Tuesday, November 27, 2007

Chapter 16 :) :) :)

Great, detailed ways of protecting your organization against these pesky social engineers. Instead of just recapping what Steve has so eloquently laid out for us, I would like to offer a funny ending to this blog.

The main thing that I will take away from reading this book is to BELIEVE NO ONE!!!!!

Did any of us ask for some proper identification from our own Molly Wasko? If that is even her real name. She could have been cleverly collecting social data on us from the very beginning. We have all given up so much personal information along the way in this course. She could use this information against us after we graduate and create our own small businesses and strike it rich. We are investments, if you will. She knows some deep secrets about us all and she clearly knows how to use them. She read Art of Deception as well. She could call one of us, or have one of her children do it, and say that she is our vet and that our precious 'boo boo' doggie has been hit in a car accident and the only hope for survival is to give all of your PIN numbers, pass codes and your mother's maiden name. It could happen. Watch out.

Chapter 15

Only one more to go after this one. YEA!!!

Finally we are getting to the real solution portion of the book. The examples, though entertaining, are getting harder and harder to stay focused on because they are very repetitive. This chapter starts the problem solving strategies through awareness and training. I think I mentioned back in chapter three or four the idea of starting a company that tries to break into companies; well, it looks like I am behind the times. Businesses like that already exist. If I were shopping for my own organization I would definitely look for a program that combines the technological aspect with that of the human touch. I love to hear stories of casinos that hire ex-cons to help them learn how they can get ripped off. I looked up Mitnick on Wikipedia and he was quite the social engineer himself. I actually did this before chapter fifteen, but it is applicable to blog about it now. The criminal is the best resource to ward against theft.
What do you guys think? Would you hire an ex-con to help secure your company? How would you know if they were helping or hurting your cause? I am so scared of the unknown and all this technical stuff is well out of my learning range. I could learn to be more skeptical, but I would still need to rely on a strong IT person to help me decipher all the possible ways I could get scammed.

Chapter 14

This is a short one, so I am sure the post will follow suit.

I enjoyed the Rick Daggot story. What a charmer. We had a joke at Borders about the authors. Many times an author would come into the store and just grab their own book off the shelf and sign it. Or they would ask the booksellers to direct them to the title just to see if they had ever heard of the book. I guess this is how authors can feed their egos. Anyway, we said we would tour the country posing as authors and signing books. Not much money to be made by this, but it is a nice form of revenge or sabotage.

Sammy Sanford, what a coward. I have more respect for the thief that steals from me face to face. These social engineers are very cowardly. Except for good old Rick Daggot, he had some guts. I like that.

Chapter 13

I do not think we should have to do this one. Bad luck and all.

Shocker that caller 'ID' cannot be trusted. Now I have lost all faith in modern technology.

I wish that I had read this book, or at least this chapter, years ago. I have had more than my fair share of traffic violations. I am good at a lot of things, but driving is not one of them. It is generally not for speeding, more like careless driving. I am the person that is easily distracted (go figure) and drives other drivers crazy. I have heard that if officers do not show for the court date you have a greater chance of winning your case. If the other witness is not there to defend their side, that makes sense. This has never been the case with myself. The officer always shows up, and I always lose. Paul Durea's scam would have come in handy.

Oh my goodness, our first female social engineer hits. Of course they use their seductive voice. Not sure how I feel about that. I am all for Samantha and her revenge. What a waste of a clever employee. They could have benefited from her ingenuity if they had not been so sexist.

Chapter 12

Oh the poor, poor pitiful entry-level employees. They are certainly getting the brunt of the examples of ignorance in this book. This is a point that Steve has made painfully clear. TRAIN those entry-level employees until you run out of money.

It seems as though much is said about the con and how to commit these crimes. In great detail, I might add. What about the punishments? You cannot have the crime without the punishment. What is the author doing to deter this behavior? He does suggest safeguards along the way and I know he gives many solutions in the end, but the consequences would be nice to hear along the way. I read about Steve's time in the 'big house' on the Internet. What about Bill the bank robber that wanted to retire at 24, Joe Harper the 17-year-old thrill seeker or Anthony Lake the lazy businessman? Where are they now? Behind bars or behind laptops finding more ways to scam us?

The Kurt Dillion story made me think that if we could hack into the 'turnitin' web site we would have an artillery of academic resources at our mouse tips. More fun might be to get a hold of someone's case study before they turn it in. This is not too hard because many of the MBAs leave their Blackboard up on the computers in the lab. I have even seen a credit card account up on a screen one day. True story, ask Jenna. Once we have acquired the paper before they turn it in we could post some of the material online. Then when they 'turnitin' it will come up as a stolen piece of material.

Monday, November 26, 2007

Chapter 11

I think I am just as skeptical of hackers getting into a prison system as I am of them hacking from prison. Remember Shawshank Redemption? Tim Robbins was a clever social engineer. He befriended his way into working for the Warden in a variety of ways. He was given a great deal of responsibility and clearance into the financial and personal portions of the employees of the jail. These tactics exemplified the definition of a social engineer on page 173: 'a social engineer lives by his ability to manipulate people into doing things that help him achieve his goal.'

The cleaning people point came up in a conversation with my brother over the weekend. He works for the Air Force in an extremely high security confidential project. They are not allowed to even bring their cell phones into the building for fear of infiltration. He and I thought that the best approach to stealing information would be to dress up like a janitor and have a camera in our mop. He told me that cleaning people just blend into the terrain and no one would even notice their existence. Many of the programmers regularly leave information up on the screens. We could also bug the room when no one was looking. He did say, however, that the information alone is not that valuable. The combination of the information is worth much more. They separate the projects so that only a small few actually have access to the project as a whole. That seems like a good strategy for security.

Friday, November 23, 2007

Chapter Ten

I was wondering how challenging it is for hackers to penetrate the Blackboard system and change their grades. For an MBA trying to get a job on Wall Street, straight A's are extremely valuable when getting the pay that you want.
Former employees seem like the most dangerous threat. Disgruntled employees are known for heinous acts up to and including murder. Stealing from an ex-employer that the employee feels has wronged them almost seems justifiable. Having staff members change all passwords after a termination is a great idea. I can tell you about three combinations/passwords from former employers that I can almost guarantee still work. I know how badly I hate changing my personal ones. I have over 15 different accounts that require log-ins and passwords. It would take about an hour a month if I changed them that frequently. I know for a fact that my ex has the one for my e-mail account, and knowing this changes some of my e-mail behaviors. I could change it, but I actually like that they still tap in sometimes. I will give them the information that I want them to know. I am starting to sound like a small time social engineer myself.

Chapter 9

This chapter was on the lunatic fringe of redundancy. The author had already addressed most of these concepts.
Getting the victim to come to you is age old and recurring in nature. Within the lion community they utilize a strategy known as run toward the roar. The old decrepit lion chills in a secure spot and when prey stumbles upon the group his job is to roar as loud as he can. This sends the prey running the other direction into the open arms of the younger, stronger lions. If the prey would run toward the roar they would only have to fight the old guy. The social engineer sends the victim running from the potential threat into an even more dangerous trap. In this chapter the social engineer cleverly creates chaos where no problem previously existed. They are taking advantage, again, of the helpful employee. The victim does not want to be challenging or unhelpful. Before the attacker called there was not even a problem to deal with. Employees need to be trained not to fall into the fix-it syndrome. Verification is the key to eluding this attack as well as many previous attacks.

Chapter 8

Skilled social engineers are adept at developing and exploiting feelings of guilt. This one seems pretty easy to me. As I stated before, I am a poker player and I rely heavily on the ability to read people. After the read comes the manipulation, and guilt is one of the most powerful emotions to exploit. I will give you a lovely everyday kind of example. I was in line at Sam's, or Santa Sam at my house, buying one box of cold medicine. The woman in front of me had an overflowing cart. When I saw her turn to look in my direction I subtly played with the box, avoiding eye contact. She responded with, 'honey, is that all you have? Go in front of me.' I graciously thanked her and saved probably twenty minutes of my valuable time. The time I saved I spent on this book club blog, of course. There is a skill associated with the passive aggressive social engineer. They cannot be too obvious. They have to make the victim feel it would be wrong not to help them out.

Chapter 7

You do not get something for nothing. I could not agree more with Mitnick's comment on page 97. Mankind has invented so many things to improve our lives. This improvement comes with a high price to pay. These conveniences have brought on more and more ways to penetrate our safety. Though time can be saved through technology, viruses will drain that precious time we accumulate. Not to mention the stress from going through a virus can take away minutes of my life that I will never get back. Last month I got a virus on my laptop from trying to close a pop-up with the usual X box in the right corner of the advertisement. Little did I know that those social engineers would disguise that X box as an agreement to open a virus. Now, I am forced to call for help. I was on the phone with a Dell tech help person from India for 2 hours. I ended up buying the two hundred dollar support package and wasted two precious hours of my life. This brings me to another point. How can I know for certain that the person I called was from Dell? A clever social engineer could patch calls going to the Dell help line and send them directly into the lion's den. They could also set up lines that are only one number off from the actual number and wait for 'wrong numbers' and then attack them.

Chapter 6

I loved the term 'candy security', hard shell exterior with a mushy interior (not much unlike myself). I try to look tough, but enjoy romantic comedies just like the rest of the world's softies. This 'candy security' concept brings us back to the concept that your company's Achilles' heel is your internal staff. I hope I haven't mentioned this before now, but I had a boss once that used to say that 'your best employee is your worst employee.' The best employees are the ones that are given more responsibility and are trusted more with valuable information. They are also the ones bright enough to use that information against you. They did not get to be your favorite employees without being bright and competent. There are many people out there that are capable of this scam. Systems that are designed to protect your company are developed by none other than people. These people know exactly how to manipulate the system; they created it.

Monday, November 19, 2007

Chapter Five

A thought that occurred to me in this chapter is: why are the front line people always the easiest to infiltrate? I have seen this in many organizations. The cashier, receptionist, accounts payable, accounts receivable...these are generally low paid personnel entrusted with valuable information. The more educated, less susceptible to the con are higher up the chain. They generally do not possess the valuable detail information that the social engineer is after; that is what the front line is for. As in the con with Craig Cogburn, a receptionist was the first victim. Receptionists are extremely eager to please the boss and fall into the role of 'helpful, team player' quite naturally. The helpful nature is what makes for good receptionists, but also makes them gullible to the attack.
I completely agree that education and training are the only viable solutions. The big wigs do not have the time to deal with the detail information, nor should they have to. The front line employees should be educated on the various forms of attacks. They should be required to read this book. They should be tested occasionally. A set-up social engineer randomly 'attacks' the individual once a month. Kind of like a secret shopper, but a secret infiltrator if you will. This sounds like the making of a fun and profitable consulting firm. What do you think, guys? We could test a firm's security, train the employees on how to handle various situations, then evaluate the success through random screenings.

Thursday, November 15, 2007

Chapter Four

Quite ironically, just one page prior to the note on page 42 I was questioning why the author was always referring to the 'social attacker' as he. Mitnick qualified his point beautifully. Is it that statistically guys are more deceptive or are women better at not getting caught?
I totally agree that humans naturally want to trust and that we must train ourselves to be more skeptical. Trusting wisely is an applicable theory for interpersonal relationships as well. I have been divorced once and been through numerous breakups, one of which came after a ten year relationship. I am what my friends refer to as a 'serial monogamist.' The purpose of this personal disclosure is to illustrate the human (my) trait of unwise trust. I have so unwisely trusted in other humans that I have lost three couches, a set of Kate Spade plates, one beautiful dog, numerous CDs and books and countless dollars.
Page 53, middle of the page, puts it perfectly. 'Yet the more trusting we are, the more likely that the next (insert whatever here) to arrive in town will be able to deceive us into giving up our (insert whatever here).' This is good stuff. I pay over $100 an hour for therapy for this kind of advice.

Chapter Three

This may be a stretch, but as I read this chapter I could not stop thinking about the BB bandits in town. They have been hitting cars at night with BB guns and breaking out the windows. Over 70 cars were hit in only three nights. You may have noticed the glass piles on Dewy Street. They were not stealing anything, only doing it for fun or just because they could. The police department stated that they were choosing lightly traveled roads with easy access. This seems like the same approach as the social engineers in chapter three. Most of the information obtained was over the phone, which is a very easy way out.
Protection from this type of attack is to be more skeptical and require verification. People that get irritated with having to prove who they are, are probably up to no good. I recall this from bartending. It was paramount that we checked IDs. We could lose our jobs and be fined. Neither of which was a fun prospect in college. The people that raised a stink about showing you an ID were either European or underage.
It occurred to me that not only is there a plethora of information out there for the attacker, but for the general public as well. Too many times people take for granted the information that they can obtain if they just ask the right questions to the right people. This kind of information could be very valuable both to your firm and to yourself.

Oops...sorry

My apologies for the last post. I forgot to run spell check. Enjoy the content, but don't judge the grammar and spelling.

Chapter Two

This chapter highlights just how incredibly easy it can be to obtain information. I am a gambler, a poker player more specifically. I found some of the 'attacker' tactics informative and helpful. Much of the skill in playing poker is in the read of the other players. Another important skill is in knowing when you are being read. Once the latter happens, it is time to change strategies or just simply move tables. Social engineers are talented at knowing when to pull the plug on their scam.
I know that personally I give way too much information out to people that sound like they know what they are talking about. Confidence and information can give social engineers just the ammunition that they need to destroy their victims. I am a sucker for someone that is sharp and has done their homework. I know better now after reading this book. Don't mess with me now, social engineers, you missed your window of opportunity.
In the 'preventing the con' section the information is good, but I feel a greater threat is the disgruntled employee. I worked for a woman once in the restaurant business that said 'your best employee is your worst employee.' She had been in the biz for over 20 years and seen her fair share of the smart, good employees gone awry.

Chapter One

I have worked for some extremely vulnerable companies. The most vulnerable being The Fresh Market. The growth that they were experiencing at the time was almost paralyzing. They were putting technologies in place to try to help with efficiencies, but they were not tested well enough in our environment to keep them safe. Some savvy employees learned to "break in," if you will. I will give you an example if you promise not to tell. Promise? Okay. I was an energetic and eager young recruit that wanted desperately to get ahead and be promoted to the store manager level. I was currently working for a DM that had not heard how cool feedback was. We were in the dark about how well we were or were not doing. On a trip to Tallahassee, he had left his e-mail up on our computer. In his sent box was a spreadsheet ranking all of the assistant managers, including their strengths and weaknesses. I looked at mine and my greatest competition's. I worked hard on my weaknesses and was still passed up the first time the promotion was available, but got it the second time. I know we would all love to say that we wouldn't do that if we were in my position, but I'm not sure how many would turn down that opportunity. This story is a little off the mark of chapter one because I wasn't trying to break into a firm for malicious reasons, but rather I had justified my actions based on the poor management of my supervisor. Isn't that how most internal security is rationalized?
So many companies take for granted the level of security that they are currently at. It is a cost that they are not willing to pay. As we read in chapter one, security's weakest link is the 'social engineer.' In my personal example I felt that I was a positive 'social engineer.' The more I understood my strengths and weaknesses the more valuable I could be to the firm. Other 'social engineers' have more malicious intentions. I feel that the cost of such attacks by the bad 'social engineers' will clearly outweigh the original cost of making your firm more secure.

Wednesday, October 3, 2007

Welcome!!!

Hello fellow bloggers,

Welcome to Art of Deception Book Club.

Enjoy,

J Boogie