We were asked to check the integrity of a larger financial firm located in Canada. We had a couple of meetings about where the important information was most vulnerable. After great debate, we decided that the HR department would be our target. They held a lot of SSN and PMI information. As a team we looked into when the best time would be to test this target and figured out that most, if not all, of the department would be recruiting at an MIT function. Because I set up a fake LinkedIn account as one of the upper management employees, I noticed that many of the employees, including the VP of HR, made reservations to MIT using TripIt via LinkedIn. It was quite amazing how many requests I got out of the HR department to be linked in without verifying my account.
While planning our attack, we started following many of the employees on FB, Myspace and Twitter. Nothing really special came out of our monitoring, until the weekend before our attack. The VP started twittering about a trip to Chicago. She was tweeting about the flight, the airline losing her luggage and how nice the weather was when she landed. Next she twittered for recommendations on where to get a new cell card for her laptop because the other one was in her lost luggage. She also started tweeting about a great sub shop called Jimmy Johns. The tweet was basically in these words: "I have fallen in love with a sandwich across the street from Best Buy. While waiting for them to install my cell card I ordered the gargantuan." Well, because Twitter is in real time, I knew this would be a great opportunity for a social engineering attack. I Google Mapped all the Best Buy stores and used Street View to see which had a Jimmy Johns across the street. It was actually down a couple of blocks... but I found it.
Calling the store, I asked for the technician working on her machine. I thanked him for helping us out with her laptop and asked if he needed anything, like an Administrator password. The technician said, "No, she already gave us the 2 passwords, xxxxx and xxxxxx." I said, "Great! What card and firmware are you installing?" The technician answered the questions after 15 minutes of trying to find it on the CD: "Version 2.1.1." Finally, I asked if he could do a huge favor: because we knew of a bug that would cause problems for her connecting to our VPN with that particular firmware, could he install an update? "I will email you a 2.1.2_firmware.exe file; if you will install it then she will be all set and not call me later." The technician sympathized and agreed to help me out. We now had a back door to the HR department, and I freed up a weekend from testing.
Moral of the story? Information security is just that... keeping your information secure. If your policy is to allow employees to use social media sites, then treat them as yet another system and find a way to monitor the information. Just like you should be testing phishing attacks, you should be testing social networking attacks. If you have a policy against employees using social media, then find ways to enforce the policy.
