Playing mind games

Social engineering involves tactics that make individuals let their guard down.

When was the last time you received a phone call from someone claiming to be from your bank who needed your PIN to "validate your account details"? Social engineering attacks take many forms and trick you into divulging information about yourself or compromising the security of your organisation. Attackers also take advantage of emergencies to get access to controlled resources, for example by pretending to be a first responder (police officer, medic, etc.).

A senior-looking person asks to be let into your office premises, claiming to be late for a meeting with the CEO. A person who speaks authoritatively asks for details such as the key code for the door. Would you divulge the code? Or would you challenge the lady who is about to tailgate you through it?

Your social media profiles are a great place for a hacker to start looking for information such as your email address, phone number, likes, family and friends, among other titbits.

Did you get an email from someone in a position of authority? Spear phishing relies on the 'colonel effect' (deference to rank) to get you to reveal data. This is more prevalent for employees of defence contractors, government and the military.

Do you throw away confidential papers without first shredding or pulverising them? Dumpster divers get credit card details, addresses and other private information from the trash. Using the information gleaned from these methods, hackers can then work their way to collecting more information about you. Just because you would not do it does not mean hackers will not. There are sites that teach you how to dumpster dive.

A hacker could also leave pen drives/USB sticks in public places bearing the logo of a Fortune 500 company and a label such as 'Salary Review – Senior Management'. Plug the USB stick in, open the tempting file, and your machine is compromised.

Cultures in some countries such as India may also allow a hacker to gain access to secure locations. For example, a speaker at a security conference claimed to have tested a social engineering tactic at a secure data centre by 'threatening' a junior security guard that he would call the CEO if he was not let in. He also managed to gain access to the secure data processing area simply by talking to employees. Would that mean that all foreigners are allowed access to secure areas without a second thought? I think not!

Beware of shoulder-surfers, who try to get your password or PIN by looking over your shoulder and watching the keys you type. They may casually approach you at the 'right moment'.

A good training and awareness programme for all employees is necessary to reduce the number of incidents in the office, and this awareness also needs to spread to your friends and family. Unsolicited phone calls, visits or emails asking for information should always be treated as suspect. Verify the person using your own resources, not a number or device supplied by that person. Do not click on links in an email or on a social media site; type the address yourself. Check the URL of the website: a lookalike site may look identical, so keep an eye out for a 'mispilleng' or a swapped character. Ensure that your antivirus and firewall are installed correctly and up to date.
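The advice above to "check the URL for a misspelling" can be automated. The script below is an added example, not code from the original post: it takes a short allow-list of domains you actually deal with (the list and the sample URLs are constructed for illustration) and flags hostnames that differ from a trusted domain only by a homoglyph (Cyrillic а for Latin a, 1 for l), by one or two typo edits, or that merely embed the brand name in an unrelated domain (`secure-paypal.com.verify-login.net`). The two-label "registrable domain" rule is a deliberate simplification; real code should consult the public-suffix list.

```python
"""Flag lookalike hostnames against a short allow-list of trusted domains.

Added example, not from the original post. TRUSTED_DOMAINS and the URLs used
in the tests are constructed for illustration.
"""
from urllib.parse import urlsplit

# Constructed allow-list: the handful of domains the reader really uses.
TRUSTED_DOMAINS = ["paypal.com", "example-bank.co.uk", "microsoft.com"]

# Characters commonly swapped for Latin letters in lookalike domains.
HOMOGLYPHS = {
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic a e o p
    "\u0441": "c", "\u0455": "s", "\u0456": "i",                # Cyrillic c s i
}


def levenshtein(a: str, b: str) -> int:
    """Edit distance: single-character inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(url: str) -> str:
    """Return the host's registrable part, e.g. 'paypal.com' or 'bank.co.uk'.

    Assumption: a two-letter TLD preceded by co/com/org/ac/gov is a
    second-level suffix. Good enough for this example; use a public-suffix
    list in real code.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    if (len(labels) >= 3 and len(labels[-1]) == 2
            and labels[-2] in ("co", "com", "org", "ac", "gov")):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def normalise(text: str) -> str:
    """Map known homoglyphs to their Latin lookalike so 'pаypal' reads 'paypal'."""
    return "".join(HOMOGLYPHS.get(ch, ch) for ch in text)


def classify_url(url: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the URL's domain."""
    host = (urlsplit(url).hostname or "").lower()
    dom = registrable_domain(url)
    if dom in trusted:
        return "trusted"
    norm = normalise(dom)
    if norm in trusted:
        return "lookalike"          # differs from a trusted domain only by homoglyphs
    for t in trusted:
        if 0 < levenshtein(norm, t) <= max_distance:
            return "lookalike"      # one or two typo edits away: paypall.com, micros0ft.com
    for t in trusted:
        brand = t.split(".")[0]
        if brand in normalise(host):
            return "lookalike"      # brand embedded in an unrelated domain
    return "unknown"


if __name__ == "__main__":
    for u in ["https://www.paypal.com/signin", "https://www.paypa1.com/signin",
              "https://secure-paypal.com.verify-login.net/", "https://news.bbc.co.uk/"]:
        print(f"{classify_url(u):10} {u}")
```

A "lookalike" verdict is a prompt to stop and type the address yourself; an "unknown" verdict only means the domain is not on your list, not that it is safe.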

New methods of social engineering are always being tried and tested: be aware, stay secure and keep your family safe.

Further Reading
Track a fake Facebook account
Barracuda Labs Social Networking Analysis


Learning to say no – stay digitally secure

Think before you click!

Click responsibly!

When was the last time we said YES?

Was it when we opted in to a popular app on a social networking site, or when we downloaded the latest browser toolbar that promised us a whole new experience, or maybe it was the app which said "download me now and I will make everything work like magic!"?

Many of us click through end-user licence agreements and say yes to any software we want without reading the agreement, because we want to get on with our work and games.

On a popular social media site we like to play a game or two, so we click the button, glance at the next screen that says "All your details will be passed on to THE-GAME", and within a flash we have clicked "ALLOW" without thinking about that line. By the time the reality of the message has reached our brain it is too late.

We open attachments in emails before reading their contents, or even the subject line that says it is SPAM, or we think it came from a friend so it must be safe to read. Remember, your friend did the same, and within seconds their email account was compromised; now, when you open that attachment, so will yours and those of everyone in your address book. Would you like your friends to be spammed and their information compromised?
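The checks a cautious reader should make before opening an attachment can be written down. The script below is an added example, not code from the original post: it parses a message with Python's standard `email` library and reports the warning signs the paragraph above describes plus a few a mail gateway would add: a subject already tagged as spam, a Reply-To that does not match the friend's From address, an executable extension, a double extension such as `Invoice.pdf.exe`, and a payload whose first bytes (`MZ`, a Windows executable) contradict the declared content type. Both messages are constructed in the code; the addresses and file names are illustrative.

```python
"""Triage an inbound email before anyone opens its attachments.

Added example, not from the original post. The sample messages, addresses
and attachment names are constructed for illustration.
"""
import email
import email.utils
from email import policy
from email.message import EmailMessage

# Extensions that run code when double-clicked on a typical desktop.
RISKY_EXTENSIONS = {"exe", "scr", "js", "vbs", "bat", "cmd", "hta", "jar", "ps1", "lnk"}
# Extensions attackers put in front of the real one to disguise it.
DECOY_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}
# File-type signatures; the declared Content-Type is attacker-controlled, bytes are not.
MAGIC = {b"MZ": "windows-executable", b"%PDF": "pdf", b"PK\x03\x04": "zip-or-office"}


def sniff(data: bytes) -> str:
    """Identify a payload from its leading bytes, ignoring what the header claims."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def triage(raw: str) -> list[str]:
    """Return a list of human-readable warnings for a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    subject = str(msg.get("Subject", ""))
    if "spam" in subject.lower():
        findings.append(f"subject already tagged as spam: {subject!r}")

    sender = email.utils.parseaddr(str(msg.get("From", "")))[1]
    reply_to = email.utils.parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_to and reply_to != sender:
        findings.append(f"replies go to {reply_to}, not to the apparent sender {sender}")

    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        pieces = name.lower().split(".")
        ext = pieces[-1] if len(pieces) > 1 else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"{name}: executable attachment type .{ext}")
        if len(pieces) > 2 and pieces[-2] in DECOY_EXTENSIONS:
            findings.append(f"{name}: double extension hides the real type")
        data = part.get_payload(decode=True) or b""
        kind, declared = sniff(data), part.get_content_type()
        if kind == "windows-executable" and not declared.startswith("application/x-ms"):
            findings.append(f"{name}: declared {declared} but content is a Windows executable")
    return findings


def build_phish() -> str:
    """Constructed sample: looks like it came from a friend, carries a disguised .exe."""
    m = EmailMessage()
    m["From"] = "A Friend <friend@example.org>"
    m["Reply-To"] = "collector@mailer.example.net"
    m["To"] = "you@example.org"
    m["Subject"] = "[SPAM] Your invoice"
    m.set_content("Please see the attached invoice.")
    fake_exe = b"MZ\x90\x00" + b"\x00" * 60          # PE header stub, constructed
    m.add_attachment(fake_exe, maintype="application", subtype="pdf",
                     filename="Invoice.pdf.exe")
    return m.as_string()


def build_clean() -> str:
    """Constructed sample: an ordinary PDF from the same friend."""
    m = EmailMessage()
    m["From"] = "A Friend <friend@example.org>"
    m["To"] = "you@example.org"
    m["Subject"] = "Holiday itinerary"
    m.set_content("Here is the itinerary.")
    m.add_attachment(b"%PDF-1.4\n%constructed\n", maintype="application",
                     subtype="pdf", filename="itinerary.pdf")
    return m.as_string()


if __name__ == "__main__":
    for label, raw in ("phish", build_phish()), ("clean", build_clean()):
        print(label, triage(raw) or ["no warnings"])
```

Reading the bytes rather than trusting the declared type is the point: `Invoice.pdf.exe` labelled `application/pdf` is exactly the trick the paragraph describes, and the `MZ` signature gives it away before anything is opened.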

You could be an innocent victim of e-espionage, contribute to the spam that is out there, or be an unwitting suspect in an eCrime. If we pay attention to cyber-security we can win the game of staying safe in cyberspace.

Weren't you warned before? Look before you leap!

  1. Be aware: check where a link leads before you click on it.
  2. If you are not sure about the software you are downloading, do a quick check on it with your favourite search engine.
  3. Clean up your phone by removing apps that are no longer in use; do it now, before your address book is harvested or your phone becomes a listening device.
  4. Avoid the use of pirated/cracked software on your machines.
  5. Make sure that your operating system and applications are patched with the latest updates and that firmware is updated on the day the update is released. Set a schedule: if you only patch every 30 days, exploits for already-fixed bugs can work against you for up to a month.
  6. Invest in a personal firewall/antivirus and keep it updated!

Say No!!! to YES!

Further reading
Stuxnet, Flame just the tip of the weapons-grade malware iceberg