Thursday, 25 September 2014

Securing the virtual you

I blogged recently about the Cyber Kill Chain where I look at each of the steps.  Many of the steps can be dealt with using technology, except one stage, the reconnaissance stage.

Who's the target?

As the bad guys need to be more specific in targeting individuals, research is the key.  Knowing who someone works for, who their friends are, their hobbies and pastimes, they all help construction a picture of the target.  If you know your target, you can try to exploit it by sending emails with specific topics and links to lure your target to click on a link which can compromise their machine.

Spear-Phishing

People who are normally target to a "spear-phishing" (if phishing is a wide indiscriminate attack to get users details, spear phishing is targeting a very group or an individual person) are people who will have more rights than a typical user.  Why?  Well I mentioned in previous posts that a compromise will involve administrative credentials 100% of the time.  So the target will often be members of the executive team (who often have more rights than a user) or members of the IT team.

Research/Googling?

How would I find out more about someone?  Use Google (other internet search engines are available) and search for them.  As an example, I'll use me and see what's available out there...


LinkedIn

The second hit is for LinkedIn and most of the posts that follow are for a Singaporean racing driver (I'll give you a hint, I'm not a racing driver!).  For those who are unfamiliar with LinkedIn, it's a social networking site for "professionals" effectively giving a CV online.

So following the link, it takes me to a number of people called Andrew or Andy Tang internationally, but LinkedIn handily gives a link at the top to refine this list to Andrew or Andy Tangs based in the United Kingdom.  



So if you knew who I worked for (MTI by the way), then you'd know to click on the top link.  If you didn't, then you probably won't target me!  So now I can see a public profile of Andrew Tang, and even without a LinkedIn account I can gather a lot of information.



Now you know who I work for and have worked for, along with people who I must be linked with in some fashion, as people looking for my profile have also looked at these profiles.  That already creates links with people or organisations I would potentially trust, or would not find odd if I received a communication from them.  Additional information such as company websites and blogs may also be there and give more clues.

Google+/Blogger

Following out to the blog, it can be seen that the URL to my blog (that you're reading by the way, thank you) is http://blog.andytang.com which gives us similar information to the LinkedIn profile, as well as a link to my public LinkedIn profile.  There is also a link to my Google+ profile as the blog use Blogger which is a Google company.  

Twitter

Information we already have like company and LinkedIn details.  There is a link to Twitter, along with some people who have put me in their circles.  Again, more people that I would not find odd if I received communications from them.  Let's follow the link to Twitter...


No real insights here, except that I say I live in Surrey.  That may have been assumed as current and previous employers are in Surrey as well.  

WhoIs?

Maybe time to get a little cleverer!  We know the domain I own andytang.com, so there must be some information around that domain.  A WhoIs will find out who has registered this domain:


No real information here either!  

Facebook

I've tried looking for a Facebook page, but struggle to find myself, even if I spread the net wider with more information than can be found above.  None of the profiles below are me, but then I have locked down my privacy settings.


I thought I'd try a different way to get to the profile.  I know who Andrew Tang works for and I know they have a Facebook page.  Having a quick look through would show up any posts Andrew Tang may have liked, and from there I can access the profile and gather more information:


This shows my Facebook privacy settings work!

Corporate Website

Most corporate websites have a who's who on it, but I'm not currently on it.  Although if I were, it would probably show a photograph and a brief about me, which  could uncover hobbies or pastimes.

So what?

A lot of information can be uncovered very quickly about people.  If I were a target to an attack, I would hope that my privacy settings and IT awareness would help.  If the communication was more targeted from people I know or around a hobby or pastime, I may well click on them.

Our virtual presence keeps growing, but do we keep tabs on what's out there.  I did the above with no special access or logins.  The only site that needed an account was Facebook, but the rest is there to be discovered.

Take the time to secure and protect your information, and make sure there's not too much out there.

Googling yourself is no longer about vanity, it's about security!

No comments:

Post a Comment