During our penetration tests we often get asked about the amount of information that is leaking out via social networks, web pages and the like. In fact the first step in our methodology is Recon where we search the Internet and social networks for information about the company we are targeting. It is sometimes surprising what we find when we look.
During the course of one engagement, the organization commented that their staff was not allowed to discuss the company on social networks. They had gone so far as to forbid their staff from listing the company as an employer on LinkedIn. When we heard this, we of course felt that a gauntlet had been thrown down. So we decided, as an addition to the penetration test, to see exactly how effective this strategy would be in preventing us from determining who worked for them.
We began by working through LinkedIn’s search and Google, limiting the site in the results to LinkedIn. (This last can be accomplished by adding the site:linkedin.com string to the query.) By doing this and searching for things like the city the organization was located, we were able to find a single person who had posted a status message with the name of the company in it. This was the break we were looking for.
We then started poking around in two sections of this LinkedIn profile. The first was the connections list. As shown in the below screenshot, (taken from my connection list NOT the clients!) we are able to see people connected to the person we are viewing.
 |
| Connections Listing |
This gave us a listing of the one person’s connections, which often include people who work at the same company. We also looked at the People Also Viewed listing. The one from my profile is shown below.
 |
| People Also Viewed These Profiles |
This lists the various accounts viewed after the visitor left this profile while browsing LinkedIn. By taking these two lists, from the one account, we were able to start picking out people who either did not list a current employer or had something interesting.
What was that something interesting you ask? Well it’s simple. When people realized that they were not allowed to list their current employer, they began to put in various strings that meant they worked for a Stealth Startup. We also noticed that many people put the same string.
By recursively working through these two lists on each account, we were actually able to create a detailed list of employees we believed were part of the company. We were then able to gather a good idea of the technology in use and even what the stealth application was related too. This was due to the listed skills and the fields the employees came from before their stint at the startup.
So how do you fix this? Ultimately, you can’t! People are going to list things and you are going to have to deal with the results. So make sure you know what is out there. This organization was not searching for data like this since they felt that they had it covered with their policy. Make sure you don’t fall into the same trap! If portions of your corporate security depend on employees following procedures, then you must regularly test for violations of those policies.
Kevin Johnson is the CEO of Secure Ideas. If you are in need of a penetration test or other security consulting services you can contact him at kevin@secureideas.com or visit the Secure Ideas – Professionally Evil site for services provided.