Friday, April 30, 2010

Dumpster Diving

The term dumpster diving conjures up the image of youngish urban explorer types with flashlights, digging through garbage bins in search of gold, where the gold includes things such as electronicky bits, books, CDs, and that sort of thing. There are even freegans who base their entire life, including nutrition, on harvesting the massive amounts of edible goods that people throw away every day. You can even buy books that purport to teach the skills necessary to be a better dumpster diver!

However, there is a more nefarious type of dumpster diver: one who steals identities and confidential company data. Companies lose millions and millions of dollars worth of data every year straight from the garbage bin: hard drives with payroll data, proposal documents, human resource lists, and so on. A grey-hat hacker once reported that he discovered a bag of corporate credit cards in the garbage. A little research showed that the company had just been bought out a few days earlier, so it was likely they had all been issued new cards to reflect the new company name. This same fellow also found, in the same dumpster, a hard drive that he described as "barely working", but after trying the hard drive freezer trick he managed to recover the human resources and payroll records from the same company that threw out the credit cards. Pretty good catch.

We could make up all kinds of worst-case scenarios about this level of data breach. Every company should develop and uphold a Data Destruction Policy, and use tools and techniques to sanitize their sensitive information before tossing their unused and nonworking hardware. Why make it easy for the bad guy?

Sunday, April 25, 2010

Using Embedded Commands in Social Engineering

Using a technique known as preloading, you can convince someone to think of something, even believing that they came up with the thought independently. The reality is that you purposely implanted the very idea in their memory. I can't get into extreme examples here in a blog format, but you already know that when I tell you not to think of a black cat, you will automatically think of a black cat. The phrase "think of a black cat" is there in the sentence you heard, well before you received the reasons you should ignore it.

And statistically, you follow the embedded command without question. You ignore all the negative components and consequences, and only listen to the simpler command: think of a black cat. You then think of said animal, and think the person telling you all this is some kind of psychic freak.

This is a very simple example of a type of preloading used by social engineers to get the information or access they are seeking: subtle suggestions crafted to make a person feel they have independently come up with an answer that you planned on them providing.

Earlier tonight I was with friends at a bar, and I got an opportunity to test out a few techniques. We bought raffle tickets. However, we didn't plan on staying long enough for the draw, and I decided to give the tickets to someone else. We had 3 sequentially numbered raffle tickets, with numbers ending with 2, 3 and 4. For a little fun and social engineering practice, I played a quick game with the neighbouring table, where the winners win the tickets they correctly choose, and the losers do not. Clever.

I chose to give the valid draw tickets to a group of people if they could guess the last digit of the ticket I chose for them. I expected them to get each number in order. That's a 3/4 chance to win once. However, I wanted all of them to win.

Here's what transpired. I will refer to F1 and M1, a male and female pair where the female is the mother of the male, and F2 and M2, where the female and male were a couple. I'll be Me. The lady I asked first (F1) said I should ask her son (M1) first.

I held out a ticket toward M1, and I said, "Okay, I have 3 tickets, and there are 4 of you. So 3 of you will properly guess the last digit of each ticket, and one will not. Tell me a number from 1 to 4. The last digit of this ticket."

He said 3, and the ticket in my hand was indeed the one with 3 as the last digit. He accepted said ticket and I then questioned his mother, F1. "You too," I said. "Choose a number."

She said "3". Well, that threw me off a bit, but it's obviously already taken. So, I continue: "Ah, you messed it up, that number's already been chosen. M2, what is the first number you thought of?" and he said "2".

I gave him the ticket in my hand, which of course ended in 2, and said to F2, "You have a 50/50 chance. There's only 4 choices, some that have already been chosen."

She chose 4, of course, and I handed her the final ticket, which indeed ended in a 4. They were all delighted, and were now in possession of three draw tickets they didn't have to pay for.

How did I do this so smoothly? Pay attention to the words I used to make sure I got the numbers I was expecting. Tell me a number from one, two... four. You two. There's only four...

The takeaway here? If you tell your users "Don't give your password to strangers", what is the embedded command they are more likely to have humming around in their subconscious minds? Please don't post your passwords in the comment section.

Friday, April 23, 2010

Dr. David Matsumoto explains Microexpressions

Lie detection has always hovered somewhere between science and outright hooha. Regardless of opinion, where the theories begin to generate reproducible outcomes is quite interesting. Dr. Matsumoto demonstrates how the brain is a bit slower than the initial response mechanisms. You put on a look of disdain while nodding "yes" to a question, then your conscious mind says "Oh wait, I meant to lie here", forcing you to catch up with a more appropriate expression. These brief lapses of disguise are known as microexpressions.

Learning to spot these sudden shifts in facial expressions has been catching on as a new public security trend, and is now even taught to airport personnel. More on this in future posts.

Wednesday, April 21, 2010

Are you smarter than a 3rd grader?

In the 80's, my high school buddy Pob and I used to spend hours, days and weeks getting to know our school's computer network. We were asked to leave our grade 9 class and help teach computer science to the grade 10 students, and similarly help the grade 11 folks when we were in grade 10. For security purposes, our teacher used a longer password (stationwagon) than the lowest scoring student (bird).

Instead of punishing kids who realize at such a young age that people use such obvious passwords, it's time to educate them so they get a chance at being the next information security guru. When they're ready, we need them.

Study: Frequent password changes are useless

One of the biggest problems with changing passwords too frequently is that users invariably will forget the new one. Wouldn't it be nice for administrators if they could simply teach users how to construct a stronger password, and then get them to stick to it? Constantly changing complicated passwords causes users to write them down on sticky-notes where others may see them. The reality is if an attacker has a system's password hashes to crack, they already have the access needed to steal data or whatever it is they are up to. Also, once a password has been cracked, the attacker is likely to use it right away - not three weeks down the road.

As Microsoft indirectly points out, companies would save enormous amounts of money if they didn't have to dedicate administrative hours to resetting passwords just as frequently as the policy requires them changed.

However, the reality is that various industry standards mandate policies on frequent password changes. The bigger your organization is, the more likely you are bound to one of them. This is unfortunate, and thus a well-meaning policy ends up costing companies more than the risks it supposedly mitigates.