Monday, 15 July 2013

Social Engineering

An attack vector most intricate to handle!

Preface
This document covers how Social Engineering works and the countermeasures that help protect against the techniques and exploits attackers use.

Introduction
What is 'Social Engineering'? Social Engineering is probably most succinctly described by Harl in 'People Hacking':
“The art and science of getting people to comply with your wishes.”
“Social engineering is the practice of obtaining confidential information by manipulation of legitimate users. A social engineer will commonly use the telephone or Internet to trick a person into revealing sensitive information or getting them to do something that is against typical policies. By this method, social engineers exploit the natural tendency of a person to trust his or her word, rather than exploiting computer security holes. It is generally agreed upon that “users are the weakest link” in security and this principle is what makes social engineering possible.”

“In 1994, a French hacker named Anthony Zboralski called the FBI office in Washington, pretending to be an FBI representative working at the U.S. embassy in Paris. He persuaded the person at the other end of the phone to explain how to connect to the FBI's phone conferencing system. Then he ran up a $250,000 phone bill in seven months.”
Bruce Schneier, “Secrets and Lies”

How does the Social Engineering attack cycle work?

1. Information gathering

An attacker can use a variety of techniques to gather sensitive information about the target(s). Once gathered, this information is used to build a relationship either with the target or with someone who is important to the success of the attack.
Information that might be gathered includes, but is not limited to:
- A birth date
- A phone list
- An organization's organizational chart

2. Developing a relationship

The attacker first tries to build a good rapport with the target, making sure to gain the target's trust, which is later exploited.

3. Exploitation

The target can then be manipulated by the now 'trusted' attacker into revealing sensitive information such as a password, or into carrying out an action (e.g. a request to re-enter your username and password, supposedly to reverse a Facebook policy action). This action may be the end of the attack or the beginning of the next phase.

4. Execution

Once the target has finished the task requested by the attacker, the cycle is complete.

General attack vector facts and figures

There are two types of Social Engineering attacks:
- Technical attacks
- Non-technical attacks

“Technical attacks are those attacks that deceive the user into believing that the application in use is truly providing them with security, which is not always the case.”

The technical attacks

Phishing
Phishing is a term of recent coinage for attacks that steal private information from a user. Your natural response to this statement is, of course, "Yes, but I am not so easily fooled." And of course you aren't. That is exactly why phishers rely on a technique called "social engineering".

Phishing is usually carried out online, but it is sometimes done by telephone or mobile phone as well. The information obtained is then used to commit crimes, such as logging into your Facebook account and posting vulgar or illicit content on your wall, or taking full control of your bank account and transferring money out of it. In phishing, the attacker never comes face to face with the victim. The messages copy the appearance and logos of the genuine organisation almost exactly, or exactly, and ask the user to "verify" their information, warning of serious consequences if they do not. Such e-mails appear to come from a legitimate business organisation.
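As an added example (not code from the original post), the following Python script scores an e-mail for the lure traits the paragraph describes: a sender that imitates a known brand, a demand to "verify" credentials under time pressure, and a link whose visible text differs from where it really points. The sample messages, keyword list, brand table and the threshold of two flags are all constructed assumptions; it is a teaching heuristic run over sample input, not a replacement for a mail filter.

```python
"""Heuristic phishing-lure scorer run over constructed sample e-mails.

Added example for this post, not the author's code. Keyword list,
brand table, sample messages and the threshold are constructed assumptions.
"""
import re
from urllib.parse import urlparse

# Phrases that create urgency or demand "verification" of credentials (constructed list).
URGENCY_PHRASES = ("verify", "suspended", "immediately", "within 24 hours",
                   "re-enter", "confirm your", "account will be closed")

# Brand names an attacker may put in the display name, with the domain a genuine
# message from that brand would come from (constructed table).
BRAND_DOMAINS = {"facebook": "facebook.com", "paypal": "paypal.com"}


def domain_of(value):
    """Lower-cased host part of an e-mail address, URL, or bare 'host/path' string."""
    value = value.strip().lower()
    if "@" in value and "://" not in value:
        return value.rsplit("@", 1)[1]
    if "://" not in value:
        value = "http://" + value          # give urlparse a scheme so it finds the host
    return urlparse(value).hostname or ""


def score_message(msg):
    """Return (score, reasons) for one message dict; each matched trait adds one flag."""
    reasons = []
    text = (msg["subject"] + " " + msg["body"]).lower()

    # Trait 1: pressure to act now / "verify" your details (the post's "serious consequences").
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        reasons.append("urgency or verification language: " + ", ".join(hits))

    # Trait 2: display name borrows a brand, but the sending domain is not that brand's.
    sender_domain = domain_of(msg["from_addr"])
    for brand, legit_domain in BRAND_DOMAINS.items():
        if brand in msg["from_display"].lower() and not sender_domain.endswith(legit_domain):
            reasons.append(f"display name says {brand} but sender domain is {sender_domain}")

    # Trait 3: the link's visible text names one host while the href goes somewhere else.
    for shown_text, href in msg["links"]:
        shown_host = domain_of(shown_text) if "." in shown_text else ""
        target_host = domain_of(href)
        if shown_host and target_host and shown_host != target_host:
            reasons.append(f"link text shows {shown_host} but points to {target_host}")
        # Trait 4: asks for a password/login but the link is plain http.
        if href.lower().startswith("http://") and any(w in text for w in ("password", "login", "sign in")):
            reasons.append("credential request over plain http")

    # Trait 5: generic greeting; a real account notice normally uses the recipient's name.
    if re.search(r"^\s*dear (customer|user|member)\b", msg["body"], re.I | re.M):
        reasons.append("generic greeting")

    return len(reasons), reasons


def is_suspicious(msg, threshold=2):
    """True when at least `threshold` traits are present (the threshold is an assumption)."""
    return score_message(msg)[0] >= threshold


# Constructed sample messages: one lure and one ordinary notification.
SAMPLES = [
    {
        "from_display": "Facebook Security",
        "from_addr": "alerts@fb-security-check.example",
        "subject": "Your account will be suspended",
        "body": ("Dear user,\nRe-enter your username and password within 24 hours "
                 "to verify your account or it will be closed."),
        "links": [("www.facebook.com/login", "http://fb-security-check.example/login")],
    },
    {
        "from_display": "Team Calendar",
        "from_addr": "noreply@example.org",
        "subject": "Meeting moved to 3pm",
        "body": "Hi Priya,\nThe planning meeting is now at 3pm. Agenda attached.",
        "links": [("example.org/cal", "https://example.org/cal")],
    },
]

if __name__ == "__main__":
    for m in SAMPLES:
        score, why = score_message(m)
        print(f"{m['subject']!r}: score={score} suspicious={is_suspicious(m)}")
        for r in why:
            print("   -", r)
```

The point of the five traits is that each one on its own is weak (plenty of genuine mail says "verify"), but a lure of the kind described above tends to trip several at once, while an ordinary notification trips none.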


Spam e-mails
Spam is mass e-mailing: hundreds or thousands of messages are sent to potential victims. It is closely tied to phishing, since phishing lures are usually delivered in bulk this way.

The non-technical attacks
“Non-technical attacks are those attacks that are perpetrated purely through the art of deception.” - peer to peer

Support staff
The attacker poses as a legitimate member of the support staff offering to fix a problem for the user. In the course of "helping", they ask for the user's credentials, and once those are handed over the account is compromised.

Hoaxing
A hoax is a trick that makes the user believe something false is real. Unlike a fraud or con, a hoax is perpetrated as a practical joke, to cause embarrassment, or to provoke social change by drawing attention to an issue.

Authoritative Voice
The attacker calls the organization's computer help desk pretending to have trouble accessing the system, claims to be in a hurry, needs the password reset right away, and demands to be told the new password over the phone. If the attacker adds a little credibility to the story with information picked up through other social engineering methods, help desk staff are more likely to believe it and do as requested.

Countermeasures to prevent Social Engineering
The question naturally arises: how can you fully protect against a Social Engineering attack? Is there a way? The answer is very nearly 'No', for the simple reason that no matter what controls are implemented, there will always be the possibility of a person being manipulated through social, political or otherwise sophisticated pressure.

Nevertheless, as with any risk, there are ways to reduce it by following some useful practices, but no one can guarantee that they will never become the victim or target of a Social Engineering attack.
You can, however, follow these rules to protect against Social Engineering. Never reveal information such as:
- Usernames
- Passwords
- ID numbers
- PIN numbers
- Server names
- System information
- Credit card numbers
- Schedules

Summary
The skilled application of Social Engineering is a danger to the security of any organization. As a security professional, it is vital to understand the significance of this hazard and the ways in which it can manifest. Only then can appropriate countermeasures be employed and sustained to guard an organization on an ongoing basis.


Sunday, 7 July 2013

What steps do you, or should you, take to back up your Computer and Personal Data?


“Being a well-known architect, creating designs is my passion and my work. In this competitive world, it's not easy to sustain in the market if you don't have your unique stuff. I always save my designs and work on a regular basis so that I don't lose them at any point. Once I was a little tired and told my honey to give me a glass of coffee on my desk. Accidentally, when she handed the coffee mug to me, it fell on my machine and my machine stopped working immediately and my things were smashed. Bang!! My frustration was not letting me believe that I had lost a treasure like data in a moment. Oh, I could have taken a Backup of my data!”

In this increasingly digital world, data files of all kinds (financial records, family photos, multimedia, personal and business contacts) are chock full of irreplaceable data. Dangerous yet undeniable: a hard drive can fail at any point in time. And if it isn't equipment failure, then fire, flood, theft and even user error all pose serious, viable threats to your data. Consequently, backing up your computer is crucial.

Decide what you need to back up
Decide which files on your hard drive you want to back up. By eliminating unnecessary data from your backup, you save storage space. Ask yourself what you can afford to lose.

Understand your data environment
Once you are sure what you want to back up, you need to determine where it is located, what type of data it is, and how long it needs to be retained.

Craft the processes and procedures you'll need to ensure backups are completed properly
This includes assigning responsibility for ensuring that the backup completes properly and that data is not corrupted or damaged while being backed up.

Ensure that backup copies are valid and can be successfully restored
This requires ranking the importance of your data and arranging for the most important data to be backed up first and restored first. Make sure you have enough time to back up all data that is vital to your business. Check your backups regularly to ensure they are not corrupted or damaged and can be restored whenever required.

Regularly revisit your backup/restore risks, procedures, and technologies

This is to make sure they are adequate as business needs and conditions evolve.

Dispose of backup media carefully

Make sure that data you have deleted is destroyed completely so that its contents cannot be read by anyone unauthorised.
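The steps above, and in particular the advice to check that a backup can actually be restored, are easiest to follow with a concrete check. The following Python script is an added example, not code from the original post: it packs a constructed sample directory into a tar.gz archive, records a SHA-256 manifest of every file, restores the archive into a fresh directory and compares each restored file against the manifest, then truncates the archive to imitate a damaged medium and shows the same check reporting the backup as unusable. The sample files, directory names and the truncation step are assumptions made for the demonstration; it uses only the standard library.

```python
"""Backup with an integrity manifest and a restore test.

Added example (not from the original post). All sample files and paths
are constructed inside a temporary directory; standard library only.
"""
import hashlib
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    """SHA-256 hex digest of a file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative file path -> SHA-256 for every file under root."""
    root = Path(root)
    return {str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(src, archive_path):
    """Write a gzip'd tar of src and return the manifest of what we expect to restore."""
    manifest = build_manifest(src)
    with tarfile.open(archive_path, "w:gz") as tar:
        for rel in manifest:
            tar.add(os.path.join(src, rel), arcname=rel)
    return manifest


def verify_restore(archive_path, manifest, restore_dir):
    """Restore the archive into restore_dir and compare every file against the manifest.

    Returns a list of problems; an empty list means the backup is readable,
    complete and byte-for-byte intact.
    """
    try:
        with tarfile.open(archive_path, "r:gz") as tar:
            # Use the safe extraction filter where this Python provides it.
            kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(restore_dir, **kwargs)
    except (tarfile.TarError, OSError, EOFError) as exc:
        return [f"archive unreadable: {exc}"]
    restored = build_manifest(restore_dir)
    problems = []
    for rel, digest in manifest.items():
        if rel not in restored:
            problems.append(f"missing after restore: {rel}")
        elif restored[rel] != digest:
            problems.append(f"checksum mismatch: {rel}")
    for rel in restored:
        if rel not in manifest:
            problems.append(f"unexpected file restored: {rel}")
    return problems


def demo():
    """Back up a constructed sample directory, verify it, then damage the archive
    and verify again. Returns (problems_clean, problems_damaged)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "data")
        (src / "designs").mkdir(parents=True)
        # Constructed sample files standing in for the post's "designs" and contacts.
        (src / "designs" / "tower.dxf").write_bytes(b"constructed design file " * 100)
        (src / "contacts.csv").write_text("name,phone\nAlice,555-0100\n")

        archive = Path(tmp, "backup.tar.gz")
        manifest = create_backup(src, archive)
        problems_clean = verify_restore(archive, manifest, Path(tmp, "restore1"))

        # Imitate a damaged medium: cut the archive in half, as a failing disk might.
        with open(archive, "r+b") as f:
            f.truncate(archive.stat().st_size // 2)
        problems_damaged = verify_restore(archive, manifest, Path(tmp, "restore2"))
        return problems_clean, problems_damaged


if __name__ == "__main__":
    clean, damaged = demo()
    print("intact backup:", "OK" if not clean else clean)
    print("damaged backup:", damaged)
```

The manifest is written at backup time, so a later restore test compares against what the data looked like when it was saved rather than against whatever the archive happens to contain now; that is what turns "the restore did not error" into "the restore gave back the right bytes".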

Finally! The best home backup plan options - A complete backup strategy

Shadow Copy
This provides periodic snapshots of your files, from which files that have been accidentally removed or deleted can be restored. On Windows, this means turning on the Volume Shadow Copy Service; on Mac OS X it involves setting up Time Machine. Both create backups of your files automatically, so that if an accident or deletion occurs, the files and documents can be restored.

External Drive
This method is the heart of your backup strategy. It's quick, storage is plentiful (in most cases), and it's relatively inexpensive. CDs and DVDs are the simplest and cheapest backup media for a home user (although optical media is almost obsolete for backup purposes). USB (Universal Serial Bus) flash drives are another option: a tiny device that is easily carried in a pocket and can hold a large amount of data depending on its capacity. They are pricier than optical media, running anywhere from $20 to $120 depending on the storage volume of the device.

Cloud Backup
A growing number of consumers and small businesses are opting to back up their data online, and for good reason. First-rate online backup services, including ZipCloud, SugarSync and SafeSync, offer distinct advantages over conventional on-site methods such as backing up to external hard drives. For instance, most offer convenient scheduling, allowing backups to occur automatically at a set time or whenever already backed-up files change. Remote backup services also tend to be more secure, employing cutting-edge security measures and technologies, such as strong encryption, to safeguard your data. Lastly, keeping backups off-site "in the cloud" ensures you have accessible copies of your data should something wipe out or damage your computer locally (think of a fire or natural disaster).

Recommendation
You may consult an online resource to decide which cloud-based backup best fits your budget and organization, e.g. a top-ten backup service comparison and review site.

Saturday, 6 July 2013

Is Personal Privacy a casualty of the Modern Age?

“Gone are the days where people used Internet actually as Internet.”

“Being a scientist, I am researching a topic through which I want to earn some good revenue and royalties from my patent. I used to save my daily progress and documentation on the local drive of my machine, so I was under the impression that I was safe and my research was private to me “only”. And now I have got to know that my local drive is actually not local and is being spied on by Government agencies just to confirm that my research is not involved with any malicious or unhealthy community like Terrorism. Huh, now my project is not private to me only; knowingly or unknowingly it has been disclosed. Where has my privacy gone? Huh, sounds scary, doesn't it?”

Well, this was a layman's example to show how concerned we are about our privacy and confidentiality. If we are so concerned about the privacy of our garbage, why not about the privacy of our virtual life in the modern age?

The Internet is designed for sharing, collaborating and communicating. It made things pretty simple; socialising became effective and quick. People started leveraging the services offered by giant social media players such as Facebook, Google, Microsoft and, not least, Twitter. We put most of our private data into the cloud through one social medium or another, including our e-mails, contacts, photographs, business plans, marketing strategies and other private or public material.

On top of this, we do our best to protect our data hosted on "trusted platforms" like Facebook and Google by enabling mobile notifications to monitor unexpected activity, controlling who can see us, hiding our profile from search, disallowing others from writing on our wall, and so on. We even try to follow industry best practice for controlling our data by accessing sites only over secure protocols such as HTTPS with strong cipher suites. The bottom line is to keep our data private, and private only!

What is Privacy actually?

Privacy is a basic human right and a requirement for maintaining the human condition with dignity and respect. One definition reads: “The state or condition of being alone, undisturbed, or free from public attention, as a matter of choice or right; freedom from interference or intrusion”.

We always consider ourselves safe, yet our privacy is often breached. In early 2007 the US began a project named PRISM, executed and managed by the NSA (National Security Agency). PRISM is a surveillance program that collects mass data from nine participating internet companies and isolates it for analysis. These companies had to join PRISM under government law enforcement. The companies that joined the program within the last 6 years include: Microsoft (2010), Yahoo (2008), Google (2009), Facebook (2009), PalTalk (2009), YouTube (2010), Skype (2011), AOL (2011), and Apple (2012). The massive data collection, as recorded on April 5th 2013, showed about 117,675 active investigation targets recovered from the participating companies.

The PRISM process begins when an NSA supervisor gives the go-ahead for so-called “selectors”. Selectors are based on the criterion that each target is at least 51% likely, under “reasonable belief”, to be a foreigner outside US territory at the time of data gathering. We can clearly see that our virtual life is in a cage, under the control of PRISM: communication media including live chats, personal messages (which are no longer personal), pictures, VoIP calls and financial transactions.

Reduced privacy is the fact of modern life.

Doesn't it sound like “Hey, have you heard the news? The age of privacy is over.”?
Considering these facts, I believe that we all should accept privacy as a casualty. However, your personal ethics must guide your decisions concerning Technology.