Should you protect your identity from cybercriminals and would-be penetration testers?
Monday, October 29th, 2012
Andy Smith, an internet security chief at the Cabinet Office, has said people should only give accurate details to trusted sites such as government ones. (http://www.bbc.co.uk/news/uk-politics-20082493)
Giving fake details to social networking sites is “a very sensible thing to do”.
The reason is the sheer number of websites that ask their users for sensitive personal information, such as date of birth, where that information is not strictly necessary for the service being provided. With so many sites each holding a piece of that data, keeping an individual’s information confidential across all of them is becoming virtually impossible.
Working for a well respected penetration testing company, I see the effects of this on a daily basis when SECFORCE is asked to perform social engineering attacks and client-side browser exploitation against unsuspecting company employees. Without the rich source of information leaked about organisations’ employees through social media and other websites, our job of either tricking the user, or using their identity to trick others, would be much harder.
The trick with a client-side attack is to persuade an individual to perform an action of some kind. The chances of success rise sharply if you use specific information about that user that puts them at ease and elevates their misplaced trust in you, the attacker. This is why social media is so powerful: a message from a friend on Facebook, or an email from a colleague on LinkedIn, each containing a specific piece of information (for example a happy birthday message on your birthday) and prompting an action to click or download, such as ‘here is a picture of your daughter from the party last weekend’ or ‘good luck with the presentation today’.
Messages that are backed by some truth and by private information are far more likely to produce the desired result: compromise of the user.
Cyber criminals have exactly the same access to this information as legitimate penetration testers, and they are putting it to good use. Client-side browser attacks are increasing rapidly. The attacker’s goal is often to establish a bridgehead into an organisation from which to cause further, more significant damage. This form of attack can be sustained against an organisation and its employees for months, so the odds of success are on the side of the attacker, and the most effective countermeasure remains the awareness and vigilance of your employees, backed by keeping client software patched so that a single careless click achieves as little as possible.
So, is Andy Smith from the Cabinet Office right to give this advice? There are clearly a number of challenges in protecting an individual’s identity online; at the same time, websites such as Facebook, Twitter and LinkedIn, as well as the hundreds of others that store information about you, are here to stay. We are at a point of transition: not fully equipped for, or aware of, the risks our online behaviour exposes us to, yet reliant on the benefits this technology brings to our lives.