Ross Anderson's Home Page. What's new: Security protocols and evidence: where many payment systems fail analyses why dispute resolution is hard. In a nutshell, the systems needed to support it properly just don't get built (blog).
Social engineering: hacking the human OS. Social engineering, sometimes called the science and art of human hacking, has become popular in recent years with the rapid growth of social networks, email and other forms of electronic communication. In information security the term covers an array of techniques that criminals use to obtain sensitive information or to convince targets to perform actions that could compromise their systems. With so many security products available today, it's the end user who holds the power. Whether the target is a set of login credentials (username and password), a credit card number or a bank account, the weakest link in the chain is usually not technological but human, and when psychological manipulation takes place it is important to know what tricks are being used and how to prevent them. Social engineering is not new. “What I did in my youth is hundreds of times easier today.
Security engineering Security engineering is a specialized field of engineering that focuses on the security aspects in the design of systems that need to be able to deal robustly with possible sources of disruption, ranging from natural disasters to malicious acts. It is similar to other systems engineering activities in that its primary motivation is to support the delivery of engineering solutions that satisfy pre-defined functional and user requirements, but with the added dimension of preventing misuse and malicious behavior. These constraints and restrictions are often asserted as a security policy. In one form or another, security engineering has existed as an informal field of study for several centuries. For example, the fields of locksmithing and security printing have been around for many years.
The human OS: Overdue for a social engineering patch. It sounds like the operating system that really needs some serious security patches is the human one. While technology giants like Microsoft, Google and Apple regularly crank out updates, patches and fixes for zero-day vulnerabilities and other threats, the weakest link in the security chain, the careless or clueless employee, remains unpatched. That is in large measure because there is no technology that can prevent someone from falling for increasingly sophisticated social engineering attacks. As has been regularly reported during the past year, some of the biggest data breaches in history began with attackers fooling an employee. And that is despite years of exhortations by experts that worker security awareness training needs to be much more than a perfunctory lecture or PowerPoint presentation once every six months or so. In short, human hacking continues to be far too easy.
Schneier on Security
Four of the newest (and lowest) Social Engineering scams. Your computer files are being held for ransom. Pay up, or lose them. Your bank account is being emptied, so click here to stop it. Your friend has died, click on this funeral home site for more information. Social engineering thugs have reached new lows. Social engineers, those criminals who take advantage of human behavior to gain access to data or infiltrate businesses, were once content to trick people with free offers or funny videos before unleashing their scams.
What Is Social Engineering? [MakeUseOf Explains] You can install the industry’s strongest and most expensive firewall. You can educate employees about basic security procedures and the importance of choosing strong passwords. You can even lock down the server room, but how do you protect a company from the threat of social engineering attacks? From a social engineering perspective, employees are the weak link in the chain of defences in place.
Social Engineering: Attacking the Weakest Link in the Security Chain It’s happened to major corporations, and even the U.S. Department of Defense: falling victim to data breaches that resulted from attackers exploiting employees or company vendors. Unfortunately, along with exposing millions of identities these attacks also reveal what is often the weakest link in enterprise data security, the human element. Over the past decade, an increasing number of users have been targeted with spear-phishing attacks and the social engineering has grown more sophisticated over time.
The Limits of Big Data: A Review of Social Physics by Alex Pentland In 1969, Playboy published a long, freewheeling interview with Marshall McLuhan in which the media theorist and sixties icon sketched a portrait of the future that was at once seductive and repellent. Noting the ability of digital computers to analyze data and communicate messages, he predicted that the machines eventually would be deployed to fine-tune society’s workings. “The computer can be used to direct a network of global thermostats to pattern life in ways that will optimize human awareness,” he said.
New Web vulnerability enables powerful social engineering attacks Users who are careful to download files only from trusted websites may be tricked by a new type of Web vulnerability: this one cons them into downloading malicious executable files that are not actually hosted where they appear to be. The attack has been dubbed reflected file download (RFD) and is similar in concept to reflected cross-site scripting (XSS), where users are tricked into clicking specifically crafted links to legitimate sites that make their browsers execute rogue code carried in the URL itself. In the case of RFD the victim’s browser does not execute code; instead it offers a file for download whose name carries an executable extension: a .bat or .cmd file containing shell commands, or a JS, VBS or WSF script that Windows Script Host (wscript.exe) will run. The contents of the file come from the attacker-crafted URL the user clicks on: the website reflects the input back to the browser, and the browser treats the response as a file download. The attack therefore needs three things at once: user input reflected unchanged into the response body, a response the browser saves rather than renders, and a download filename the attacker can influence, for example through a trailing path segment that the server ignores. Sites that reflect input into JSON or JSONP responses are the usual targets, and the fix is to validate or escape the reflected value, to send a fixed Content-Disposition filename with a harmless extension, and to send X-Content-Type-Options: nosniff.
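The following is an added example written for this page, not code from the article or from any site it quotes. It models a JSONP-style endpoint that reflects a query parameter, builds the kind of URL a reflected file download relies on, and shows the hardened response beside the vulnerable one. The host api.example.test, the path /api/search, the parameter name `callback`, the request and response object shapes and the simplified download-naming model are all assumptions made for the example.

```javascript
// Added example, not code from the article or from any of the sites it quotes.
// The host, path, parameter name and object shapes are assumptions.

// Constructed attacker URL. The ';/setup.bat' path segment is ignored by many
// server frameworks when routing, but it gives the browser a download name
// ending in .bat. The decoded callback value is "||calc|| : when cmd.exe runs
// the saved file, the leading quote fails as a command and || runs calc.exe.
const ATTACKER_URL =
  'https://api.example.test/api/search;/setup.bat?callback=%22%7C%7Ccalc%7C%7C';

// Minimal request model: path plus parsed query string.
function parseRequest(url) {
  const u = new URL(url);
  return { path: u.pathname, query: u.searchParams };
}

// Vulnerable handler: echoes `callback` verbatim and sets no filename, so the
// reflected payload lands in a file the browser names from the URL path.
function vulnerableHandler(req) {
  const cb = req.query.get('callback') || 'callback';
  return {
    status: 200,
    headers: { 'Content-Type': 'application/json' },
    body: `${cb}({"results":[]})`,
  };
}

// Hardened handler: (1) the reflected value must match a strict identifier
// pattern, so shell metacharacters never reach the body; (2) a fixed
// Content-Disposition filename means any forced download is a .json file,
// whatever the URL path says; (3) nosniff stops content-type reinterpretation.
const CALLBACK_RE = /^[A-Za-z_$][A-Za-z0-9_$.]{0,63}$/;

function hardenedHandler(req) {
  const raw = req.query.get('callback');
  if (raw !== null && !CALLBACK_RE.test(raw)) {
    return { status: 400, headers: { 'Content-Type': 'text/plain' }, body: 'invalid callback' };
  }
  const cb = raw === null ? 'callback' : raw;
  return {
    status: 200,
    headers: {
      'Content-Type': 'application/json; charset=utf-8',
      'Content-Disposition': 'attachment; filename="search.json"',
      'X-Content-Type-Options': 'nosniff',
    },
    body: `${cb}({"results":[]})`,
  };
}

// Simplified model of how a browser names a download: a Content-Disposition
// filename wins, otherwise the last URL path segment is used. This is a sketch
// for the example, not an implementation of RFC 6266 or of any real browser.
function downloadName(url, res) {
  const cd = res.headers['Content-Disposition'] || '';
  const m = /filename="([^"]+)"/.exec(cd);
  if (m) return m[1];
  return new URL(url).pathname.split('/').pop();
}

// Check a response for the RFD conditions: a download name with an executable
// extension and a query value reflected unchanged into the body.
const EXECUTABLE_EXTS = ['.bat', '.cmd', '.exe', '.js', '.vbs', '.wsf', '.hta', '.ps1'];

function rfdExposed(url, res) {
  const name = downloadName(url, res).toLowerCase();
  const dot = name.lastIndexOf('.');
  const ext = dot === -1 ? '' : name.slice(dot);
  const values = [...new URL(url).searchParams.values()];
  const reflected = values.some((v) => v.length > 0 && res.body.includes(v));
  return EXECUTABLE_EXTS.includes(ext) && reflected;
}

// Stand-alone run: the vulnerable handler is exposed, the hardened one rejects.
const demoReq = parseRequest(ATTACKER_URL);
const demoRes = vulnerableHandler(demoReq);
console.log('vulnerable download name:', downloadName(ATTACKER_URL, demoRes));
console.log('vulnerable exposed:', rfdExposed(ATTACKER_URL, demoRes));
console.log('hardened status:', hardenedHandler(demoReq).status);
```

Note that the hardened handler keeps all three controls even though the whitelist alone blocks this payload: the fixed filename and nosniff also protect against the case where some other parameter is reflected later, and they cost nothing.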
Social Engineering Grows Up Fifth annual DEF CON Social Engineering Capture the Flag Contest kicks off today with new "tag team" rules to reflect realities of the threat. The wildly popular DEF CON Social Engineering contest this year in Las Vegas will feature a new twist: Each contestant will be assigned a teammate to whom they must hand off during the live event where they cold-call targeted corporations. "We needed to create an event like the real world," says Christopher Hadnagy, chief human hacker at Social-Engineer.org, and organizer of the contest, now in its fifth year. "In the 30 minutes [of the live call], you have to tap out at least twice" so that each teammate will have a role in the live call.