Step One - Become an Insider

Fri, 30 Nov 2007 12:41:18 GMT
by pdp

When I was boarding the train towards the office this morning, I saw a smartly dressed guy sitting in First Class, staring at his brand new Samsung ultra slick Q35 Red Core 2 Duo notebook and checking his Facebook account. This guy, apparently a big corporate shot by the look of it, was on Facebook. Then it hit me!

I know that this will sound very funny, but this was the first time I realized something I knew all along. Social Networks are bad, bad, bad! I've been talking about social networks for quite some time and I did mention how bad they could get, but I had never realized their potential for malice until today. I found an empty table where I could put my cup of coffee and started thinking about my sudden reality wakeup call.

The night before that I had a conversation with ap about the types of malicious hacking incidents we knew about so far. I think he will put down his thoughts on the subject soon, but what we have concluded is that the insider threat is probably the biggest problem. This conclusion came not only from looking at some of the stats but also from personal experience with penetrating various corporate networks while working as "ethical hackers" (penetration tester sounds funny) for security assessment companies. So, ignoring all accidental and hobbyist hacks and omitting all the attacks which target individual users for their bank account details, etc., by far the worst scenario is when a dedicated attacker becomes an insider.

This does not necessarily mean that the attacker needs to go and start working for the organization they want to penetrate. This is an option, it is true, but having someone else do all the dirty stuff (the proxy) simply sounds a lot better. In the case of the guy on the train, well..., what would have happened if someone had specifically targeted this individual through his Facebook account? Wouldn't that be the perfect way to become an insider? I think so! Compromising this guy's laptop sounds a lot more trivial than knocking on the front doors. Moreover, having a Facebook account is almost like pointing a static DNS entry towards your machine. It is obvious that the victim will visit their account with their work or home computers or mobile phones.

The insider threat is the biggest and the most complicated to resolve. Most, if not all, security consultants try to protect the perimeter, but we all know that all networks are rotten from the inside. And this, my friends, means that once the attacker obtains internal access it is GAME OVER for the organization in question. Whether that happens through a proxy, the guy with the slick laptop, or by physically attending the organization's building is simply a matter of choice and personal preference, maybe also a bit of strategy.

I will stop this discussion right here and leave it open-ended, since I have more ideas and things to talk about on this matter but not that much dedicated time. Though, for all of you who still think that bugs in software are the best thing since sliced bread, well, you might find that you have been fooled. Bugs are just a means to an end. Hacking into something may or may not involve taking advantage of bugs. Hacking is more about outsmarting those that put the restrictions in place in the first place.

Archived Comments

Another interesting area for exploration related to this is Facebook apps. There are no real restrictions on what the apps do or what external websites they connect to. A bit of reading of the developer information reveals many possibilities. Combined with social engineering this has potential.
Richard Bejtlich
Hello, Great blog! If you join a company, if you are hired by the company as a contractor, or if you are a trusted partner, then you are an insider. Insider means you have authorized access to a resource and you have an approved means to use that resource. You are also provided some degree of instruction on how to use that resource and the data it processes. Anyone else who accesses a company resource is not an insider. He/she is an outsider. An outsider who compromises an employee's system does not become an insider. True, the intruder has probably the same degree of access that the legitimate insider has. Nevertheless, the outsider should not be called an "insider."
Yeah, you are actually right. But it is all semantics, isn't it? But you are right. So what do we call insiders that have been compromised?
The main difference between insiders and outsiders is that the organization in question has control over their insiders. Outsiders, on the other hand, are only subject to the jurisdiction of the laws they reside under. This is the point when people and process take over what technology can't handle itself. You're also stepping into economic and industrial espionage legal territories, as there are laws in place to protect against such attacks. There is the Economic Espionage Act of 1996 here in the USA that makes the theft or misappropriation of a trade secret a federal crime. So what do we call insiders that have been compromised? Criminals.
LinkedIn is probably worse, because people more consistently disclose their actual titles... Email Subject: Good God you won't believe it! [name of ex-coworker taken from LinkedIn] from [name of old company taken from LinkedIn] has been indicted for fraud! Check out the report!