Social Media Safety

 

 

The Top 5 Social Media Threats ;

  1. Hidden URLs 

    – These are quite common, often times leading to a site that then asks for login information.

  2. Requests 

    – Someone may send you a warning or a request to take action or follow some link. Do not be fooled by these people, they will often try to manipulate emotions to get victims to react without thinking.

  3. Fake online surveys and contests 

    Take this quiz to find out X!” These sort of posts on social media are effective bait to lure users into unsafe sites, where cyber criminals may install malware, spyware, or gather your information to misuse.

  4. Fake customer service accounts – 

    Scammers on social media often pretend to represent legitimate organizations in order to steal sensitive information.

  5. Live Streams

    – Luring users to scammer ran websites with the promise of being able to view sports games, movies, etc…Once they have lured victims to their sites, they install malware, spyware, or get users to input credit card numbers. After all this they almost never even have the live stream they claimed to.

 

3 Real Life Ethical Hacker Stories About #PasswordFails

 

People are always asking me to tell “hacking” stories, since there are so many of them…I’m going to focus specifically on password related stories.   Here is a top 3 countdown to the craziest password story I have.   

#3 – Bad passwords

Yeah, yeah, yeah, I know everyone has heard this a million times, but let’s discuss it from a hacker’s perspective.   I’ll start by saying most password policies suck and here is why.   

Let’s examine a typical password policy.  

8+ Characters

3 or more of the following

  • Upper Case Letters
  • Lower Case Letters
  • Numbers
  • Special Characters

Password must be changed every 90 days

These types of password policies actually encourage easy to guess passwords that tend to be use by multiple users.   This gives me the ability to easily extrapolate your most common passwords based on what I know, and use this to break into your corporate network.   Here is how it works:

 

Employees like to use predictable passwords and bad guys use this to perform password guessing attacks against a large group of users.  This is an extremely common vector that still works against almost all companies.   The basics are this, we enumerate users (generally through linkedin and google)…then find a login portal most users are all likely to have access to and guess 1 password against all of the users.  Traditional brute force techniques one one-user-at-a-time, cause the user to get locked out and trip alarms. Good hackers avoid alarms. A reverse brute force or password spraying attack tends to evade detection and provide almost guaranteed access to most networks.

 

One time we identified a few passwords we felt most likely to get us access to this network.   (In this case we were performing the attack against Outlook Web App) – This particular time we guessed 1 password (it was something like Summer16) and used it against 800 user accounts. We logged onto about 50 user accounts with this exact same password.    Of those users, we identified 15 with VPN access, and 2 with local admin access.   We were able to use the VPN access to compromise the 2 machines with local admin access, dump the local admin credentials.  This company was reusing local admin passwords across multiple systems.   This gave us the ability to spread to key user systems to gain domain admin rights–control over the domain controller.    Game Over – The entire attack from start to domain admin took less than 3 hours.   

The moral of this story is that weak or guessable passwords are a major cause of data breaches and tend to be an easy way into any network that doesn’t enforce multi-factor authentication.  Password length is significantly more important than complexity.   My advice is to forget about password complexity and just make all of your passwords longer.   Use a phrase and keep it over 15 characters.    

Don’t let the possibility of dictionary attacks [link to definition] overshadow their real world frequency. Those that neglect the human factor get burned by their own tech. Passphrases yield greater assurance without the unintended human consequences.     

One other moral – Never reuse local admin passwords – this a guaranteed way to turn an isolated incident into a domain breach.   Check out the Microsoft LAPS tool if you need help managing unique local admin passwords.   

 

#2 – Phishing 4 Passwords

Phishing is a guaranteed way to get users to give up passwords, one-time passcodes, infect their computers or hand over countless other forms of sensitive information.   This is every hacker’s go-to move to gain access into your organization’s networks.   Not only do they gain access to your network, but they gain the level of access the user’s they phished have.   This single attack can bypass most of the organization’s security controls designed to keep hackers out.   

So, here is how I get your users to give me their credentials and a backdoor into their employer’s network in a single attack.   

First, I craft an email telling your users about some technology upgrade that was performed the previous night and tell them that they can access it and check out the new tech if they choose.   I’ll then provide them with a web page that looks very real like login.microsoftweblogin.com (I actually own microsoftweblogin.com). At this website I’ll clone a legitimate login page and put a keylogger on the page.   Now when the user types their username and password I’ll see what they type as they type it.   Next I add a nice application addon that prompts the user to open run it.   This application might be called something like “Microsoft Web Essentials”.    So the browser asks them something to the regard of:  “Would you like to run Microsoft Web Essentials?”  When the user clicks run I have a backdoor on their system.   From this point it’s only a matter of time until we get complete control of your networks and systems.  

 

#1 – How to get domain admin over the phone

This story is hilarious, but a cautionary tale nonetheless.     During our assessments we test human weaknesses as well as computer weaknesses.    As part of this testing we make phone calls to get information, (such as password policy) or to get users to go to our site and run our custom malware that gives us backdoor access to their machine.   On one such occasion I called up hoping to get a help desk technician to go to my site that hosts my malware.   This is where it gets interesting.  

This is a law firm – So obviously I call in pretending to be a Partner in the firm.   I tell them about how I’m trying to run this analytics software a stock market analyst buddy of mine shared with me and how it won’t run.   (We had already discovered that application whitelisting security software was preventing unknown, unapproved software from running on their endpoints.)  At this point the helpdesk employee interrupts my plea for help and says “It’s okay, just use my account”  –He proceeds to give me his username and password over the phone.   

Facepalm! – His password was Password1

Next, I take those credentials and I log into the VPN that we discovered during our recon where we learn everything we can about the company and what it has on the internet.    Voila – the credentials work.   Now I am on the network and we use the credentials to compromise the machine of the helpdesk employee we were talking to and immediately discover that these credentials were in the “Domain Admins” group and that we just compromised the entire domain “Over the phone!”

This is an extreme example with the obvious lessons: don’t give passwords over the phone; don’t even share them with your everyday peers.

But the less obvious lesson, hackers don’t just exploit human trust. We also exploit fear. I’m confident this person had been bullied many times by VIP’s in that law firm. So, this is yet another example where tech burns those failing to account for human weaknesses. Worse, this non-technical root cause is just the sort of thing executives excel at fixing. The C-suite must ensure that all employees, especially themselves and other VIP’s, know that the C-suite has the backs of all those that enforce cyber policies.

This example also illustrates another lesson. The help desk person violated policy.  Policies atrophy to uselessness if they are not exercised, measured, and reported. The law firm assumed its policies were consistently enforced. Our pen test proved otherwise. Our client learned something useful before something catastrophic happened. BTW, if your organization relies only on traditional pen tests to test your organization’s human readiness, then it’s not cyber ready. I’ve love to see a good survey on this. I’d be shocked if more than 10% of enterprises exercise, measure, and report the human readiness underlying more than a few of their cyber policies.

 

Social Engineering & Cybersecurity

Social engineering has become the new standard in both cyber-attacks as well as physical security.   Many organizations are fighting back and are quickly making education a priority. First off let’s enumerate a few of the most common types of social engineering attacks and then let’s go over ways to address these threats.

Email Phishing

By far the most common method of social engineering employees of any organization is via email phishing.  An attacker will craft an email, often spoofing the sender address and trying to make the email look as legitimate as possible.  Phishing attempts (emails) are crafted in various ways. One method is a message attempting to get a you to reply and supply information you should not give them. Another method is to make the email seem completely benign and from a trusted source, so that you will click a link in the email or even download an attachment.

A few easy ways to most detect such an attack;

  1. Poor spelling & Grammar
  2. Unexpected / out of place
  3. Attempting to elicit some sort of emotion, positive or negative
  4. Check the Sender Address
  5. Hover over a link to see if the URL is one you trust

Voice Phishing (Vishing)

is becoming increasingly commonplace. This is where a scammer actually calls you on the telephone. You may have heard about these criminal organizations that are impersonating the IRS. Scammers are in the news quite a bit and have robbed countless Americans. They call pretending to be the IRS, demanding payment and making all sorts of outlandish threats. While most people are wise enough to know it is a scam. Unfortunately, many still fall for prey. Let’s face it, no one wants the federal government coming after them. 

 

SmiShing (Text Messages)

is yet another type of phishing attacks. This happens via text messaging and often starts because your phone number was entrusted to the wrong person on the internet. First, the attacker may send a text message with a link hoping you click it. This link is likely geared towards installing spyware and or malware on your device.  SMS (text message) phishing is growing exponentially as more criminals realize just how effective it is. Below is an example which I received to my google voice number. On that note, I highly recommend using such a service instead of giving out your actual phone number. Notice the use of “tinyurl.com” to disguise the actual web address and then never click on anything like it.

Smishing

 

Tailgating

Also known as piggybacking,  is when a person tags along with another person that is authorized to gain entry into a restricted area, or pass a certain checkpoint. This happens more often than people realize. Remember when Tom Brady’s SuperBowl jersey was stolen? This criminal tailgated his way in to the Patriot’s locker room and in fact came in / tailgated behind Bill Belichick. This incident serves as a great example of how it is everyone’s responsibility to keep the workplace safe. Ways to prevent breaches due to tailgating at work, include;

  • Confronting people without badges in restricted areas
  • Be aware if someone piggybacks through access control
  • “Trust” but verify

Phishing with emotion and stress results in bad choices

Recently on one of my personal sites, I received the below phishing attempt:

Phishing

I see a ton of phishing examples as part of PeopleSec’s Security Awareness Training and Education (SATE) program.  It is not often a phish in the wild catches my eye and looks like anything other than spam.  This email is an excellent example.  It causes stress that invokes an emotional reaction which in turn solicits an emotional response.

“Emotions can cloud our judgment and influence our decisions when triggered by the [stressful] situation at hand,” stated by Harvard Business Review (https://hbr.org/2015/05/dont-let-emotions-screw-up-your-decisions).

Emotional responses are at the core of successful social engineering and phishing attacks.  As an aside, the success of emotional responses is why we use so many of them in PeopleSec’s SATE program.

In summary, it is hard to keep emotions in check, and they cloud your ability to think.  So when you are stressed and emotional, Think Before You Click.

 

“CEO Fraud Attack” Readiness is Only Assumed

CEO fraud attacks succeed due to untested, unjustified confidence in employee readiness. Enterprises must take them more seriously. The scam’s tactics and techniques are hardly indefensible. Employees simply are not prepared. Quick confession: I once thought such confidence was warranted. However, numerous real-life examples changed my mind. We need others to change their mind too.

CEO Fraud Problem Pervasiveness & Impact

The FBI reported the following last year:

  • $2.3 billion worth of such scams succeeded over three years
  • Since January 2015, the FBI has seen a 270 percent increase in identified victims and losses
  • From October 2013 through February 2016, law enforcement received reports from 17,642 victims
  • In Arizona the average loss per scam is between $25,000 and $75,000.

Here’s a sampling of reported examples:

  • Toy maker Mattel lost $3 million in 2015
  • Tech firm Ubiquiti lost $46.7 million in 2015 (recovered $8 to $15 million)
  • The Scoular Co, a commodities trader, lost $17.2 million in 2015
  • Leoni AG, a manufacturer of electrical cables, lost 40€ million in 2016.

Cyber Insurance and Other Losses

Do not assume that your cyber insurance has you covered for CEO fraud. This article by Brian Krebs reports that insurers are pushing back. Assume nothing until this has been contested in the courts.

And do not assume fraudsters only pursue wire transfers. Seagate HR folk were fooled into exposing over 10,000 W2 forms for current and former employees. A similar incident hit SnapChat in 2016 as well.

The Least You Need to Know of CEO Fraud

CEO Fraud tactics usually involve spoofing emails from executives and leveraging the trust and fear those executives have with employees to coerce them into transferring money or revealing confidential data. Technically, the emails either involve a similar email domain or a compromised executive email account (Business Email Compromise). Technology sometimes detects the former, but such they are not mass emailed and makes detection less likely. The later can only be detected via human nuance where an employee’s familiarity with the executive contrasts with something in the fraudster’s email, evoking suspicion.

BTW, fear of executive wrath is a scammer’s best friend. The more you see this in your organization, the more susceptible it is.

Fortunately, a vigilant verification process with a wary corporate culture can defeat any variant. Here’s the problem: a policy document pertaining to this issue is worthless. Note the adjectives “vigilant” and “wary”.  After all thousands of these attacks succeed every year because organizations are making asses of themselves by assuming they have these adjectives covered. Scammers are fooling smart, seasoned people with plausible scenarios, usually after having done some considerable research on the target.

The details for a verification process are fairly obvious and easily found. The seriousness and tactics of the scams are as well.

What You Need to Do about these Social Engineering Risks

CEO Fraud is like any other cyber readiness issue. Nothing tested, nothing exercised, means nothing is ready! For this reason it is important to be ready for such scenarios.

And, please don’t assume your peers get this. This is why the bad guys are succeeding and their numbers are growing with news of their success. Please help spread the word that while stupid cannot be patched, foolishness and fear can be tested and corrected.

Finally, a tip about testing. It’s effectiveness is proportional to the plausibility of the test scenarios. In other words, you should devise scenarios that are even more credible than those conceived by scammers. After all, they are often thousands of miles away that speak a different language. If you outsource this, do not settle for generic scenarios. Insist on those tailored to your organization. Your adversaries will!

Many weak cyber postures exist due to low urgency. Spread the urgency, and the call to action is “take CEO Fraud seriously”.

Social Engineering Attacks Driving Security Awareness

Social engineering and cybercrime are on the rise around the world. Business owners need to pay attention to current trends in the world of information security (infosec).

In 2005, the United States Bureau of Justice Statistics reported that 60 percent of American companies had detected at least one instance of cybercrime. Tech giant IBM believes that businesses are much more likely to be targeted by cyber attacks than they were 10 years ago.

Despite the sophistication of today’s infosec strategies, the global cost of cybercrime is expected to elevate to $6 trillion on an annual basis by 2020.

The Human Aspect of Infosec

Business executives who are concerned about the security and integrity of their information systems, should start paying more attention to their greatest source of weaknesses and vulnerabilities: their own employees.

Some of the most brazen and successful cybercrime groups take pride in their their social engineering prowess. In mid-September, the FBI arrested two suspects believed to have gained access to the email accounts of CIA Director John Brennan and National Intelligence Director James Clapper. These criminals are part of the cybercrime outfit known as “Crackas with Attitudes”.  They tricked government intelligence employees into giving them username and password credentials by pretending to be Verizon technicians.

Through a series of telephone calls and electronic communications, malicious actors gain entry to networks. These threat actors also harvest key information about how a business operates; this is known as social engineering, and it is something that average employees may not be familiar with.

Preventing Social Engineering Through Security Awareness

One of the greatest weaknesses of infosec is that it often falls short in terms of outreach and employee engagement. IT security procedures are often presented and enforced in a stern and ominous manner. This does not appeal to employees because they don’t know much about it.

Practicing good infosec in the workplace comes down to awareness. Malicious hackers overwhelmingly target employees because they know that the average worker does not know much about infosec. Companies cannot expect entry-level clerks to be familiar with social engineering and read their CIO subscriptions during lunch breaks.  

Employees do not realize that they can unwittingly become attack vectors because they lack situational awareness. In other words, they are not familiar with how cyber-crime groups operate.

Security awareness programs in the workplace need to go beyond drilling employees on their knowledge of infosec policies. Staff members must know why it is important to protect the information of their company, their customers, and their colleagues. The best information security measures will not help a company if employees remain vulnerable. Starting with simple steps can get most employees moving in the right direction.