Did I Lock The Door?
By Matt Cole – Senior Technical Consultant
How many times have you left the house, and then 10 minutes later, you’ve wondered if you locked the door or not?
Most of the time, you have, and your house is relatively safe, but it’s quite often the first thing you consider when worrying about your security. The same could be said for a system or an account. Did you remember to lock your device, or log out from your online account?
Of course, this does make access for a criminal more difficult, but in a digital age where everything is online, we must consider more than just whether we have preventative measures such as locks, or restricted access.
Perhaps another question we should be asking is, “Am I accidentally giving away my keys?”
The information we share online always seems so innocent because it is normally such a minute detail that no-one could possibly use it maliciously. A picture of a dog, a running route on a fitness app, or membership of an online community.
The problem comes when all this information is collected, processed, and analysed. This is called Open-Source Intelligence (OSINT), an intelligence discipline using information gained from public sources, which is then analysed to satisfy a certain requirement. This can be something legitimate such as due diligence, or nefarious such as gaining access to someone’s workplace, or online account.
Consider a scenario where someone has just joined a new company. They post a picture of themselves in the new office, with a job title of System Administrator, and the post has a comment from a manager saying, “welcome to the team.”
This is a relatively common example and can provide a lot of ammunition for a potential attacker. For example, the attacker could take note of the manager’s name, use an open-source tool to work out the company’s email address format, create a similar-looking email address bearing the manager’s name, and then send an email to the new employee asking for personal information. This is called a spear phishing attack, and it does not take much time to set up and execute convincingly. Because the employee is new, they might not yet be familiar with the company’s culture and communication style, and may assume the message is genuinely from the manager.
Another piece of information could be the job title itself. In this example, the job title, System Administrator, could lead a hacker towards exploiting a vulnerability in specific software or hardware that the company may be using, and when cross-referenced with the employee’s qualifications and experience, the search is narrowed.
It could also be used alongside other OSINT techniques, such as researching the employee’s geolocation activity on fitness apps, to craft a very convincing spear phishing attack against another employee. A system administrator is an ideal person for hackers to impersonate: their critical role within the organisation creates a natural sense of authority and trust in anyone receiving communication that appears to come from them.
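The spear phishing scenario above relies on a message that looks like it comes from a colleague but does not. As an added illustration of the defensive side, and not code from the original article or its author, the Python below performs three simple checks on an inbound `From:` header: a display name that matches a known member of staff but is paired with a different address, a sender domain that is one or two character edits away from the real company domain, and a staff member’s mailbox name reused on an external domain. The company domain, the staff directory and the sample headers are all constructed for the example.

```python
# Added example, not from the original article: simple checks for the
# impersonation patterns a spear phishing email typically shows.
# All domains, names and headers below are constructed for illustration.
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.com"  # constructed company domain
# Constructed staff directory: display name -> genuine address.
STAFF_DIRECTORY = {
    "Jane Manager": "jane.manager@example-corp.com",
    "Sam Sysadmin": "sam.sysadmin@example-corp.com",
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: the number of single-character edits
    needed to turn a into b. Used to spot look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,          # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_sender(from_header: str) -> list:
    """Return a sorted list of warning flags for a From: header.
    An empty list means none of the three checks fired."""
    display, addr = parseaddr(from_header)
    display = display.strip()
    addr = addr.lower()
    local, _, domain = addr.partition("@")
    flags = set()

    # 1. Known staff display name, but the address is not that person's.
    genuine = STAFF_DIRECTORY.get(display)
    if genuine and addr != genuine.lower():
        flags.add("display-name-impersonation")

    # 2. Domain is close to, but not equal to, the company domain
    #    (e.g. a digit 1 in place of the letter l).
    if domain and domain != COMPANY_DOMAIN:
        if edit_distance(domain, COMPANY_DOMAIN) <= 2:
            flags.add("lookalike-domain")

        # 3. A staff mailbox name reused on an external domain
        #    (e.g. jane.manager@ a free webmail provider).
        staff_locals = {a.split("@")[0].lower() for a in STAFF_DIRECTORY.values()}
        if local in staff_locals:
            flags.add("staff-name-external-domain")

    return sorted(flags)


if __name__ == "__main__":
    # Constructed sample headers: one genuine, three suspicious.
    samples = [
        '"Jane Manager" <jane.manager@example-corp.com>',
        '"Jane Manager" <jane.manager@gmail.com>',
        'Jane Manager <j.manager@examp1e-corp.com>',
        'Jane M. <jane.manager@gmail.com>',
    ]
    for header in samples:
        print(f"{header:50} -> {check_sender(header) or 'ok'}")
```

The checks are deliberately conservative and are meant to complement, not replace, SPF, DKIM and DMARC validation. The edit-distance threshold of 2 is an assumption that suits a domain of this length; on very short domains it will flag unrelated names, so tune it against your own mail flow before alerting on it.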
The point of this is not to say stop sharing content. Communication via the internet has opened the world, forged new connections, maintained relationships that would otherwise have dissolved, brought many benefits, and launched us into a digital era. However, in this new era, it is best practice to limit what you share where possible, and to limit the recipients of your content to those that you trust. Once it is on the internet, we should assume that everyone in the world can see it, even after it is deleted, and that someone out there will want to use it maliciously. Social media, geolocation, avatars, and usernames are relatively new concepts, and we must consider their impact on security as equal to that of the physical or preventative measures we are so used to.