Employees seen to innocently reveal facts which could be of huge help to computer hackers.
Dubai firm checks security with fake Facebook profiles
DUBAI // The Facebook profile of Sara Gonzalaz shows an attractive young graduate who works for Starbucks Dubai and lists Harry Potter among her interests. But Sara is a man.
Her profile is kept up by David Michaux, a director of the Dubai security company Whispering Bell, and she was created for a corporate client who wanted to test the ability of employees to resist scams on social-networking sites.
"She's completely fictional," said Mr Michaux. "We pulled a couple of pictures off the internet. This was for a specific client who wanted to see how trusting their employees would be. We got an exceptional amount of information."
The scheme was part of a wider "penetration test"his company carries out regularly for large corporations across the country.
The test involves a variety of tactics, from spamming staff with extremely credible phishing sites to leaving USBs loaded with viruses around an office or a car park.
The purpose is to test a company's defences against cybercrime.
"Companies, especially pharmaceutical firms, spend billions of dollars on research and development," said Bassam Ghellal, who is also a director at the firm.
"If someone was to steal designs or formulae and patent them, they would stand to lose huge profits. We produce a detailed report on their security vulnerabilities which they then use for training."
Several security companies carry out penetration tests in the UAE. Ira Winkler, a security expert, has travelled to the Emirates several times for consulting work.
He said it was right for companies to be concerned that social-networking sites could be used to compromise their security, but he questioned penetration tests.
"There have been cases of criminals putting up fake profiles to gain information," said Mr Winkler, president of the Internet Security Advisors Group. "There are also intelligence agencies which do it, to see if there's a susceptibility for manipulation.
"But to carry out a penetration test, it's wholly unnecessary to go into this level of detail."
Mr Michaux said that although his company was not willing to conduct "honey traps", there was a need to explore security through social-networking sites.
"If you have an organised gang trying to break in, they aren't going to stick to etiquette rules," he said. But Mr Michaux said all methods the company used had to be approved by the client.
To carry out the exercise, Whispering Bell created six fake profiles: three men, and three women. According to Mr Michaux, females do better than males.
The next step was to make the profile look credible, which involved attracting a large number of friends. The fake Sara received dozens of friend requests when she left a message on a group saying she was new to Dubai.
"She's had marriage proposals and people offering to send her plane tickets to New York," said Mr Michaux. "It was absurd. People are somewhat gullible."
Once enough friends are on a profile to make it look genuine, the team starts to add employees from the target company.
"We got an exceptional amount of information," Mr Michaux said. "We wanted things that would help us guess user credentials for logging into a system.
"We could have talked to them about their mother's maiden name and about their favourite pet, which are all things that come up in security questions."
Other questions, such as which anti-virus a company uses, are also dropped casually into conversation. That kind of information could help the company tailor a virus to avoid detection.
Mr Michaux said the moral was not to believe everything you see on social-networking sites.
"There's nothing that brings the message of security awareness home more than showing a picture of Sara and then the picture of the geek behind the laptop who's controlling her - in this case, me."