Secarma recently came across an article about an API tool called “The Beat” from Rutgers University, which seemed to be one of the more interesting uses of social media information. The Beat links the geo information embedded within Instagram images to Google Streetview, and the result is then made searchable using Instagram tags. APIs and information gathering were covered in Social Engineer Podcast 039.
On the surface, it seems to be a fantastic tool. A user can search tags for a concert they attended, find other people who were also there and take a look at their pictures. As the Social Engineer Podcast doesn’t really focus on “how to find girls for free,” this could be one further use of “The Beat!”
However, as we discussed the security implications of this tool here at the office, we decided to search for more unusual items. It was when we searched more generic terms that we uncovered the darker side of the API.
Searching for “sunbathing” in “The Beat” presents images tagged with sunbathing. This initially brought up cats and dogs sunbathing, photographed by their owners, all linked to an approximate address. As the images of cats went by, a rather risqué image appeared of a person sunbathing. The photograph had been taken looking down their body to their feet. The photo included the following description and tags:
Instagram challenge day 7- mums garden is so pretty #instagramchallenge #instagramdaily #instapicture #instagram #colourful #challenge #plants #pink #flowers #flower #sunbathing #suntan #summer #sunny #sun #garden #green #mum #nature #stairs #colour
The user had included themselves in an Instagram challenge to take photos with certain keywords.
The user also used their full name (including middle name) as their Instagram username, e.g. John P. Smith.
The critical point is that “The Beat” also provides a full postal address, including the house number, courtesy of Google Streetview.
By searching the user’s name and address in Google, their father’s details were revealed as he runs an electrical business from home. This gave us his postal address, telephone number and a mobile telephone number.
As part of the Instagram profile, the user also included:
- BBM number
- Kik profile name
- Tumblr account
At this point, across two web pages and one web search, we had identified the user’s full name, address, telephone number, make and model of mobile device, and photograph.
As part of the research, we decided to continue the search to see exactly how much information we could find out about this random user. The profile page for this user’s Tumblr account showed no direct information until we entered the “About Me” page. This then also gave:
- Twitter handle
- Date of birth
- BBM Pin (again)
- Facebook page
- Relationship status
By spidering out from this into the user’s Facebook page we confirmed their date of birth and then identified both parents’ details and their siblings (who also used to work with the father).
Twitter also handed over a list of their associations and locations (including college).
Exploit Used: The trust that this user had placed in social networks, without thinking about how a malicious person could use their information to geo-locate them.
Vulnerability Exposed: Social media giving too much information away, trust in social media, and a lack of security awareness among users.
1) NEVER put this much information online
2) There is not enough education on online security risks
3) Connecting the dots is easy online
4) A full ID profile took 10 minutes because someone was so open with their info
5) Without digging into the posted text, a social engineer can gain valuable information just from pictures!
6) Turn off your locations
7) Don’t use usernames that are your name … oh wait, that’s me then!
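Lesson 6 is the one a user can act on before an image ever reaches a service like “The Beat”: the location that tool relies on travels inside the JPEG as an Exif GPS IFD. The following check and stripper, written for this post and not part of the original article or of the Rutgers tool, walks the JPEG marker segments, reports whether an Exif segment carries a GPSInfo pointer, and removes the Exif segment entirely. The JPEG and Exif samples it runs on are constructed inline.

```python
import struct
EXIF_HDR = b"Exif\x00\x00"
GPS_IFD_TAG = 0x8825  # GPSInfo IFD pointer tag in IFD0

def sample_exif_with_gps() -> bytes:
    # Constructed sample: little-endian TIFF whose IFD0 points at a GPS IFD (offset 26) holding GPSLatitudeRef.
    tiff = b"II*\x00" + struct.pack("<I", 8)
    ifd0 = struct.pack("<H", 1) + struct.pack("<HHII", GPS_IFD_TAG, 4, 1, 26) + struct.pack("<I", 0)
    gps = struct.pack("<H", 1) + struct.pack("<HHI4s", 0x0001, 2, 2, b"N\x00\x00\x00") + struct.pack("<I", 0)
    return EXIF_HDR + tiff + ifd0 + gps

def sample_jpeg(app1: bytes = b"") -> bytes:
    # Constructed minimal JPEG: SOI, optional APP1 segment, EOI (no scan data needed here).
    seg = b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 if app1 else b""
    return b"\xff\xd8" + seg + b"\xff\xd9"

def segments(jpeg: bytes):
    # Yield (marker, start, end) for each length-prefixed segment before SOS/EOI.
    assert jpeg[:2] == b"\xff\xd8", "not a JPEG"
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xDA, 0xD9):  # SOS / EOI: entropy-coded data or end of image follows
            break
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        yield marker, pos, pos + 2 + length
        pos += 2 + length

def has_gps(jpeg: bytes) -> bool:
    # True if an Exif APP1 segment's IFD0 contains a GPSInfo pointer (a location is embedded).
    for marker, start, end in segments(jpeg):
        payload = jpeg[start + 4:end]  # skip FF E1 and the 2-byte length
        if marker != 0xE1 or not payload.startswith(EXIF_HDR):
            continue
        tiff = payload[len(EXIF_HDR):]
        e = "<" if tiff[:2] == b"II" else ">"  # byte order declared by the TIFF header
        (ifd0,) = struct.unpack(e + "I", tiff[4:8])
        for i in range(struct.unpack(e + "H", tiff[ifd0:ifd0 + 2])[0]):
            (tag,) = struct.unpack(e + "H", tiff[ifd0 + 2 + 12 * i:ifd0 + 4 + 12 * i])
            if tag == GPS_IFD_TAG:
                return True
    return False

def strip_exif(jpeg: bytes) -> bytes:
    # Copy the file without any Exif APP1 segment; other segments and scan data are kept as-is.
    out, pos = b"\xff\xd8", 2
    for marker, start, end in segments(jpeg):
        if not (marker == 0xE1 and jpeg[start + 4:end].startswith(EXIF_HDR)):
            out += jpeg[start:end]
        pos = end
    return out + jpeg[pos:]
```

Dropping the whole Exif segment also discards camera make and model, which is deliberate: those fields fed the device identification described above. Non-Exif APP1 segments such as XMP are left in place by this stripper.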
Let’s not think like the consumer this tool is meant for; instead, think like the malicious user or the social engineer. What searches would you perform?
- Debit card
- Credit card
- <Town name>
- <Road name>
- <Target Company Name>
Now we start getting into the psychology of the hack. We begin to think about the type of social media, how much data is shared, and the likelihood that data may be exposed from the user’s desk, office, area or environment in a way that ties into their location.
Since the original posting of the Rutgers system, the operators have generalised the addresses shown so that only the road name and area are displayed rather than the actual house number. However, this does not do enough to conceal the information, as the address can easily be worked out from the photo using Google Streetview.
By searching company names or other relevant details you can easily find photos of offices (inside and out) and potentially uniforms, ID badges and social habits. All of this is critical for the information gathering phase and perhaps even for elicitation.
As more information is added to social media platforms (“Big Data”), more can be exploited. It is our prediction that as the APIs become more open, we will see additional services launched, and the internet will become an even bigger playground for those wanting to launch social engineering attacks.
Guest Blog Post written by Stuart Coulson of Secarma
Originally an internal division of cloud and web hosting provider UKFast, Secarma began operating as a standalone company in September 2012 – specialising in disaster recovery services and business continuity. With an impressive track record of providing crisis management and ethical security testing for a number of different industries, BBC’s award-winning radio show The Naked Scientists enlisted the professional expertise of Secarma to investigate data security – purchasing formatted hard drives on eBay that were sent to Secarma with the goal of recovering data. Secarma was then invited to discuss the outcome of their investigation, as part of Radio 5 Live’s ‘Science Night’ broadcast.