Tuesday, March 1, 2016

Are we sharing too much, and who is sharing it on our behalf !



If you haven't heard of TAKE THIS LOLLYPOP it is worth your time. A great educational experience.


http://www.takethislollipop.com



It is an interactive film which accesses the viewer's Facebook profile and locates the viewer's home from data in their profile. It depicts the dangers in posting too much personal information on the Internet. 

Information gathered is then deleted which makes the film different for each viewer.... and safe....

it is an eye opener for both techies and non techies and it is extremely well done.

Perhaps if everyone realized that not everyone on the Internet or in this case social media is your friend, information would be disclosed far less openly.

The more open and full your Facebook profile is, the more the film will hit home and make you think.

Come on Sandra you don't really have 1700 friends whom you trust with your personal information do you ?????
(reference to one of my Facebook friends, her name replaced to protect the innocent)

Now this applies to corporations also, after all, if your enterprises password retrieval security questions rely on voluntarily leaked information such as hometown, birthdate, or favourite sports team, then you're exposed and chances are.... you don't realize it.

That is the thing with security (or insecurity), a malicious person will take the time to navigate the search engines and find all sorts of tidbits of information that can be accumulated to perform more intrusive social engineering attacks.

As a manager or senior executive, shouldn't you KNOW what information can be gathered or derived from your employees ?   I certainly think so.

There are tools out there, like Harvester.py which is a simply python script to dig through Google, Bing, LinkedIn and gather email addresses that have been leaked (published voluntarily). 

Other interesting ones include:
PunkSpider which indexes web pages with identified vulnerabilities
Shodan.io which lists IoT (Internet of Things) devices found on the Internet
Censys.io which does something similar...

Are you listed in any of these ?   Is the information you uncover a surprise....

99.9% of enterprises have no idea what information about them is out there.  A determined attacker will find more then enough information then is required to breach your enterprise security.

A good example is this article about a journalist who challenged (as in asked for) a group of hackers to violate his digital world at Defcon23.  

This is him, amazed at what a social engineer is getting out of his own cell phone provider.  



A video and article worth taking a look at.

http://fusion.net/video/271750/real-future-episode-8-hack-attack/

There are privately developed tools that make use of multiple sources to look for meaning and collisions and help float to the top the most important elements.   My own company has a toolset that does just that, and so far, we have had a blast identifying leaks in seemingly prestigious and "secure" companies.


Now here is an idea.... we need an interactive TAKE THIS LOLLYPOP movie that targets enterprises.....  That sounds like a great summer time project.

Any takers ?

Call me !



_______________________________________________

Eric Parent is a senior security expert, specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique and HEC University in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies
www.eva-technologies.com







Banning TP-LINK..... the correct strategy?

OBJECTIVE:  Something to think about.  This type of news comes around frequently over the last decade.   Should we ban a Chinese manufacture...