CSIS Security Research and Intelligence Research paper: Threats when using Online Social Networks - 5 month later Date: 19 th October 2007



Similar documents
CSIS Security Research and Intelligence Research paper: Threats when using Online Social Networks Date: 16/

White Paper - Crypto Virus. A guide to protecting your IT

Practical guide for secure Christmas shopping. Navid

Internet threats: steps to security for your small business

Information Security solutions that protect your business

Five Tips to Reduce Risk From Modern Web Threats

Is your Organization SAFE?

PROTECT YOUR COMPUTER AND YOUR PRIVACY!

Guidance on the Use of Social Networking

43% Figure 1: Targeted Attack Campaign Diagram

Internet Advertising: Is Your Browser Putting You at Risk?

NATIONAL CYBER SECURITY AWARENESS MONTH

Cyber Security Awareness. Internet Safety Intro.

Streamlining Web and Security

WHAT YOU NEED TO KNOW ABOUT CYBER SECURITY

Types of cyber-attacks. And how to prevent them

Are You A Sitting Duck?

Top 10 Tips to Keep Your Small Business Safe

Open an attachment and bring down your network?

Combatting the Biggest Cyber Threats to the Financial Services Industry. A White Paper Presented by: Lockheed Martin Corporation

Guide to Penetration Testing

Patrick Gray Principal Security Strategist DATA SECURITY CHALLENGES IN THE ALL TOO PUBLIC AND NOT SO PRIVATE SECTORS

WHITEPAPER. How a DNS Firewall Helps in the Battle against Advanced Persistent Threat and Similar Malware

Social Networking and its Implications on your Data Security

What are the common online dangers?

WHITE PAPER The Five Step Guide to Better Social Media Security

NCS 330. Information Assurance Policies, Ethics and Disaster Recovery. NYC University Polices and Standards 4/15/15.

How-To Guide: Cyber Security. Content Provided by

Beyond the Hype: Advanced Persistent Threats

Breach Found. Did It Hurt?

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES.

white paper Malware Security and the Bottom Line

Securing Endpoints without a Security Expert

Security Practices for Online Collaboration and Social Media

ENDPOINT SECURITY WHITE PAPER. Endpoint Security and Advanced Persistent Threats

STOP Cybercriminals and. security attacks ControlNow TM Whitepaper

Cisco on Cisco Best Practice Security Practices for Online Collaboration and Social Media

Deduplication as security issue in cloud services, and its representation in Terms of Service Agreements

National Cyber Security Month 2015: Daily Security Awareness Tips

Data Loss Prevention Program

Application Security in the Software Development Lifecycle

Privilege Gone Wild: The State of Privileged Account Management in 2015

ICTN Enterprise Database Security Issues and Solutions

SOMEBODY'S WATCHING YOU! Maritime Cyber Security White Paper. Safeguarding data through increased awareness

Recognize Nefarious Cyber Activity and Catch Those Responsible with IBM InfoSphere Entity Analytic Solutions

Learn about each tool in parental controls and find out how you can use them to secure you and your family.

Protect Yourself. Who is asking? What information are they asking for? Why do they need it?

Everyone s online, but not everyone s secure. It s up to you to make sure that your family is.

Privilege Gone Wild: The State of Privileged Account Management in 2015

Contacts: , find, and manage your contacts

INSIDE. Cyberterrorism and the Home User By Sarah Gordon, Senior Research Fellow

Avoiding Malware in Your Dental Practice. 10 Best Practices to Defend Your Data

DON T BE FOOLED BY SPAM FREE GUIDE. Provided by: Don t Be Fooled by Spam FREE GUIDE. December 2014 Oliver James Enterprise

CERT's role in national Cyber Security: policy suggestions

Cloudy Privacy Computing

Why The Security You Bought Yesterday, Won t Save You Today

Avoiding Malware in Your Dental Practice. 10 Best Practices to Defend Your Data

Primer TROUBLE IN YOUR INBOX 5 FACTS EVERY SMALL BUSINESS SHOULD KNOW ABOUT -BASED THREATS

The Increasing Threat of Malware for Android Devices. 6 Ways Hackers Are Stealing Your Private Data and How to Stop Them

Cyber Security for audit committees

Emerging Network Security Threats and what they mean for internal auditors. December 11, 2013 John Gagne, CISSP, CISA

WHY DOES MY SPEED MONITORING GRAPH SHOW -1 IN THE TOOLTIP? 2 HOW CAN I CHANGE MY PREFERENCES FOR UPTIME AND SPEED MONITORING 2

Malware & Botnets. Botnets

IT & DATA SECURITY BREACH PREVENTION A PRACTICAL GUIDE. Part I: Reducing Employee and Application Risks

What Do You Mean My Cloud Data Isn t Secure?

Roger s Cyber Security and Compliance Mini-Guide

The term Broadway Pet Stores refers we to the owner of the website whose registered office is 6-8 Muswell Hill Broadway, London, N10 3RT.

AVOIDING ONLINE THREATS CYBER SECURITY MYTHS, FACTS, TIPS. ftrsecure.com

You are the weakest link! Presented by Michael Hammond, CISA, CRISC, CISSP, C EH Director, IT Audit & Security O Connor & Drew P.C. mhammond@ocd.

The SMB Cyber Security Survival Guide

Why should I care about PDF application security?

7 Things All CFOs Should Know About Cyber Security

Security Awareness for Social Media in Business. Scott Wright

Cyber Security: Beginners Guide to Firewalls

Protecting Your Network Against Risky SSL Traffic ABSTRACT

Are You the Target of a Denial of Service Attack?

Defensible Strategy To. Cyber Incident Response

Security - A Holistic Approach to SMBs

Hacker Intelligence Initiative, Monthly Trend Report #15

High Speed Internet - User Guide. Welcome to. your world.

Computer Security Maintenance Information and Self-Check Activities

Protecting What Matters Most. Bartosz Kryński Senior Consultant, Clico

Bad Ads Trend Alert: Shining a Light on Tech Support Advertising Scams. May TrustInAds.org. Keeping people safe from bad online ads

1. Any requesting personal information, or asking you to verify an account, is usually a scam... even if it looks authentic.

When attackers have reached this stage, it is not a big issue for them to transfer data out. Spencer Hsieh Trend Micro threat researcher

Legal Notices. Purpose and Scope of Website. StanCorp Financial Group, Inc. Contact Us. Public Affairs. Special Investigations Unit

HIPAA Myths. WEDI Regional Affiliates. Chris Apgar, CISSP Apgar & Associates

NTT R&D s anti-malware technologies

As threat actors target various types of networks, companies with improperly configured network infrastructures risk the following repercussions:

Contact details For contacting ENISA or for general enquiries on information security awareness matters, please use the following details:

How Lastline Has Better Breach Detection Capabilities. By David Strom December 2014

10 best practice suggestions for common smartphone threats

Social networking at work: Thanks, but no thanks?

The Essentials Series. PCI Compliance. sponsored by. by Rebecca Herold

How to build and use a Honeypot. Ralph Edward Sutton, Jr. DTEC 6873 Section 01

Best Practices Top 10: Keep your e-marketing safe from threats

CYBERSECURITY: Is Your Business Ready?

This session was presented by Jim Stickley of TraceSecurity on Wednesday, October 23 rd at the Cyber Security Summit.

WHITE PAPER. Understanding How File Size Affects Malware Detection

The Cloud App Visibility Blindspot

Transcription:

CSIS Security Research and Intelligence Research paper: Threats when using Online Social Networks - 5 month later Date: 19 th October 2007 Written by Dennis Rand rand@csis.dk http://www.csis.dk

Table of contents Table of contents... 2 Introduction... 3 About... 4 Social Networks - LinkedIn... 5 Abstract... 5 Employees can bring client information if they leave... 6 Competitors use of your social network... 7 Hackers use of your Online Social Networks... 8 Building up a large network... 9 5 month later What has happend... 10 Email harvesting... 13 Personalized malware and attacks... 14 Information disclosure of products and vendor usage... 15 Conclusion... 16 Disclaimer... 17 2/17

Introduction This research paper is focusing on some of the pitfalls that occur when companies or enduser signs up for common Online Social Networks such as but not limited to - Linkedin. Still, a lot of the problems described within this report, are exactly the same in any Social Networking applications available on the internet today. LinkedIn is an Internet social network service, used mostly for business connections. It has over 10 million registered users (source: LinkedIn) The threats when using Social networks are as following: - It can be used by competitors to gather information about your company s clients and who in the organization that it could be interesting to contact. - It can also be used by Hackers to find information about your company. - It can be used by employees to bring client information with them when they leave the company. - It can and possible will be used in the future for more specific attacks on specific companies or types of business. This paper was updated the 17 th of October and is based upon the already existing paper that was released on 16 th of May 2007. We have added updated statistics and some additional information to the report. The threats remain the same and are unchanged. 3/17

About A/S is a privately held Danish IT security company originally founded in 1999. Today we employ more than 20 dedicated and competent people. Values operates with a set of values describing our way to act internally, with our customers, as well as generally in the market. It describes our culture and is the very framework for our decisions and strategies and thereby supports us in all we do. This set of values makes us capable of attracting and retaining some of the leading competencies within IT security. Our devoted staff and the company value set is the main reason why we keep strengthening our reputation as a trusted, loyal, and competent IT security advisor. product strategy CSIS Security group wants to offer the most extensive and cost effective IT security solutions in the Nordics. To reveal, document, and prevent security breaches for our customers. To support the IT security responsible with gathering and analysis of information to prevent IT related crimes and harmful user behavior. IT security solutions ensure that management as well as the technical staff has access to an updated overview of the current status, and documents governance and control of security exposures 24x7. s target is to be among the top 3 suppliers within standardized, stabile, and modular IT security products, while providing economies of scale through a central solution with the possibility for strategic outsourcing The research paper was written by Dennis Rand at Questions should be directed to: Dennis Rand rand@csis.dk http://www.csis.dk 4/17

Social Networks - LinkedIn Abstract This research paper is describing some of the threats when companies or End user signs up for Online Social Networks. However, we will only address issues regarding LinkedIn in this paper. LinkedIn is an Internet social network service, used mostly for business connections. It has over 10 million registered users. Through your Social Network you can - amongst other things: Find potential clients, service providers, subject experts, and partners who come recommended Be found for business opportunities Search for great jobs Discover inside connections that can help you land jobs and close deals Post and distribute job listings Find high-quality passive candidates Get introduced to other professionals through the people you know Source: LinkedIn website (http://www.linkedin.com) The above can be abused by competitors to gather information about your company s clients and who in the organization to make contact with. But it can also be abused by hackers to gather sensitive information about your company that could be used in a targeted attack. The general issue with Online Social networks like LinkedIn, exist because people using it, are not aware of the threats that lie within the very structure of the network. I will try to show some of the pitfalls that you need to be aware of when employees in your organization are using services like LinkedIn. Also remember that these issues are not only related to LinkedIn, but to most Online Social Networks. 5/17

Employees can bring client information if they leave Most companies have a policy or personnel contract that states what information can be brought outside of the company when the employee is leaving it s position. E.g. it s not allowed to take any customer information with you, but when using LinkedIn or other Online Social Networking services, it can be hard to ensure that this does not happen. As I see the trend, more and more people add their clients and business partners and friends to these networks allowing them to bring it everywhere, maybe not with that specific purpose when they start building the network, but more because it is being so widely used. One of the features in LinkedIn is the possibility to integrate it with Outlook; this allows a person to create a network from a list of all contacts that are located in a company s mail system. Because of this, companies need to take action against this and make a description in their contracts and/or security policy on how users are to use Social networks if at all. 6/17

Competitors use of your social network The use of Social Networks are getting more and more common around the world, and are used for keeping a list of clients, friends, co-workers and business partners and contacts in general. LinkedIn has the option of allowing your current connections to view and browse all your current connections. This is a default setting when you start using LinkedIn, so it has to be changed manually, which I would advise everyone to do. When looking through the list of connections 90% of people in my list allowed current connections to view all their contacts. One of the best types of employees to get connected with are the sales people and management, since they are usually the ones who contact companies and not always think about the threats. These people could pose the biggest threat when looking at the competitor stealing information through Social Networks. While using LinkedIn it was possible to gather a large list of potential companies and within these companies also contacts that could be used to get your foot in. 7/17

Hackers use of your Online Social Networks A hackers approach towards abusing LinkedIn would be for the purpose of gathering information, since in LinkedIn and any other Social Networking solution, you can be whoever you want to be, or you can take the identity of whoever you want. During this research paper I created a profile with a fake name, and an all in all fake profile, used an anonymous mail address that could not be traced back to me. Profile has been hidden since I might want to use it in the future as well. Another reason for not making the profile name public is to protect the people I have connected to. Now that I had created an anonymous profile, I started building a reputation, and finding the companies that I wanted to explore deeper. Since the specific company that I wanted to gather information about does not have their email addresses made public anywhere, I added myself as a previous employee at the company, and used the feature in LinkedIn named Invite Colleagues. Depending on the size of the company and how I introduced myself a lot of people accepted without any questions asked. One of the things I experienced was that there were 5 people from that specific company that actually asked to be connected to me, and again I had never worked there. 8/17

Building up a large network I sent out a base of 10 invites to people I had never heard of with my test person. From there on I used the contacts to get even more contacts through introductions, and also send more invites to people who had published their email addresses so it is shown to everyone. Due to the fact that a lot of people make their email address public, it was possible to find the first 10 people with public mail addresses. Within 3 hours I received the first acceptances of the invites I had send out to people I had no clue on who was. After 3 days I started to get invites from other people just trying to get their network to grow larger, so this also helped me getting an even broader network. In less than 2 weeks I had build up a network of 1300+ connections with email addresses, names and a lot of information about the different large companies. The fact that I was able to build a quite large network of people with such a short timeframe actually surprised me. Also when looking at some of the large companies that I connected to, and was able to see a lot of information about, people really doesn t think of the possibility that the information they put into their profile can be abused. I would compare this to Google hacking, but with a new touch that hackers can use to get a lot more information on the internal infrastructure of companies. 9/17

5 month later What has happend It is now 5 month since this paper was released and I begun writing on this research project. I was impressed, that even after this paper was made public; people were still accepting - and worst of all - inviting me like crazy, all because I have a large. Network. I now have 2100+ connections in my network. However, since Linkedin changed their policy on how many invites you are allowed to send out, I stopped inviting people. But as illustrated below 18% the main reason for my network being this big today, is that people started inviting me to join their network (!). I received around 3-5 invitations every day. I then started wondering whether the main part of my network was just recruitment company people who wanted to have a large network to search in or what industry they are working in? But when I stated going through the connections one-by-one I was amazed when looking at the titles of people. This made me conclude: if people in the security industry are not more careful with their information they share, how would you expect normal people to be aware of the dangers?! 10/17

11/17

Top 30 of industry Computer and Network security 93 Financial Services 64 Banking 50 Investment banking 12 Security & Investigations 12 Defense & Space 7 Government Relations 4 Government Administration 3 Military 3 Law enforcement 1 Interesting industries CISSP 61 CISA 53 CISM 17 CEH 8 Certifications 12/17

Email harvesting If you create an interesting profile, and through your profile appear to be a previous employee, then you can get a list of employees that you can send an invite to without having to know their email address. The first few contacts are the hard ones to get, after that people can see that the identity that I created is already connected to someone within the organization, or some well known people they are more likely to just accept the connection. During my research project I actually got contacted by 5 current and previous employees that wanted to get back in touch. Now when you decide you have gathered enough information into your network, you can collect all this information in just one click. 13/17

Personalized malware and attacks I think that one of the more used ways in the future to distribute malware will be through more personalized or company specific attacks, the reason for this is to ensure a longer undetected life cycle of the specified malware or attack. This way to attack corporations has already been used with vulnerabilities, and also in some situations malware, but there is no question that this would be a more effective way to attack specific networks. Scenario 1: A malicious person would use the contacts connected through the network and send mails that includes information available about the people in the network. E.g.: Hey Jack, We connect through LinkedIn and I wanted to send you this information. Please view the attached file or download it from www.xxxx.dk/mycv Best regards John Doe Scenario 2: Publishing a question to specific groups within LinkedIn and add a link to a malicious website that would infect the user when they visit the website. Scenario 3: Add a link on my public profile to a website that could collect information on all the people visiting the website or add a malicious file for download calling it e.g. CV.exe describing it as a self extracting file containing a PDF with my CV. 14/17

Information disclosure of products and vendor usage Another security threat concerning Social Networks is that people put in too much information that can be abused by hackers to gain a rather large knowledge about the network and infrastructure. Look for these types of employees since they are the ones that potentially could be connected with consultants, software and hardware vendors: IT-security employees o Firewall vendors o External consultants o Other software / hardware vendors Networking people o Hardware vendors o External consultants Infrastructure And a lot more Also people who are working with the above often write what kind of Software and hardware they work with at the current place they are employed. As shown in the above case I would have a really good clue on what these two companies use to protect themselves, and also what OS they have available and how long they have used it, without being connected to the user. 15/17

Conclusion The use of Online networking applications are becoming more and more popular, and should be described in the Companies Security policy, one in which social networks are allowed, and how these are to be used, to protect your company from information disclosure. There are in short the following issues to be taken into consideration: People will write too detailed and possibly confidential information within their profile. People will allow everyone to see all connections made, again allowing possible confidential information to leave the company. Employees can bring client contacts with them, if they decide to leave the company, without stealing any information in the way we usually see; they have just connected to the clients. People will trust their connections and click on everything that they receive from these people. So are Social networks like LinkedIn Good or Bad? Well that again all depend on the usage of it. I find Social networks to be a good thing as long as you remember that your information is to some extend public to the world, so beware of what you write about yourself and your company since this information can and properly will be abused. Also when you accept connections ensure that people are who they say they are, and whether or not you really want them as a connection. And last but not least ensure what your company security policy has rules on usage of Social networks for their and your security. 16/17

Disclaimer The information within this document may change without notice. Use of this information constitutes acceptance for use in an "AS IS" condition. There are NO warranties with regard to this information. In no event shall be liable for any consequences or damages, Including direct, indirect, incidental, consequential, loss of business profits or special damages, arising out of or in connection with the use or spread of this information. Any use of this information lies within the user's responsibility. All registered and unregistered trademarks represented in this document is the sole property of their respective owners. If you use the above information you have to credit for the research. 17/17

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information