21 Jan 2021
Social Media Security
Social Media Security is a topic that affects everybody. You might think that by not having an account on a popular social media site, you’re safe from the same type of social engineering attacks that affect active users. That might be just the kind of reaction a social engineer is looking for.
Cybersecurity is usually seen as a series of blinking lights – little devices that sit in a server room, or technical fixes for technical problems. In recent years, there has been an influx of a new type of hacker. Social engineers expose vulnerabilities in, and attack, the person in front of the computer.
For some hackers, social media is the first place to look for OSINT. Open-Source Intelligence (OSINT) is relevant data collected about a target from places that are open to the public. Government records, real estate data, image analysis and poring through local news are examples of places to find open-source intelligence. By far, the best tool on the internet for finding information on a person or organization of interest is social media. That statement in and of itself should be enough to warrant a review of your social media use to see what parts of your daily routines are exposed to the public. By gathering a large amount of data on a target, attackers are able to identify patterns of behaviour and trends that a target will likely repeat – that’s what we want to prevent.
Generally speaking, there are a few standard rules where social media use is concerned. A malicious person is going to be looking for relevant, specific information. Knowing that, we can adapt the way that we work online.
Don’t post the big W’s.
Remember back in public school, when you had to review a news article to find the relevant, specific information surrounding the core of the story? Yeah, so do bad guys.
Avoid posting information about where you are, who you’re with, what you’re doing and when you’re doing it. Including this information is what social media has programmed us to do – when we receive a ‘like’ for posting something, we get a tiny little hit of that feel-good brain chemical dopamine. Bad guys know that, too. They know that most people are inclined (even subconsciously) to chase that feel-good response and will post the stuff that makes that happen.
The trouble is, when you post enough information with who, what, where and when data, your actions and belief structures can be shuffled into an order. That order – a pattern of history – can be used to predict the way you might react to situations in the future. Without paying close and conscious attention to the way you act, this response – the way you act – can be manipulated through social cues to influence you.
Don’t post Pretext.
A common use of OSINT is to develop pretext for an on-site visit by an attacker. Sure, we trust the physical security devices and policies put in place to thwart an in-person visit from a bad guy, but with the right pretext, you might even let them in yourself.
Pretext, when it comes to social media security, is the use of a story to build trust with a target. This might be in the form of an email or private message that references a past professional event the attacker claims to have attended. This could look like an attacker trying to determine services you use to develop a reason for appearing in-person – if an attacker knew which cleaning service visited your office, could they use that information to develop a pretext for trying to fool you into thinking they were on-site for scheduled cleaning?
Be careful posting email addresses.
On social media, posting email addresses can be a tricky thing. Say, for example, your organization is hiring. Generally, resume uploads go to whomever is responsible for the hiring process. Posting the direct email address of that person can lead to a sophisticated attack.
Let’s say your hiring manager’s address is billdungey@company.ca. It takes a few minutes and 20 dollars to register a new domain with a few free email addresses. So, let’s say the bad guy registers a domain and creates an email account that looks like this – billdungey@company.co.
Sure, given the time to review the particular extension on that domain (“ca” as compared to “co”), you’ll notice the difference. A very common attack uses domain squatting or typosquatting to emulate the target’s email addresses with a minor typo. In the middle of their workday, most people don’t have the time or attention to notice the difference.
When posting email addresses on social media, it is always best to lead would-be contacts to a general mailbox like info@ or hello@ instead of an actual user address so bad guys don’t have an easy time deciphering specific people they can pose as.
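The defensive counterpart to the lookalike-domain trick above is to have your mail pipeline flag inbound senders whose domain is one character or one TLD away from a domain you actually own. The following is an added example, not code from the original post: the trusted-domain set and the sample sender addresses are constructed for illustration, and the `split_domain` helper assumes a single-label TLD (it does not consult a public-suffix list, so `co.uk`-style suffixes would need extra handling).

```python
"""Flag sender domains that look like a trusted domain.

Added example, not from the original post. TRUSTED_DOMAINS and SAMPLE_SENDERS
are constructed values; in practice the trusted set comes from your own mail
configuration and the senders from real message headers.
"""
from typing import Dict, Iterable, Optional, Tuple

TRUSTED_DOMAINS = frozenset({"company.ca"})  # constructed: domains you own


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert / delete / substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def split_domain(domain: str) -> Tuple[str, str]:
    """Split 'company.ca' into ('company', 'ca').

    Assumes the last label is the TLD; multi-label suffixes (co.uk) would
    need a public-suffix list, which this example deliberately omits.
    """
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[:-1]), labels[-1]


def lookalike_reason(domain: str,
                     trusted: Iterable[str] = TRUSTED_DOMAINS) -> Optional[str]:
    """Return why `domain` resembles a trusted domain, or None if it does not.

    An exact match or a subdomain of a trusted domain (mail.company.ca) is
    treated as legitimate and never flagged.
    """
    domain = domain.lower().strip(".")
    trusted = [t.lower().strip(".") for t in trusted]
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return None
    d_name, d_tld = split_domain(domain)
    for t in trusted:
        t_name, t_tld = split_domain(t)
        if d_name == t_name and d_tld != t_tld:
            # The company.ca -> company.co swap from the post.
            return f"same name as {t}, different TLD (.{d_tld} vs .{t_tld})"
        if levenshtein(domain, t) <= 1:
            # One-character typos and homoglyph swaps such as c0mpany.ca.
            return f"within one edit of {t}"
    return None


def check_sender(address: str,
                 trusted: Iterable[str] = TRUSTED_DOMAINS) -> Optional[str]:
    """Flag an e-mail address whose domain resembles a trusted one."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        return "malformed address"
    return lookalike_reason(domain, trusted)


# Constructed sample senders, not real mail headers.
SAMPLE_SENDERS = [
    "billdungey@company.ca",   # legitimate
    "billdungey@company.co",   # TLD swap described in the post
    "hr@mail.company.ca",      # subdomain of a trusted domain, legitimate
    "billdungey@c0mpany.ca",   # digit zero in place of the letter o
    "recruiter@example.org",   # unrelated domain, should not be flagged
]


def flagged_senders(senders: Iterable[str] = SAMPLE_SENDERS,
                    trusted: Iterable[str] = TRUSTED_DOMAINS) -> Dict[str, str]:
    """Map each suspicious sender address to the reason it was flagged."""
    result: Dict[str, str] = {}
    for sender in senders:
        reason = check_sender(sender, trusted)
        if reason:
            result[sender] = reason
    return result


if __name__ == "__main__":
    for sender, reason in flagged_senders().items():
        print(f"{sender}: {reason}")
```

Every domain the organization legitimately uses (including a `.com` alongside a `.ca`) belongs in the trusted set, otherwise the TLD-swap rule will flag your own mail; the check is meant as a triage signal for a mail gateway or a quick header review, not as proof that a message is malicious.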
Social media presents an amazing way to communicate. Using social media wisely requires a nuanced approach with careful consideration for the data we share. Of the available sources of information an attacker could use to begin profiling a target, social media is the most common and most content-rich place to start gathering information. Your use of social media should be predicated on that idea – the bad guys use it too, and they know exactly what to look for.