The twits tweeting on Twitter..

So I know this post will be very unpopular among many of my social marketing friends who feel that Twitter is the best thing since sliced bread.  I will admit that while I find most technologies coming out today fairly useful, I could not find any useful purpose for Twitter in my daily life.  Until today….

Electronic Surveillance

When you are trying to pull off an attack, any attack, the first thing you have to do is gain as much intelligence about your target as you can.  When performing a social engineering attack, we have to find as much information about our victim employees as possible.  If I am going to successfully trick you into clicking an unsolicited email, I must send you an email that will pique your interest.  Before, this involved scouring websites, forums, and social networking sites.  While these were very useful, the information could be static: you were into cars 6 months ago, but now not so much.  The key to a successful social engineering based attack is simple: if you know enough information, the victim will never suspect you are an attacker.

So what is Twitter?  It is a micro-blogging service that only allows 140 characters at a time.  So people are forced to blog on very small, timely subjects.  From what they ate for breakfast to current events, “Tweets” are frequent and the subjects are far-reaching.  This can be likened to a cyber glimpse into someone’s life.  And that is a dream for a malicious attacker.  If I as an attacker am trying to find information about you that I can use, then Twitter becomes a must-read for me.  Granted, what song you’re listening to may not seem like a security issue.  Remember, a successful social engineering attack convinces you I am someone harmless.  Sending an email from the Hannah Montana fan club saying to join may not be a draw for a lot of people, but if I find that employee who is tweeting about Hannah Montana then I have found my ticket in.

The key to gathering successful intelligence is to first link the employee’s business information to a personal identity.  Twitter can again help.  If I am trying to find information on a Dr. Jane Doe who is a chemical engineer, and I do a search for a Jane Doe on Twitter and find a tweeter who is tweeting about working on a chemical molecule, chances are I have found a match.  From there I would look at her handle and see if that handle is used anywhere else on the internet.

Tweeter to a Jailbird

Your employees are twittering; do you know what they are saying?  Have they said anything negative about your company?  Have they let out any company/trade secrets?  I did a Twitter search for “layoffs”; check out some of these hits I found.  (These are hits from within the last hour.)

“I can’t “publicly” confirm or deny any layoffs. You will see a press release soon on Q1 results with details contained therein.”
“My co. offered 65 + 5 yrs. employees or 20 yr. employees a BUYOUT that sucks. Insulting offer. I sense layoffs are coming next.”
“Just entered the ranks of the unemployed!!! Layoffs at *****! Couldn’t have come on a brighter, sunshiney-er day!!!”
“They have behind scenes. So far I’m ok but they can’t cut too much from me. We knew layoffs in works. Fred always said he wouldn’t”

Most companies have a procedure in place to determine what company information is released, when it is released, and who releases it.  I find it highly unlikely that these tweets were approved by the company’s management as official statements from the company.  Let’s think about other instances: is your company about ready to release a new offering that is secret right now?  Do you have an expected new offering that has some issue?  Were your financials not quite where they were expected?

If your company is a publicly traded company, Tweets of secret information could be seen as insider information.  At that point you better have a PDA that will survive 5-7 years (with good behavior 🙂 ).

Plugging the holes

Again, as with many security fixes, it comes down to your end-user employees: security awareness training and proper policies put in place.  Have policies that state what business information should not be released by unauthorized employees in any form.  Make sure your employees know the risks of tweeting business information and ensure these policies are enforced.