Tuesday, 9 September 2014

Much ado about SOCMINT!

You may not have heard of the term SOCMINT which emerged a couple of years ago as the abbreviation for Social Media Intelligence. What has this to do with Apple iCloud and Celebrities?  Well if you are to believe Apple this is what was used to hack into celebrity iCloud storage.  It appears the criminals gathered enough online information on these individuals to reset their passwords and hijack their accounts.  Effectively we have a successful social engineering attack without manipulating the human.  No one rang Apple, no one rang the celebrities, no eavesdropping in restaurants, no near contact to clone phones or going through celebrity trash cans.  It appears this attack relied totally on intelligence  gathering and analysis of online digital content and perhaps some targeted phishing emails.

Social engineering of social media, I think I can create a new acronym - SESM. Checked Google no one has used it before.

How do you stop SESM happening to you?  Google, Microsoft and Apple all want you to use their cloud services,  it’s free, it’s so convenient  and you can recover your device, so  “ don’t use it” is not the practical answer.    It is about responsibility for your security.  In a foreign country would you hand over your passport to a complete stranger?  Yet when it comes to our online digital life the lack of physical presence seems to  create the belief that it is ok to pass responsibility for the security to others.  How much did you pay these strangers to do this for you?
Here are some simple strategies to keep strangers and hackers out of your digital life:
1.  Passwords are important,  give them personality – use special characters or a pass phrase. If a site you are using does not support them, account lockout hacker tools can automatically run every word in the dictionary and common password combinations against your account in only a few hours.
2.  Get in front of a screen with  someone who you have not “friended”, might be a sibling or work colleague. Get them to look you up on Facebook and  other social sites  and see what they can see as a stranger – you might be surprised.  You can then go and fix your security settings.
3. On social media value your circle of trust. Do not “friend” anyone you have not met. What they say to you in a request could be totally false. There is no internet Bro code that states “I will not make up a social media page and tell lies”. You need to protect yourself and your friends. If they say they know you through a mutual friend – ask your  friend how they know them before responding.
4. Would you walk up to a creep on the street and handover a photo of your smiling face with your home address written on the back? No, so don’t  do it online. If you upload a photo taken at home or a friend’s house make sure the location/gps data has been removed.
5. Birth date. You need this for Facebook so everyone can wish you happy birthday but do you really need to divulge it on other sites?  Most of the time these sites only want this so they can market to you, it is not adding to your experience. Limit the amount of personal information you enter on such sites, just because they ask you don’t have to tell. If you have to enter a birth date then for example round the year to the nearest decade.  If one of these sites is compromised then the hacker cannot use the birth date to help gain access to your  important sites.
6. SMS alerts. Apple has announced it will strengthen its iCloud account alerting in light of the celebrity hack. If there is one thing to do as soon as possible it is go to your social media sites and check that you have SMS alerts turned on for account change requests.
7. Security questions. As appears to have happened to the celebrities. The questions like - what is your mother’s maiden name , what city were born in  or what high school did you attend don’t really cut it.  Instead  try  - what movie star or singer  do you not like? You are more likely to post or join conversations about things you like rather dislike – politicians are probably the exception.  

8. Phishing emails can look very legitimate and may be personally addressed. Never respond or open links in unsolicited email asking you about online account details or that they have something for you. Just delete them.   Only go to your sites using your browser favourites or app, you can then check if there are any legitimate messages for you.
Greg Starkey

No comments:

Post a Comment