Tag Archives: social engineering

FBI Warning for Students

Hope your new year is going well!

The FBI has recently posted a warning about a scam that is targeting students in search of employment.

I won’t go into details here, as the FBI has published the full information they have as a public service announcement on their website at: https://www.ic3.gov/media/2017/170118.aspx

Even if you are not a student, it is worth reading for the insight it gives into how malicious actors are trying to exploit the desire of students and graduates to find work.

Safe Computing!

Seasonal Phishing

Did you know that Phishing has a season, just like real fishing?

Statistics show that during the year-end holiday period, malicious users are more successful with phishing attacks about holiday giving or shopping because they tailor their message to fit the hustle and bustle and activities of the season.

Here is a short video which reminds all of us not to let our guard down just because we are too busy or distracted to carefully scrutinize an e-mail that advertises a sale or touches our heart.

Have a good holiday season, and Safe Computing!

Cybersecurity Awareness… or not?

An interesting exchange of opinions recently occurred between two of my favorite news sources related to information technology security.

Since we are still in the midst of a month declared by the federal government as “Cybersecurity Awareness Month” (see both https://www.dhs.gov/national-cyber-security-awareness-month and https://staysafeonline.org/ncsam/), which is an effort to increase security awareness among regular technology users, the disagreement is interesting.

The premise of “cybersecurity awareness” is that all computer users need to be trained to be more knowledgeable and to apply their experience, knowledge and expertise to making the use of modern technology more secure. This is a worthy goal, I believe.

However, Bruce Schneier, a highly respected security expert and author, persuasively argued recently that maybe the computing industry should be less focused on educating the user and more on fixing the current state of technology:

Stop Trying to Fix the User

I am sure that many technology users will agree that there are basic technology fixes that should happen! However, Lance Spitzner, training director for the SANS Institute’s Securing the Human program and security blogger for Educause, disagreed with Bruce’s emphasis on the technology:

Why Bruce is Wrong

The college’s Information Technology Services division does as much as can be done technically to ensure that all users have as safe a computing experience as they can on campus. However, given the state of computing technology, technical solutions alone will never eliminate IT security issues.

Every one of you, as a user of college systems, is still an important part of a robust security solution, and your ability to recognize that something is wrong often proves better than the best technology solution.

So in a way, both of these authors are correct: there absolutely should be better, more secure technological ways of doing some of the everyday things we do with computers, like clicking a link or logging in, but until those exist, users need to be better trained and more aware of how to evaluate the risks inherent in daily technology use and how to respond when they experience attacks by malicious users.

This will continue to be an interesting discussion, I think…

Safe Computing!

Credential Stealing

One of the consistently best voices addressing cyber security issues worldwide is Bruce Schneier. He is a cryptography expert and privacy advocate out of Harvard who has published many books, some of which are very technical in nature and intended for professional information security audiences. But one of his great skills is that he also writes about important and timely privacy, trust and security topics in a manner that is accessible to most lay people.

Today I am bringing your attention to a recent article he wrote for the Xconomy web site which addresses the evolving nature of computer attacks and the assumptions most people make that such attacks are merely technical or malware issues.

Turns out, the challenges in modern IT security are not so much about technology, but about people using the technology. In fact, Schneier states that “…software vulnerabilities aren’t the most common attack vector: credential stealing is.”

The article quotes the head of the NSA’s Tailored Access Operations (TAO) group as saying “…stealing a valid credential and using it to access a network is easier, less risky, and ultimately more productive than using an existing vulnerability, even a zero-day…” (a zero-day being, essentially, a software-based cyber attack using previously unknown tools or methods).

Schneier urges computing professionals to adapt to this changing environment, but the key piece of information within the article for most regular technology users is that they are more and more likely to be the initial target for malicious actors, who are using everything they can–including social engineering, phishing, physical and psychological manipulation, and outright threats–to gain legitimate credentials to target systems or networks, including home networks.

Using the kinds of techniques perfected by stereotypical con men and the hacker culture, modern criminals are now hacking people more than they are hacking machines. And once they have YOUR work or personal login credentials, they have the same access to everything you have access to within those environments.

So this article is a good reminder for each of us to think twice any time a person or a machine asks for personal or college information, or for home or work technology credentials.

Safe Computing!


The full Bruce Schneier essay can be accessed at: http://www.xconomy.com/boston/2016/04/20/credential-stealing-as-attack-vector/

If you are interested and wish to see more of Bruce’s writings, his personal blog web site is: https://www.schneier.com/.

(Sometimes his writings are too technical for me, but he has a very practical, realistic and common sense approach to many security and privacy issues, so it is worth checking his site out for the more generalized material that can help you understand all of the issues about which he writes.)

Password Security

I haven’t had much time recently to write here a lot, but there is an interesting story related to a data breach in the public sector that I thought would merit a few moments today (here is a link to a Wall Street Journal article about it).

The basis for the story is that a number of DropBox (a popular cloud file storage site) account passwords have been published by some hackers.  However, the security for the DropBox site itself has NOT been compromised in any way…

So what happened?

It seems that the hackers were able to get into another unidentified website’s user database, which stored account names and password credentials for that site, then went down that list of credentials at the DropBox site. They were subsequently able to access a number of DropBox accounts. This ability to use a password stolen from one site to access another site occurred because the users used the same login name and password for their DropBox account that they used on the website that was compromised!

Knowing it would be difficult to get through the high levels of security that DropBox has in place, the hackers simply went to the less secure site and reused against DropBox the information they acquired there.  It wouldn’t surprise me if they actually did this a number of places.  They could have tried accessing Google or Microsoft or Yahoo or any other site they wanted.  The security issue is actually the REUSE by users of the same user names and passwords on different websites.

This illustrates one of the primary purposes behind most malicious attacks: the acquiring of credentials.  If a person with bad intent has actual login access to any given website, it doesn’t matter how much security that site has against direct attacks or hacking.  The bad guys are already in.

Bottom line:  never give away your login name and password, and don’t reuse passwords across multiple websites.  That is the ideal.

However, because it is difficult for all of us to keep track of lots and lots of passwords and to always use a different one for every purpose, at least be aware of what you are trying to protect and think about how to use more secure passwords at sites you wish to better protect.

For instance, you absolutely shouldn’t use the same password for very public places like Facebook or Twitter that you use for very private places like your bank or credit union site.

This applies to campus, as well.  The password you use when handling sensitive or protected college information shouldn’t be the same password you are using to sign up for a Groupon newsletter or to access personalized content on CNN.
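As an added example (not part of the original post), here is a small Python check for the pattern described above: one source address walking a stolen list of credentials across many different accounts on a second site. The log format and addresses are constructed for illustration.

```python
# Added example (not from the original post): flag a source address that tries
# many different accounts in a short window, the pattern a stolen credential
# list produces when replayed against another site. Log format is invented.
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample: 203.0.113.7 replays a list (one hit), 198.51.100.9 is a
# normal user who mistyped a password once.
SAMPLE_LOG = """\
2016-10-03T09:00:01Z auth src=203.0.113.7 user=alice result=FAIL
2016-10-03T09:00:02Z auth src=203.0.113.7 user=bob result=FAIL
2016-10-03T09:00:03Z auth src=203.0.113.7 user=carol result=OK
2016-10-03T09:00:04Z auth src=203.0.113.7 user=dave result=FAIL
2016-10-03T09:00:05Z auth src=203.0.113.7 user=erin result=FAIL
2016-10-03T09:05:00Z auth src=198.51.100.9 user=grace result=FAIL
2016-10-03T09:06:00Z auth src=198.51.100.9 user=grace result=OK
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")

def parse(log_text):
    """Yield (timestamp, src, user, result) tuples; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["src"], m["user"], m["result"]

def find_stuffing_sources(log_text, window=timedelta(minutes=10), min_users=5):
    """Map each source that hits >= min_users distinct accounts within `window`
    to the accounts it touched and those it logged into successfully; the
    successes are the accounts to lock and investigate first."""
    events = defaultdict(list)
    for ts, src, user, result in parse(log_text):
        events[src].append((ts, user, result))
    hits = {}
    for src, evs in events.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - start <= window]
            users = {u for _, u, _ in in_window}
            if len(users) >= min_users:
                hits[src] = {"users": sorted(users),
                             "succeeded": sorted(u for _, u, r in in_window if r == "OK")}
                break
    return hits
if __name__ == "__main__":
    for src, info in find_stuffing_sources(SAMPLE_LOG).items():
        print(f"{src}: tried {len(info['users'])} accounts, got into {info['succeeded']}")
```

A user who mistypes their own password a few times never trips the check, because the distinct-account count, not the failure count, is what matters.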


Federal Trade Commission Scam Alerts site

Happy June!

Today’s information is short and sweet, and is about an important resource each computer user should have at their fingertips.

The Federal Trade Commission has a website intended to inform consumers about current scams, including computer spam scams (say that three times, real fast).  Of course, most things that may be identified as applying to consumers can be valuable in the workplace, as well.

So check out the information posted there, then bookmark the site both at home and here at work, and refer to it whenever you have questions or are just curious.  You can even sign up to get automatic alerts, if you wish.


Social Engineering

WHAT’S THAT?

Social engineering (a term coined by hackers for social manipulation) is a collection of effective physical and psychological techniques by which malicious persons exploit the human tendency to trust or help other people, and it is one of the greatest on-going information security threats.

Social and environmental engineering is done to gain unauthorized access to college information, or to network and computing resources. Because it so reliably gives attackers a way to bypass, through users, any electronic security methods which may be in place, various social engineering techniques are used every day.

Preventing intrusion by outside parties to college systems through the unwitting collaboration of students and employees is an important goal of information security, because once any access is attained, severe damage can be done.

In a service-oriented environment such as the college, this manipulation of trust creates a significant challenge to staff and requires that we are constantly on guard. User awareness of the various methods used to gather information is an essential step in maintaining information security.

Campus employees should always be thoughtful about legal requirements, such as FERPA, and college policies addressing what information may and may not be released to outside parties.

PURPOSE

The initial purpose of social engineering is to obtain a user’s password. Any account which provides access to the Bellevue College computers or network can be used by a knowledgeable user in many malicious ways, the least of which compromises only the account for which the password is known.

Subsequent purposes related to social engineering are to physically obtain desirable sensitive information or to gain access to unattended systems, thus negating the need for a computer password.

Social engineering attacks use both physical and psychological methods:

Physical methods for collecting information may include:

  • Impersonation of repairmen, IT support personnel, managers, etc., either by phone or in person.
  • Collecting and analyzing information from discarded trash (dumpster diving).
  • “Shoulder surfing”, which is watching to see employees type their passwords.
  • Searching a work area for passwords or other sensitive information that has been written down.
  • Using unattended computers that are already logged in.

Psychological methods for collecting information manipulate trust and emotion to acquire information or access. Some of these interactions may be in person, but more likely will be over the phone or through e-mail. Some risks include:

  • E-mail purporting to be from a campus authority, such as the Help Desk or Information Resources (IR).
  • Direct phone requests to the Help Desk for password resets for the accounts of other users.
  • Pleas or threats for information by impersonation of authority figures or support personnel.

When this type of social engineering is done by e-mail, it is often referred to as “phishing.”

SUGGESTED RESPONSES

Area of Risk:   Office trash; dumpsters

Malicious user Tactic: Dumpster diving

Strategy to combat: Once something is left for trash, there is no expectation of privacy.

  • Reports containing confidential or sensitive data should be shredded before disposal.
  • All computer system media (floppy disks, CD-ROM disks, tape, internal or external hard drives, USB drives, etc.) should be carefully erased and disposed of properly.

Area of Risk:  Psychological

Malicious user Tactic:  Impersonation; persuasion

Strategy to combat:  If you don’t know someone, check!

  • Challenge the authority or identity of persons unknown to you – ask them to identify themselves.
  • IT support personnel will always wear Bellevue College identification.

Area of Risk:  Network, e-mail, and internet usage

Malicious user Tactic:  Creation and insertion of malicious software on systems to acquire passwords or other sensitive information

Strategy to combat:  User initiative and awareness

  • Appropriate password use and management.
  • Campus user caution regarding e-mail from unknown senders and e-mails with attachments.

Area of Risk:  Offices

Malicious user Tactic: Shoulder surfing; stealing sensitive documents or external hard drives; wandering through halls looking for open offices; using unattended computers that are already logged in

Strategy to combat:  User initiative and awareness

  • Don’t type passwords with anyone else present (and be courteous by not watching others typing in theirs).
  • Mark documents as confidential and require hard copies of those documents to be physically locked up.
  • Lock external hard drives and USB drives up at night.
  • Require all guests to be escorted.
  • Do not store or post passwords near computers.
  • Lock your computer whenever you step away, even for a “minute”.

Area of Risk:  Phone

Malicious user Tactic:  Stealing toll-free access

Strategy to combat:

  • Protect SCAN codes the same as passwords.

Area of Risk:  Help Desk

Malicious user Tactic:  Impersonation; persuasion

Strategy to combat:

  • Remember that the Help Desk will not ask you for your password in an e-mail or over the phone.

If you have any questions about social engineering, or are uncertain if you have been a victim of social engineering, be sure to contact the Help Desk (415.564.4357).

eBay intrusion exposes personal information

Personal privacy issue

As stated on the home page for this blog, sometimes I will be writing about privacy issues, as they are intricately tied to many topics related to information security. In fact, the whole basic idea of information security is to keep electronically-stored things private when they should stay private.

I will also sometimes talk about issues that may not be directly tied to information security at the workplace. This is because personal security and privacy practices related to our non-work lives can have tenets or lessons that apply directly to our work security and privacy practices. Today is an example.

Currently, there is a lot of news about an intrusion into the network systems holding personal and private information related to eBay customers. Because of this breach, the company is recommending that all customers change their passwords.

The eBay passwords that may have been compromised were encrypted, which will make them difficult (but not impossible) for the hackers to break. However, a significant aspect of this data security breach is that the exposed user accounts may have also included unencrypted personal information, such as names, addresses, etc.

This puts many of eBay’s customers at a high risk of increased attempts to social engineer, or trick, them into providing even more private personal information.

The importance of password security and the principles of social engineering are basic information security concepts every technology user should understand, whether you are applying them to your personal life, or to your work responsibilities.

If you are an eBay customer, or a customer of PayPal, which is also owned by eBay, you should at least take the recommended precautionary step of changing those passwords. Making this change does not guarantee that your personal information held by the company is totally secure, but it is a good first step in the wake of this incident.