Social engineering can often be compared to spying and espionage you normally associate with outlandish spy movies, when in fact it can be as simple as:
We met at [random conference]. I found your profile on [such and such] social network, and wanted to friend/connect with you.
[Not who I say I am]
You click accept, and now that person has access to your profile that was set to “private”.
Between good social engineering and OSINT, a lot of data can be gathered about you: your likes, your dislikes, your family, your friends, when you’re out of town, when you’re going out for a drink, when you’re working late, etc. This information can be used to establish a pattern of life and/or to support spearphishing (highly targeted, carefully crafted phishing attacks aimed at a specific individual for exploitation).
Bad guys can also potentially gather information about your employer and the technologies they use through your social media profiles. Ever complain about having to configure a particular appliance or piece of hardware/software for work? Do you use LinkedIn? Your profile has to be somewhat public in order to get views from recruiters, or other companies looking to hire talent.
Your social media accounts, and the information therein, are like puzzle pieces of a much bigger picture. The more pieces you put out there, the easier it is for bad guys to piece together the picture and access more information.
If you would like to see a real-life example of how social media can be used against you, consider the story of “Robin Sage”. To paraphrase, the Robin Sage experiment was an attempt to create a non-existent persona to determine how much information and access one could achieve with a convincing enough persona. Robin never existed. Her pictures were faked, and the credentials on her LinkedIn profile were faked. Even still, with no validation whatsoever, Robin acquired access to tons of information, most of it privileged.
To a lesser extent, good offensive security practitioners utilize publicly available data sources on a regular basis as a part of their engagement. Befriend employees of a company, see if they have other social media presences, check out what they’re talking about and use the information as a method of passive reconnaissance and as part of an external penetration testing/security assessment. If you would like to learn more about the phases of a security assessment, please refer to the PTES (Penetration Testing Execution Standard), specifically the section on intelligence gathering.
So, what can one do to combat the threat of OSINT and social engineering? I have a couple of recommendations that can be used to help you retain your privacy:
Use an ad-blocker
While this won’t do much to stop the bad guys from seeing things you’ve posted, or help if you’ve already accepted their friend requests, most social media networks sell your information to third-party advertising firms. This is a legitimate revenue stream in which information about you is mined by these advertising companies to target you with ads that they consider relevant to your interests.
Using an ad-blocker puts a wrench into this operation. If the ad companies pay for information about you, to target ads towards you that you will never see due to implementing an ad-blocker, then there is nothing gained. Using an ad-blocker sends a message that you’re not okay with this, and that the social media platform should consider other means of generating revenue. Not only do you get the benefit of not seeing ads blasted all over your web-browser, you also get the added bonus of being less susceptible to malvertising, or malicious advertisements. Most online ad exchanges do not do any kind of buyer or seller investigation. This lack of regulation contributes to malvertising and malware delivered by ads.
Fill out as little information as possible, use false information where you can
When you join most social media services, you’re required to enter some modicum of information about yourself. Don’t offer any more information about yourself than what is absolutely necessary to create your profile, and even then, you are under absolutely no obligation to be forthcoming with any of the information you provide. Most social media sites have policies against impersonating other people, but there is no policy against falsifying information about yourself, or providing disinformation. Use this to your advantage.
When filling out profiles on LinkedIn, be vague. Instead of stating you “administer [antivirus platform in use at your company]”, simply state “administers enterprise anti-malware solutions.” Consider using vague terms on your resume as well, because you have no idea where that resume will end up. You can keep a more detailed copy of your resume available that goes into details on what software/skills you have specific proficiency in, but only provide or use this resume in printed form.
Take care when registering your accounts
If it’s an account you don’t plan on using often, or do not care about receiving e-mail correspondence from, consider registering for the service through a temporary e-mail provider, such as 10-minute mail, guerrilla mail, or similar. These services allow you to set up a temporary e-mail inbox, register for a site/forum, then never have to deal with the e-mail address again. Be aware that if you do this, a lot of forums/social media platforms reset your password over e-mail. So, if you ever lose access to the account, the likelihood of regaining access to that account is extremely low. To prevent account loss, I highly recommend using a password manager like KeePass to store your account passwords. To avoid account compromise, use two-factor authentication where possible, and never re-use the same password.
Be aware of your online presence
Don’t be afraid to google your real name, or your social media account usernames. Figure out where your profile name and/or real name has shown up, and if you notice accounts that you no longer use, consider doing some digital housekeeping and closing your old accounts. The justdelete.me service is excellent for getting instructions on how to remove your online accounts. You might also consider deleting your old comments from various social media platforms from time to time. For example, I discovered the tool twitter archive eraser for bulk deleting tweets.
Always think before you act
The single best piece of advice I can offer you is if it has to stay a secret, then putting it on the internet is a surefire way to ensure that it doesn’t stay secret for long. Always think about the long-term effects of anything you say and do on the internet. Content on your accounts can be deleted, but as many say, nothing on the internet is ever truly gone when it gets deleted; somebody, somewhere archived a copy of something. As you well know, nothing is ever 100% secure (unless the drives are encased in concrete and the case is thrown off a pier). Yes, even if you used top-notch encryption. Yes, even if the service promises to never hand over your data to government enquiries.
As initially stated, this is nowhere near a complete list of things to consider to protect your privacy and operations (whatever they may be), but simply a few suggestions. If this has piqued your interest, here are some interesting security researchers to follow and/or readings to consider: