The biggest weakness in security is people. It is almost never the encryption algorithms themselves, or anything that technical. Last year, Science Daily reported that many people will apparently give out their passwords for chocolate:

Researchers asked randomly selected passers-by about their attitude towards computer security, but also asked them for their password. Some participants were given chocolate before being asked for their password, while the control group was only given chocolate after the interview. If the chocolate was received beforehand, a total of 43.5% of the respondents shared their password with the interviewer.

One of the most fascinating keynotes at this year's Arm TechCon was by Jessica Barker, founder of Redacted Firm, a cybersecurity consulting company. She also seems to be one of the "go-to" people to appear on British news programs when there is a security breach of some sort. Perhaps echoing Mike Muller from the day before, she showed clips of herself on various news programs looking sad, concerned, worried and more. Not much joy or happiness. She brought us all up to date on social engineering. Her presentation was titled How to Hack a Human.

One thing that has changed relatively recently is that organized criminal gangs have realized that cybercrime is quicker, cheaper, more effective, and less risky than other forms of crime. As the head of MGM's security said in a keynote at GOMAC earlier this year, he is not worried about the casinos, where people have to show up in person (you can read my post What Keeps MGM's Head of Security Up at Night? Lightbulbs!). The big business vulnerability is the insider. Not so much the malicious insider, which is rare (but costly when it happens). Rather, it is the accidental insider: individuals trying to do their job who make mistakes. This is who social engineers prey on.
They use known psychological triggers. This has been going on for hundreds of years, in what used to be called confidence tricks, but the internet makes it a lot more scalable. There are various flavors:

- sending emails (phishing)
- sending text messages (smishing, from SMS, the GSM short message service that carried the original text messages)
- voice calls (vishing)
- physical attacks, like tailgating into the office through a secure door
- spearphishing (also sending emails, but targeted at an individual or small group, making the message look like it came from the CEO or a customer)

There have been several high-profile spearphishing attacks, from Google and Facebook to the DNC. The basic idea is to use psychological triggers to get you to visit a website so they can capture your credentials or compromise your machine. Or, as in the email she showed, to get you to wire some money. Once the money is wired, it's gone, and it is unlikely you can get it back. If you read that email, you can see that it contains lots of triggers: it is very sensitive, it is urgent, it is extremely confidential, and it is flattering ("I can rely on you"). People react quickly because of the urgency, and only later, when the pressure is off, do they think that something seems a little unusual and check. Junior people in organizations think they couldn't be a target. But they are easier to compromise, and through them the bad guys can reach someone more senior and get deeper into the organization. In fact, earlier in the day, Simon Segars, Arm's CEO, had said that he gets phishing attacks almost daily; of course, he is a high-profile target. Mary Aitken, the other panelist, said that if she wanted to hack Simon, she'd start by hacking someone in his trusted circle.

The most common phishing payload is now ransomware. Over 90% of phishing emails, she said, lead to locking up someone's computer or files (or TV) until a ransom is paid.
It is usually just a few hundred dollars, so people tend to pay and not even report it. But the highest-value attacks are more targeted. Social engineering is on the rise because it works.

Hot States

We all like to think we are rational and would never get fooled. But we all have both Spock and Homer Simpson in our brains, battling it out. There are ways to make people more like Homer and less likely to think clearly, which is what social engineering is all about. In fact, confidence, the feeling that you understand this stuff and would never get fooled, is itself a vulnerability. Social engineering gets you into a hot state, where you are more Homer and less Spock. Some of the triggers:

Curiosity (it killed the cat, but it makes the phish live). Simple things like an email promising embarrassing photographs of your friends, with a few details to make it plausible. It looks like nothing happens when you click. But the bad guys can now access your microphone and camera, edit your files, capture your keystrokes...and more. Or USB sticks dropped in the parking lot with interesting labels like "salaries and bonuses."

Temptation (the cyber siren song). Sextortion, mostly targeting young men: an attractive-looking profile sends a connection request, you accept, you discover you have lots in common; eventually it builds up to explicit pictures, and when the target reciprocates, they get blackmailed.

Kindness (no act of kindness, no matter how small, is wasted). Holding the door open for someone carrying a baby or a lot of coffees. Your friend who has lost his passport and money.

Authority. Instructions from someone more senior, like the CEO (and you don't just pick up the phone and call the CEO to check, you just do it). There was a well-known case where a box showed up in Malaysia with a handwritten note from the CEO saying it was the new antivirus equipment, so they installed it (surprise: it wasn't antivirus equipment, and the note was not from the CEO).
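The CEO wire-transfer email discussed earlier and the Authority trigger just described are the pattern mail-filtering teams call business email compromise. What follows is an added example, not code from the talk, from Redacted Firm, or from the original post, of the kind of content heuristic a defender can run over inbound mail to flag it: an executive's display name arriving from an external or lookalike domain, a Reply-To that diverts replies elsewhere, and the urgency, secrecy and payment language the talk lists as triggers. The defended domain example.com, the executive names, the trigger word lists, the score weights and the three sample messages are all constructed for the example.

```python
"""Heuristic screen for CEO-fraud / BEC-style spearphishing.

Added example (not from the talk). OUR_DOMAIN, EXECUTIVES, the trigger
lists, the weights and the sample messages below are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "example.com"                               # assumption: the defended domain
EXECUTIVES = {"alice chen": "CEO", "bob okafor": "CFO"}  # assumption: real executives' display names

# Hot-state language from the talk: urgency, secrecy, flattery.
URGENCY_TRIGGERS = ["urgent", "immediately", "asap", "right away", "confidential",
                    "sensitive", "discreet", "rely on you", "count on you"]
# The financial ask that a BEC message is building towards.
PAYMENT_TRIGGERS = ["wire", "transfer", "bank details", "payment", "invoice", "gift card"]

SUSPICIOUS_AT = 5  # threshold chosen for this example; tune on real mail


def normalise(text):
    return re.sub(r"\s+", " ", text.strip().lower())


def edit_distance(a, b):
    """Plain Levenshtein distance; domains are short, so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def is_lookalike(domain, ours=OUR_DOMAIN):
    """Catch examp1e.com, exampl.com, example.com.evil.net and similar imitations."""
    if domain == ours:
        return False
    d, o = domain.translate(HOMOGLYPHS), ours.translate(HOMOGLYPHS)
    return d == o or d.startswith(o + ".") or edit_distance(d, o) <= 1


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def score_message(raw):
    """Return (score, reasons) for one RFC 822 message supplied as a string."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(addr)
    score, reasons = 0, []

    # 1. An executive's display name on a non-corporate address.
    role = EXECUTIVES.get(normalise(name))
    if role and sender_domain != OUR_DOMAIN:
        score += 3
        reasons.append(f"{role} display name used from external domain {sender_domain}")

    # 2. Sender domain imitates ours.
    if is_lookalike(sender_domain):
        score += 2
        reasons.append(f"lookalike domain {sender_domain}")

    # 3. Replies diverted to a domain other than the From domain.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != sender_domain:
        score += 1
        reasons.append(f"Reply-To goes to {domain_of(reply_addr)}")

    # 4. Hot-state language in subject and body, capped so words alone cannot convict.
    text = normalise(msg.get("Subject", "") + " " + msg.get_payload())
    hits = [t for t in URGENCY_TRIGGERS if t in text]
    if hits:
        score += min(len(hits), 2)
        reasons.append("urgency/secrecy language: " + ", ".join(hits))
    if any(t in text for t in PAYMENT_TRIGGERS):
        score += 1
        reasons.append("payment request language")

    return score, reasons


def classify(raw):
    return "suspicious" if score_message(raw)[0] >= SUSPICIOUS_AT else "ok"


# Constructed sample messages, not real mail.
BEC_MAIL = (
    'From: "Alice Chen" <alice.chen@examp1e.com>\n'
    "Reply-To: alice.chen.ceo@gmail.com\n"
    "Subject: Urgent and confidential\n"
    "\n"
    "Are you at your desk? I need a wire transfer to a new supplier processed\n"
    "before close of business. Keep this strictly confidential - I know I can\n"
    "rely on you. Send me the bank details form you need.\n"
)
INTERNAL_MAIL = (
    'From: "Alice Chen" <alice.chen@example.com>\n'
    "Subject: Town hall\n"
    "\n"
    "Quarterly town hall is Thursday at 3pm. Agenda attached.\n"
)
VENDOR_MAIL = (
    'From: "Dana Vendor" <dana@vendor.example.net>\n'
    "Subject: March invoice\n"
    "\n"
    "Please find the March invoice attached. Net 30 as usual.\n"
)

if __name__ == "__main__":
    for label, raw in [("BEC", BEC_MAIL), ("internal", INTERNAL_MAIL), ("vendor", VENDOR_MAIL)]:
        score, reasons = score_message(raw)
        print(f"{label}: {classify(raw)} (score {score}) {reasons}")
```

The constructed CEO-fraud message scores 9 and is flagged; the genuine internal note from the same executive scores 0, and a vendor invoice with payment language but no impersonation scores 1. The weights are illustrative: the point is that impersonation signals (display name, lookalike domain, diverted Reply-To) should outweigh trigger words on their own. A content heuristic like this complements, and does not replace, SPF/DKIM/DMARC alignment checks and the out-of-band "pick up the phone and call the CEO" verification the talk recommends.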
People Are the Weakest Link

"You can't patch stupid." We need to help people be safer online and become our strongest link. It is too easy for security experts to tell people to use password managers and two-factor authentication... but many of the people they are telling don't know what those things are. In those cases, people just switch off and ignore it. So Jessica finished up with some practical advice:

- Know what you have that might get attacked. What would be valuable, and to whom?
- Take an attacker's-eye view... and attack yourself sometimes.
- Plan your incident response. Do you know who to contact if you realize you have been compromised? Do you have some channel other than email if your email is compromised? Have you talked about social engineering at all?
- People are at the core of security; train them early and often.
- The most important of all, perhaps, is that there are no stupid questions. Social engineering is all about stopping you from asking questions so that you just do what the bad guys want.

More Details

Jessica's website is www.redactedfirm.com, or you can follow her on Twitter @drjessicabarker. Sign up for Sunday Brunch, the weekly Breakfast Bytes email.