As someone who is old enough to have listened to music on 8 tracks (and I mean the objects, not the application), I have watched social media grow from its inception. Admittedly, early on I was not a fan. Back before I had established a presence in the LiveJournals of the world, a friend of mine asked my permission to create a social media presence for me without my participation. Using nothing but open source data, he built profiles in all the major social media systems.
As expected, people sought connection with this persona and the experiment stopped when people started conveying personal information without verifying it was even me. It had a picture of me and facts that had been harvested from several biographies posted from security conferences where I’d presented.
Today, there are entire web pages dedicated to things like Facebook cloning, which copies relevant publicly viewable information from a target and even automatically issues requests to all their publicly viewable friends.
With a few exceptions, I suspect most of us have at one time or another run into name collisions on the Internet -- instances where you have been confused with another person who has the same name as you. Or maybe you did a web search to see who else was walking around with your name in their underwear. I know of one Steve Mancini in Maine who likes to shop at Home Depot; another has a memorial flag football game in his honor.
Somewhere around 2008, I ran into the most interesting collision when I started receiving correspondence about computer forensics training, teaching classes, and presenting. At the time, I was working with local law enforcement as a police reserve, where I managed their computer forensics department and performed forensic discovery, so I didn’t think much of it. It wasn’t until several email exchanges later that I realized they had the wrong Steve Mancini. They were looking for the forensics expert in Pittsburgh, whom I found on LinkedIn in just a few minutes. So not only is there another Steve Mancini out there, but his career is also focused on computer security.
Attacks on Social Media
A few years back, I learned of a penetration test that included impersonating a new member of the company to gain access to social media groups affiliated with the company. The plan was to target things like employee-managed Facebook groups, etc. The approach was to create a new account and introduce themselves to current employees within the social media group as a “newly hired, hasn’t started yet, but is looking for suggestions on where to live” persona.
Most people would probably be helpful and welcoming. In fact, if their bosses or other managers were in the group, they’d likely be even more helpful, as this is usually the type of behavior employers like to see within their organization. Would these imposters get the keys to the kingdom through this approach? Probably not, but it certainly could help them down the path. And they’d get a lot more information than you’d probably want to be known publicly – perhaps even product roadmaps and upcoming launches… the list goes on.
The degree of risk that is associated with social media will vary based on the situation and intentions. There is a significant difference between accidental collisions and intentional deception and sometimes it is not easy to distinguish between them.
Your presence on social media can result in you establishing trust with people you may not know in “real life.” It can be used by threat actors to gather information about you that reveals the answers to the ever popular “secret questions” anchored to password change processes as a “security measure.” You may even find that potentially embarrassing information is unveiled and used against you. (Note: if anyone ever finds my “Paradise by the Dashboard Lights” karaoke rendition I am doomed.)
• Social media is an attack surface for you, for the organization you work for, and for all of your connections on social media. Like every other technology, how you use it should include some deliberation about what you make accessible and what you control.
• Impersonation is easy for attackers and can be used for several reasons, including building trust, gaining access to closed social media groups, as well as gaining information (about you or the person they are impersonating).
• Always validate the identity of anyone who you add to any social network where information about you and your organization is discussed or disclosed.
  - It’s important to remember that LinkedIn, while used primarily in the business world, is still a social media platform and is used by attackers quite often. These LinkedIn requests often come from accounts claiming to be fellow employees. The industry best practice is to follow up through an alternate communication channel such as email, and to report anything that seems strange – people asking probing questions about the organization, for instance – to your organization’s security or IT team.
• Most social media platforms have guidance on managing your personal privacy and what you reveal about yourself. It is worthwhile to review these and make changes based upon your personal goals in using such platforms.
About Steve Mancini
Steve currently serves as the Senior Director of Security for Cylance, where he and his team focus on risk management, security strategy, operational security, and incident response for the company. Steve worked for seventeen years at Intel, where he established programs around security community outreach, threat intelligence, APT response, and emerging threat analysis. Outside of work he co-chairs efforts to formalize a threat intelligence sharing policy framework (IEP), contributes to several working groups through the CEB CISO Coalition, and serves on the program committee for some of his favorite security conferences.