Still, he acknowledged that the practice isn’t without risks. Clever (and even not-so-clever) attackers could use knowledge of the link between the executives’ e-mail accounts and the online service to assemble a profile of an executive, then craft a convincing phishing attack containing a malicious attachment. Attackers could also use the web sites’ password recovery features, together with knowledge gleaned from publicly accessible sources, to gain access to and control of the executives’ accounts. As things stand, that same e-mail and password combination might provide access to other web sites and corporate resources as well.
Chris Hadnagy, author, Social Engineering: The Art of Human Hacking
The problem is magnified by cloud services such as Apple’s iCloud and Amazon.com’s Amazon Web Services (AWS). In just the most recent example of this, an article on Wired.com by writer Matt Honan described how malicious hackers were able to use knowledge of his e-mail address and some social engineering to take over that account and then use connected services to remotely erase both his computer hard drive and his mobile phone. Knowing that high-value targets like Microsoft CEO Steve Ballmer and Apple CEO Tim Cook use Dropbox, and what their account IDs are, puts attackers just a couple of challenge-response questions away from taking over their accounts. That doesn’t mean that those accounts hold any sensitive corporate documents, Grossman noted. But most malicious hackers or sophisticated attackers would at least have a go at hacking them on the off chance that the CEOs got sloppy and stored a high-impact document there, he said.
An expert in the art of social engineering agrees that social media accounts like those scanned by Cerrudo are a gold mine.
“When I get hired to do a social engineering penetration test for a client, the first thing we do is start gathering as much intel(ligence) as possible,” said Chris Hadnagy, author of the book Social Engineering: The Art of Human Hacking. “For calls and phishing emails, nothing helps me more than finding social media accounts with lots of information on them.”
Tools like the free and open source forensics tool Maltego allow anyone to link e-mail addresses with Twitter and other social networking accounts. Some tweaking and Googling turn up Facebook, LinkedIn and other accounts that divulge a wealth of information that can fuel attacks, Hadnagy said.
“I basically just look for schools, jobs, family, hobbies (and) personal interests and use that to craft my attacks,” he said. “To date, the success ratios for this method are very high.”
Social engineering – the art of human trickery – is increasingly recognized as a key element in almost all successful cyber attacks. Hadnagy’s firm, Social-Engineer.org, now sponsors social engineering "Capture The Flag" contests at Black Hat and other security shows, pitting contestants against prominent global corporations in search of "flags" – sensitive, but non-proprietary, information.
Past social engineering Capture the Flag competitions have targeted iconic firms like McDonald's, Walmart, Microsoft, Google, Ford and Pepsi. The results suggest that even wealthy, sophisticated companies are ill-equipped to fend off sophisticated social attacks that use publicly available information to help gain the trust of intended targets. Companies should make their employees aware of the risks of using their corporate e-mail on social networking and other consumer sites, said Grossman. “They need to know what the trade-offs are, and make a decision based on their tolerance for risk.”
As for the web site owners, attention to account security varies. Many large consumer banks have abandoned the use of e-mail addresses as account identifiers, Grossman said. But social networking and other sites value convenience and ease of access more highly.
Security-conscious firms should think about treating the user ID like a separate password – unique and difficult to guess, and separate from other corporate identifiers like an e-mail address, Grossman said. That makes it all the harder for attackers to know which account to focus their attention on.
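As an added illustration of the user-ID-as-second-password practice Grossman describes (example code written for this page, not code from the article or from anyone it quotes), the Python sketch below issues random login identifiers unrelated to the e-mail address, rejects handles an attacker could derive from that address, and answers password-recovery requests identically whether or not the identifier exists. The corporate domain, accounts and helper names are constructed sample data and assumptions, not anything from the article.

```python
import re
import secrets
from dataclasses import dataclass, field

# Constructed sample corporate domain (assumption, not from the article).
CORP_DOMAIN = "example-corp.com"


def _squash(s: str) -> str:
    """Lowercase and drop separators so 'j.smith' and 'jsmith' compare equal."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def generate_login_id(nbytes: int = 12) -> str:
    """Random, URL-safe identifier that bears no relation to the e-mail."""
    return secrets.token_urlsafe(nbytes)


def is_acceptable_login_id(login_id: str, email: str) -> bool:
    """Reject handles an attacker could guess from the e-mail address alone:
    anything containing the mailbox name, the organisation label of the
    domain, or the whole address, and anything too short to resist guessing."""
    local, _, domain = email.lower().partition("@")
    org = domain.split(".")[0]
    lid = _squash(login_id)
    if len(login_id) < 12:
        return False
    for piece in (local, org, email):
        if piece and _squash(piece) in lid:
            return False
    return True


@dataclass
class AccountStore:
    by_login: dict = field(default_factory=dict)  # keyed by login ID, never by e-mail

    def register(self, email: str) -> str:
        # Loop until the random handle passes the derivation check (it almost always does).
        while True:
            login_id = generate_login_id()
            if is_acceptable_login_id(login_id, email):
                self.by_login[login_id] = {"email": email}
                return login_id

    def recover(self, identifier: str) -> str:
        """Password-recovery entry point: the e-mail address is not a valid lookup
        key, and the response is the same whether or not the handle exists, so
        probing with a known executive e-mail reveals nothing."""
        if identifier in self.by_login:
            pass  # a real service would send the reset link to the stored e-mail here
        return "If that account exists, a reset link has been sent."
```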