How to Hack a Corporate Network…with Facebook
Robert Siciliano Identity Theft Expert
There’s a lot of excessive trust in the Facebook world. People have entirely dropped their sense of cynicism when logged on. They have no reason to distrust. People who are your “Friends” are generally those who you “know, like and trust”. In this world, your guard is as down as it will ever be. You are in the safety of your own home or office hanging with people all over the world in big cities and little towns and never have to watch your back.
Ethical hackers are the tech industries white nights, also known as “white hat hackers”. Steve Stasiukonis from Secure Network Technologies is such a person. He’s hired by by companies CIO’s to penetrate an organizations network to determine where its vulnerabilities are.
The process of a white hat starts with a permission based hack that often leads to results that make the CIO nauseous. Getting the data may mean hacking a wireless connection, hacking a public facing website, or even going through a skylight after hours. In Dark Reading Steve writes about how he did it with a fake badge and a Facebook profile. This is a perfect example of how vulnerable people make themselves and their corporate networks because of what they post to Facebook.
We started the project by scouring all of the social networking sites for employees of our target company. Not surprisingly, we found numerous people who openly discussed what they did for a living. We also found numerous employees who openly discussed disappointment in their employer.
We perused popular social networking site like MySpace, LinkedIn, and Plaxo, and ended up focusing on Facebook.com. The majority of our customer’s employees were using Facebook, so we created a Facebook group site identified as “Employees of” the company. Using a fictitious identity, we then proceeded to “friend,” or invite, employees to our “company” Facebook site. Membership grew exponentially each day.
By creating a group, they were able to get access to employees profiles. The “group” is a place where those who you know, like and trust are your “Friends” and in this case fellow employees who you have no reason to distrust.
Because our assignment required us to compromise a secured facility, we chose to use the identity of one of our Facebook-friended employees to gain access to the building.
Because of the companies size they were able to recreate the identity of an employee that wasn’t known to the branch office to which they breached. But his name was still in the system. So with a little creativity, a fake business card and enough information gleaned off of Facebook, they were able to re-create their man.
On the day we intended to breach the facility, our guy was dressed with a shirt embroidered with our client’s logo, and armed him with business cards, a fake company badge, and his laptop. Upon entering the building, he was immediately greeted by reception. Our man quickly displayed his fake credentials and immediately began ranting about the perils of his journey and how important it was for him to get a place to check his email and use a restroom. Within in seconds, he was provided a place to sit, connection to the Internet, and a 24×7 card access key to the building.
Later that evening, he returned to the empty office building to conduct a late-night hacking session. Within a short period of time, he had accessed the company’s sensitive secrets.
Awesome. This is a perfect example of why Facebook is a nightmare to the corporate CIO. I don’t share that trust that most people have in Facebook. I’m all business on Facebook. I’m not all that friendly. Kind of a stiff. I’m also a security professional, not so trusting. So to my “Friends” (the actual 10 out of the 400 that I have) I apologize to all. I’m just not ready to share my daily routine with everyone just yet. If ever.
People often try to “friend” me, and I can see that they are “friends” with people I know. But I don’t know them. And the mutual friends often tell me that they don’t know the person, but were “friends” with someone else they knew, and they accepted based on that! That’s nuts! Next thing you know, they are trolling through your “friends” and befriending people in your network, who accept based on their trust in you! Dizzy yet? The point is, stop the madness! Don’t allow these trolls into your life. Mom told you not to talk to strangers. I’m telling you not to “friend” strangers, because they could be scammers.
Scammers are watching. They know that once you are on Facebook, your guard goes way down.
- Get a credit freeze. Go to ConsumersUnion.org and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.
- Invest in Intelius identity theft protection and prevention. Not all forms of identity theft protection can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)
Robert Siciliano Identity Theft Speaker discussing Facebook hacking on CNN