For some folks, it might be a helpless old lady. Here’s another story that illustrates one of the two main problems with employee-based security.
Showing posts with label Oh The Humanity. Show all posts
Showing posts with label Oh The Humanity. Show all posts
Wednesday, April 30, 2014
Oh the Humanity: Picture of a Thief
In order to improve security awareness among staff, the first step is to change each employee’s mental picture of what it means to be a thief. Every social engineer who calls will not be an easy-to-spot gentleman with an oily voice and diabolical laugh. Awareness cannot be based on preconceived notions about gender, personality, and level of authority.
In order to be successful, social engineers will go to any lengths, will play on your employees’ weaknesses, and will find ways to get in their heads. For many men, that weakness is a friendly girl.
For some folks, it might be a helpless old lady. Here’s another story that illustrates one of the two main problems with employee-based security.
For some folks, it might be a helpless old lady. Here’s another story that illustrates one of the two main problems with employee-based security.
Tuesday, February 25, 2014
Interview: Naoki Hiroshima, or How One Social Engineer Used the Phone as a Weapon
It didn’t take long for Naoki Hiroshima’s story to take Twitter by storm when he posted his article on Medium on January 29. After all, no one likes it when a social engineer wins—especially when his target is smart, tech-savvy, and prepared.
Here’s the story in a bright, colorful nutshell:
So, Naoki lost his Twitter handle and the thief got away. Grrr.
That’s what makes this story such a model for the danger of social engineering. In fact, the details of Naoki’s story were so frustrating that we sat down with him last week for a little more detail.
Here’s the story in a bright, colorful nutshell:
Share this Image On Your Site
That’s what makes this story such a model for the danger of social engineering. In fact, the details of Naoki’s story were so frustrating that we sat down with him last week for a little more detail.
Tuesday, February 11, 2014
Oh the Humanity: The Problem with Security Policy
Everybody talks about people using easy passwords. For example, using the same password forever and adding a 2. ‘Password.’ ‘12345.’ We all joke about it (even though it’s no laughing matter).
In the past decade, we’ve had the unique opportunity to see long lists of actual passwords through penetration tests for large companies. Now, initially, I didn’t know this was unique. I mean, everyone talks about what passwords people use, but honestly, nobody really knows. They are private, after all, and sometimes encrypted. Even though we all think we already know, it’s still eye opening to see what real people use for their passwords. And, as in the case of one particular job, those passwords are not always what you expect.
In the past decade, we’ve had the unique opportunity to see long lists of actual passwords through penetration tests for large companies. Now, initially, I didn’t know this was unique. I mean, everyone talks about what passwords people use, but honestly, nobody really knows. They are private, after all, and sometimes encrypted. Even though we all think we already know, it’s still eye opening to see what real people use for their passwords. And, as in the case of one particular job, those passwords are not always what you expect.Tuesday, December 3, 2013
Oh, The Humanity: The Danger of Anonymity
And now for something a little different. Throughout our “Oh, the Humanity!” series, we want to demonstrate some of the most dangerous ways social engineers can infiltrate a company—and pretty often, that involves the phone or email. But every now and then, it’s a simple (and downright silly) move that gives a thief access to very sensitive information.
Here's the story. When we begin a project with any company, one of things we most want to demonstrate is how easily we can get access to their network as outsiders. While social engineers are frequently insiders, we often attempt to replicate that level of access from our “basement.”
In one case, we discovered that we couldn’t just download a standard VPN client. This company required that employees install it from a preconfigured CD. We had to figure out a way to get the CD and not expose ourselves as social engineers.
Security Breach: Signed, Sealed, Delivered
In one case, we discovered that we couldn’t just download a standard VPN client. This company required that employees install it from a preconfigured CD. We had to figure out a way to get the CD and not expose ourselves as social engineers.
Thursday, November 14, 2013
Oh, the Humanity! Train Employees to Say "No" to Social Engineers
Let’s set the scene for the third social engineering tale in our story series “Oh, the Humanity.” A Fortune 100 company asked us to test their defenses against pretext calling, email phishing, and physical security. The best part? They pretty much just gave us carte blanche and asked us to figure out how a social engineer would develop an attack.
After making a few phone calls and obtaining a few seemingly innocuous pieces of information (we call them “building blocks”), we decided to make an attempt to obtain VPN access to their network. Through their audit, we had already obtained the Cisco VPN client and had numerous usernames and passwords. All we needed was a host name.
After making a few phone calls and obtaining a few seemingly innocuous pieces of information (we call them “building blocks”), we decided to make an attempt to obtain VPN access to their network. Through their audit, we had already obtained the Cisco VPN client and had numerous usernames and passwords. All we needed was a host name.
Tuesday, November 5, 2013
Oh, The Humanity! Another Pretexting Success Story.
And welcome back to our social engineering success story series: "Oh, The Humanity!" Storytelling can be a very effective tool in the fight to raise awareness about information security and effective training—and our firsthand experience with pretexting, phishing, proximity attacks, and more have provided us with ample ammunition. And now, on to our next story...
A while back, a large and pretty well known financial institution (name changed to protect the innocent) hired us to measure whether or not their call center was properly safeguarding the sensitive information in its customer accounts.
Here were the ground rules:
Rule #1: We only called on test accounts, or fake customers placed in the system by the company for penetration testing purposes only. This precaution was for everyone’s security.
Rule #2: We were only provided with the most basic fake-customer information: name and address. These pieces of information pretty well represent what a social engineer can get publicly on the Internet.
A while back, a large and pretty well known financial institution (name changed to protect the innocent) hired us to measure whether or not their call center was properly safeguarding the sensitive information in its customer accounts.
Here were the ground rules:
Rule #1: We only called on test accounts, or fake customers placed in the system by the company for penetration testing purposes only. This precaution was for everyone’s security.
Rule #2: We were only provided with the most basic fake-customer information: name and address. These pieces of information pretty well represent what a social engineer can get publicly on the Internet.
Friday, October 25, 2013
Cute-Girl Voice: A Social Engineer's Secret Weapon
Surprised? Yeah, me neither. What did surprise me, though, was just how easy social engineering really was.
Subscribe to:
Posts (Atom)