How a thief can use your Facebook account to rob your workplace

How much does your Facebook, LinkedIn or Twitter account give away about you?
Chances are it’s too much, and it could cost you or your boss big time, according to a ‘woman’ whose job it is to break through the barriers to reveal businesses’ security failings.
And no matter where you sit in the line of command, your social media accounts are probably just what she needs to open the door.
Sophie Daniel - probably not her real name - has revealed just how far she can go if you’ve revealed where you grew up, your pet’s name or your mum’s maiden name to your Facebook friends.



It's called a 'social engineering hack', and chances are you've left yourself wide open.
Sophie can make it all the way into your boss’s office before anyone knows she’s in the building. And who knows what she's swiped in the meantime.

Chances are everything needed to guess your password has been shared on your Facebook feed over the years. Photo: Getty Images
Writing for Vice's Motherboard, the security firm penetration tester said one woman, nicknamed Mary, had helped her do just this because she was kind, caring, and gave away too much.
“Mary was a brand-new hire working as an assistant at the manufacturing facility. Mary had a public Facebook account too,” Sophie wrote, after finding her mark via LinkedIn.
“This is not an advanced investigation. I'm not a private investigator and I don't have the resources of the NSA. But I can do a lot of damage with simple methods.
“Most notably to me, there were photos Mary posted of her time volunteering with a certain maternity support center.”
Appropriately prepared and aware of Mary's soft spots, Sophie assumed the identity of a fictional PA called Barbara, phoned Mary and told her she was organising a visit for an architect who'd been hired to redesign the offices.
Mary was not aware of any office redesign. Mary became suspicious but 'Barbara' had done her homework.
‘Barbara’ told Mary she was overwhelmed and her baby was due soon. Mary went into comfort mode and helped ‘Barbara’ get out of trouble with her fictional boss.
“Our Mary was committed at this point. Not because she is stupid, but because she is a good person. She wanted to help me,” Sophie wrote.
Days later, Sophie arrived at the building using a different moniker - Claire this time - and they rolled out the red carpet. Everyone was very excited about the redesign. Sophie told them she worked for the same firm that did Google's offices.
'Claire' had come prepared with faked business cards. Her 'firm' also had a fake website.
“We became best buds. I was given complete and unaccompanied access to the facility where I stayed for several hours,” she wrote.
“I gained network access and stole several thousands of dollars in physical primitives by picking my way through cheap locks.”
As ‘Claire’ explored the building, she managed to steal thousands of dollars’ worth of sensitive products before the staff took her out for tacos for lunch.

Afterwards she continued her expedition, eventually navigating her way to the office of the employee who had contracted her security firm so she could introduce herself.
“I will never forget the look on his face… Pure gold. ‘Who?.... Wait, what? How? How did you get in here?!’” Sophie wrote.
With that, a long conversation followed about all of the opportunities the company had had to stop her infiltration in its tracks.
Sophie assured her readers Mary was not fired, but she probably should have made more effort to verify that ‘Barbara’ and ‘Claire’ were who they said they were.
She might also consider adjusting her LinkedIn and Facebook privacy settings.

