Hacking a Corporate Network with Facebook

There's an excessive amount of trust in the Facebook world. When people log in to the social-networking website, they entirely drop their sense of cynicism. Facebook users feel they have no reason to distrust; people who are "Friends" are those they "know, like, and trust."

In the realm of Facebook, people are as vulnerable as they will ever be. They feel a sense of safety and security in their homes and offices, or hanging with people all over the world -- in big cities and little towns, never having to watch their backs.

Ethical hackers, also known as "white hat hackers," are the tech industry's white knights. Steve Stasiukonis of Secure Network Technologies is an example of such a figure. He is hired by companies' CIOs to penetrate their organizations' networks and determine where they are vulnerable. The process a white hat executes starts with a permission-based hack, which frequently produces results that make CIOs nauseous. Getting the data may mean hacking a wireless connection, hacking a public-facing website, or even going through a skylight after hours.

In Dark Reading, Steve writes about how he obtained data and information with a fake badge and a Facebook profile. This is a perfect example of how vulnerable people make themselves and their corporate networks as a result of what they post on Facebook:

We started the project by scouring all of the social networking sites for employees of our target company. Not surprisingly, we found numerous people who openly discussed what they did for a living. We also found numerous employees who openly discussed disappointment in their employer.

We perused popular social networking sites like MySpace, LinkedIn, and Plaxo, and ended up focusing on Facebook.com. The majority of our customer's employees were using Facebook, so we created a Facebook group site identified as "Employees of" the company. Using a fictitious identity, we then proceeded to "friend," or invite, employees to our "company" Facebook site. Membership grew exponentially each day.

By creating a group, they were able to gain access to employees' Facebook profiles. Because the "group" is perceived as a place inhabited by those you know, like and trust -- "Friends," and in this case fellow employees -- members feel no reason to distrust:

Because our assignment required us to compromise a secured facility, we chose to use the identity of one of our Facebook-friended employees to gain access to the building.

Because of the company's size, they were able to recreate the identity of an employee who wasn't known at the branch office they breached, but whose name was still in the system. So with a little creativity, a fake business card, and enough information gleaned from Facebook, they were able to re-create their man.

On the day we intended to breach the facility, our guy was dressed in a shirt embroidered with our client's logo, and armed with business cards, a fake company badge, and his laptop. Upon entering the building, he was immediately greeted by reception. Our man quickly displayed his fake credentials and immediately began ranting about the perils of his journey and how important it was for him to get a place to check his email and use a restroom. Within seconds, he was provided a place to sit, a connection to the Internet, and a 24x7 card access key to the building.

Later that evening, he returned to the empty office building to conduct a late-night hacking session. Within a short period of time, he had accessed the company's sensitive secrets.
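The weak link in that story is the front desk: a real employee's name was in the system, so a name match plus a logo shirt bought a standing badge and a network drop. Here is what the check should have looked like, as an added example written for this post, not Steve's or Secure Network Technologies' tooling. The HR directory, the sites, the phone numbers and the visit request are all constructed; the point it shows is that a name lookup alone never unlocks a badge, an employee from another site is held until reception calls the manager number already on file (not one the visitor hands over), and even a verified visitor gets escorted guest access rather than a 24x7 card.

```python
"""Front-desk visitor vetting against an HR directory (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Employee:
    name: str
    employee_id: str
    home_site: str
    manager_phone: str  # number on file in HR, never one supplied by the visitor


# Constructed sample directory; names, IDs, sites and numbers are made up.
HR_DIRECTORY = {
    "E1001": Employee("Dana Patel", "E1001", "HQ", "+1-555-0100"),
    "E1002": Employee("Chris Lee", "E1002", "Branch-West", "+1-555-0101"),
}


@dataclass(frozen=True)
class VisitRequest:
    claimed_name: str            # what the badge and business card say
    site: str                    # the office the visitor walked into
    wants_building_access: bool  # asked for a card key
    verified_by_home_manager: bool = False  # reception called the number on file


def vet_visitor(req: VisitRequest, directory=HR_DIRECTORY) -> dict:
    """Decide what a walk-in gets. Returns decision, reason, badge and network grant."""
    matches = [
        e for e in directory.values()
        if e.name.casefold() == req.claimed_name.casefold()
    ]

    # Not in HR at all: nothing, and no hint about who is in the directory.
    if not matches:
        return {"decision": "deny", "reason": "name not in HR directory",
                "badge": False, "network": None}

    # Two people with the same name: fall back to employee ID, not the badge.
    if len(matches) > 1:
        return {"decision": "hold", "reason": "ambiguous name; verify employee ID",
                "badge": False, "network": None}

    emp = matches[0]

    # Home-site staff can vouch for a colleague in person; normal access applies.
    if emp.home_site == req.site:
        return {"decision": "allow", "reason": "home-site employee; local staff can confirm",
                "badge": req.wants_building_access, "network": "internal"}

    # The Facebook case: a real name from another site that nobody here knows.
    # A name match is not identity. Hold until the manager on file is called.
    if not req.verified_by_home_manager:
        return {"decision": "hold",
                "reason": f"unknown to this site; call manager on file at {emp.manager_phone}",
                "badge": False, "network": None}

    # Verified visitor from another site: escorted, guest network, no standing card key.
    return {"decision": "escort",
            "reason": "verified by home manager; escorted visit on guest network only",
            "badge": False, "network": "guest"}


if __name__ == "__main__":
    walk_in = VisitRequest("Dana Patel", "Branch-West", wants_building_access=True)
    print(vet_visitor(walk_in))
    # → {'decision': 'hold', 'reason': 'unknown to this site; call manager on file at +1-555-0100', 'badge': False, 'network': None}
```

The design choice worth copying is the last two branches: the visitor who matches a real name at a different site is the attacker's exact profile, and the only thing that should move him off "hold" is a callback on a number reception already has. Swap the dictionary for whatever HR system you actually run; the decision table is the part that matters.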

Awesome. This is a perfect example of why Facebook is a nightmare for the corporate CIO. I don't share that sense of trust that most people feel in the world of Facebook. I'm all business on Facebook. I'm not all that friendly. Kind of a stiff. I'm also a security professional -- not so trusting. So to my "Friends" (the actual 10 out of the 400 that I have), I apologize to all. I'm just not ready to share my daily routine with everyone just yet. If ever.

People often try to "friend" me, and I can see that they are "friends" with people I know. But I don't know them. And the mutual friends we have often tell me that they don't know the person, but were "friends" with someone else they knew, and they accepted based on that! That's nuts! Next thing you know, they are trolling through your "friends" and befriending people in your network, who accept based on their trust in you! Dizzy yet? The point is, stop the madness! Don't allow these trolls into your life. Mom told you not to talk to strangers. I'm telling you not to "friend" strangers, because they could be scammers.

Scammers are watching. They know that once you are on Facebook, your guard goes way down.
  1. Get a credit freeze. Go to ConsumersUnion.org and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.
  2. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)
WATCH: Robert Siciliano, Identity Theft Speaker, discusses Facebook hacking on CNN