February 25, 2012

Social Engineering

"[Social engineers] use the same methods they always have -- using a ruse to deceive, influence or trick people into revealing information that benefits the attackers. These attacks are initiated, and in a lot of cases, the victim doesn't realize. Social engineering plays a large part in the propagation of spyware."
                                                                  - Kevin Mitnick, CNET June 14, 2006

Social engineering: within the past 15 years or so, this term, previously confined to psychology, has circulated through the security realm. I have read many articles referencing the term, but very few take the time to explain it. With social engineering techniques growing in popularity within the hacker community, it is certainly a term a basic computer user should become familiar with. So really, what is social engineering?

It is at the heart of any con or scam. A simple definition of social engineering: the subtle psychological manipulation of a person in order to obtain unauthorized information and/or access. Regardless of how automated our world becomes, every system must somehow interact with the emotional human element. A system is only as secure as its weakest link, which is usually the human user. Technical vulnerabilities can be patched, but the human vulnerability will continue on. Why take on the fancy firewalls and state-of-the-art security systems when you can easily bypass them?

Some refer to social engineering as the art of human-hacking.

Successful social engineers use deceptive tactics to appear as a legitimate, trusted source. "All social engineering techniques are based on specific attributes of human decision-making known as cognitive biases. These biases, sometimes called 'bugs in the human hardware,' are exploited in various combinations to create attack techniques..." 1

The basic elements of successful psychological manipulation require the manipulator to:
-conceal aggressive intentions and behaviors.
-attack a known or suspected psychological vulnerability.

Basic Techniques:
"Friend" you through the Internet. The Internet provides an element of anonymity, so it's difficult to know whether the person on the other end of the monitor is who they claim to be. By building a rapport with you, the scam artist gains an element of trust. This is the basic premise of the "Online Dating Scams" the FBI warns of in their "Looking for Love? Beware of Online Dating Scams" story.

A spin-off of the above technique is pretending to be somebody you already know. Why go through all the work of building trust with you when they could simply be somebody you already trust? In our "Social Malware" post we warned about a computer worm targeting Facebook log-in credentials. Using these easily obtained usernames and passwords, attackers transmitted malicious links to the compromised accounts' friends. Since you don't think twice about clicking on a link a "friend" sends you, it provides a great venue for attacks.

"Hi, I'm from the help desk." Before spam, phishing, and social media, hackers used the phone. Some, nostalgic for the old art, still resort to this technique. One of the more famous social engineers, Kevin Mitnick, used this technique to "fool users into handing over sensitive information." 2

Some definitions in circulation claim that the attacker never comes face-to-face with his/her victim. While most of today's social engineering exploits, viewed from an information assurance or system security standpoint, support this assumption, social engineering is not limited to remote interactions. The video "Through a Social Engineer's Eyes" from CSO Online expands on how social engineers exploit other avenues.

1 "Social engineering (security)." Wikipedia. Retrieved from http://en.wikipedia.org/wiki/Social_engineering_(security) (accessed 24 February 2012).

2 "Kevin Mitnick, the great pretender." CNET, June 14, 2006. Retrieved from http://news.cnet.com/Kevin-Mitnick%2C-the-great-pretender/2008-1029_3-6083668.html (accessed 24 February 2012).

February 22, 2012

Online Tax Software: Buyer Beware!

In the United States it is that dreaded time of year, TAX SEASON!

Many do-it-yourself filers search for tax software to simplify the process, but when searching the internet, it is a buyer-beware market. One filer from the Krebs on Security blog post "How Not to Buy Tax Software" unfortunately learned this lesson the hard way. Instead of buying online from a known source, our buyer decided to save a few bucks by buying and downloading from an unknown source (Blvdsoftware.com) listed in an online advertisement he saw.

According to Brian Krebs, "Buying software from random sites or companies you know nothing about and haven’t researched is a bad idea all around. But fail to do due diligence on a bargain site that sells tax return software and you could be handing your identity and computer over to cyber thieves."

While it first appeared to be a great deal, it quickly turned into a lemon sale. Five days after he purchased the download, the website disappeared.

There were other clues that raised the proverbial red flags. When purchasing the software download, our buyer was never provided a license key. A quick domain search shows the website was established in October 2011, which doesn't support Blvdsoftware.com's claim of having been around since 2005.

Save yourself the headache:

-only purchase from known sources.

-if purchasing from a new source, research, research, research! A little diligence now could pay off in the future.

-use a credit card instead of a debit card, which gives you an avenue to dispute the charges.

-if your annual income is $57k or less, use FreeFile offered by the IRS. If you're lucky enough to earn more, check out the IRS' article "Authorized IRS e-file Providers for Individuals" to find somebody to assist you in filing.
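The domain-age check from the red-flags paragraph and the "research, research, research" advice above can be automated. The following is an added example, not code from the original post or from Krebs on Security: it parses a WHOIS-style record (a constructed sample, not real registry output) and flags a vendor whose domain is younger than its "in business since" claim or only a few months old.

```python
import re
from datetime import date, datetime, timedelta

# Constructed WHOIS-style response for illustration only; not a real lookup result.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-TAXSOFT.COM
Registrar: Example Registrar, Inc.
Creation Date: 2011-10-03T14:22:11Z
Updated Date: 2011-10-03T14:22:11Z
Registry Expiry Date: 2012-10-03T14:22:11Z
"""

# Field names different registries use for the registration date.
CREATION_FIELDS = {"creation date", "created on", "registered on", "created"}
DATE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d %H:%M:%S", "%Y-%m-%d")


def parse_creation_date(whois_text):
    """Return the registration date found in raw WHOIS text, or None if absent."""
    for line in whois_text.splitlines():
        key, sep, value = line.partition(":")
        if not sep or key.strip().lower() not in CREATION_FIELDS:
            continue
        value = value.strip()
        for fmt in DATE_FORMATS:
            try:
                return datetime.strptime(value, fmt).date()
            except ValueError:
                continue
    return None


def vendor_red_flags(whois_text, claimed_since_year, today, min_age_days=365):
    """List the warning signs a buyer should weigh before trusting a vendor site."""
    flags = []
    created = parse_creation_date(whois_text)
    if created is None:
        return ["no registration date in WHOIS record"]
    if created.year > claimed_since_year:
        flags.append("domain registered %s but vendor claims to exist since %d"
                     % (created, claimed_since_year))
    age = today - created
    if age < timedelta(days=min_age_days):
        flags.append("domain is only %d days old" % age.days)
    return flags


if __name__ == "__main__":
    # Check the constructed record against a claimed founding year of 2005.
    for flag in vendor_red_flags(SAMPLE_WHOIS, 2005, date(2012, 2, 22)):
        print("RED FLAG:", flag)
```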