A penetration test by Netragard at an energy company highlights how hackers can use Facebook, LinkedIn and other social networking sites as part of phishing schemes. In the test, Netragard used social engineering to get its hands on information that could have been used to compromise critical systems at the company. Addressing this security issue means having smart policies about what employees can and cannot do on the Web.

The most important part of an attack isn't always a vulnerability; sometimes
it's the user's trust.
This was certainly the case during an authorized
penetration test at an energy company conducted by security
vendor Netragard. Looking for a way inside the customer's
defenses, the vendor turned to Facebook. Testers built a profile claiming
to be of an employee of that company, bolstered it with information on
work experiences taken from actual employees of the energy company and began "friending."
What the Facebook "friends" didn't know was that this was all part
of a long con, a bit of social engineering used to lull the employees
into giving up their credentials more easily. The simulated attack underscores
both the importance of having sound policies on employee
use of sites like Facebook, LinkedIn and MySpace and the challenges of
authenticating users on the Web.
"Before the advent of social networks, criminals were able to access
your employees through things like spam, or maybe they could call them up and
social-engineer them," said Adriel Desautels, CTO
of Netragard. "But sites like Facebook and MySpace and LinkedIn and all
these different sites [give] criminals the ability to bypass just about any
security technology you have in place and gain direct social access to your
employees."
Trust is the name of the game when it comes to phishing. For Netragard, that
meant doing a bit of reconnaissance. It turned out that a little more than
900 of the customer's employees were using Facebook. Since most were men
between the ages of 20 and 40, Netragard chose the picture of an attractive
28-year-old female for its profile and began building up a list of friends.
The next step was to make use of a cross-site scripting bug on the customer's
Web site to deliver a payload that would render a legitimate-looking HTTPS-secured
Web page that appeared to be part of the customer's Web site. After conversing
with real employees on the site for three days, Netragard posted on the
Facebook profile a link to the rogue Web page with a message claiming the
customer's site may have been hacked.
Users who visited the page were asked to verify their employee credentials, which
were promptly sent to www.netragard.com and
extracted via an automated tool the company created. The bounty included
credentials that would have allowed Netragard to access the majority of systems
on the network, including the Active Directory server, the mainframe and
the pump control systems.
"If your employees are using Facebook you want to know how
susceptible they are to being conned into doing something that could put your
business at risk," Desautels said.
There is no simple answer to the issue of verifying identity on social
networking sites, as security researchers have demonstrated repeatedly at conferences
such as Black Hat and ShmooCon.
"In this case, what we need is reliable user reputation," said Forrester Research analyst Chenxi Wang. "Companies
like Purewire are working on a vision to provide universal user reputation, but
we still have a ways to go before universal reputation becomes a reality."
Still, several analysts agreed blocking social networking sites simply isn't practical
given their popularity. Companies with policies that are too restrictive run
the risk that employees will turn to Web proxies, blinding the enterprises
to Web traffic. There also may be legitimate reasons for marketing, human
resources or other departments to access social networks. At the end of the day,
it comes down to striking a balance between security and the needs of users.
"Maybe you want to ask employees not to list their employer on their
profile or mention the company by name (or in any other way that would easily
identify it) in postings," suggested Paul Roberts, an analyst with The 451
Group. "You might articulate a policy that discourages employees from
posting from work and couple that rule with some good education about social
networking hygiene."
Finally, Roberts advised, wait a month or two and perform an audit to
see whether employees are following company guidelines and use the results
to fine-tune the policy.
"Faced with what seem like arbitrary or overly strict policies on Web
access, I've seen even the most technologically clueless employees figure their
way around a Web gateway in no time so they can get to the content they want," he
said. "It's kind of eerie, actually."