Penetration Testing mailing list archives

Re: Facebook from a hackers perspective


From: "DokFLeed" <dokfleed () dokfleed net>
Date: Wed, 11 Mar 2009 13:53:54 +0400

Interesting Post,
There is a concept which is common in the military, "EEFI: Essential Element of Friendly Information", so really for the military it's a different game. However, corporates are becoming aware of such risks and new policies are being issued, such as Social Networks Policies etc. Greynets (Social Networks, Web 2.0 etc.) + P2P + IM are the new threat to Information, especially if you consider Information Assurance and not just Information Security. I have seen "Social Network Security Program" services starting, and products aimed at these kinds of threats, but they will all be rendered useless without a strong awareness campaign.

But in the end, you are totally right: you can easily target the weakest link in the security system, "a non-aware user".

Cheers
Dok


----- Original Message -----
From: <bariswinston () yahoo com>
To: <pen-test () securityfocus com>
Sent: Friday, March 06, 2009 4:14 PM
Subject: Re: Facebook from a hackers perspective


This pen-test exposes that the weakest link of the security chain is indeed the human being. Where are the security mechanisms or security devices that we paid hundreds of thousands of dollars for? Wouldn't they protect us against security breaches? Then should we chuck them all out? No, I do not think so, because they are not guilty. Yes, there is a guilty party. That guilty party is us, because we did not tell employees not to trust others easily and to think twice before giving out information. Information can seem very small, but if it is used effectively it can grow larger, something like a snowball. And for an attack, everything will be ready, the same as mentioned in this blog.

Facebook is a very strong social networking/social engineering tool. People who have found out its power are using it for reconnaissance. As far as I know, the Israeli army forbade its personnel from being members of Facebook for 3 months because of disclosure. You can easily access information about people by using search methods and convince them to trust you and share some little pieces of information that seem to be innocent. In the past, hackers would use corporate web sites to access the corporate's telephone directory, then call someone as if they were a colleague to get him/her to do something. But Facebook and other social networking web sites are more preferable for hackers anyway, because the attacker does not have to use their voice. Why would an attacker want to leave a track or disclose location information by using the phone? An attacker can already become whoever he or she wants to be on Facebook by using a faked Facebook profile and a faked e-mail address. Yes, that is appealing to hackers.

It was a very, very successful penetration test, I think.

Baris Erdogan
Security Consultant
Datateknik