As a security professional, you always have to think outside the box. This, I believe, is why hackers are usually a few steps ahead of the security industry: a lot of professionals are schooled and trained to follow a fixed set of guidelines throughout their careers. If a security company releases a new product, how long will it be before a hacker circumvents the technology, or exploits a software flaw in it? Usually not long, because hackers (real hackers) apply a lot of creative thinking to ‘solving their problems’.
This is why, in today’s world where everything is inter-connected and accessible online, threats can emerge from seemingly innocent vectors. It’s the old adage: collecting one small, innocuous piece of information leads to discovering more seemingly innocent information, which in turn may lead to the compromise of sensitive, and damaging, information.
That’s why we warn users against posting personal information so recklessly on social networks. “Who cares if I let people know on my public profile that my favourite musician is Justin Bieber and my cat’s name is Crumpet?” As hackers scrape smaller pieces of information about a target, they can build a complete profile and leverage it to attack or take over your identity and assets in various ways. This isn’t new and plays like a broken record.
The above leads me to something interesting I stumbled across recently. In the mornings and afternoons, as I commute to and from work, I tune in and listen to a local radio station (that sentence in itself is an example of divulging information which may lead to my eventual downfall). As with most radio stations, after listening to the different segments and shows in certain time slots, you get to know the presenters pretty well. They generally talk about their personal lives, what they got up to on the weekend and much more. They also usually have a wide array of public information about the hosts on their websites, to give listeners a more interactive and personable experience.
After listening to this same radio station for a few years and listening to the things they often talk about, I have built a pretty good profile in my head of the things each host likes, dislikes, their characteristics and habits.
I’m sure most of you already know where I am heading with this. Password guessing. You are correct in some sense, but I am taking a different angle. This post is more driven towards how seemingly innocent information may lead to the compromise of an entire company.
I was listening to said radio station the other day, and one of the hosts was joking about the ‘IT guy’ in the company. (This is a very popular, large media organisation I might add).
Host A: “Haha yeah the IT guy must be sick of you Mary, you are always calling him up because you forget your password!”
Host B: “Shut up, Mike! Well, when they make you use over 8 characters, with capitals AND numbers, and make you change it every 3 months, it makes it hard!”
As most of you would have, my amusement upon hearing this almost led me to crash my car into a signpost.
So, being the security guy I am, my ears pricked up. Host B had basically just told me the password policy for logging in to the corporate network. Big deal, you say; that’s a fairly tough password, right? Well, marry this with an intimate character profile of these employees (the radio presenters) and you have a good starting point. I know more personal information about these people than I do about some of my own family. Couple that with some easy reconnaissance of the company’s network: publicly accessible systems, and internal and external DNS schemes that clearly reveal what kinds of remote access exist and the naming convention employees use to log in. You are well on your way to gaining access to the guts of this large media company.
The information above might still make it a little hard to guess passwords from the outside and hope that no IDS picks up your failed login attempts. So what else can you do? You can come in through their social networks.
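To make the “password policy plus personal profile” point concrete, here is a small added Python example (mine, not part of the original post, and not aimed at any real person). It takes a handful of constructed profile facts of the sort that surface in on-air banter, plus the complexity rules Host B described, and keeps only the guesses that policy would actually accept. The profile contents, the suffix list, and the reading of “over 8 characters” as “at least 8” are all assumptions.

```python
"""Policy-constrained candidate generator (added illustration).

Given facts an attacker could glean from public chatter and the password
policy that was blurted out on air, emit only the guesses the policy would
accept. The profile below is constructed and refers to nobody real.
"""
from itertools import product
import re

# Constructed profile: the sort of trivia that comes out in on-air banter.
PROFILE = {
    "pets": ["Crumpet"],
    "family": ["Mary", "Mike"],
    "interests": ["Bieber", "Justin"],
}

# Policy as stated on air: 8+ characters, at least one capital, at least one
# digit, rotated every three months. Assumption: "over 8" means "at least 8".
POLICY = {"min_len": 8, "need_upper": True, "need_digit": True}

YEARS = ["2012", "2013", "12", "13"]
# A 90-day rotation nudges people toward season- or quarter-based suffixes.
SEASONS = ["Summer", "Autumn", "Winter", "Spring"]
SUFFIXES = (YEARS
            + ["1", "01", "123", "!", "1!"]
            + [s + y for s in SEASONS for y in ["13", "2013"]])


def meets_policy(pw: str, policy: dict = POLICY) -> bool:
    """True if pw satisfies the stated complexity rules."""
    if len(pw) < policy["min_len"]:
        return False
    if policy["need_upper"] and not re.search(r"[A-Z]", pw):
        return False
    if policy["need_digit"] and not re.search(r"\d", pw):
        return False
    return True


def base_words(profile: dict) -> list:
    """Case variants of every profile fact, de-duplicated, in stable order."""
    words = set()
    for values in profile.values():
        for v in values:
            words.update({v, v.lower(), v.capitalize(), v.upper()})
    return sorted(words)


def raw_combinations(profile: dict) -> set:
    """Every word/suffix pairing, before the policy is taken into account."""
    combos = set()
    for word, suffix in product(base_words(profile), [""] + SUFFIXES):
        combos.add(word + suffix)
        combos.add(suffix + word)
    return combos


def candidates(profile: dict, policy: dict = POLICY) -> list:
    """Only the combinations the stated policy would let a user choose."""
    return sorted(pw for pw in raw_combinations(profile)
                  if meets_policy(pw, policy))


if __name__ == "__main__":
    guesses = candidates(PROFILE)
    print(f"{len(raw_combinations(PROFILE))} raw combinations, "
          f"{len(guesses)} survive the policy filter")
    for g in guesses[:10]:
        print(" ", g)
```

The point to notice is that knowing the policy shrinks the list rather than growing it: every guess that lacks a capital or a digit can be thrown away before a single login attempt is made, which is exactly what helps an attacker stay under a lockout or IDS threshold. The same script works as a defensive self-check: if your users’ public trivia plus your published policy yields a short list, the policy is not buying you what you think it is.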
Host A and Host B are constantly talking about Facebook, and about how Host A plays on Facebook more than he does work. “Oh, so you access Facebook from your desk in the radio station, huh? Nice.” Host A even had the balls to tell me that he had just set up a Facebook page for his mother, who is computer-illiterate, that everyone should friend her, and he gave out the username in the process. Think outside the box? He wouldn’t have set a very hard password for his poor old mother, would he? Probably a family member’s or a pet’s name? Hmm, interesting. I know the names of most of his family members and pets from listening to him present on the radio for the past couple of years.
So I can guess Mum’s Facebook login, then send Host A a message while he is logged in, presenting live on air and not paying particular attention to the link Mum just sent him? Hmm, interesting. Also, the few thousand people who just friended Mum might click on a new photo post on her wall about Host A’s appearance… a few thousand more phish added to our botnet.
I could go on and on. It just goes to show how small pieces of seemingly innocent information can be collated into an attack profile. Depending on the situation, it could take years. Who would wait years to hack something? Like I’ve said before, hackers are opportunists, and they are creative. People divulging information about themselves will never change. Hackers will never change. I can only hope that the internal security policies of the media company in question change, because at this rate their organisation could easily be breached… if it hasn’t been already.