I saw the perfect opportunity: an employee was badging into the secure work area. As I attempted to follow him, he turned, looked at me and asked, “May I see your badge?” With a confident smile, I reached into my purse and pulled out a badge to show him. He smiled, thanked me and went on his way as I entered the secure area with a counterfeit employee badge — all thanks to a single social media post by one of their company interns.
How did I get here? Let me start from the beginning.
Hacking Humans to Expose Security Blind Spots
I’m a “people hacker” for X-Force Red, an autonomous team of veteran hackers within IBM Security, hired to break into organizations and uncover security risks that criminal attackers may use for personal gain. I gather information that companies or employees have inadvertently exposed online, and use social engineering to convince people to give me more information or access until we eventually reach our target. Often, this means actually sneaking my way into the physical offices of a company.
Through my experiences, I’ve learned the best spots to search for intel that will help me break into a company. Social media is a goldmine. About 75 percent of the time, a social media search turns up the information I’m seeking within just a few hours. This is especially true for large companies, where these posts are most often from interns or new employees.
Welcoming Interns at the Cost of Security
Internships are an excellent way for students and recent graduates to gain valuable work experience in industries they might consider for a full-time career. However, Generation Z’s tendency to overshare on social media combined with lax security training during internship onboarding is a recipe for disaster when it comes to security and business risks. From posting photos of their security badges to video blogging a “day in the life” at the office, the social media habits of interns and eager young employees make them a rich source of information for hackers.
Let’s examine some of the factors at play. A security awareness program by itself is neither sexy nor glamorous. As a result, this part of the onboarding process often gets completely overlooked, and in many cases, some policies are relaxed when it comes to interns. These might include rules around locking down workstations, credential sharing and social media restrictions that normally apply to all other employees.
Add to this equation the fact that Gen Z is the most avid generation of social media users to enter the workforce to date. Among those who are between the ages of 18 and 24, 75 percent use Instagram, 73 percent use Snapchat, 76 percent use Facebook and 90 percent use YouTube, according to Pew Research. Introducing this group of users to their first workplace experience without social media security guidelines is a huge risk that most companies are not considering.
And interns aren’t the only target for hackers looking to glean information. New full-time hires can pose a risk as well. For companies that don’t include security awareness training as part of onboarding, new employees may not be trained until the next round of companywide instruction, which could be up to a year away. Excited new employees often post their #NewJob #FirstDay #CompanyName via a hash-tagged selfie, showing off their new workspace and neglecting to realize that sensitive company information may be in the background.
It’s not just posts from interns and employees that can create an issue. I often find that a company’s own social media team is putting the organization at risk by posting photos and videos that expose sensitive content as they race to showcase all the fun things that make their workspaces and programs look exciting and alluring to attract new talent.
Popular Targets For Hackers
While interns and new hires are busy going about their day, eager to learn and get their hands dirty, so are those watching them. Unfortunately, there is a slew of adversarial actors waiting to right-click and save these photos shared on various channels to a directory called “[CompanyName] OSINT findings.”
OSINT stands for open-source intelligence: searching for information through publicly available sources such as social media, blog posts, search engines, newspapers, etc. As your friendly neighborhood hacker, let me share with you some of the OSINT tactics adversaries could be using to gather important information on employees. Spoiler — it’s not the ones you’re immediately thinking about!
Scrolling through picture after picture is a bit on the labor-intensive side, but many posts carry easy-to-find details that can be located by keyword search. Here, interns and employees seek double taps on their posts with hashtags such as #CompanyName, #WorkLife, #WorkFlow, #Intern and #FirstDayofWork. More often than not, these pictures reveal internal office layouts, badge pictures, desktop applications, digital files and Outlook calendars in the background of a quintessential coffee cup post.
This can be an easy win for hackers looking for ways to breach company premises physically. After some casual browsing, X-Force Red team members found a photo of one of the happiest interns, and right next to their mug was a tiny picture of their face on a new corporate badge. After a few minutes of photo editing, we could use that image to produce a fake badge. The fake badge may not work on doors, but it could work for piggybacking when other employees enter a secure location.
Glassdoor is one of the many employer review sites where one can get an insider’s unfiltered view of what employees think about an organization and its executives, give recommendations to management, list out pros and cons, and even disclose salary ranges and typical interview questions. That same candor makes it another platform where adversarial actors can gather information on companies.
Using this information, an attacker could develop phishing emails, preparing the subject and content according to what’s trending among employees of a given company. Unfortunately, employees could easily fall for a well-crafted email, and they may forget to check the sender’s legitimacy. They might even proceed to click a link in the email and submit their corporate credentials to a fake website if it promises a lucrative perk like a permanent parking spot.
Employers should train employees on keeping the company secure and being mindful of its policies when posting on any website, even as they openly and anonymously rate their work life. Nothing on the internet is truly anonymous, and if a company is damaged from such a posting, it could affect the employees as well.
They say a picture is worth a thousand words. If that’s true, then what is a 37-minute vlog of an intern who decided to strap a GoPro to their head and do a day-in-the-life video in the office worth? Well, I’m not sure about the word count, but I can tell you it could provide information on the following:
- Antivirus choice
- Badge layout
- Building layouts
- Check-in procedures
- Employee dress code/trappings
- Employee events calendar
- Employee lunch hang-outs
- Guard huts
- Open common areas
- Operating systems
- Parking structure
- Phone numbers
- Physical keys
- Popular smoking areas
- Productivity suites
- Sensitive documents
- “That secret door that I use and no one else knows about in case I forget my badge”
- Weak door controls
- And much more!
Adversaries looking for information about organizations are after just the right video, and this is where YouTube, Vimeo and other sites can provide the kind of information they’re looking for. Interns, employees and even internal marketing, public relations and talent teams are all parties that might publish videos without reviewing them from an operational security perspective.
Take this case for example: A video is posted by an organization’s social media team. They picked one intern and followed behind them with a camera from the start of their day to the end. In the first scene, our team went frame by frame until they found one that showed the intern logging into their laptop at their cubicle. A sticky note was stuck to the laptop with that intern’s new password. This seemingly friendly video was full of content that could easily be used to compromise the organization’s security.
Key Takeaways From the Dark Side
While social networks do vary (each one has a different model and different shareable file types, and many are a lot more popular in some parts of the world than others), what they all have in common is users who are eager to share. This makes social media platforms great places for adversaries to look up information, and a source of elevated risk across organizations.
Here are a few takeaways to ensure that your interns, new hires and even longtime employees don’t let their enthusiasm for social media expose content that could help a hacker in their quest:
- Don’t skip the security training — Make sure your interns and new hires are getting this as part of their onboarding process. You can make this fun and effective by helping them to understand the ways a hacker could use the seemingly harmless info they might consider posting.
- Rethink your social media security policy — Don’t attempt to draft one long policy that people are unlikely to read. Cover the most important rules, including those that relate to avoiding security risks — not just the privacy and behavior best practices. Have employees read the policy and sign off on it physically.
- Train managers and social teams to spot the risk — Train your social media and digital teams to review visual content posted to social networks or any other external platform through a security lens. Managers, particularly those who oversee new employees or interns, should receive this training as well. Train your employees to ask themselves the following when they review content: “If an attacker saw this, what would they see here that could help them?”
- Establish a safe photo space — Companies should be able to share photos of employees at work safely. Consider designating an area of the office where all sensitive information has been removed — a certain lounge or cluster of couches, tables and desks, for instance — as a safe photo zone. It doesn’t hurt to post reminders for employees to remove their badges when they take photos in this area as well.
- Review with a seasonal focus — Have your security team monitor social media feeds closely during the first week of an internship and other times when employees are likely to post sensitive information. These might include large company events or social outings in the office. By doing so, the team can look to delete any risky posts quickly before they’re found by a future attacker.
- Hire a hacker — Hackers, like those working at X-Force Red, are hired by organizations to attempt to compromise their employees, systems, applications and other sensitive assets. They use the same tools, techniques and practices as criminals and can help to determine which of your employees are clicking on suspicious links, posting too much information on social media channels and opening the door to potential attackers. Companies can use this information to improve their security awareness program, provide role-based training and rethink controls to bolster their security.
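The "review with a seasonal focus" takeaway above can be partly automated. As an added example (not code from the article or from X-Force Red), here is a small triage script that scores a constructed sample of social media posts using the hashtags the article lists, caption terms that suggest a badge, password or calendar is in frame, and whether the post landed in the first week of an internship; the handles, captions, dates and weights are all assumptions for illustration.

```python
from collections import namedtuple
from datetime import date
# Hashtags the article cites as typical of intern and new-hire posts.
WATCH_HASHTAGS = {"#companyname", "#worklife", "#workflow", "#intern",
                  "#firstdayofwork", "#newjob", "#firstday"}
# Caption terms suggesting something sensitive is in frame, with review weights (assumed).
RISKY_TERMS = {"badge": 3, "password": 3, "sticky note": 3, "calendar": 2,
               "desk": 1, "laptop": 1}

Post = namedtuple("Post", "author posted caption hashtags")

def score_post(post, onboarding_start, window_days=7):
    # Higher score means the security team should look at this post sooner.
    score, reasons = 0, []
    text = post.caption.lower()
    for tag in post.hashtags:
        if tag.lower() in WATCH_HASHTAGS:
            score += 1
            reasons.append(f"hashtag {tag}")
    for term, weight in RISKY_TERMS.items():
        if term in text:
            score += weight
            reasons.append(f"mentions '{term}'")
    # The article suggests watching the first week of an internship closely.
    if 0 <= (post.posted - onboarding_start).days < window_days:
        score += 2
        reasons.append("posted during onboarding window")
    return score, reasons

def triage(posts, onboarding_start, threshold=3):
    # Return (score, author, reasons) for posts worth a review, highest first.
    flagged = []
    for p in posts:
        s, why = score_post(p, onboarding_start)
        if s >= threshold:
            flagged.append((s, p.author, why))
    return sorted(flagged, key=lambda f: f[0], reverse=True)

# Constructed sample feed: hypothetical handles, captions and dates.
ONBOARDING_START = date(2024, 6, 3)
SAMPLE_POSTS = [
    Post("intern_a", date(2024, 6, 3), "First day! New badge and desk setup",
         ["#FirstDayofWork", "#Intern", "#CompanyName"]),
    Post("employee_b", date(2024, 6, 20), "Great lunch with the team", ["#WorkLife"]),
    Post("intern_c", date(2024, 6, 5), "Laptop ready, password on a sticky note lol",
         ["#NewJob"]),
]

def demo_triage():
    return triage(SAMPLE_POSTS, ONBOARDING_START)
```

The flagged list is a queue for a human reviewer, not a verdict; the team still has to look at the image or video itself before asking for a takedown.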
People Hacker for IBM X-Force Red
Stephanie "Snow" Carruthers is a People Hacker for X-Force Red, an autonomous team of veteran hackers within IBM Security. At DEF CON 22 she won a black badg...