A product marketing manager at your company just posted a photo on LinkedIn. The problem? In the background of the image, there’s a Post-It note that contains his network passwords. You can barely see it, but using artificial intelligence algorithms, hackers can scan for the publicly available image, determine there are network passwords, and use them for data theft.
According to data security expert David Maynor, this is not rocket science. In fact, the AI program is easier to use than a search engine. “The AI can identify objects in an image and the environment of the photo, guess at a description of the image contents as well as your likely age, gender, facial expression, and more,” says Maynor. “And these tools are becoming increasingly powerful with every image they scan, learning and becoming more accurate.”
While it might be easy to dismiss sites like Facebook, Twitter, and LinkedIn as harmless diversions for employees, they reveal a wealth of actionable intel to a hacker.
James Maude, a senior security engineer at the endpoint security company Avecto, told CSO about another troubling development with social media hacks. Hackers can now scan a Twitter feed to find out information about an employee’s preferences and tastes. If that same marketing manager posts all day about his new iPhone 7, the hacker can then create a phishing scam that looks like a product announcement for an iPhone 7 case. Suddenly, the trick is more effective because the hacker knows there is an existing, verified interest.
“The increased targeting of social media and personal email bypasses many network defenses such as email scanning and URL filtering,” says Maude. “One of the most dangerous aspects is that the attacker is manipulating the victim by using employment offers or illicit content, ushering victims to not disclose the incident to their organization’s security team.”
Of course, part of the issue is that social media is an incredibly large attack vector -- the largest ever created. Facebook has 1.79 billion users. Twitter has 317 million users. It’s becoming hard to find people who are not using social media in a business setting. Like moths to a flame, hackers know they can find gullible victims who release unusually sensitive data.
Social media hackers rely on age-old techniques as well, as security expert Mike Baukes -- the cofounder of IT automation company UpGuard -- explained to CSO. Because sites like Facebook are considered “consumer grade” by many users, employees don’t think as much about security, so they don’t bother with two-factor authentication (say, receiving an unlock code by text). And employees grant access to countless third-party apps, which may not be secure either.
Baukes says this creates an easy target, especially as users forget which sites they’ve approved as capable of releasing information, posting on their behalf, and connecting to other services. A hacker might not be able to break into a Twitter account, but he or she might be more successful with a dashboard that stores your authentication data in a less secure portal.
Another simple attack is so common it’s likely already happened to many employees. A hacker takes the employee’s picture from a social media profile and sends a phishing message. Because you see your own photo, you naturally click. Joseph Carson, the head of Global Strategic Alliances at Thycotic, a secure account management company, says clicking on the email leads the user to a site where they grant access to their login (usually through a fake “password reset”).
What to do
Baukes was quick to point out that most of the top-tier social media services like Facebook and Twitter offer two-factor authentication, so employees should be instructed on how to enable and use those features. Beyond that, employees also need to be extremely careful about handing out their credentials to any third-party sites. It creates a security nightmare of shared logins.
Maynor says it is important to understand how hacked social media data is used. In the selfie scan example, advertisers might use extracted data such as location and gender for advertising purposes. Employees need to understand that social media information can reveal a treasure trove of data about a company that can be used by hackers for nefarious purposes.
Nathan Wenzler, the principal security architect at AsTech Consulting, says users should be instructed in how to watch for unusual changes to their social media activity. For example, if you normally use Facebook and the service never logs you out, then suddenly starts logging you out for no reason, it could be due to a compromise -- users need to report this change.
Neill Feather, the president of website security company SiteLock and a board member at the Online Trust Alliance, reiterated the concern over third-party sites like Tweetdeck or HootSuite. Too often, employees use strong passwords for the main social media site but weak passwords for the dashboards, which is a mistake. Another best practice: Never accept friend requests from people you don’t know. He says Facebook estimates that at least 2 percent of user accounts are fake, and that Twitter has reported at least 5 percent of user accounts are fake.
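Wenzler’s advice to watch for unexplained logouts, and Baukes’s and Feather’s warnings about third-party dashboards that hold account access, both come down to spotting changes in an account’s activity. The script below is an added example, not code from CSO or from any of the companies quoted: it reads a constructed activity export (the line format, the device names, and the IP addresses are all invented for this example) and flags sign-ins from devices the user has not enrolled, newly authorized third-party apps, and a burst of remote logouts within an hour. The set of known devices and the logout threshold are assumptions a reader would tune to their own account.

```python
"""Flag the kinds of account-activity changes the article says users should
watch for: sign-ins from unfamiliar devices, newly authorized third-party
apps, and repeated unexplained (remote) logouts.

The log format and all sample values below are constructed for this example;
they are not any social network's real export format.
"""
from datetime import datetime, timedelta

# Constructed sample activity export (hypothetical format):
#   <iso-timestamp> <event> key=value ...
SAMPLE_LOG = """\
2016-11-01T08:02:11Z login device=home-laptop ip=203.0.113.10
2016-11-01T12:30:45Z login device=work-phone ip=198.51.100.7
2016-11-02T09:15:02Z login device=home-laptop ip=203.0.113.10
2016-11-03T22:41:19Z login device=unknown-android ip=192.0.2.55
2016-11-03T22:42:03Z app_authorized app=social-dashboard-x
2016-11-03T22:45:30Z logout reason=remote
2016-11-03T23:01:12Z logout reason=remote
2016-11-03T23:20:48Z logout reason=remote
"""

KNOWN_DEVICES = {"home-laptop", "work-phone"}  # devices the user enrolled (assumed)
LOGOUT_THRESHOLD = 3                           # remote logouts that count as a burst
LOGOUT_WINDOW = timedelta(hours=1)             # sliding window for that burst


def parse_log(text):
    """Parse activity lines into dicts with a datetime 'ts', an 'event' name,
    and any key=value fields that follow."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split()
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        fields = dict(kv.split("=", 1) for kv in parts[2:])
        events.append({"ts": ts, "event": parts[1], **fields})
    return events


def find_anomalies(events):
    """Return (kind, timestamp, detail) tuples for activity worth reporting.

    - unfamiliar_device_login: a login from a device not in KNOWN_DEVICES
    - new_app_authorized: a third-party app was granted access
    - repeated_remote_logouts: LOGOUT_THRESHOLD remote logouts inside LOGOUT_WINDOW
    """
    findings = []
    remote_logouts = []  # timestamps of remote logouts still inside the window
    for ev in events:
        if ev["event"] == "login" and ev.get("device") not in KNOWN_DEVICES:
            findings.append(("unfamiliar_device_login", ev["ts"], ev.get("device")))
        elif ev["event"] == "app_authorized":
            findings.append(("new_app_authorized", ev["ts"], ev.get("app")))
        elif ev["event"] == "logout" and ev.get("reason") == "remote":
            remote_logouts.append(ev["ts"])
            # drop logouts that have aged out of the sliding window
            remote_logouts = [t for t in remote_logouts if ev["ts"] - t <= LOGOUT_WINDOW]
            # report once, when the burst first reaches the threshold
            if len(remote_logouts) == LOGOUT_THRESHOLD:
                findings.append(("repeated_remote_logouts", ev["ts"], len(remote_logouts)))
    return findings


if __name__ == "__main__":
    for kind, ts, detail in find_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {kind:<26} {detail}")
```

Run against the constructed sample, the script reports the login from `unknown-android`, the authorization of `social-dashboard-x`, and the three remote logouts within 35 minutes; the two ordinary logins from enrolled devices produce nothing. Any of the three findings is the kind of change Wenzler says users should report to their security team rather than shrug off.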
The temptation is to see social media as an open portal for hacking, and there is some legitimacy to that claim. Trolls, hackers, and posers are crawling all over these sites. Yet, they provide real business value and are not going away anytime soon. All of the experts agreed: Training is key. Users should know how easy it is to fall victim to a simple social media hack.