Fake Hot Chick Socially Engineers U.S. Government

Thomas Ryan of Provide Security set up a fake identity using a photo of a hot-looking female as a means of portraying the potential security threats posed by social networking sites like LinkedIn, Facebook and Twitter. Ultimately the experiment worked: the profiles were used to successfully socially engineer members of the U.S. government, military and intelligence communities.

And so it apparently was. She was an avid user of LinkedIn – a social-networking site for professionals sometimes described as “Facebook for grown-ups.” Her connections on it included men working for the nation’s most senior military officer, the chairman of the Joint Chiefs of Staff, and for one of the most secret government agencies of all, the National Reconnaissance Office (NRO), which builds, launches and runs U.S. spy satellites. Others included a senior intelligence official in the U.S. Marine Corps, the chief of staff for a U.S. congressman, and several senior executives at defense contractors, including Lockheed Martin Corp. and Northrop Grumman Corp. Almost all were seasoned security professionals.

It is great to see the U.S. government finally start to embrace social networking, but is the cost of being socially engineered worthwhile? How so many “smart” people fell victim to this ruse may appear surprising, but it really should not be. A picture of a hot chick is worth a lot of capital, especially in geek circles. Couple that with a wicked resume and connections to people in important organizations and you have a formula for socially engineering anyone, let alone the government.

Hopefully the vulnerabilities exposed by social networking usage in this exercise will be used to help better educate the government, military and intelligence communities. This is one thing lacking in the government – quality education about the dangers of online social networking and the threats these tools pose to our government.

The “I Don’t Want To Be A Dick” Syndrome of Information Assurance Management

Information Assurance remains a growing field of expertise, maturing on an almost daily basis. The industry has exploded over the last 10 years even though the concepts of IA have been around since as early as the 1960s. Although the industry and its practitioners continue to evolve, those in upper management have a difficult time fully grasping the core principles. As in many areas of management these days, there are far too many gun-shy managers who are more concerned with appearances and perception than with properly mitigating risk to the networks they are charged with protecting.

Read the full story …

Stop Password Masking – Is Usability More Crucial Than Security?

Jakob Nielsen, a widely known expert in the field of web usability, recently stirred up a shit storm of controversy after proclaiming that it is time to stop masking passwords because usability suffers. His claim hinges on the lack of true feedback when typing passwords. Making matters worse, world-renowned security expert Bruce Schneier agreed with Nielsen, hopping on the same idiotic train Nielsen is driving. Is password masking really such an important issue in need of immediate resolution?

Read the full story …

HOWTO Install Squid Web Proxy Server with Active Directory Authentication

Web proxy servers are an essential aspect of a solid network perimeter defense strategy. Exposing the fragile desktop client to the internet at large by allowing direct connections is dangerous and may lead to compromise. This can be exacerbated if the overall network security strategy is not sufficient. Web proxy servers can help alleviate a number of security concerns while offering a central facility for logging and content verification. In an enterprise environment, web proxy servers are used to enforce acceptable use and security policies. Learn how to configure Squid to enable Active Directory authentication for an enterprise web proxy solution.

Read the full story …

Information Security Basics

Whether you run your own home network or are part of the IT shop administering the corporate network, there are some basic information security protocols which should always be followed. These tips are designed to help you, the administrator, adequately protect the network from the myriad of attacks available today. Ensuring your network is free of compromise is vitally important for all network users because it allows for the continued, uninterrupted operation of the very network they rely upon to perform their job.

This list is by no means designed to be all-inclusive. It is merely a small subset of tips which should help set most people in the right direction. These tips are generally paired with more complex solutions, producing a far more comprehensive effort than the mere implementation of these basics.

Read the full story …
