Friday, February 28, 2014

Part III-1: Security Terminology



Non-Technology Terminology

  • Maildrop: Rent a mailbox, and then ask victims to send packages or information to it.
  • Reverse social engineering: Create a condition that coaxes victims to call the attacker for help. In this case, the victim already trusts the attacker, so it is very easy for the attacker to ask for information or to ask the victim to do something.
  • Dead drop: A place where you drop an item so that you (or others) can retrieve it later. It could be a rented locker, a hidden hole in a wall, or an FTP server in another country.

Tuesday, February 25, 2014

Part II-3: Social Engineers’ Attack Principles (2/2)



Look for the Weakest Link

Your security is only as good as your weakest link. Social engineers know this very well. The weak link can be a hole in software or a trusting person, and that is where social engineers aim.

Your Outsourcers

Your outsourcers might not be well trained in security. They may let a social engineer in without proper authentication.

Do not Burn the Source

Social engineers listen carefully to the tone of the other side. They do not push so hard that the other side starts to feel uncomfortable. They keep a good relationship in case they need to come back later. If they find someone who gives out information easily, they keep going back to the same person for more. If they find a security hole in a server, they will try to return to it later. What they don't do is brag about it; they don't want the victim to know. They just don't burn their own bridges.

Decoy Questions

Never start or end the conversation with what you'd like to find out. Ask a few questions first to seem natural. Then, right before asking for what you need, ask personal questions; if the other side feels comfortable, you may proceed. After getting what you want, keep asking other questions or chatting for a while. If an investigation takes place, the other side will probably remember only the last few questions, which, in this case, are not what you wanted to know.

Setting Up Verification

One good strategy for catching a social engineer is to check the name in the database, or to call someone you know who can verify the identity of the social engineer. But this measure must be used with caution. An articulate social engineer may plant their name in the database ahead of time. When you place a call, you don't hear what the verifier is saying; all you hear is what the suspect is saying. The suspect may cook up some facts and say them out loud so that you can hear. Those facts could be believable to you but make no sense at all to the verifier. After the conversation, the suspect would just hang up. A verification set up by the hacker is more dangerous than no verification at all, since people tend to believe those who pass verification procedures.

Caller ID

Caller ID is the number of the person who calls us. A lot of people use caller ID as identifying information: when a caller ID is known to us, we tend to trust the person on the other side. But caller ID can be spoofed by a sophisticated PABX if the operator does not verify it. Relying on caller ID is therefore quite dangerous, precisely because we trust people calling from known caller IDs more.

Use Google

Google is notorious for keeping personal information almost indefinitely, and this is where social engineers look for it. The victim may be very careful now, but he or she might not have been in the past. The victim might have participated in a group collaboration whose conversation was not encrypted. A social engineer can look for information like contact numbers, addresses, and the names of friends, relatives, colleagues, bosses, and so on. It is very hard to coax Google into throwing this information away. It is better not to trust someone without proper authentication.
Source: The Art of Deception: Controlling the Human Element of Security
---------------------------------------------------------------------------------------------------------

Book or Audiobooks?

Personally, I prefer audiobooks. It's fun, and I can listen while I'm doing something else. It also makes other activities (e.g., jogging) a lot more fun. For more detail about audiobooks, please read [this post].

There is one more reason that may encourage you to go for the audiobook version: you can get it now for FREE. Audible offers you a free trial for 14 days. Even if you get the book and cancel the subscription right away (so that you don't have to pay), you can keep the book. And don't worry if you lose the audiobook file. Just log into audible.com; you can keep downloading it over and over again.

About the summary: It takes time to finish a book. And when you do, sometimes you want to review what you learned from it. If you do not take notes as you read, you might have to go through the book once again. This can be time-consuming when you are dealing with a book, but you can still flip through it and locate what you are looking for.

However, when the material is an audiobook, it is extremely hard to locate a specific part of content. Most likely you will have to listen to the entire audiobook once again.

This book summary will help solve the pain of having to go through the book all over again.

I am leaving out the details of the book. Most books have interesting examples and case studies, which are not included here. Reading the original book would be much more entertaining and enlightening. If you like the summary, you may want to get the original from the source below.


Friday, February 21, 2014

Part II-2: Social Engineers’ Attack Principles (1/2)



Research First

The first phase of an attack begins with gathering information. Social engineers collect information about the victim and those around the victim. This information will be extremely useful in the next phase of the attack.

Posing as Someone Else

Social engineers are always posing as someone else to achieve what they need. They may pose as a writer or a movie maker asking for information; the excuse is that it will make the movie or the book more realistic. Another example is posing as a store manager to get customer information.

Context and Innocuous Information

A lot of information seems insensitive. But by getting more information, the attacker seems more like an insider and is likely to obtain more and more. A piece of information could be sensitive to outsiders but insensitive to insiders. By gaining more information, the attacker changes the context in which the question is asked. When the context changes, the sensitivity changes, and the attacker is one step closer to what he or she needs.

Lingo and Procedures

Lingo (i.e., terminology) and procedures are what people say and do in an organization. If you know them, you can easily pretend to be an insider. Think about it: how many acronyms does your company have? Do you use them every day? Your customers would probably not know them, but your people would. So, when someone talks to you in your organization's lingo, would you assume they are an insider? Well, I do. But I usually don't really trust them, even if they are an insider.

Start with Rapport

Do not start by asking for what you want. Start by placing friendly calls to establish trust and rapport. This is especially important when the required information is sensitive. For example, it could be difficult to get credit card numbers from a retail store. A social engineer could pretend to be a manager from another branch, but a careful social engineer would build up trust before asking for the card numbers.

Space and Time

Use space and time to avoid the presence of a particular person. For example, a social engineer may make a first call to find out the name of the store manager. When impersonating the store manager, the social engineer would then call another branch, or call the same branch later, to avoid talking to the same person.
Source: The Art of Deception: Controlling the Human Element of Security
---------------------------------------------------------------------------------------------------------



Tuesday, February 18, 2014

Part II-1: Social Engineer



Engineers are those who build things. Social engineers build a society for you. They are harmful because the society they build for you isn't the real one.
Society is comprised of the people around you and their interactions. Real society gives you purpose in life. The society created by social engineers makes you want to be a part of it, when, in fact, it doesn't really exist.

Social Engineer in Our Society

Socially engineered schemes are quite common. We often see emails from exotic countries claiming that the senders are due to inherit millions of dollars but have legal issues in their countries. They need you to open an account for them with, say, 10,000 dollars; in return, they will give you a big portion of their inheritance. If you do what they say, you will never hear from them again. Another common example is an attacker who claims to be calling from your bank, asking for your personal information, e.g., date of birth or social security number. If you give out that information, your identity will be stolen.

Thursday, February 13, 2014

Part I: Human Nature



Basic Feelings

We all have basic feelings like fear, excitement, guilt, and so on. Social engineers exploit the following six traits of our nature to get what they want:

  • Authority: People tend to believe those who have more power or authority (especially those in the military and law enforcement).
  • Liking: People like likable persons, especially those who share the same interests, hobbies, background, personality, etc.
  • Reciprocation: When receiving favors, gifts, assistance, or other things, we tend to give something in return.
  • Consistency: People tend to do what they have promised, i.e., to be consistent with what they said.
  • Social validation: We tend to believe behavior that is in line with social behavior (e.g., being sympathetic to a new employee).
  • Scarcity: People tend to want things that are in limited supply, e.g., final sales, first 10 callers only.

Tuesday, February 11, 2014

[Review] The Art of Deception: Controlling the Human Element of Security by Kevin D. Mitnick


Rating: 4/5
Learning Level: 4/5
Genre: Non-Fiction, Security
Book Review:
Kevin Mitnick was one of the world's most notorious hackers and has turned into a security specialist. I first heard of him from another of his books, Ghost in the Wires. It was interesting learning his story as a hacker, and learning what he is capable of. And now he turns that knowledge over to us.

Do I like this book? Yes, I do. But I have mixed feelings about recommending this book to most readers. Here is why. To me, this book consists of two parts. The first part (chapters 1-14) is about interesting and exciting stories of hackers. The second part (chapters 15-16) is about boring security policy. So, I think most readers would find the first 14 chapters very interesting and exciting. If you are one of these people, you might as well skip the last two chapters, because they read more like a textbook, and we are not in college preparing for a security exam.

Thursday, February 6, 2014

[Main] The Art of Deception: Controlling the Human Element of Security by Kevin D. Mitnick



This is the main post in the series "The Art of Deception: Controlling the Human Element of Security" by Kevin D. Mitnick.
Here is what I learned from this book:
  • Part I: Human Nature
  • Part II: Social Engineers
  • Part III: Security Checklists
  • Part IV: Miscellaneous
  • Part V: Corporate Information Security Policy

Tuesday, February 4, 2014

[Book Review] Life of Pi by Yann Martel

Rating: 3/5
Learning Level: 2/5
Genre: Novel
Book Review: I first heard of this title from a movie trailer. People said it was good, but I decided to hold back until I had read the book. At the time, all I knew was that it had an Indian boy and a tiger. Now that I have read the book, I know that there is a lot more.

Sunday, February 2, 2014

Death, How We Strive to Avoid it, and What We Can Do About It.

Listen to philosopher Stephen Cave talk about death and how humanity has tried to escape it. He leaves us with an interesting idea about how alike our lives and a book are. Find out below!

Here is what I find interesting:

Four Forms of Immortality

Throughout our history, there are four categories of what we do to escape death.
  1. Elixir: Humans have searched for medicine, a fountain of youth, or something of the same sort that can make us young and let us live forever. Ancient Babylon, Egypt, and China looked for it, and they did not succeed. Today, we are still searching for it, but we use different terminology, like hormones or stem cells.
  2. Resurrection: Another way to live forever is to rise again after death. The story of Jesus rising after his death is an example of this category. Today, we talk about cryogenics, where we freeze ourselves and thaw ourselves out after a few hundred years when we want to live again.
  3. Soul: The idea is to leave our body behind and live as a soul. For thousands of years, Buddhists and Hindus have believed that our body is just a shell and our real self is the soul residing within it. In the digital age, we reinvent this concept by trying to upload our consciousness into a computer and live in the digital world forever.
  4. Legacy: This is perhaps the most plausible one. It is what you leave behind. It could be tangible objects like a painting or your children. It could also be intangible things like a legend. Again, today it is so much easier to leave behind a legacy. All you need is great content and an internet connection.

Bias

We are greatly influenced by bias. We often believe things most people believe, even if they are not rational. Everyone has a fear of death, and so do we.
"The fear of death is natural but not rational", because
"When we are here, death is not. And when death is here, we are gone."
"Death is not an event in life: we do not live to experience death." -- Ludwig Wittgenstein, philosopher.

What We Can Do: Be a Good Book

A book is bound by its covers, but the story within it knows no limit. It doesn't matter how long the book is. It doesn't matter whether it is a short column in a newspaper or a multi-volume trilogy. A good book is judged by the story within its covers.
Just like a book, you should not be afraid of life after death. In fact, you should not care about things after death or even before birth. Your life will be terrific if you have a great story from birth to death.