CIO

Social media and its hidden threats

Social media, where do I start? Social media has taken over our lives, especially for millennials and every generation after; we live and breathe it. We go out to dinner and need to take a picture of our lunch before we can even eat (even if it takes 10 minutes to get that exact shot I want and my food is now cold). Any time we travel or just go to the shops we feel the need to check in and tell our 10 followers what we are doing, almost to the extreme of telling them the last time we went to the bathroom (seriously, if anyone I know does this, even if you are my parents, I will unfriend you, no exclusions).

In today's society people share way too many details about themselves and their loved ones. STOP THIS NOW. No one needs to know everything you buy, every time you do anything, or that you are just leaving your house. I don't need to know your dog's name, your old school photos, or your children's names and the birthdays of your whole family as you post about every single one of them. I get that some of you like to share your experiences, and that is fine; even I use social media, but why I use it is probably a completely different reason than yours. Let me explain.

I am a HACKER (also known as a penetration tester or security engineer, but the name doesn't matter). Part of my job is to look for vulnerabilities in client systems and exploit them: find vulnerabilities and weaknesses that will provide me with a way in, whether those are systems, processes or even humans. If you share too much on social media, you are waving a red flag at a bull known as hackers. Yes, some of them are like me and are trying to better protect our clients or business, but there are probably more malicious actors (bad hacker types, cybercriminals and so on) than there are of us good guys/girls.

What you all need to understand is that these profiles are all public: anyone from anywhere around the world can look over everything you have ever posted, and you will never even know they did it. I know many of you are probably thinking, so what does it matter, I have nothing to hide; if I wasn't willing to share the information, it wouldn't have been posted on my social media. The part that you need to understand is that it isn't about any one particular post, it is about all the information that you are sharing, taken together.

When I want to gather information on a target company I look for all of the staff on LinkedIn and then Facebook to learn all I can about them, and put together information that will help me guess your account passwords, because you have probably already given it to me in pieces on your different pages. Let's see what you might have used: pets' names, favourite movie or foods, children's names and birthdays, your partner's DOB or anniversary. The list keeps going and going. All of this can be easily collated into a file that can be used to attack your accounts and let me straight into the company systems. That's not hacking, you say, but it is; you are just letting me save lots of time and headaches breaking in the hard way. (See this video on how easy it is in person too!)
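As an added illustration (not part of the original post), here is the defensive side of that observation: a check of the kind a password policy or self-service password reset can apply, which takes the details a person has already shared publicly and rejects any password built from them. The profile below is constructed and hypothetical, and the 12-character minimum is an assumption for the example. Rather than expanding the details into every spelling variant, the check undoes the common letter-for-digit substitutions in the password itself, so "bella", "B3lla" and "b3ll@" all fail the same test.

```python
import re
from datetime import date

# Constructed sample of the kind of details a person posts publicly
# (hypothetical profile for this example, not a real person).
PUBLIC_DETAILS = {
    "pet": "Bella",
    "child": "Liam",
    "partner": "Sarah",
    "favourite_team": "Broncos",
    "anniversary": date(2012, 3, 14),
    "child_dob": date(2015, 7, 22),
}

# Substitutions people use to "disguise" a word. Mapping the password
# back to plain letters means one comparison catches all the variants.
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})


def date_tokens(d):
    """Digit strings people commonly build a password from (no 2-digit tokens:
    they would match almost anything)."""
    return {
        d.strftime("%d%m"), d.strftime("%m%d"),
        d.strftime("%d%m%y"), d.strftime("%d%m%Y"),
        d.strftime("%Y"),
    }


def derive_tokens(details, min_len=3):
    """Lower-cased words and date strings derived from a profile."""
    tokens = set()
    for value in details.values():
        if isinstance(value, date):
            tokens |= date_tokens(value)
        else:
            word = value.lower()
            if len(word) >= min_len:
                tokens.add(word)
    return tokens


def normalise(password):
    """Lower-case the password and undo leet substitutions."""
    return password.lower().translate(LEET_MAP)


def personal_info_matches(password, details, min_len=3):
    """Return the profile-derived tokens found inside the password.
    Word tokens are searched in the normalised password; date tokens are
    searched in the raw digits so leet-mapping cannot hide them."""
    norm = normalise(password)
    digits = re.sub(r"\D", "", password)
    hits = []
    for tok in sorted(derive_tokens(details, min_len)):
        if tok.isdigit():
            if tok in digits:
                hits.append(tok)
        elif tok in norm:
            hits.append(tok)
    return hits


def is_acceptable(password, details, min_length=12):
    """Policy decision: long enough and not built from public details."""
    return len(password) >= min_length and not personal_info_matches(password, details)


if __name__ == "__main__":
    for candidate in ("B3lla2012!", "Liam22072015", "correct-horse-battery-staple"):
        print(candidate, "->", is_acceptable(candidate, PUBLIC_DETAILS),
              personal_info_matches(candidate, PUBLIC_DETAILS))
```

The same idea is what libraries such as zxcvbn do with their "user inputs" list; the point here is that the more of your life is public, the longer that list of forbidden building blocks has to be.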

It doesn't end there either: all of this information will be perfect for me to conduct a social engineering attack against your organisation. I know a lot of information that could help me appear to know you well. How is your son's basketball going? Did John pass his exams? I could have a great phone conversation with one of your team to make it look like I am who I am pretending to be.

How about we talk about your latest holiday to QLD? I could go on for hours about how the information we all share on social media is used and abused by malicious actors (and us good guys on occasion) to gain access to your accounts. In my case I would just go after your company account, as that is my goal, but malicious actors will go after your bank accounts (that would be a great surprise when you try to pay for the petrol you just filled your car with and all your funds have been transferred out to some nice offshore bank account). They will take control of your emails, social media and any other accounts they can get access to, then use those to scam your friends so they can clean out their accounts as well.

Social engineering can be done without this information, but don't make it easy for someone by handing them a treasure trove of ammunition against you when all they had to do to get it was look you up online. Sounds like an easy payday to me. This isn't the only threat that you face by oversharing; let us look at it from some other angles.

What if someone wanted to stalk you? They could see everything you are doing, know where you normally go, who your friends are, even where you live (people should never share their full address on social media; if you have, take it off please). Maybe a burglar who has been staking out your home to clean out gets your name from mail in your mailbox, then looks you up online to see your normal activities and finds you have posted that you are away for three weeks in Bali or New Zealand. You may as well have just left your doors unlocked, as you won't have anything left when you arrive home from your most amazing trip ever that you couldn't stop posting about.

So I hope you all understand what it is I am trying to get at here: STOP OVER-SHARING on social media. It will be the best thing you ever do, both to help reduce your risk of being a cybercrime victim and, to be honest, many of your followers/friends will probably thank you as well, as it can be irritating when you have one of those friends who shares more than any of us really want to know.

Take my advice or don't, but at least know your risks; then when your accounts are all breached you have no one else to blame but your serious oversharing.

Till next time…