۊuy˷DL\7難me#FP1W ?$Il} ralX ^|޹+o=Љe6;3Gahl,eH&}+qd.DI qk.-wvua4,Lb9"[^QI(`жX3|"@a)5gn~ӧf<˜4W6IĶqyntµ-˱;gy/|gvC{%=\s.&tĵa=rC*gꙺU7z>!2D!6xVi`Eq{ş׼qeyS +(K- Q{lA0}ElHVzv`ݯos gq7*Р~o,jez'1l5mEgl3W'JZR۝wD^8%܆mJPU&s)# MW\e\)MS9Q2kFs+q>tgLp -ͱeRZ`l/Zwy)