The Perils of the Internet
Last week, certain areas of the Internet found out about Zanarkand and, upon seeing the cipher at the bottom of the page, decided we were part of a government conspiracy. While this is obviously untrue, and we’ve explained the cipher and (sadly) decided not to honor the discount contained within it going forward, the situation did serve to highlight one of the issues with the Internet: easily accessible personally identifiable information (PII).
Once they found our site, it was very easy to discover who our President is, as his name is on our business application, our FCC license, and the public data about the website. From his name, they were then able to find his LinkedIn and Facebook pages. And from there, they started constructing a profile.
If this were an intrusion attempt, rather than a portion of the social Internet chasing ghosts, they could have leveraged this information to attempt to gain access or additional information. They might have friended him and found his friends list, then correlated that with the rest of the bios on our site. And if they were dedicated, they could have then found out everything they could about each person on our team, and used that in a social engineering attack.
For example, let’s say they found out that one of our team members, Andrew, has a hobby of collecting rare ceramic figurines (he doesn’t, but it’s a good way to illustrate our point). With that information, they could start going through websites dedicated to that hobby, looking for any posts by Andrew. And because Andrew is dedicated to finding certain, very rare figurines, he has been posting on many different sites, detailing exactly what he’s looking for. With this information, the attacker could then contact Andrew, saying that he has exactly what Andrew’s looking for: all Andrew has to do is visit a webpage (conveniently linked in the email sent to him) to see the item. When Andrew inevitably clicks the link (because he cannot resist a good find), his browser is compromised, then his computer, and through it the attacker gains access to any networks the computer is connected to, as well as any information Andrew has stored on it.
This is a somewhat contrived example, but attacks like this are often carried out in the real world, and they are an effective (if not efficient) way to compromise a network. Exploiting weaknesses like Andrew’s penchant for finding rare figurines can sometimes be the only way into a secure network, and can be very difficult to protect against.
The best way to foil attacks like this is to always be on your guard. Sometimes even the most seemingly innocuous information can give someone exactly what they need to start an attack, so never assume that just because someone knows about your obscure hobby, they have only friendly intentions. And if you are on Facebook, LinkedIn, or other social sites, do your best to keep your work account separate from your personal one. These are fairly simple steps, but they can make a huge difference when it comes to securing yourself and the company you work for.
Social attacks can be as simple as the poorly written phishing emails you get from people claiming to work for your bank, or as complex as what we’ve described here, although even this example isn’t as in-depth as some attacks can be. So be careful with your personal information, and stay safe out there.