We are constantly told to be cybersecurity aware, to lock our workstations (control-alt-delete), have a clear desk, not put sensitive information near windows and especially be careful what we post online. These messages are drummed into us fairly often – but rarely are we told the reasons behind them or, better still, shown the real-life implications.
Dark Reading speculating that veterans are being targeted because of their military history being listed on LinkedIn, social media users should be more careful. It is very likely all spear-phishing attacks start off with recon on social media - just see what PhishLabs think.
With spear-phishing – a targeted phishing attack – so prevalent and the main way into organisations, information is key to hackers. If you watched Cyberwar on Channel 4, you would’ve seen one of the state employees from the former Soviet Union admit that a lot of hacks they pull off are not that hard – it simply comes down to phishing, which needs research, psychology and basic tech skills. Spear-phishing is all about making the email appear genuine and inviting enough for the victim to want to open it.
Company profile pages can be too revealing
Professional services firms are notorious for giving out too much information. Barristers, solicitors, accountants all have an employees page on their website, listing all or some of the following: staff names, email addresses, phone numbers (at times mobile), department, school and university attended, associations, wife/husband and children’s names, PA names, religion, football teams, where they volunteer, deals worked on and a ton more.
Perhaps what football team they support is a light-hearted fact to detract from a fairly bland and uninteresting industry. Seriously, why is their religion or wife’s/husband’s name of use for someone picking a supplier or individual at that supplier?
Oversharing on social media, even LinkedIn, can provide valuable information
This is just the corporate profile pages, let alone what is listed on LinkedIn – or worse, Facebook or Twitter. LinkedIn should be for professional networking anyway, not giving a solicitor’s daily opinions on Brexit.
Still, LinkedIn can be a gold-mine of information for attackers. Professionals list software names and versions, clearances and access to top-secret information at x organisation. Facebook and Twitter are useful to find people who are on holiday.
Political and religious views are even more active on Facebook. What if you knew someone was a member of Labour or the Conservatives, create a fake political site asking for their passwords, and re-use it on their work account?
How clues from the physical world can aid hostile recon
Now on to the physical world. Let’s imagine all of the staff have a very low profile online or post little of interest. A nation-state or organised crime group has a large budget to infiltrate and will happily conduct physical reconnaissance. Buildings can be swept to see where the fire exits and main entrance are, whether it has a turnstile or a mantrap, how many security guards there are when they change shifts, whether there is 24/7 security, whether any email addresses or phone numbers are on display.
Cyber attack trick 1:
What about ID badges or papers left next to windows? Below is an example of what many companies do – put offices and computers next to windows on the group floor.
In the blurred and partly blanked out photo are an assortment of internal forms, such as uniform or holiday requests. Now what? If you’re an attacker, you could:
- Take a high-res photo.
- Create a template in Microsoft Word based on the photo.
- Find a target on social media who appears to be on holiday.
- Create a personal email address under his/her name.
- Fill the template out.
- Find out the email address of HR.
- Email HR from the personal address saying, “I am on holiday and desperately want to book time off to go to a wedding, and since I am on holiday, I do not have access to my work email.”
- Bounce niceties back and forward to build a “relationship”, and either inject something into a future document or send a link to “holiday photos” which has an exploit on. Since there is by now a relationship going, the victim will be more likely to follow instructions.
- Yes, after a week or two the fake holiday request may be discovered but by that time intellectual property rights (IPR) have been stolen.
Cyber attack trick 2:
Another trick is the well-known “rock up with a coffee-stained document to reception”, and it works as follows:
- Find the address of the office you wish to visit.
- Find someone in a high-ranking position who is on holiday – via Facebook or Twitter.
- Prepare some marketing documents or a CV.
- Pre-spill coffee or cola on them.
- Dress and groom yourself well.
- Appear at reception and say, “I am here to meet x.”
- The receptionist will say he/she is away.
- Say, “Argh, ahh he/she is on holiday till [x date].”
- Bring out the documents.
- Say, “Ahh these are all messed up, my son/daughter must have done this!”
- Say, “I am going away tomorrow and high-ranking person x requires them before he/she returns.”
- Ask the receptionist to print off a new copy using the USB provided.
- The PDF or Word file then infects the network.
Cybersecurity lessons learned:
- Have policies about what can be posted through work and personal social media accounts.
- Create work templates for the “our staff” page with minimal details listed per person.
- Ensure privacy filters are fitted to group and basement floor windows.
- Sweep Github and social media accounts to catch employees posting or uploading too much.
- Conduct phishing tests and check improvements over time.
- Make security awareness fun, not the bland 60-minute training video with a quiz at the end everyone skips to.
- Minimise what is listed on job adverts.
- Block USBs and whitelist devices so HID (human interface devices, aka rubber duckies) cannot attack.