Story image

Trustwave releases facial recognition tool for pentesters

09 Aug 18

Performing intelligence gathering on is a time-consuming process, typically starting by attempting to find a person’s online presence on a variety of social media sites.

While this is an easy task when there are only a few targets, it can become incredibly tedious when done at scale.

To answer this need, Trustwave has announced the release of Social Mapper, an open source intelligence tool that uses facial recognition to correlate social media profiles across a number of different sites on a large scale.

Trustwave, which provides ethical hacking services, has successfully used the tool in a number of penetration tests and red teaming engagements on behalf of clients.

It takes an automated approach to searching popular social media sites for names and pictures of individuals to accurately detect and group a person’s presence, outputting the results into a report that a human operator can quickly review.

It's primarily aimed at penetration testers and red teamers, who will use it to expand their target lists, aiding them in social media phishing scenarios.

Its primary benefit comes from the automation of matching profiles and the report generation capabilities.

As the security industry continues to struggle with talent shortages and rapidly evolving adversaries, it is imperative that a penetration tester’s time is utilized in the most efficient means possible.

Social Mapper supports the following social media platforms:

  • LinkedIn
  • Facebook
  • Twitter
  • Google+
  • Instagram
  • VKontakte
  • Weibo
  • Douban

Once Social Mapper has finished running and the reports have been collected, here are some examples of how pentesters can use the information generated. They can:

  • Create fake social media profiles to 'friend' the targets and send them links to credential capturing landing pages or downloadable malware. Recent statistics show social media users are more than twice as likely to click on links and open documents compared to those delivered via email.
     
  • Trick users into disclosing their emails and phone numbers with vouchers and offers to make the pivot into phishing, vishing or smishing.
     
  • Create custom phishing campaigns for each social media site, knowing that the target has an account. Make these more realistic by including their profile picture in the email. Capture the passwords for password reuse.
     
  • View target photos looking for employee access card badges and familiarise yourself with building interiors.
Ramping up security with next-gen firewalls
The classic firewall lacked the ability to distinguish between different kinds of web traffic.
Gartner names LogRhythm leader in SIEM solutions
Security teams increasingly need end-to-end SIEM solutions with native options for host- and network-level monitoring.
Cylance makes APIs available in endpoint detection offering
Extensive APIs enable security teams to more efficiently view, enrich, and contextualise real-time intelligence collected at the endpoint to keep systems secure.
SolarWinds adds SDN monitoring support to network management portfolio
SolarWinds announced a broad refresh to its network management portfolio, as well as key enhancements to the Orion Platform. 
JASK prepares for global rollout of their AI-powered ASOC platform
The JASK ASOC platform automates alert investigations, supposedly freeing the SOC analyst to do what machines can’t. 
Pitfalls to avoid when configuring cloud firewalls
Flexibility and granularity of security controls is good but can still represent a risk for new cloud adopters that don’t recognise some of the configuration pitfalls.
Securing hotel technology to protect customer information
Network security risks increase exponentially as hotels look to incorporate newer technologies to support a range of IoT devices, including smart door locks.
Why total visibility is the key to zero trust
Over time, the basic zero trust model has evolved and matured into what Forrester calls the Zero Trust eXtended (ZTX) Ecosystem.