The Hacker News reported today that security researchers at a company called Trustwave had released an open source tool that automates the process of using facial recognition across eight social platforms. Covered by the software are; Facebook, LinkedIn, Instagram, Twitter, Google+, Russian social networking site Vkontakte, and two Chinese sites, Weibo and Douban.
Are we supposed to be appreciative of this action? Apparently, we are, as the firm repeatedly emphasizes the fact that this tool gives white Hat (ethical) hackers the same tools as the bad actors use. But wait a minute, posting an open source application on GitHub means the bad guys can grab it too, right? Again, the question comes to mind; we are supposed to appreciate this?
Before getting too much further, how does this app work? First of all, you have to feed it information on the people you are trying to gather information about. The list can be 1000’s of names or more. With this feeding, the app goes to work, taking as long as 15 hours, according to the Hacker News article, with a big internet connection to produce results for large lists. Finally, it creates a spreadsheet with various bits of information gleaned in a convenient, easy to use format.
Trustwave developed the tool for people who want to perform penetration tests or conduct human engineering attacks on their networks or provide the service to other companies. As Trustwave points out, gathering intelligence online takes a long time when done manually, limiting the ability of the good guys to ply their trade and help companies maintain tight security. This tool significantly reduces the time required. Unfortunately, it reduces the time required for bad guys just as much as it does for the good guys.
Anxious to add the app with the harmless-sounding name, Social Mapper, to your arsenal of hacking and research tools? Click here to grab your copy. The developers also provide possible use cases (see below) and provide all the information you need to get the software up and running on your machine. Perhaps I am overreacting but making this widely available does not seem like the best idea. Unless GitHub has a means of blocking out the bad actors.
As promised, here are some ways Social Mapper can be used to help ethical hackers test the security of existing networks and the people who use them.
Social Mapper is primarily aimed at Penetration Testers and Red Teamers, who will use it to expand their target lists and find their social media profiles. From here what you do is only limited by your imagination, but here are a few ideas to get started:
(Note: Social Mapper does not perform these attacks, it gathers you the data you need to perform them on a mass scale.)
- Create fake social media profiles to 'friend' the targets and send them links or malware. Recent statistics show social media users are more than twice as likely to click on links and open documents compared to those delivered via email.
- Trick users into disclosing their emails and phone numbers with vouchers and offers to make the pivot into phishing, vishing or smishing.
- Create custom phishing campaigns for each social media site, knowing that the target has an account. Make these more realistic by including their profile picture in the email. Capture the passwords for password reuse.
- View target photos looking for employee access card badges and familiarize yourself with building interiors.
Hopefully, the software will only be used for good. As the Hacker News article so eloquently says, “What could possibly go wrong?” Only time will tell.
When it comes to getting the best secure communications available to individuals, groups, and companies, check out the offering CRIP.TO is developing. With our best-in-class, unique solution, you get the freedom to communicate fearlessly. Just be sure to keep a wary eye on your social media accounts and always be careful about what you click!