Network Security & Hardware - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Using Facebook to Social Engineer Your Way Around Security



 By: Brian Prince
2009-04-07
Article Rating:starstarstarstarstar / 5


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
A penetration test by Netragard at an energy company highlights how hackers can use Facebook, LinkedIn and other social networking sites as part of phishing schemes. In the test, Netragard used social engineering to get its hands on information that could have been used to compromise critical systems at the company. Addressing this security issue means having smart policies about what employees can and cannot do on the Web.

The most important part of an attack isn't always a vulnerability; sometimes it's the user's trust.

This was certainly the case during an authorized penetration test at an energy company conducted by security vendor Netragard. Looking for a way inside the customer's defenses, the vendor turned to Facebook. Testers built a profile claiming to be of an employee of that company, bolstered it with information on work experiences taken from actual employees of the energy company and began "friending."

What the Facebook "friends" didn't know was that this was all part of a long cona bit of social engineering used to lull the employees into giving up their credentials more easily. The simulated attack underscores both the importance of having sound policies on employee use of sites like Facebook, LinkedIn and MySpace and the challenges of authenticating users on the Web.

"Before the advent of social networks, criminals were able to access your employees through things like spam, or maybe they could call them up and social-engineer them," said Adriel Desautels, CTO of Netragard. "But sites like Facebook and MySpace and LinkedIn and all these different sites [give] criminals the ability to bypass just about any security technology you have in place and gain direct social access to your employees."

Resource Library:

Trust is the name of the game when it comes to phishing. For Netragard, that meant doing a bit of reconnaissance. It turned out that a little more than 900 of the customer's employees were using Facebook. Since most were men between the ages of 20 and 40, Netragard chose the picture of an attractive 28-year-old female for its profile and began building up a list of friends.

The next step was to make use of a cross-site scripting bug on the customer's Web site to deliver a payload that would render a legitimate-looking HTTPS-secured Web page that appeared to be part of the customer's Website. After conversing with real employees on the site for three days, Netragard posted on the Facebook profile a link to the rogue Web page with a message claiming the customer's site may have been hacked.

Users who visited the page were asked to verify their employee credentialswhich were promptly sent to www.netragard.com and extracted via an automated tool the company created. The bounty included credentials that would have allowed Netragard to access the majority of systems on the network, including the Active Directory server, the mainframe and the pump control systems.

"If your employees are using Facebook you want to know how susceptible they are to being conned into doing something that could put your business at risk," Desautels said.

There is no simple answer to the issue of verifying identity on social networking sites, as security researchers have demonstrated repeatedly at conferences such as Black Hat and ShmooCon.

"In this case, what we need is reliable user reputation," said Forrester Research analyst Chenxi Wang. "Companies like Purewire are working on a vision to provide universal user reputation, but we still have a ways to go before universal reputation becomes a reality."

Still, several analysts agreed blocking social networking sites simply isn't practical given their popularity. Companies with policies that are too restrictive run the risk that employees will turn to Web proxies, blinding the enterprises to Web traffic. There also may be legitimate reasons for marketing, human resources or other departments to access social networks. At the end of the day, it comes down to striking a balance between security and the needs of users.

"Maybe you want to ask employees not to list their employer on their profile or mention the company by name (or in any other way that would easily identify it) in postings," suggested Paul Roberts, an analyst with The 451 Group. "You might articulate a policy that discourages employees from posting from work and couple that rule with some good education about social networking hygiene."

Finally, Roberts advised, wait a month or two and perform an audit to see whether employees are following company guidelines and use the results to fine-tune the policy.

"Faced with what seem like arbitrary or overly strict policies on Web access, I've seen even the most technologically clueless employees figure their way around a Web gateway in no time so they can get to the content they want," he said. "It's kind of eerie, actually."





  Reader Comments: Social Engineering Your Way Around Security With Facebook
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Brian Prince
 


x}r8s;iW1ŋKm)XTFh)ئHIVO 7]hɗ%L!H@ggOD]ݴ1p͙M55|zg`HRsgޅ-34 @oRQP ĠxnwݶN`P'~ > \?g3U;Y|b(áh] ]( ѼeMGQR`N Cw*Nul9 Q6RV2/Fӽ<t[h  #k|E=x:Q/M+l}~@kNmW ȓ׌ڭAx)B(!bB]߂KCI%߼q@ؓ&thmub'b#Q^]õ]&Z.R͌eCwt=PzOMҳBCLH6}~8IZQOK.m4ZIfOl+qtR8E[5'0m_k|uv3< 3~3 CoZe؄j%ozcnć!LjZ L|:j/EӝF3l˸-:4 PS+}(Z_+{1ك;ho>|+UUew9*GA nkp[I^׵Sq9}r>?'7;A: o$&W ZDTQRp& Rc@G${/@B oVS7B-hZIArija[E4b‰EU}$N"?Zڗu&u}X6&ZiCA+WtWe`9=y\toz{MNڟ:gw:Rڟ+̊k*~k p6O{uH0`kh`cR^ٗ¯H ?td[W;Ǥ MXO'gs`HםBi۲ܾ,BKEka(7fhXӀ?$eR2-L9X@.@שS 04'hhV筱J+҄& )B:A`̺kR$9(8ȟk4R\ 9jbsvfM)o fzCUCZ9nVĨ9USAEI7CD r23yB(&PHQ>Ly%Ku}7p@e-}rlNVڒ1Wb{gH .Cuv}BzW^?]{68^%glh|X.B2iK1QW5MGVOLG_@r /*r[h 2ud8İ1nґ>âx tSOC|>56㤞F!|emxq=Z.3+ԍEXn`NtH Qx٭lE%H_¤< ) FA=H:}m`~5$ǎ@ Ls'09 ښB"QފС4a vhiqppyY?0»g{`閭-L<ħ̠>xԁ!~9.Wb&;A/""D%  h4AGEBEN@@wgw$]Vi+Raz"ʦBICvn +=*%nqR%e 3ʬ$&vφaZLbo7], Sl3-Mus֪%6ʋzhNCơǽ3yjmS#U^ğ.;*tXgF8,?Aw)?ǘ{ۣeXLST2q)( f+7TuRԟȦ5SsGZtfLAuߝ2h Jd@`Wvg.GpoKeҳ%}?HJ/N $50*g; A&rG|增5 Jx0?s\eDfkx# d\46(V,'`#sUzag²읶ה]%ϥ/hvpފ:fkDxF3fԑeӀP=:Ŀuouj15՝5  i܏9&"_G5 k^˧6Wȵm>3躢΍9XZ1B.,g@?aR5> 5 T !EX+LT׃RUah[s5/*wxFp+\sW["LJ}wYвJu6$T]Rj(3DZ(6A`eLq^xxOCMY 1H$6/`k .`@B% &@S^a\FkZCbPFܔwц.[P,',PУGk]W9ë#߬0pp@X&ޯ7Xfe^: ~^J3;|d*,p |,yl ȗaE*ӅZTNP!+ȣCY V MUpnp{E~t=GqDNԀH 5^Fl.W*ٝ'(U2~-p;_>Z=-h0 %l"?崰Y ML`(Dka43~Sb_@7T_/=4xE0q-"fdaD4Dw=bC-YM~pߎXA mҚk+sD ü |32Jј<`*=:^6AP,4ϼ"ymU ҕ&21wYG{S+1~9XD)uljy 0:g|}+ZQFnyu[w@1 /jS>/"CW5 ƗɈBÜ"+>aLL:w׍30UfSfyr;ïW`ju 2 \E ̓Oa*r1_?M= [LFzɖ0'`{' Yn:ajAyIxP.-W4Giwṛ: ߀&\qc`a#2"ߋ~Ǎp5)VRQXu@VI^A ұg /@C׳@g.jLQXGTUe@5yģT1Cy $v=.EZЋv}cj&lĦOmXoi/.: st'_u{~{y@Dмy֏S %<jE\q@*V%_w?^H6?MF&{fB, 8oIvI!ͧ^Y{{:9\;lѳi?`yAz+G~{!\w.ŗlk~Jw.R ~JdF!MuyyU8)Dyu~|ly\3amF '%L_=80<4+H[3 BX'kN,SVXKS!}>#mP5õhL؆ԿvVos_,ĨChpF1xc|.A-6ԾJ9 4SJd"8Q%;)~ڰ{, /D=:dSNSQ(ia-uyjdJ9#S"\' 6L P,OҴy=#lQ1 i(K"ih$lbTȆJoNwպ6<5ަm晿BƗHȣ,P-I+JB$/CiA0;ǭHR#EhqeP>Xki)i[YUH+?vbƇ'%qbLyx*=$ $Jr@Ί~\A=?$=ݝ:F`푎cɅ`p'#9ʼS3`( GW .[ vgNأ&k{?dͥ=`L8M\gwhNPD(Vp)c24,`*h 5nWeKoNu!I\vuo_arJs dނ>3ᛷ 6n2'|2KO$hבּ~QOtGov/zfCY f=f/ݷ?vcW};Ǎ>--8tQCTiωɘNBARTUukln(rY9sJeOV ;c+NE Qd1 0dƛ'q=Kf}#uooo=ȥ ֛ݥq=*A'w5GGpww6{eQJW=q-@jjejR-3xL 6;x4o :l0̠@ b@V՛3.B)iqp~vƘ@lll41Rhp٦p 0\f>m`1 \FDF lK b}eEx{6υ5_ڔ/&_uηm}(9}wfL$DYiW5}%Ou_SZ)`SH G(r-'˗|ڤ \½cjȷ(L #)P3}RJɕ% X.A(w7럇DN> ' @3õ3^tƃ.Dg9ߝߝߝߝ_ߙ^鉼zyz65U#||xW$ԅ?<}+3nZ43߭= %L n> Ϣ>I_oamjua0BZ@mHk4>DY(f la0L{0<HOxx< h򞀕_ݐ^܈: h Fb(}\¬hsFvx1D6:}8860%_!Vޞ_ݐʯ\2]nрk%ה{+WŁbll"I9Cp$ 54W^@t3GY&MMcLCl]/njnZM--5ŻǸ?&D4b[[6K7n,..@_elHկp4M!(KH?r ϣGҢ ^OykCz174f:xqF}Ktbz{M 4UItx˙Y\G1L&`%G P@zID-Sq|?=<w5%w5=b@S&QOcq۳z4^ i$oצA_>lIC7zzPx^Q}-M0~ēA pˉ?yl8}ؖhn(a ݿcXb&xZ_O;)>A $B8xDiOA7$W-*mok^]צA(ᅠcǜЩKMfd"^' OA!b"l꽾3TϴXFpu 9S²,ѧ-=.a I:ٟKctE@cQ"<\rl35a̔) js2mHOF~ėsқ`!F&nnRk{0CJ"f4)ҕPIj5޻uDa+kiBU,)HAc h^7C0/QN :3MQ⊼aN ͝}%gMm\vl!^ pʃV ]Rş /{/疿-!p ]Bx/[Zǃ20lf8Rp3h~_ Nm.gy6.ZxM_ o&`ljVVgEqF{L [GVatGH+eIY -}-&"XwӢكy,DS2ĚQ+i錂qn ޥiSƚe<l~u)@=ܬ>8XBO}kҽ:u])5h Νko(jSJ5ln^"6:򩾺oM`H2&c˶뿓$}vv`'VM~)fF<ƏLvh;b!>VںǬqwz2Ko^;C'knVurC[wnWcOnH pvBc,1v7o,KL[K`63OR!g@%UX5\ 0>u:-l,Y/ժsZE=4!Cu_ZהV/`ePPeZ#x]5ep ,T_HF=yԱ8nd##Tr^͌9Ra *zd Cߚ @Y鳏bi+TJ M&?;-I|At" @xl9 sXdMw=;8y'F;(]Ljb7|o5Aoq{m >:bL3':R"s^ai*pM[d{=y-h<#Թ|A+G^o.9gF.F{aްN_-&Yqoͳ.0VMcbhߦsr;c{±\~ :Iϣjg~R߈uX0oaddd㍨=+JU!TPavLjjGh-hdti25SxcDU<11t#PγjNT]OpY}XC3 #L^\}ĭRA+oS[ZS_D_t[6KwiS< 웮@MLSt #?)){ڞUޒϞܐq48zڀkcEl~%:xdK6ɝ2Md.4q9}5h= roEVIv# ,@gIE슍Bc˩" p77V\oz~}C@,ܝ^n<8Xs>zQJatGas~_.+JAW d  [zqeL\C~!W>)sSx- rH(G}8F}+% cDTw.sOaHP=SˁbX"ojZ1ֈQ(Vpx ~1&IE< ,iMPs6@א0H4aloEg@qbZ#v3$`"1a9=c1;my^ʤWn_<8'OccZ|E,{xǙ;fSZ,Ws ҃PB=*H'UΌ]-( o$H)[PXP؟S?pk2TJLmn$>9!,a4`yn F"O-c8; ܕkQ6N3kzy 6t(QS=1U& g cR[7eIE^~|NR] $Bq0Ӝhp6GE:߰|cm|?뽉e2'{xbRWkJ%zuweX zTkwy;Ue" =Mɕ@*ZȈq/w4 }:\ݹ1CG39^9nIQst/Q{}&ZGݪ;Gݓݫϧu_hZ>hbv>4m+Lxte$AN/[mf(NT3\H^Eǒ<^;KwEGcqq^ ~wIw`JT /!jb\ձ2MPl+st=vc+t?gg:^_,fyPM-ǭ}hj5=V0Sn&&~oonr/$)GAy+ZWpz~;29)G9R{WKӜ}(ϑgUsVnVa{j{^W su=I+ťfW*7yKxM}%k{[Z1iu ba/ KPe^ٛLGP/<,Y}Mʱ 4rk 7[y@YII{2}tEOi>r𞫫qLwe<ߔ[nNJ>s\ ȜHǣqiPB916FUs"\5½q>eybAZ̥-c8 v+d{zMtsn \v7v3}gax&@_]?737z.pqk;O΋kwՕq@AfПb 5y?&OtVfw 4;) vbi3q*ˡ7ýEy278 k-'`4[`Z namzםg4`/[烫6{̦d󰡲iʪ)N(ѴP7Ejnrh s!螉W >fpOh{A3fts`4H jYj ~ZV-#\#Jp=bUUEVrp` VU+D`I9CTx|Feiګ,91C=b{h8[閾P=^?AO^w q//cA6of!3^ ~*_v:i(G<)21 1@͝eN&u1*j6d%q<``>&\ʠaC7ao/XbKZ;cp\;l=2 gj Y(}dy0\9Khw e`Mz4z<8J);ҰVH'ՃoB 0 hJ/.ݳx KQ,Vk! 5t0@2nu–1*F;B;NDkUErby{ dg/X)43G+qDxaw./ ] }mc5&s8+&-c mtR-HZ}vw63.1X Ӯ'kL!IU?I"6T#iZc#͙P<bՍP /Dc[820tճNWmbnU]ݎ:3'/Հ`m[G{b9g8xolBS|(pIi/ 0Sdq?ibr]6M b ه%?13{`y߻ l !"q0uNcc? `vwj9c˖) Mm+#84#>ślQF޺%qm.;+C]@1֪TU|>cx nj}.C2~ d|$_Oxƪ~SQxr=G=gsxM-IS`oA}^n ")1 <&`Eߟ2"L)ԦLSw)+],by Y3r&g0|B e ȑ(lyI͜GK@WJP'jdVw(̛ m+~HױQĶ`:=Vږ*yD1e~}J<3g(uo",@zPhPTyX^c 0,*09G5-E6<]܈x~{ݾŀ gkOUx.X=lۉR#nȅ-`jkDmYtẉA,O)h<˜4W6QĶqytc~ږ10#ŸrzsgbCu*aZ!%׫rulC"f@Xjv?|rZ$0$a1+>c-hw͙!׆)0ѕDM1F(ͦ,1f Ax& =`#hxb "nh1 d'k%I )}fbnԌaBcv L$Fg8% 3^೐b,/A,xr&r*]xWI"cXMb0#:L+  +Sq|>o/]SXi/.:xH%D}Sw= aF']f*FRqOR|?(>w3u㖗?~<6Ҝ%!tOY B*Ew:9\OWzv S&ȕ/g2f#|oUAYfCժZ-Nj~ӷۊ#iQf8&rYOrѥ;7 D^R꧰a9TUd%r R⊫+4>S!aa؄;66BJ:6L]_X P /