AVA: A Social Engineering Vulnerability Scanner

This is interesting:

First, it integrates with corporate directories such as Active Directory and social media sites like LinkedIn to map the connections between employees, as well as important outside contacts. Bell calls this the "real org chart." Hackers can use such information to choose people they ought to impersonate while trying to scam employees.

From there, AVA users can craft custom phishing campaigns, both in email and Twitter, to see how employees respond. Finally, and most importantly, it helps organizations track the results of these campaigns. You could use AVA to evaluate the effectiveness of two different security training programs, see which employees need more training, or find places where additional security is needed.

Of course, the problem is that both good guys and bad guys can use this tool. Which makes it like pretty much every other vulnerability scanner.

Posted on August 19, 2015 at 7:11 AM • 14 Comments

Comments

JeffP • August 19, 2015 8:50 AM

"Of course, the problem is that both good guys and bad guys can use this tool." Aren't the bad guys already using social engineering "tools" of their own?

Spaceman Spiff • August 19, 2015 9:11 AM

@Mace - my userid is nonofyourbusiness, and my password is xyzzy987654321boom! ... Good luck!

TimH • August 19, 2015 9:47 AM

"Instantly deploy automatic tests across email and social networks like Twitter, Facebook, and LinkedIn."
Public facing info only, or does the company have to demand login rights to their employees' SM accounts to do this? Ain't gettin' mine, hun.

Sam • August 19, 2015 10:07 AM

@TimH

Congratulations, you are a closed firewall port. Unfortunately, AVA probably only needs one of your contacts to leave their Facebook profile public, and you're slurped up from their friends list.

What I'd like to know is how they solved the identity problem - what do you use to decide that two "people" are the same? Names are not enough. Email? Maybe. Phone number, if someone is silly enough to leave that public. And it's not a helpdesk number staffed by a lot of different people. I'd think if they have a good automated solution for determining, with high reliability, that two accounts are genuinely associated with the same real world person, that *by itself* is a massively marketable solution to a problem still causing a lot of companies grief.

They might get around it by not caring about the dirty edges - and either planning attacks where they find good data quality, or just spraying a lot of attacks all over the place and just following up the ones that stick.

Peter Galbavy • August 19, 2015 10:42 AM

Does this, when done from a non-criminal "side" obviously, class as entrapment?

me • August 19, 2015 11:15 AM

If you think you're on the receiving end of something like this, and you don't know who's doing it, who do you report it to, without wasting their time and your credibility if it's nothing?

me • August 19, 2015 11:42 AM

Homeland Security are doofuses. I went to their website, but they're so eager to make sure that the appropriate missive goes to the appropriate office that there's no catch-all email address or contact form for stuff that doesn't meet their specific criteria.

Anura • August 19, 2015 11:50 AM

@Sam

Names alone sometimes are enough. After that, location and date of birth can seriously narrow things down. From those three pieces of information, you can probably accurately identify the vast majority of people.

TimH • August 19, 2015 11:58 AM

@Sam
That's why I'll never have a FB account. One's FB signature is completely vulnerable to the data that other FB account holders ascribe to it. LinkedIn, on the other hand, has a secret additional database on each subscriber scraped from other sources, but one has significant control over the profile itself. The secret additional database is obvious from the "do you know this person" offers for people that you do actually know but who have no relationship to anyone else you have linked with.

Jeremy • August 19, 2015 1:06 PM

@Peter Galbavy

Whether or not something counts as entrapment seems unlikely to be changed by the use or non-use of a tool like this.

This site has an approachable explanation of entrapment and some of the myths surrounding it:
http://lawcomic.net/guide/?p=633

SJ • August 20, 2015 9:02 AM

@TimH, @Sam, RE: LinkedIn

LinkedIn often kindly asks me for access to my GMail Addressbook.

I don't give that access...but if anyone who has you in their GMail AddressBook does do that, then LinkedIn knows that you have communicated with them over GMail.

That's not the whole story, but I'd guess that LinkedIn's secret database of potential connections starts with items like that.

It's also possible that LinkedIn scans FaceBook.

There's a particular person that LinkedIn routinely asks me about. That person is a complete stranger to me, but has the same name as an old friend...who I've connected with on FB.

TimH • August 21, 2015 11:36 AM

@SJ So the solution is to use a unique email address for each of the social networking accounts, not used for anything else.
