Social Engineering


The internet has been around for nearly 50 years and has helped produce many innovative breakthroughs. While this may seem like a long time ago to many millennials, the popularity of the internet did not take off until the late '80s and early '90s. Since then, so many things have changed, which has led to our current adaptations. Nearly 3.2 billion people now have access to the internet, which is slightly less than half of the earth's population.

The genesis of our ability to communicate electronically was e-mail. While it did not take long to understand the impact and importance of this type of electronic communication, it took years to develop norms of business email etiquette. Like a written letter, your communication was directed to a single person and was not accessible to the world. Written letters required creative development time, and there was even time to reconsider sending one while walking to the mailbox. With email, communications are sent in near real-time, with no time allotted for reconsideration after hitting the send button. We are finally at the point where we recognize the impact of proofreading, and of not sending your thoughts in the heat of the moment.

Similar to CB radio, chat rooms gave us the ability to communicate anonymously with both those we know and those we do not know. The difference between the two mediums is that chat room communications are electronic. These technologies were still limited in scope because they were not accessible to everyone, since not every home had a computer. Like email, chat rooms gave the ability to communicate with multiple people quickly. Generally, these communications were not being archived or tracked, and it was still easy for something said electronically to disappear. If someone wanted to abuse the information they received, they would have to show up in person and be fearless enough to carry out their plans.

With the evolution of the internet, most communications placed in the public domain remain forever. As with other forms of communication, people on social media can hide behind a made-up screen name and a profile picture. This ability is more widespread, with many devices now being internet connected. The accessibility of these devices and data to everyone has also increased the types of threats that people face. Adapting to these new threats means that users will have to be conscious of the information they disseminate on an open platform.

In a recent NPR article, it was reported that there are 7.5 billion people on this planet. Of this 7.5 billion, 3.2 million people have access to the internet. This is a huge increase over the 4% that was recorded back in 1999. Most people now can have 4 or more IoT devices, ranging from your smartphone to the car you drive. All of these devices have the ability to record and track your activities. Some of these systems provide convenience, like the Amazon Echo. Others provide security, like your ADT system. While these devices may not directly post things to social media, devices like your cell phone, tablet, or laptop can synchronize all your data to the social site of your choice.

Social engineering is an attack vector that utilizes human interaction to gain information. These attacks can be accomplished in various ways, and can sometimes seem harmless. According to the Verizon 2017 Data Breach Investigations Report, 43% of all breaches stem from social engineering, with 98% of these being phishing and pretexting attacks. The people carrying out these attacks are very good at disguising their intentions and masking themselves behind a false identity. The goal of these attackers is to convince you to divulge any information that would aid them in gaining unauthorized entry into a system. This information could range from something as harmless as where you went to high school to something as alarming as your account number.

I have witnessed these types of attacks on others both inside and outside the workplace. A person close to me was called by what they believed was a large company that was offering them a job but needed their social security number and credit card number to validate their citizenship. What was interesting in this case was the fact that they were actively seeking employment, but did not recall submitting a resume to this company. When asked my thoughts on this situation, I replied that a company would not extend an offer without an interview and application process. Later, the applicant realized that their job hunt was posted all over social media, and their profile was open to the public. Fortune 500 companies do not typically send unsolicited emails or phone calls to fill their positions.

Social media is the best place to gather intelligence because people voluntarily provide all the information you need. People willingly tell the world where they are employed, where they went to school, and even what they are doing right now. Savvier users may even block their profiles from public view, but sometimes the threat can be within your immediate circle. How many people do you know who have posted pictures while on vacation, or posted that they are currently out to dinner? Social media aided in the arrest of a woman who thought it was a good idea to post a live video of herself drunk driving. The woman posted her actions on Periscope, and viewers of the live stream reported this to authorities. Although this video may have saved lives, since police used the background scenery to locate and arrest her, some homeowners have found themselves victims of home invasions due to their live streams or location tags.

A quick Google search of “social media used in home invasions” will return hundreds of examples of how criminals used social media to target their victims. Your social media friends may not all be upstanding citizens, and may use your posts to exploit you. It was not that long ago that the news reported a celebrity being robbed in Paris. The culprits escaped with several million dollars' worth of jewelry, and the prevailing belief is that social media helped track the victim. Pictures of you wearing expensive jewelry, geotags, or posts stating your current location give thieves all the information they need.

A McAfee blog written back in 2014 outlined a few key points to protect you on social media. Expect that everything that is posted to social media is permanent and can be seen by all, even future employers. Content from websites is oftentimes cached and aggregated on other websites, so that it can be displayed based on keywords. Search engines are popular examples of this, but there are plenty of others that just archive other websites.

Your privacy settings may reduce who views the information you post, but they do not prevent that information from being re-posted by someone on your friends list. Even if you delete a post or your entire profile, once something you posted has been shared by others, deleting it becomes more difficult. We all have freedom of speech, but that speech can have consequences. Most people are aware that personally identifiable information (PII) can have a damaging effect if posted in the public domain. What is often overlooked is the lasting impact of posting information about your children. While it may seem harmless on the surface, it could have a lasting impact.

Privacy settings also do not change the fact that someone in your friends list may not be trustworthy. No one expects someone they have added to their friends list to cause them harm. It is impossible to know what a person's true intentions are, and waiting until something happens is too late. It is better to be cautious with the content you post and be safe, rather than expose yourself to potential harm from others. Many businesses understand these facts, and have adopted policies that dictate the types of information their employees are able to post. The idea behind this is to protect the employee and the interests of the business, and not to intrude into the personal lives of their employees. Not releasing information into the public domain reduces the probability of an employee being exploited and makes it harder for someone to circumvent the organization's defenses. In the McAfee blog, the 10 tips posted simply involve being selective about what you say and who you friend, and scrutinizing the privacy and GPS settings on your devices to optimize your security. Sun Tzu wrote in the “Art of War” that “Invincibility lies in defense.” In a digital world, the best defense is to be aware of what and when you post things to the public domain.

 




 


Copyright © 2007 - 2019. All Praise Media LLP. All Rights Reserved.