The concept of TMI – too much information – doesn’t just apply to socially awkward dinner conversations with your surprisingly loose-lipped blind date. Employees and executives are often oversharing personal details on social media and even in automated out-of-office (OOO) email messages. And under the wrong circumstances, an attacker could use some of these shared details to gain access into company networks.
Of course, OOO instructions serve an important business communications function, and a strong social media profile is a great way to network with your peers and brand yourself. So the question becomes: Where do you draw the line? What constitutes TMI?
A new survey-based research report from Tessian – with contributions from HackerOne – looks to raise awareness about this very issue. According to the document, 84% of roughly 4,000 surveyed professionals in the U.K. and U.S. said that they post on social media every week. About half share names and pictures of their children, 72% reference their birthdays and 36% volunteer information about their jobs.
When openly available to the public, such information can be gathered and exploited in phishing, BEC and impersonation campaigns to craft more convincing scams. Indeed, 55% of respondents said they have public Facebook profiles, and only 33% said they set their Instagram accounts to private.
Meanwhile, 93% of survey participants said that they set an OOO message while on vacation. Just over half, 53%, said they indicate how long they’ll be away, 51% provide their personal contact information, 48% reference an alternate contact person to whom senders can reach out, and 42% reveal where they are going.
While at least one expert said he felt the report treads into FUD (fear, uncertainty and doubt) territory, it’s nevertheless a worthwhile exercise to examine the advantages and drawbacks of including or excluding certain information in public postings.
Thought leaders say a sound strategy balances business and personal needs with basic cyber hygiene. Some information should never be publicly available over the internet, while other details are okay to share so long as you have certain security safeguards and awareness training in place to make sure attackers cannot turn that info against you. Several thought leaders in this area shared with SC Media examples of what to do, and what to avoid.
As quoted in Tessian’s report, Katie Paxton-Fear, cybersecurity lecturer at the Manchester Metropolitan University, said that “OOO messages – if detailed enough – can provide attackers with all the information they need to impersonate the person that’s out of the office, without the attacker having to do any real work.”
Still, it’s common sense to leave OOO instructions for colleagues or business partners who are urgently trying to contact you in your absence. What’s open for debate is how much information is necessary.
“Out-of-office replies exist to serve a very important purpose. We should not expect employees to be glued to their phones while on vacation checking their email,” said Stephanie Carruthers, chief people hacker at IBM X-Force Red. “Simply choosing not to implement these replies can lead to customer service issues or intra-team communication issues, with the sender wondering why they are being ignored.”
With that said, some details can be avoided. “You really want to try to limit the level of information you share because everything you put in that out-of-office reply can be used to provide context or make a social engineering attack even more convincing,” said Tim Sadler, co-founder and CEO at Tessian. “And all of that is building... believability between the attacker and the recipient.”
For instance – we know you’re excited about that Hawaiian vacation – but perhaps you should avoid mentioning your actual destination while on vacation, or the hotel you’ll be staying at. Also, it’s okay to be vague about how long you’ll be out of the office.
Ira Winkler, president of Secure Mentem, said OOO messages “probably should not have specific dates.” And although he doesn’t believe OOO messages are a major concern, “I personally don’t advise an OOO message, unless you are definitely not responding to emails for an extended period of time. If that is the case, you can write that you will be slow in responding to emails, but if someone needs immediate help, they can contact ‘XXX.’”
Speaking of which, Sadler at Tessian said you might want to put some thought into that chosen point of contact, as you are essentially “guiding somebody who may be trying to launch a social engineering or phishing attack in the organization to another person that you work with.” An adversary might try to email this person posing as you and then request a fraudulent financial transfer, for instance.
But fear not: rather than eschewing an OOO message altogether, employees instead can simply make sure that certain key protections are in place.
“Rather than abandon the benefit an OOO provides employees and customers, specific considerations for OOO use should be implemented in security awareness training,” said Carruthers. “The first [consideration] should be that attackers will leverage OOO information just like any other inside information to build rapport and bypass employee judgment. Secondly, when you designate someone as your alternative point of contact, that does not mean they should try to do your job. Instead, they should try to determine if an issue truly is essential and if so, have a way to escalate it to the employee who is out of the office for guidance.”
“Additionally, companies should consider implementing additional policies to avoid massive losses from BEC scams – such as multiple employee verification for wire transfers over a specific amount,” Carruthers added.
Winkler agreed: “If people do their functions properly, they would know how to verify anything that a would-be social engineer would attempt to convince them to do... I care infinitely more that people are trained to verify requests for sensitive actions than whatever goes in an OOO message."
Sadler also said that companies could configure OOO settings so that only established contacts within your email network receive the automated reply, but not total strangers.
“That's one way that you can still share that information to guide people who would have a legitimate interest in contacting your colleague while you're away without kind of giving it to everybody in the world,” he said.
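One way to implement the tiered auto-reply Sadler describes, as an added example that is not the article's, Tessian's or any mail vendor's code: senders on the organisation's own domain get the full reply, everyone else gets a minimal one that omits return dates, destination, personal phone numbers and the alternate contact. A second helper screens a draft OOO for the risky details the article lists. The domains, addresses and regex patterns are constructed assumptions.

```python
"""Tiered out-of-office policy and a draft screener (added example, not the article's code)."""
import re
from dataclasses import dataclass

# Constructed values: the organisation's own domain and one known partner address.
INTERNAL_DOMAINS = {"example.com"}
TRUSTED_CONTACTS = {"partner@example.org"}


@dataclass
class OooDetails:
    name: str
    return_date: str     # shown to internal senders only
    alternate: str       # alternate contact, shown to internal senders only
    personal_phone: str  # never included in any auto-reply


def sender_tier(sender: str) -> str:
    """Classify a sender as 'internal', 'trusted' or 'external' by address."""
    addr = sender.strip().lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    if domain in INTERNAL_DOMAINS:
        return "internal"
    if addr in TRUSTED_CONTACTS:
        return "trusted"
    return "external"


def build_reply(sender: str, d: OooDetails) -> str:
    """Return the auto-reply text appropriate for this sender's tier."""
    if sender_tier(sender) == "internal":
        return (f"{d.name} is out of the office and will be back on {d.return_date}. "
                f"For urgent matters contact {d.alternate}.")
    # Trusted partners and strangers both get the minimal form: no dates, no names.
    return (f"Thank you for your message. {d.name} is currently away and will "
            "respond on return. For urgent matters, please contact the main office.")


# Constructed patterns for details the article advises leaving out of an OOO.
RISKY_PATTERNS = {
    "specific date": r"\b\d{1,2}[/-]\d{1,2}([/-]\d{2,4})?\b|\b(until|through)\s+[A-Z][a-z]+\s+\d{1,2}\b",
    "phone number": r"\+?\d[\d\s().-]{8,}\d",
    "personal email": r"[\w.+-]+@(gmail|yahoo|hotmail|outlook)\.com",
}


def risky_fields(draft: str) -> list[str]:
    """Return the risky categories found in a draft OOO, in RISKY_PATTERNS order."""
    return [label for label, pat in RISKY_PATTERNS.items() if re.search(pat, draft)]
```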
Social media platforms can be another go-to source of intelligence gathering for malicious cyber actors. Sadler said Tessian’s report isn’t trying to “take the social out of social media,” but it is trying to convey that “hackers try to screen people's social media accounts to find information that could be used to break into their accounts and steal their digital information,” or craft compelling scams.
By no means does your social media presence have to be anonymous or vanilla. But it might be wise to keep some information off-limits. “Just be very aware of the information that you're sharing and don't base anything that is secret or confidential on publicly available information that you share,” said Sadler. For instance, if you’re going to post about your children and dogs, then you definitely don’t want some combination of your kid’s and pooch’s name as your password.
Carruthers said social media users should feel free to post away; they just need to be mindful with certain specifics.
“Something to keep in mind when discussing job-specific duties and responsibilities on social media is to be generic and high-level,” she said. “Posts about a new position at a company, why you’re excited to be working there, or completing an important and publicly announced project are all fair game.” But “you do not need to list what specific anti-virus solution you helped implement at your organization.”
Winkler is a bit more conservative: “I always recommend posting as little as possible,” he noted. For instance, “I tell people to avoid posting information about trips until they return. [And] I recommend never sharing information about your family.”
Winkler said that as part of his security consulting and training services, he has successfully been able to use social media postings to find out about various companies' technology architectures and passwords. “Corporate newsletters were priceless to help many of my espionage simulations,” he said.
Posters may want to particularly pay attention to the photos they are sharing to make sure that no intellectual property, or sensitive and exploitable data is in the background. The Tessian report, for example, cites the case of former Australian Prime Minister Tony Abbott, who posted photos of his plane boarding pass on Instagram, which a hacker later used to obtain his phone and passport information. Photos also carry geolocation information in their metadata.
Carruthers has seen a lot of sloppy social media practices while performing red-team ethical hacking and pentesting work for her clients. “Some of my favorite finds are employees posting selfies with their company badges on,” she said. This has allowed her to print out her own fake duplicate badges that gained her access to the client’s premises.
In another work assignment, the IBM red team “discovered a day-in-the-life-of-style video that an employee posted on their social media account,” said Carruthers. “During one scene, the employee was showing off their cubicle. In the background was the wi-fi name and password written on their whiteboard. Good news for us – when we showed up the next week, it still worked.”
Aside from badges and wi-fi credentials, Carruthers recommended that employees make sure that whiteboards, computer screens and specific software programs are not discernible in any images posted on social media.
“I've seen many instances where people will take a photograph of their bank card and tweet it at the bank… and say, ‘Hey, I'm having problems with my account,’ or something like that. Don't do that,” said Sadler.
Even more recently, people have been posting their COVID-19 vaccination cards, which also contain personal information, said Sadler. “The world's going to carry on spinning if you just don't share that information.”
The good news is that sound cybersecurity procedures can significantly limit the damage of letting certain details slip via social media. For starters, Sadler recommends that companies enable multi-factor authentication to secure access to key accounts and systems.
Indeed, “if there are guessable passwords and no multifactor authentication, the organization has poor security that no reduction in social media posting will help,” said Winkler. “I look at the examples in the report of how social media is used by hackers, and most of them show a systematic failure beyond a social media post – for example, poor verification of requests for financial transactions.”
Sadler also advises using a password manager for account credentials, and discourages reusing passwords or deriving them based on things about you that are common knowledge.
But it's not just about credentials either. Some accounts make you respond to security questions for account verification, the answers to which hackers can potentially uncover by perusing your social media spaces. But Carruthers has an easy solution for that as well: use fake answers. “You can either lie, or use a password manager and generate and store a long and complex string and use that in place of the real answer to your mother's maiden name, or the street you grew up on,” she said.
Additionally, Sadler recommended that individuals restrict access to their social media accounts by setting them to private, so that only approved contacts can see more information.
At the end of the day, promoting security awareness is paramount. “Overall, we should train employees to avoid sharing specific, high-risk information online, but equally important is training them to spot a potential BEC scam despite the inclusion of a few convincing details,” said Carruthers. "Be skeptical of any unexpected emails with a sense of urgency, and consider the risk of what you are being asked to do or share.”