Too Much Information: Social Networking Sites Help Hackers Break Corporate Networks

The Internet is a gold mine of information – for the bad guys who want to break into your organization.

Just as foreign spies can use seemingly innocuous bits of personal information to get unwitting people to aid in their nefarious plans, hackers, criminals and enemy agents can easily obtain information from a wide range of online sources that can be used to turn one of your employees into a security threat.

"All it takes is one person to compromise an organization, to compromise your company," said Ira Winkler, president and CEO of the Internet Security Advisors Group, and author of "Spies Among Us" and "Zen and the Art of Information Security."

Winkler made the comments in a presentation entitled "Security: How to Recruit Spies on the Internet," at the COMDEXvirtual conference.

Businesses spend millions of dollars on technology to prevent hackers and thieves from gaining access to their corporate networks. But what's often overlooked is the human element. A company's own employees can be nearly as great a threat, either by unwittingly giving outsiders access to a corporate network by opening an e-mail they think is legitimate, or actively aiding outsiders for money or because they are disgruntled.

Winkler devoted part of his eye-opening talk to discussing cases where an insider has compromised an organization's security and given up confidential information. The well-publicized story of Bradley Manning, the disaffected U.S. Army soldier who provided reams of classified information to WikiLeaks, is a case of an insider acting on his own.

More often "operatives," as Winkler called people who recruit insiders to provide information, do their dirty work by finding a target's weakness, whether it be a need for money, a big ego, a disaffection with their job, or some kind of belief or ideology that can be exploited. And that's where the Internet in general and social networks like Facebook and LinkedIn come into the picture.

"Everyone these days is affected by social networking in one form or another," Winkler said. "Social networking is a treasure trove for spies." People reveal many details about their lives online. That includes seemingly innocuous things like families and friends, hobbies, where they work, clubs and organizations they belong to, books they read, restaurants they eat at, and so on. But also things not so innocuous, like gripes they have with their boss or job, confessions about financial problems, potentially embarrassing photos, and even political beliefs.

"People are basically giving spies everything they need to manipulate them," Winkler said. And most have no idea they are doing so. "How many people really research themselves to see how vulnerable they are?"

NEXT: Beware of "Friends" You've Never Met

Educating clients about such security risks is part of the training and awareness programs offered by Emagined Security, a San Carlos, Calif.-based provider of information security and compliance professional services.

"The most important thing is security awareness," said David Sockol, Emagined Security president and CEO, in an interview. "We take every opportunity we can to educate people. There's no reason to make it any easier for hackers."

Part of the problem is that social sites like Facebook don't automatically place enough restrictions on who gets to view an individual's information, Sockol said. Users have to actively choose more restrictive options. A more locked-down profile, Sockol said, should be the default.

The anonymity of the Internet also works to the bad guys' advantage. Operatives approach people online in chat rooms posing as someone they're not: Winkler cited the case of a Russian hacker who posed as a young woman in a chat room frequented by other hackers and seduced them into giving up information. "A lot of people want to believe what they're told on the Internet," he said. Others may pose as an old school acquaintance, or simply "friend" you on Facebook because they say they have similar interests.

"You have no idea who they really are at all," Winkler said. "People never know who they're dealing with on the Internet. Stop and think about how many friends you have on the Internet that you've never actually met in real life."

Winkler warned against the misconception that operatives only target "high value" people. A low-level employee with access to a corporate network is all that's needed. The attack that breached RSA Security earlier this year was accomplished when employees opened a spreadsheet attachment they thought came from their boss, according to Winkler.

"All it takes is one individual with the right type of access and you have a domino effect inside an organization," he said. "From that one computer they can literally take over all the critical assets of the server." Businesses and organizations must never let down their guard against the threats from foreign intelligence agencies, hackers and organized crime gangs. "They have lots of time to find that one individual who's going to be vulnerable."