31.12.15

5 things you need to know about social engineering


tags
·         Phishing
·         Social Engineering
·         social media
Social engineering plays an important part in a significant number of cyberattacks, however big, small or sophisticated the crime is. In fact, as ESET’s senior researcher David Harley has previously observed, it has “been a constant all through the life of internet security”.
But what is it exactly? In its broadest sense, social engineering is about psychological manipulation – getting people to do things you want them to do. For example, you could socially engineer a parking warden to avoid a parking fine, or play up your employer’s ego for a salary rise.
In the context of cybercrime, social engineering is widely described as being a non-technical tactic used by hackers to gather information, conduct fraud or gain illegitimate access to victim computers. Social engineering relies on human interaction and involves tricking people into breaking the security procedures that they would usually follow.
Common social engineering attacks include phishing emails, vishing (phone calls from people who falsely claim to be from a respected organization), and ‘baiting’, where legitimate-looking USB drives are loaded with malware, after which the attacker simply waits for the user to plug one into their machine.
Social engineering can also extend to business and friend requests on LinkedIn and Facebook respectively, with criminals using social networks to gain trust and secure data. More often than not, the end result is either extortion or theft.
This includes ‘diversion theft’ (stealing something small in order to steal something bigger later) and tailgating (piggybacking on people into secure areas that should ordinarily be off limits). One convicted fraudster even used social engineering to escape from prison in the UK recently. The fraudster used an illicit mobile phone to create a fake email account, posed as a senior court clerk and then sent his own ‘bail instructions’ to prison staff. He was mistakenly released but later handed himself in.
Cybercriminals will use these kinds of attacks for a variety of reasons, as documented above. It’s certainly an effective weapon in their arsenal, allowing them to steal privileged credentials, infect people with malware or to get them to pay for useless and dangerous scareware. Most of the time, their ultimate aim is to steal money and data – or to assume the identity of the victim.
It’s easy and cheap to do – renowned security consultant Kevin Mitnick once said that it was easier to trick someone into giving a password for a system than to spend the effort to crack into the system.
With all this in mind, we look at five things you should know about social engineering.
1.     It’s physical and digital
Social engineering is an age-old con in all walks of life, so it would be wrong to think that this is either new or only seen in the online world.
In fact, social engineering has long since been used in the ‘real’ world. There have been numerous examples of criminals posing as fire marshals, technicians, exterminators and cleaners, with the sole purpose of entering company buildings and stealing company secrets or money.
It was only later, sometime in the 1990s, that vishing became popular, with email phishing following sometime after that.
2.     The quality varies
The quality of social engineering scams varies wildly. For every sophisticated social engineer sending authentic-looking phishing emails or doing vishing calls, there will be countless others with poor English, conflicting stories and confusing information.
You’ve probably already come across a number of these yourself: from dubious emails from a ‘Nigerian bank’ to others promising that you’ve won the lottery in some other country, there are ample examples of pitiable attempts at fraud.
3.     Countries are doing this
At a very high-level, nation-states are actively engaging in social engineering campaigns, or at least using them as part of much more sophisticated advanced persistent threat (APT) attacks. This kind of online espionage plays an important role in the cyber efforts of countries like the US and China, as a Wired feature revealed.
“While the term APT suggests sophisticated malicious technology, APTs are often reliant on old-fashioned social engineering in order to get an initial foothold on a system,” Mr. Harley recently commented.
“Preferably a system that belongs to someone relatively highly-placed in the organization so that they have access to sensitive data, whether the intruder’s objective is fraud or espionage.”
4.     You probably won’t notice an attack
The worrying thing about attacks like this is there is no immediate warning, no clear sign that you are under attack or have been compromised. There is no pop-up asking for bitcoins (like with CryptoLocker and other ransomware), or a scareware ad asking you to download an application or call a service centre.
Most of the time, the criminals conduct their attack, steal your details and disappear. And if it’s data theft, you may never know of the compromise, let alone if your details are being sold illegally on the dark web.
5.     Social engineering is big in enterprise
Social engineering affects all of us, but it is increasingly being used by fraudsters to target enterprises and small and medium-sized businesses – 2014 has even been described as the year that cybercriminals “went corporate”.
One industry report from earlier this year revealed that social engineering is now being used to target middle managers and senior executives. Why so? Because they are a “goldmine”, explained Richard De Vere, a social engineering consultant and penetration tester at The AntiSocial Engineer Limited, at the time.
“If you’re putting together a phishing email, LinkedIn is a goldmine of middle managers and C-level executives,” he told SC Magazine. “Automated tools can quickly pull together a list of hundreds of email addresses – together with user data and VPN/OWA/Active Directory credentials.”


25.12.15

ESET predictions and trends for cybercrime in 2016

It’s that time of the year when the information security industry takes part in its annual tradition: coming up with cybercrime predictions and trends for the next 12 months. These lists usually range from the mundane to the bizarre, to the lighthearted and the dire (perhaps depending on the predictors’ consumption of eggnog and/or dystopian sci-fi media). Many have about as much accuracy as one might expect of people who are experts but not psychics. Still, you never know.
As regular readers of We Live Security will know, every December the ESET researchers put together their own predictions and trends for the coming year. In 2014, the emphasis was on APTs (advanced persistent threats) and attacks targeting the corporate world. This year, we’ll be offering a deeper analysis on a variety of topics such as IoT, ransomware, crimeware, haxposure, Windows 10, and critical infrastructure among others.
The full article will be released soon and you’ll be able to download the full version directly from our white paper section. What now follows is a brief, occasionally tongue-in-cheek view from a number of ESET researchers on what they expect 2016 will bring.
·         More convergence between tech support scams and real malware, especially ransomware.
·         Increased targeting of platforms other than Windows for pop-up fake alerts and for ransomware.
·         In the UK at least, NHS sites will continue to be slammed by security bloggers for squandering their pitiful resources on direct healthcare instead of upgrading computer systems.
·         More toys will follow the Pink Fink (aka Hello Barbie) into the Internet of Things (IoT), despite concerns about privacy and the continued attention of researchers probing for scareworthy vulnerabilities.
·         Understandable panic about terrorist attacks and other manifestations of physical violence will be translated into calls for the weakening of encryption and the abolishing of privacy.
·         We will see an increase in the usage of virtualization technology by home and SOHO (small office/home office) users, followed by an increase in attacks on them.
·         Adobe Flash, PDF and Oracle Java will remain targets of opportunity. (Keep ‘em patched, folks!)
·         Web frameworks (Drupal, Joomla, Typo3, WordPress, etc.) will also be targeted, and exploits for them will increase in value.
·         Web performance, optimization, analytics, personalization and other related service networks (think Newrelic, Optimizely, Parsely, etc) will be increasingly targeted via both sophisticated attacks (i.e. code injection of specific customers) and unsophisticated attacks (DDoS).
·         Windows will still be a target.
·         High-visibility breaches will continue. This will be across all sectors, of course, but the press (and hence the public) will probably pay the most attention to the ones in retail and healthcare. The organizations affected will take restorative and preventative measures in the short run — then they will revert to NIMBYism.
·         Elsewhere, there will be lots of corporate board handwringing and, in some businesses, perhaps even occasional increases in security funding.
·         Unaffected end users will be anxious, until the next news cycle. Afflicted users, of course, will stay anxious longer, when they realize their identities have been stolen, or funds drained, or that they can’t get health insurance because …
·         Regrettably, if 2016 unfolds like previous years, not enough will happen, as far as end users and businesses actually doing anything to protect themselves.
·         Legacy devices will continue to be used in healthcare, because there is a perception, real or imagined, that it is not viable to move away from them. New devices will not have anywhere near sufficient security baked in until long after the 2016 timeframe. The exceptions will be few and far between — but we should do everything we can to encourage those vendors who ‘do it right’.
·         In 2016, healthcare IT managers will be under pressure from 3LAs on three sides: fresh OCR HIPAA audits and penalties; more aggressive FDA action on vulnerable medical devices and pseudo-medical apps; and at least one FTC action against a wearable or IoT device or app used in wellness programs.
·         2016 may also see the responsible disclosure debate hit healthcare IT, just like the live Jeep hack demo hit the automotive industry in 2015. Many security experts oppose risky public demonstrations, but there is no denying the power of a video showing a car being disabled on the highway, which accomplished what several previous parking lot demos did not: a whole new level of public and congressional attention.
·         IoT security will continue to make headlines, but if your digital ‘e-bear’ toy gets hacked you are in no certain peril, aside from a trip to the store to return it. Expect 2016 to be the year of the full-frontal assault on all things IoT though, where cybercriminals will find new ways of attacking unsuspecting victims through their new flock of ‘digital doo-dads’. But it will still take more time to find the ‘killer bad app’ nemesis for the IoT.
·         SCADA (supervisory control and data acquisition) hacking becomes nation state day job for more people. After years of tinkering and poking the doors of unsuspecting industrial players, nations will pride themselves on having SCADA digital chops.
·         Credit cards will still get hacked – despite EMV. Where there’s money, there will be hackers, no matter the technology. Still, EMV raises the bar a bit and makes hacking more expensive, which is good.
From Lysa Myers:
·         Governments around the world will continue to pass laws that belie an understanding of technology, especially encryption and networked communication.
·         Companies will continue to pump out toys, fitness devices, ‘smart home’ devices, apps, etc, that leak personal information like Snoqualmie Falls in an El Niño year.
·         Healthcare companies will continue to lead the Breach Parade, as medical device manufacturers continue selling equipment with woefully outdated software and operating systems, and electronic health records are implemented without sufficient risk assessment.
·         (Hopefully) more device manufacturers will publish responsible disclosure procedures for reporting vulnerabilities in their products.
·         More devices and accounts will add simple – and perhaps novel – authentication techniques that allow people to increase their security.
·         More chip and signature terminals will come online in the US, and be closely followed by complaints from retailers that they’re significantly slower than magstripe cards.
Each of us had our own area of concern, according to our particular specialties, but we all predict many of the same outcomes for next year. From the 10,000 foot view, this could best be summarized as ‘things will continue along the same trajectory’. This could be considered a fairly pessimistic view, and yet a rather obvious one.
That said, the upcoming year – as with all years – brings the possibility for many learning opportunities, which offers plenty of scope for improvement. Unspoken jokes about job security aside, we very much hope this coming year yields greater transparency and understanding of security issues, which generates more and substantial improvements in privacy and security for everyone. Please stay tuned to We Live


22.12.15

Quantum cryptography ‘is vulnerable to attack’

By Narinder Purba posted 22 Dec 2015

Quantum cryptography, considered to be one of the most complex and unbreakable methods of encryption, has been found to be vulnerable to attack, according to a major new study.
Published in Science Advances, the paper concluded that energy-time entanglement, which underpins many forms of quantum cryptography, is exploitable.
Researchers from Stockholm University and Linköping University observed in theoretical models and later in actual experiments that the critical security flaw could allow for attackers to “eavesdrop on traffic without being detected”.
“The energy-time entanglement technology for quantum encryption studied here is based on testing the connection at the same time as the encryption key is created,” the experts highlighted in an official press release.
“Two photons are sent out at exactly the same time in different directions. At both ends of the connection is an interferometer where a small phase shift is added. This provides the interference that is used to compare similarities in the data from the two stations.
“If the photon stream is being eavesdropped there will be noise, and this can be revealed using a theorem from quantum mechanics – Bell’s inequality.”
All that said, if the connection is actually secure – and therefore “free from noise” – the photons can be used as an encryption key. This ensures that your communication remains inaccessible and unreadable.
What the researchers have therefore deduced from their experiments is that if the photon source is substituted with what they call a traditional light source, a particularly informed attacker can extract the code string.
Armed with that insight – i.e. they now know what the key is – the snoop can access the encrypted data surreptitiously, rendering Bell’s inequality-inspired security test redundant.
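The Bell test that the press release describes as the eavesdropping check, as an added Monte Carlo example that is not code from the article or the study. It assumes a Franson-type interferometer whose coincidences follow E(phi_a, phi_b) = V·cos(phi_a + phi_b), treats an eavesdropper as a loss of interference visibility V, and models only the check itself, not the classical-light substitution the study uses to defeat it.

```python
"""CHSH Bell test as the eavesdropping check used in energy-time entangled QKD.

Assumption (not from the article): a Franson-type interferometer pair whose
coincidence outcomes are correlated as E(phi_a, phi_b) = V * cos(phi_a + phi_b),
where V is the interference visibility. An undisturbed link has V = 1; an
eavesdropper who tampers with the photon stream adds noise and lowers V.
"""
import math
import random

# Interferometer phase settings for the CHSH test: two at Alice, two at Bob.
# With the cosine model above these settings give S = 2*sqrt(2)*V.
ALICE_PHASES = (0.0, math.pi / 2)
BOB_PHASES = (math.pi / 4, -math.pi / 4)

# Any local (classical) explanation of the data satisfies |S| <= 2, so the
# link is only trusted when the measured S clearly exceeds that bound.
CLASSICAL_BOUND = 2.0


def sample_pair(phi_a, phi_b, visibility, rng):
    """Simulate detector outcomes (+1/-1 at each station) for one photon pair."""
    p_same = 0.5 * (1.0 + visibility * math.cos(phi_a + phi_b))
    a = rng.choice((1, -1))                 # Alice's output port is uniformly random
    b = a if rng.random() < p_same else -a  # Bob's port is correlated through p_same
    return a, b


def correlation(phi_a, phi_b, visibility, rng, n):
    """Estimate E(phi_a, phi_b) from n simulated coincidences."""
    pairs = (sample_pair(phi_a, phi_b, visibility, rng) for _ in range(n))
    return sum(a * b for a, b in pairs) / n


def chsh_value(visibility, n=20000, seed=1):
    """Compute S = E(a,b) + E(a,b') - E(a',b) + E(a',b') for the settings above."""
    rng = random.Random(seed)
    a, a2 = ALICE_PHASES
    b, b2 = BOB_PHASES
    e = lambda x, y: correlation(x, y, visibility, rng, n)
    return e(a, b) + e(a, b2) - e(a2, b) + e(a2, b2)


def link_is_trusted(visibility, n=20000, seed=1):
    """True when S violates the classical bound, i.e. no detectable noise."""
    return chsh_value(visibility, n, seed) > CLASSICAL_BOUND


def visibility_threshold():
    """Visibility at or below which noise makes the test fail: 2*sqrt(2)*V <= 2."""
    return 1.0 / math.sqrt(2)


if __name__ == "__main__":
    for v in (1.0, 0.8, 0.6):
        s = chsh_value(v)
        verdict = "trusted" if s > CLASSICAL_BOUND else "eavesdropping suspected"
        print(f"visibility {v:.1f}: S = {s:.3f} -> {verdict}")
```

Visibility 1.0 and 0.8 pass the check, while 0.6 (below the 1/√2 threshold) fails it, which is the noise signature the article says the test is meant to reveal.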
Writing about quantum cryptography last year, the information security consultant Rob Slade said that while he appreciates the idea behind it, “it is just another form of key exchange”.


21.12.15

Don’t know what to give your children for Christmas? Santa Claus might come from a galaxy far, far away


Only a few days remain before Christmas and you still don’t know what to buy for your child? No worries: we have a list of high-tech gifts to give you some ideas…

Does your youngest like to play? Choose from the creative games that will help your child grow. A good example, very popular right now with millions of young people, is Minecraft. It lets them do all sorts of things, from building castles to digging catacombs, not to mention going on adventures with friends in a virtual world. But before you let them play, talk to them about the possible security risks and explain clearly that the people they meet online are not necessarily friends once they are offline. They should also know that if they have any question, or come across something suspicious, your door and your mind will be open.

There was a time when mobile phones were reserved for the rich. Today, modern technology is so widespread that a child without a phone is considered ‘behind the times’ by their classmates. But if you decide to buy them a mobile device, you don’t need to choose a very expensive high-end device whose features they obviously won’t fully use. Instead, choose an entry-level Android device. That will let you stay in touch with your child and save you money. If you are worried about the risks of a permanently connected mobile phone, choose a parental control tool that lets you blacklist inappropriate sites or limit browsing and gaming time.

This list would not be complete without mentioning game consoles. But here too, you don’t need to spend a fortune on the latest model. You could, for example, choose an older PlayStation, Xbox or Nintendo model, which will be cheaper but will still let you play some of the latest games as well as titles dating from the early days of these platforms.

For the holidays, the latest Star Wars has just hit cinemas and the Internet is full of it. This craze has also taken physical form: have you seen the vast range of games and toys, such as the special-edition Lego sets or the figures of the film’s main characters? There is one that is all over social networks. We mean the robot that has replaced the legendary R2-D2, called the Sphero BB-8 Droid. Looking like a high-tech ball with a head, this little fellow from a galaxy far, far away could be the one to buy for Christmas. You can choose between the cuddly version and the remote-controlled one.

Do you have a little engineer at home? There are construction kits, such as the Haynes V8 Combustion Engine or LittleBits (Gadgets & Gizmos), that will teach your son or daughter the basics of mechanics or electronics and could be their first steps toward a future in a fast-growing industry.

Do you prefer old-style board games while your children dream only of tablets, smartphones and other gadgets? Today you can have both at once: just choose the virtual version of the games. You will find practically all of them, from classic Monopoly to the very latest titles such as Ticket to Ride.


Thinking of a tablet? Then keep your child’s age in mind before you buy. Although iPads or Samsung tablets are very popular with teenagers, you have other options if you want something better suited to a younger child. One example is the Amazon Fire Kids Edition, which lets children play games and visit sites appropriate to their specific age. The other way to set limits is to install a parental control tool, comparable to the one used for smartphones, that lets you block inappropriate apps and sites and decide how much time your child can spend browsing or playing.

18.12.15

Star Wars: A New Hope – 5 information security lessons
Unless you have literally been living on a remote, desert-like planet in a galaxy, far far away, spending your days looking out over the horizon as two suns start to set, then you might have missed a certain level of buzz about a certain new Star Wars movie.
Indeed, the world has gone positively potty over The Force Awakens, the seventh and latest instalment in the now possibly endless franchise. Without giving anything away (this feature is entirely spoiler free), the J.J. Abrams-directed film has been declared a triumph by critics all over the world. In short, it has been described as both a fitting tribute to the original trilogy and a triumphant start to what will be the next chapter of the saga.
Like most Star Wars fans, we’ve made an effort to rewatch all of the movies – not that we needed an excuse to revisit this captivating world – and in doing so, we inadvertently uncovered some interesting information security insights, specifically from the first ever flick, A New Hope.
After some further scrutiny (i.e. we watched the movie again and again), it became all too clear that there’s a lot that can actually be learnt from this magical space opera. So, here we are … a Star Wars-inspired cybersecurity feature. Enjoy, and may the force be with you.
1.     Do not underestimate the power of end-to-end encryption
If you want to ensure that the details of your communication remain hidden from prying eyes, so that only the sender and the receiver have access to it, then end-to-end encryption will serve you well.
The Rebel Alliance is big on encryption. Princess Leia needs to get a message to her “only hope”, Obi-Wan Kenobi, and, attuned to the fact that the Empire is hot on her heels, she duly encrypts her plea for help (as well as the Death Star blueprints) and hides it in everyone’s favorite little droid, R2-D2.
Leia understands that if R2-D2 is captured, she can feel somewhat confident that data will remain secure –  in other words, while it might now be in the hands of the bad guys, it’s unreadable. Only Obi-Wan has the key needed to decrypt the message, meaning the princess’ secret plea for his assistance can only ever be unlocked by the Jedi Master.
2.     You must learn the ways of social engineering to stay secure
Social engineering is an effective form of manipulation that allows cybercriminals to deceive victims. From an information security point of view, it’s used to covertly gather sensitive information and/or gain access to devices and accounts, usually for fraudulent reasons.
The Jedi are, in some ways, masters of social engineering (used, of course, for the greater good of the galaxy). We first get a glimpse of this when Obi-Wan, accompanied by Luke, is stopped by stormtroopers on their way to meet Han Solo and Chewbacca.
They are asked for identification and, swiftly, with a subtle wave of the hand, the request is rebutted. The stormtroopers have no idea what has happened. Being aware of social engineering techniques might have made a difference, as in Return of the Jedi, where Luke’s efforts to sway Jabba with the Force fail.
3.     I find your lack of faith in your vulnerabilities disturbing
Even the most comprehensive security systems have their vulnerabilities, which is why it is important to constantly assess the means by which you’re protecting your assets to uncover hidden flaws.
General Tagge is all too aware of this. In a meeting with his colleagues and superiors he cautions that the data breach experienced by the Empire might leave them open to an attack.
“They might find a weakness and exploit it,” he warns, appreciating the fact that because the information that was accessed was highly sensitive, it presents a grave danger.
However, this analysis of the situation isn’t shared by all. General Motti, for example, underestimates the skillset of the rebels: “Any attack made by the rebels against this station would be a useless gesture, no matter what technical data they have obtained.”
While the Death Star is pretty heavily protected, a small vulnerability, overlooked by the Empire, is discovered: a thermal exhaust port that is connected to the space station’s reactor core. If you can gain entry through that small opening, well, it’s game over.
4.     I sense the presence of something I can’t quite put my finger on (trojan horse)
A trojan horse is a type of malicious software that purports to be anything but. In other words, as in the Greek mythology from which it gets its name, its superficial and seemingly innocuous appearance belies the devastating and harmful nature that lurks below.
The crew of the Millennium Falcon, when caught in the Death Star’s tractor beam – after discovering the planet Alderaan has been destroyed – possess all the hallmarks of a trojan.
Although the Empire is initially cautious about what they have just beamed into the battle station – the equivalent of downloading a shortened link – the check they perform doesn’t spot the hidden crew (ultimately the trojan).
While Darth Vader kills Obi-Wan – they have finally spotted the malicious software and attempted to contain it – it is too late. The tractor beam is disabled, the Millennium Falcon escapes, the Rebel Alliance gets hold of the Death Star’s blueprints and … well, you know the rest: “Great shot kid! That was one in a million!”
5.     The password protection and 2FA is not strong with this system
If you don’t invest in strong passwords and two-factor authentication (2FA) solutions, and combine that with an open access policy to your network – as opposed to only senior employees possessing the rights to it – then you’re likely to experience some sort of data breach, big or small, intentional or otherwise.
R2-D2 – who faces stiff competition from BB-8 these days – makes easy work of the Death Star’s lack of password protection. Not only is he able to plug himself into the battle station’s central computer, he is able to locate specific information with very little effort (specifically Leia’s location).
Moreover, later on, when the heroes are trapped in the trash compactor, R2-D2 is once again able to effortlessly locate the kind of data and controls he needs. To all intents, there is nothing by way of security to stop him in his tracks.
However, had the Empire anticipated the threat of a cyber expert, had strong passwords in place, and had invested in two-factor authentication, then the ending of A New Hope would have been remarkably different.
Author Editor, ESET