Social Engineering – What exactly is it and who might be victims?

Social Engineering – If you don’t work in either the security or IT industry, you may wonder what the term means and whether it poses any real threat to your organisation. If you have heard the term, then assuming it is an IT issue in isolation would be a mistake.

Social engineering can be likened to a hacking attack against an information system, where a tool is used to probe the system and exploit a vulnerability. In the case of social engineering, human attackers use guile, perhaps some inside knowledge, or just plain bluff to penetrate the defences of an individual and obtain information they are not entitled to. In other words, they hack the information, or access to it, out of a person rather than a machine.

More often than not, attacks to obtain information, including sensitive personal data, are targeted at organisations by manipulating unsuspecting staff into willingly handing it over: the staff member has been duped into passing information to someone they do not actually know.

The attacker’s ability to develop a rapport with the target is important. Combined with some inside knowledge, acquired through research or from an insider, it establishes the sense of familiarity that puts front-line staff off their guard. Particularly vulnerable are those at the “coal-face”: customer-facing staff such as receptionists, telephone exchange operators and help-desk support staff.

The approaches often appear innocent: the attacker may pose as a new or former employee exchanging gossip or advice, or may ask for help, perhaps with a lost password. The attacks are insidious and over time can yield nuggets of information about the organisation or the individuals within it.

Another example is where access to a particular site is sought. An attacker may try to gain entry by telling reception that they have a box to deliver to a named individual whom research has shown to be on site. Reception may be busy, or the attacker may pick his moment by observing reception from a distance until the right opportunity arises. When challenged, the suggestion that “it’s OK, I know where he is and I need a signature anyway” will often create the familiarity that gets the intruder through the door.

As described above, social engineering is often linked to insider attacks, since the majority of physical or electronic attacks can be assisted in some way by an insider. A small titbit of inside knowledge is used to get past the initial security perimeter, whether verbal or physical.

Because it exploits human nature, social engineering continues to develop and become ever more sophisticated and technical. It is essential for all organisations, and particularly those holding sensitive or valuable assets, to give front-line staff regular training so that they are aware of the threat and alert to attack techniques.

Further information on social engineering and the insider threat can be found on our Slideshare account here: http://www.slideshare.net/Advent_IM_Security/social-engineering-insider-and-cyber-threat (you will need sound).

Stolen TARGET Credit Cards and the Black Market: How the Digital Underground works By Ken Westin

29/12/2013 07:19

With the Target data breach, many are wondering how criminals can profit from the use of the stolen credit cards. The card holders themselves will not be responsible for any of the charges, so how is it that criminals are able to make money from stolen credit cards?

I have been involved with several cases where organized crime rings have been unveiled; many of these have had connections to Russian and Eastern European groups. These groups generate a significant profit through stolen property acquired through burglaries, shoplifting, identity theft, credit card skimming and carding. Many underestimate the complexity of some of these networks and the revenue they generate.

The United States is a mecca for carders, simply because we are one of the last countries to rely on magnetic-stripe credit cards, which are easily cloned and lack the security of newer chip-and-PIN cards. The reason the U.S. is still using technology from the 1960s is a topic for another blog post altogether.


Buying Stolen Credit Cards Online

First the card numbers are sold to brokers, who acquire the stolen card numbers in bulk. These are then sold on to carders. The price for a valid credit card can be as high as $100 per card, depending on how much information comes with the card, the type of card and its known limits. Many of these sites offer guarantees on the validity of the cards and will provide a valid replacement if a card is blocked. Now that is customer service.


The Credit to Gift Card Shell Game – Find the Fraud!

One lucrative method of “carding” involves a shell game, where stolen credit cards are used to load pre-paid cards. These cards are then used to purchase store-specific gift cards, such as Amazon gift cards.

Shopping & Reshipping

The carder then uses that gift card to purchase high-value goods, usually electronics such as cell phones, computers and game consoles. The chain of card-to-card transfers makes the transactions difficult for companies to trace. By the time the fraud is figured out and the cards are blocked, the criminal is already in possession of the purchased goods.

These packages are usually then shipped via a re-shipping scam. Unsuspecting individuals are recruited as mules (re-shippers), usually through legitimate channels such as Craigslist job listings promising “easy work-from-home jobs”, and usually within the United States, as domestic addresses raise fewer red flags.

The re-shipper then consolidates multiple packages and ships them on, usually outside the country, or directly to someone who has bought the goods from an auction site on which the fraudster has listed them.

Reselling Goods for Profit

The carder may then sell the electronics through legitimate channels such as eBay, or, to avoid risk, through a hidden underground “deep web” site. Most people know the “deep web” from the Silk Road, which was recently shut down by the FBI, reappeared and then vanished again.

The Silk Road was an online marketplace for illegal products such as drugs. However, the Silk Road had something of a code of ethics, as certain products were restricted from sale, such as pornography, weapons, personal data (stolen credit cards, passwords etc.) and poisons.

There are many hidden services available that do not have such scruples. There are numerous places on the deep web that sell stolen credit cards and goods acquired through carding.

On these hidden illegal websites the goods are usually sold at deep discounts, typically around 50% of retail, and are reshipped or sent to a secure drop (a vacant house, for example) that the purchaser has set up for this purpose.

Right now the entire carding underground is busy: as banks scramble to monitor fraudulent activity on the stolen Target cards, the carders need to stay a step ahead and move quickly. Many of the credit card charges have already been made and the thieves have already cashed out.

The banks’ fraud detection is further hampered by the holiday season and the high volume of transactions taking place. It is going to be a tough time for fraud analysts this holiday season.

Source: http://www.tripwire.com/state-of-security/vulnerability-management/how-stolen-target-credit-cards-are-used-on-the-black-market/?utm_source=buffer&utm_campaign=Buffer&utm_content=buffer28417&utm_medium=twitter


15 Tips to Better Password Security

Protect your information by creating a secure password that makes sense to you, but not to others.

Most people don’t realize that there are a number of common techniques used to crack passwords, and plenty more ways in which we make our accounts vulnerable by choosing simple and widely used passwords.

How to get hacked

Dictionary attacks: Avoid consecutive keyboard combinations, such as qwerty or asdfg. Don’t use dictionary words, slang terms, common misspellings, or words spelled backward. These attacks rely on software that automatically tries common words in the password field, and password cracking becomes almost effortless with a tool like John the Ripper or similar programs.

Cracking security questions: Many people use first names as passwords, usually the names of spouses, kids, other relatives, or pets, all of which can be deduced with a little research. When you click the “forgot password” link within a webmail service or other site, you’re asked to answer a question or series of questions. The answers can often be found on your social media profile. This is how Sarah Palin’s Yahoo account was hacked.

Simple passwords: Don’t use personal information such as your name, age, birth date, child’s name, pet’s name, or favorite color/song, etc. When 32 million passwords were exposed in a breach last year, almost 1% of victims were using “123456.” The next most popular password was “12345.” Other common choices are “111111,” “princess,” “qwerty,” and “abc123.”

Reuse of passwords across multiple sites: Reusing passwords for email, banking, and social media accounts can lead to identity theft. Two recent breaches revealed a password reuse rate of 31% among victims.

Social engineering: Social engineering is an elaborate type of lying. An alternative to traditional hacking, it is the act of manipulating others into performing certain actions or divulging confidential information.

How to make them secure

  • Make sure you use different passwords for each of your accounts.
  • Be sure no one watches when you enter your password.
  • Always log off if you leave your device and anyone is around—it only takes a moment for someone to steal or change the password.
  • Use comprehensive security software and keep it up to date to avoid keyloggers (keystroke loggers) and other malware.
  • Avoid entering passwords on computers you don’t control (like computers at an Internet café or library)—they may have malware that steals your passwords.
  • Avoid entering passwords when using unsecured Wi-Fi connections (like at the airport or coffee shop)—hackers can intercept your passwords and data over this unsecured connection.
  • Don’t tell anyone your password. Your trusted friend now might not be your friend in the future. Keep your passwords safe by keeping them to yourself.
  • Depending on the sensitivity of the information being protected, you should change your passwords periodically, and avoid reusing a password for at least one year.
  • Do use at least eight characters of lowercase and uppercase letters, numbers, and symbols in your password. Remember, the more the merrier.
  • Strong passwords are easy to remember but hard to guess. Iam:)2b29! — This has 10 characters and says “I am happy to be 29!” I wish.
  • Use the keyboard as a palette to create shapes. Take %tgbHU8*- and follow it on the keyboard: it traces a V, starting from any of the top-row keys. To change these periodically, you can slide the shape across the keyboard. Use a W if you are feeling all crazy.
  • Have fun with known short codes or sentences or phrases. 2B-or-Not_2b? —This one says “To be or not to be?”
  • It’s okay to write down your passwords, just keep them away from your computer and mixed in with other numbers and letters so it’s not apparent that it’s a password.
  • You can also write a “tip sheet” which gives you a clue to remember your password but doesn’t actually contain the password itself. For the example above, your “tip sheet” might read “To be, or not to be?”
  • Check your password strength. If the site you are signing up for offers a password strength analyzer, pay attention to it and heed its advice.
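The “How to get hacked” list and the tips above describe weaknesses in words; the checker below turns them into runnable checks so that a help desk or onboarding script can reject the same choices the post warns against. It is an added example, not code from the original post or from Robert Siciliano or McAfee. The common-password and dictionary lists are constructed from the examples the post names and are deliberately tiny; a real deployment would substitute a full breach corpus and word list. The function names (`check_password`, `find_reuse`) and the four-character-class rule are assumptions taken from the tips, not an existing library API.

```python
import hashlib
import re

# Constructed, illustrative lists built from the weak choices the post names.
# A real checker would load a full breach corpus and a dictionary instead.
COMMON_PASSWORDS = {"123456", "12345", "111111", "princess", "qwerty", "abc123", "password"}
DICTIONARY_WORDS = {"password", "princess", "welcome", "dragon", "monkey", "letmein", "sunshine"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def keyboard_run(password, min_len=4):
    """Return a run of consecutive keys from one keyboard row (typed forwards or
    backwards) that appears in the password, or None if there is none."""
    low = password.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - min_len + 1):
            seq = row[i:i + min_len]
            if seq in low or seq[::-1] in low:
                return seq
    return None


def dictionary_word(password):
    """Return the dictionary word hidden in the password, spelled forwards or
    backwards, or None. Digits and symbols are stripped first so that both
    'Password1!' and the reversed 'drowssaP1!' are caught."""
    core = re.sub(r"[^a-z]", "", password.lower())
    if core in DICTIONARY_WORDS:
        return core
    if core[::-1] in DICTIONARY_WORDS:
        return core[::-1]
    return None


def check_password(password, personal_info=()):
    """Map each weakness from the post that applies to the detail that triggered it.
    personal_info is the user's own names, dates and pets; an empty dict means the
    password passed every check."""
    findings = {}
    low = password.lower()
    if len(password) < 8:                       # "at least eight characters"
        findings["too_short"] = len(password)
    if low in COMMON_PASSWORDS:                 # "123456", "qwerty", "princess", ...
        findings["common_password"] = low
    run = keyboard_run(password)                # "consecutive keyboard combinations"
    if run:
        findings["keyboard_run"] = run
    word = dictionary_word(password)            # dictionary words, also spelled backward
    if word:
        findings["dictionary_word"] = word
    for item in personal_info:                  # name, pet, birth year, ...
        item = item.lower()
        if len(item) >= 3 and item in low:
            findings["personal_info"] = item
            break
    classes = [                                 # lower, upper, digits, symbols
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    if not all(classes):
        findings["character_classes"] = sum(classes)
    return findings


def find_reuse(accounts):
    """Group account names that share a password (the post's reuse warning).
    Grouping is by SHA-256 digest so the plaintext is not kept in the result."""
    by_digest = {}
    for account, password in accounts.items():
        digest = hashlib.sha256(password.encode("utf-8")).hexdigest()
        by_digest.setdefault(digest, []).append(account)
    return sorted(sorted(group) for group in by_digest.values() if len(group) > 1)


if __name__ == "__main__":
    # Constructed sample input: the post's bad choices beside its suggested passwords.
    samples = ["123456", "qwerty", "drowssaP1!", "Fluffy1984!", "Iam:)2b29!", "2B-or-Not_2b?"]
    for pw in samples:
        print(f"{pw!r}: {check_password(pw, personal_info=['fluffy', '1984']) or 'no findings'}")
    print(find_reuse({"email": "Iam:)2b29!", "bank": "Iam:)2b29!", "social": "2B-or-Not_2b?"}))
```

Both passwords the post suggests, Iam:)2b29! and 2B-or-Not_2b?, come back clean, while the reversed dictionary word drowssaP1! is still caught even though it satisfies the length and character-class rules, which is the point of the “words spelled backward” warning. The reuse check hashes before comparing so that a script run over an exported credential list never has to keep the plaintext around longer than the hashing step.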

Robert Siciliano is a McAfee Consultant and Identity Theft Expert.

See him discussing how to protect yourself from identity theft on CounterIdentityTheft.com. (Disclosures)

Source: http://robertsiciliano.com/blog/2011/07/07/15-tips-to-better-password-security/