Category Archives: social engineer

Ep. 114 – Finding Love with Whitney Merrill

What do you get when you mix a lawyer, a crypto junkie, and a romantic together? Well, none other than our guest for this month, Whitney Merrill. – Feb 11, 2019

Got a great idea for an upcoming podcast? Send us a quick message on the contact form!

Enjoy the Outtro Music? Thanks to Clutch for allowing us to use Son of Virginia as our new SEPodcast Theme Music

And check out a schedule for all our training at Social-Engineer.Com

Check out the Innocent Lives Foundation to help unmask online child predators.

The post Ep. 114 – Finding Love with Whitney Merrill appeared first on Security Through Education.

Ep. 113 – Nutrition Facts for Online Information with Clint Watts

Misinformation is a powerful tool. As we enter 2019 we invite on a fascinating guest, Clint Watts, who has spent his career learning all about how to use it and how it is used. – Jan 14, 2019


Social-Engineer Newsletter Vol 08 – Issue 112

Social Engineering Can Make You a Better Person

When social engineering makes the headlines, it is generally as a negative term, where S.E. principles are used to initiate, perpetuate, or assist a large hack that exfiltrates data or distributes ransomware. With headlines like “Social engineering at the heart of critical infrastructure attack” and “Iranian phishers bypass 2fa protection offered by Yahoo Mail and Gmail,” it is easy to see how the term has developed a negative connotation. However, here at SECOM and SEORG we utilize social engineering with the goal to “leave others better for having met [us]” while employing, practicing, and curating strong social engineering skillsets. We have previously discussed whether all social engineers are bad people and, though people rarely fall cleanly into the category of “good” or “bad,” the question is still constantly debated.

Almost a year ago, I made my newsletter debut examining how SE skills could be used in everyday life. Since then, I look for opportunities to practice my craft, improve my abilities, and be a stronger SE whenever I can. After reflecting on this last year, I can absolutely say that social engineering makes me a better person, and if you choose to social engineer as a white hat, it can make you one too.

How Social Engineering Can Make You a Better Person

As social engineers, we must quickly build rapport with our targets, maintain that rapport, and accomplish our goals without being burnt. We do this via email through phishing, phone calls through vishing, and in person via impersonation. As white hat social engineers, the skills needed to accomplish these goals effectively range from utilizing Dr. Robert Cialdini’s influence principles to awareness of vocal tone, body language, and facial expressions. Let’s examine some of the positive skills social engineering can foster:

  • Reciprocity – the reciprocity principle indicates that people will want to return something, a gift, favor, information, etc., that they are given in equal or greater value. However, it is important to remember that the recipient determines the value of what they have received. To effectively use this, an SE must remember that the target needs to value whatever they are given. In personal life, this causes us to think more about what others value over what we may value. This makes us more conscientious and encourages us to prioritize the other person.
  • Awareness of others – in the field, SEs are constantly looking to pick up cues from their targets. What internal jargon do they use? How do they speak? What is their body language during the interaction? Do they seem like they want to get away? Are they in a rush? This has caused me, when meeting new people, to study how they are speaking and attempt neutrality until I understand how to communicate most effectively with the person I am speaking to. Additionally, I pay attention to how they are behaving, whether they seem like they need to go, and respect their boundaries. This creates a safe space for the people you interact with.
  • Speaking less and listening more – As SEs, we are usually on the hunt for information. It is challenging to get information out of someone if you’re the one doing all the talking. At home, I employ reflective questioning, allow my friends and family to get more speaking time, and work to truly listen to the information they are sharing. People appreciate when they feel heard. This will strengthen your interpersonal relationships and improve your conversation skills.
  • Empathy – you never know where the other person in the conversation is coming from. They could have just gotten rough news, missed breakfast, or not had enough sleep the night before. While listening, really work to understand the perspective the individual is coming from and assume positive intent. Figuring out where a person is coming from and how they may feel connects you more closely to others.
  • Patience – Jumping into an engagement too hard too fast throws your targets off. In my day-to-day life, I have a tendency to want answers RIGHT NOW. However, the value of waiting for others to get on the same page cannot be stressed enough. I am now far more inclined to lay the foundations of a conversation and then wait for the other party to address topics when they are ready.

Great resources to build social engineering and life skills

If you want to practice these skills in your daily life, as well as your career, here are some great resources to start with:

  • The Social-Engineer Podcast hosts great guests who explain unique skill sets and tools that are used in both life and social engineering.

The intention with which you take an action can determine the quality of that action and, broadly, whether it is “good” or “bad.” Should you use your social engineering skills to exploit individuals for your own personal gain, that action is not good. However, by practicing the skillsets of strong social engineers while attempting to leave others better for having met you, you may inadvertently realize you have grown into a better version of yourself. Social engineering can make you a better person, and I challenge you to look for opportunities to practice these skills for the benefit of others in this new year. If you are curious about how to S.E. for good, check out the Social Engineering Code of Ethics. I hope you see yourself grow in the process!

Be secure and be kind,

Written By: Cat Murdock
Twitter: @catmurd0ck

Sources:
https://www.social-engineer.com/are-all-social-engineers-bad/
https://www.computerweekly.com/news/252454369/Social-engineering-at-the-heart-of-critical-infrastructure-attack
https://arstechnica.com/information-technology/2018/12/iranian-phishers-bypass-2fa-protections-offered-by-yahoo-mail-and-gmail/
https://www.influenceatwork.com/principles-of-persuasion/
https://www.social-engineer.org/newsletter/social-engineer-newsletter-vol-08-issue-101/
https://www.social-engineer.org/newsletter/social-engineer-newsletter-vol-08-issue-103/
https://www.social-engineer.org/framework/general-discussion/code-of-ethics/

Image: https://twitter.com/tim_fargo/status/628552609360683008


Ep. 112 – Catching Spies and Paying Parking Tickets with Joe Navarro

Almost 100 episodes have passed and we finally get one of our all-time favorite guests back on the show – Joe Navarro. His new book is literally THE encyclopedia of body language and we must discuss it. Join us – Dec 10, 2018


Social-Engineer Newsletter Vol 08 – Issue 111

Cyber Threats, Are You Trained to Deal with Them?

As every year passes, the cyber threat landscape continues to evolve and, along with that, the need for cyber security awareness training to deal with it increases. This past year was no different. The change is that ransomware declined, crypto-mining rose, and 92 percent of malware was delivered by email, according to a CSO article. It reported that fileless malware is replacing the old .exe files that were attached to emails. Fileless attacks exploit software already installed on the victim’s computer, such as executing in a browser plugin or MS Office macros, or exploiting vulnerabilities in server programs to inject malicious code. This shift in threats has resulted in 1,027 breaches and over 57 million records being exposed as of the October 31, 2018 Identity Theft Resource Center (ITRC) report. When you see the change and increase in cyber threats, how trained are you and your organization to deal with them?

We see that the threats continue to advance in order to give cyber criminals the ability to exploit the increased complexity and connectivity of critical infrastructure systems. In addition, cybersecurity risks continue to affect a company’s bottom line by driving up costs, negatively impacting revenue, and harming an organization’s ability to innovate and to gain and retain customers. With this constant evolution and risk comes a constant need for cyber security awareness training for an organization’s employees. But what makes for an effective training program that both the organization and its employees can benefit from? One that will keep the company secure and give it an acceptable return on investment (ROI)? And what about those individuals and organizations that can’t run a corporate cyber security awareness training program: what can they do to get training?

Who should receive training?

Training should be provided to anyone with access to the organization’s infrastructure. This includes new employees, longtime employees, executives, and contractors. If you allow someone access to your infrastructure, they need to receive regular training.

Why are you doing it?

The way to approach creating a successful cyber security awareness training program is to start by establishing clear and definable goals. If you’re going to do training merely for the purpose of having it or just to check a box in an audit, it is not going to have any lasting benefit for anyone. You need concrete outcomes and it needs to be a part of a long-term plan. Change in security awareness will not happen overnight.

The purpose of this training is to create a strong security culture that will breed employee engagement. In order for this to work it has to come from the top down, from the CEO all the way down the corporate ladder. To get buy-in from the C-suite, one company performed a team building exercise in which they split the executives into red and blue teams. In a gamified environment, one group performed a denial-of-service attack on the Domain Name System (DNS) server while the other had to figure out how to defend against it. (Sounds fun, right?) Once the executives are involved, all members of the organization will follow.

Culture Shock.

Remember, making a successful cyber security awareness training program involves changing the culture of the organization into a security-focused culture. Doing a CBT module once a year will not effect change; more is involved. If you were training to be a boxer or an MMA fighter, would you depend on just watching videos before entering a match? Can you imagine the outcome? The same goes for an awareness training program: real-life exposure is needed, such as using a simulation program to send real phishing emails and to do vishing, in addition to doing CBTs.

Everyone in an organization has a stake in keeping it secure. So, even though one person may be the only one officially assigned the task of running the training program, one or more senior leaders need to champion the program. This will help build confidence in the program and make it more visible. You can even involve the communications and marketing teams to help you create material and messaging that is engaging and captivating to your audience.

If one is going to influence change in behavior and culture and allow the training to have a lasting effect, post-training reinforcement needs to be established. Ongoing communications and content should be produced monthly not just once a year. So, build a catalog of content and available resources, build a portal where newsletters can be posted along with alerts and videos, and make the program fun.

What about the little guy?

Building a successful program takes time and resources. What should an organization do where resources are limited, or individuals who don’t get training from a corporate training program? Where time and resources are limited, start small and grow as your program gains credibility and more resources become available. Use small wins to demonstrate value. There are also plenty of free resources available. Use resources like the Social Engineering Framework, which provides plenty of examples and psychological principles of social engineering attacks, and access to tools such as the Social Engineer Toolkit that can be used to test the human element in an organization. Another free tool is the community edition of Lucy, which can do basic phishing campaigns. If you want to test your network and your users, you can use the free tools from KnowBe4. Subscribe to industry newsletters, such as this one, and follow blogs such as the Social-Engineer.org blog and the Social-Engineer.com blog, which discuss timely information on what is happening in the world of social engineering and how to be cyber security aware.

As a community we can all do our part to help in getting cyber security awareness training to others. One thing I’ve done, to help train others that may not get the benefits of cyber security awareness training at a company, is to openly discuss with friends and family phishing, smishing, vishing, and all the aspects of social engineering attacks that they need to be aware of. The result is that many will come and show me phish they received or tell me about a call they thought was “phishy”. As you get educated, spread the word to others, and this will help everyone get some cyber security awareness training.

Social engineering attacks will not be ending any time soon and they will constantly evolve. Therefore, we will always need regular cyber security awareness training to combat these attacks. Remember, your training program needs to be adaptive when dealing with ever-changing cyber threats, and it needs to continue to train your organization how to deal with them. What is your program going to look like for 2019? Let us know.

Stay safe and secure.

Written By: Mike Hadnagy

Sources:
https://rsmus.com/what-we-do/services/risk-advisory/case-studies/measuring-the-effectiveness-of-security-awareness-training.html
http://www.govtech.com/workforce/Solving-Cybersecuritys-People-Problem.html?utm_term=READ%20MORE&utm_campaign=Solving%20Cybersecurity%27s%20People%20Problem%2C%20The%20Four%20Myths%20About%20Digital%20IDs&utm_content=email&utm_source=Act-On+Software&utm_medium=email
https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf
https://cofense.com/building-security-awareness-program-start-strategy-goals/
https://securityintelligence.com/how-effective-is-security-awareness-training-for-threat-prevention/
https://www.idtheftcenter.org/wp-content/uploads/2018/11/2018-October-Data-Breach-Package.pdf
https://www.bizlibrary.com/article/employee-training-9-characteristics-of-top-programs/

Social-Engineer Newsletter Vol 08 – Issue 110

Hi, It’s Your Bank Calling


So, you receive a call and it’s a local number, or it’s the phone number of your bank. Should you answer it or let it go to voicemail? The caller ID looks familiar, so you answer. Can you trust that the person calling is who they say they are? Was this a sales call, a real call, or something called vishing?

Vishing???

Many people reason that if the number is showing as a known number, then the caller is who they say they are. However, the recipient may be unaware that the caller is looking to vish them. If you are unfamiliar with what vishing is, it is defined, according to The Social Engineering Framework, as the practice of eliciting information or attempting to influence action via the telephone. Vishing can literally be defined as voice phishing. The goal of vishing is similar to phishing in that it is to obtain valuable information that could contribute to the direct compromise of an organization or individual. Attackers can “spoof” their outgoing phone number to appear like a known number and pose as an authority figure, technician, or fellow employee in order to obtain sensitive information that could lead to the compromise of an organization or clean out your bank account.

Vishing has become one of the tools of choice by cybercriminals. An article from Fortune mentioned that the volume of mobile scam calls has increased from 3.7% of total calls in 2017 to 29.2% in 2018. They predict that the number will exceed 44% by early 2019.

Learn by example

To get an idea of what the scammers are doing, let’s look at some incidents that have been reported:

An article by WHNT News 19 discussed how an FBI agent’s mother fell for a call from someone pretending to be a relative who had a DUI and needed money. It also discussed how hundreds of a credit union’s clients received fraudulent calls from fraudsters spoofing bank numbers and asking them to validate their cards by providing the 3 numbers on the back.

Another incident involved someone claiming to be from the Woodburn, Oregon police department that called and told the victim to call a second number. That number belonged to a person who claimed to be an attorney for the police department.

The alleged attorney then directed the person to remain on the phone, go to a retail location, and buy a prepaid debit card to clear their fake warrant. When the person, being directed by the fake attorney, arrived at the store, a store employee told the person it was a scam. The phone call was then ended. The fraudulent caller used a fake caller ID showing the actual Woodburn PD number.

Some additional scams are the IRS Scam, the Kidnapping Scam, the Social Security Scam, and the Tech Support Scam:

  • The IRS Scam involves someone pretending to be an agent of the IRS who tells you they have a warrant for your arrest unless you pay some money immediately.
  • The Kidnapping Scam is where the scammer tells you he has kidnapped a family member, and that you need to make immediate payment for their release.
  • The Social Security Scam comes in many forms. One variant is where the caller poses as an SSA employee and needs personal information to round out your file. Another is you’re told that the SSA wants to increase your benefit payment but needs additional information to do so. A third variant involves a threat of stopping your Social Security benefits if you don’t give them the requested information.
  • The Tech Support Scam is where the caller attempts to have you pay for fraudulent tech support. Many of my friends have dealt with this and, unfortunately, two of them even fell for the call and paid money to the scammer.

“I’ll never fall for that”

You may reason that you are too tech savvy to become a victim of a vishing call. Many think that way and in the article Voice Phishing Scams Are Getting More Clever by Brian Krebs, he relates several experiences of tech savvy people that either fell for a scam or came critically close to falling for one.

What is it that makes people, even tech savvy people, fall for these calls? Let’s break down the call and see:

  • The caller ID looks familiar;
  • The caller is persistent, calling back multiple times, creating a sense of urgency or importance to get you to answer;
  • The caller uses a pretext that sounds believable;
  • The caller uses rapport and trust to convince you that everything they do and say is for your best interest;
  • The caller has personal information on you that you believe only the legitimate company would know. Information such as the last 4 digits of your credit card or Social Security number;
  • When you combine all these points and the fact that the caller will do all they can to influence you into giving them the information they need, even the most tech savvy person may fall for the call.

Do I need to answer?

What should you do to keep from becoming a victim of vishing? Corporations can help their employees by including vishing training as part of their security awareness program, and by training employees to report any suspicious work calls to the appropriate team at the company. As an individual, if the call isn’t from someone in your contacts, let the call go to voicemail. You don’t have to answer every phone call. But if you really feel the need to answer the call, then apply the following strategies:

  • Trust your gut. Most of the time, if a call is making you uncomfortable, realize you are probably right. Hang up and report the call.
  • If the caller says they are from your bank, hang up and call the number on the back of your card.
  • If the caller says he is a vendor or client, hang up and call a known number for that entity.
  • If any caller asks you for PII (personally identifiable information), do not give anything to an unverified caller, regardless of any threats they may make.
  • If you receive an urgent call from a supposed family member to whom something tragic has happened, call that family member or other close relatives to verify the story directly before you wire or send any money. (Do this even if they beg you not to.)
  • Remember, scammers want to drive you to react emotionally, so if you receive a possible vishing call take pause, breathe, and take a moment to get your critical thinking back in place before you are manipulated into making a poor decision.

Keep these tips in mind as you keep your family, finances and personal information secure and safe from malicious vishers.

Stay safe and secure,

Written By: Mike Hadnagy


Social-Engineer Newsletter Vol 08 – Issue 109

Teach Early, Teach Often: Cybersecurity Education for Children

This month marks the 15 year anniversary of Cybersecurity Awareness Month in the United States, and it is an important time to remember the systems we protect as well as the social systems that affect them. According to National Cyber Security Awareness Month (NCSAM), their theme this year is that “Cybersecurity is our shared responsibility and we all must work together to improve our Nation’s cybersecurity.” This message really resonates with the team here at SEORG, and me in particular. We spend our days and our careers helping clients, friends, and family improve their security posture. We look to provide our clients with tangible data to guide them in the security education of their staff. The human endpoints are often the hardest to secure, as each human learns in different ways, some need more instruction than others, and they have varying degrees of prior information security and systems knowledge. This last point is critical; to date, the world over, there is little regular exposure to STEM and cybersecurity in educational systems.

Adults in the information security industry could have entered their roles more prepared had educational systems provided curriculum that mirrored real world needs through an increased focus on STEM curriculum and the accompanying cyber security education users of technology should, ideally, receive. So, while we are teaching our adult learners to improve their security stance, let us not forget about the needs and positive, lasting effects of exposing children to technology, engineering, and cybersecurity skills early and often. Exposing young minds to quality STEM and cybersecurity education will strengthen all of our companies and human endpoints but failing to provide this instruction to today’s youth will result in a workforce that struggles to keep up with the information security needs of the future.

Connecting education and information security

Children today will be the information security professionals who will secure our retirement, secure our increasingly connected healthcare systems, and inherit our digital world. We must begin preparing them from elementary school ages for the ever-quickening pace of technology, and the security needs that come with it. Unfortunately, this is not the status quo in many schools across the globe and that may not change within education systems themselves for many years. While some schools and nations provide better technology programs to children than others, the vast majority of students the world over are not receiving early education on cybersecurity and STEM related skills. This will leave our young learners and future leaders at a disadvantage in the future work force.

Unfortunately, many young students are victims of the ever broadening “opportunity gap,” or the fact that being born into certain zip codes and societal constructs negatively affects the educational opportunity and lifelong opportunity of children. While this phrase is often used in terms of America’s school systems, the concept of the opportunity gap affects students and children globally. Many students are not receiving early or regular exposure to quality science, technology, engineering, and mathematics (STEM) curriculum that provides the foundation for cybersecurity education and an understanding of informational systems.

Networks, organizations, and security departments are all systems. These systems recruit their human endpoints, their people, directly from educational systems; educational systems which desperately underserve many students, thus widening the current opportunity gap. The information security industry will struggle to secure its people as long as they come out of systems that are under-preparing them for the modern world and modern opportunities. And yet, despite a lack of exposure, children are some of the best and most determined little hackers I have ever met.

Immediately after college, I taught 4th and 6th grade math and science in a rural school district in eastern Arkansas as a corps member with Teach for America. The concept of the program is to take individuals with proven track records of success, either in their academic or professional careers, and train them to teach in low-performing school districts quickly. Corps members make a two-year commitment, and then return to their previous careers, stay in education, or pivot to a new endeavor. The school I taught in had received a grant from Apple for all students to have access to a computer, which then required a staff member to become the IT administrator of the school so hundreds of students with computers had oversight. When the admin would release a new security protocol on the network, it would take mere days for at least one of my very young students to find a way around it and access their favorite YouTube channels and online games. The IT admin would constantly lose their blue teaming endeavors to creative, red teaming children with zero experience. Every. Single. Time.

What can you do?

Kids are hungry to learn. They are ready for challenging STEM and cybersecurity curriculum. They are ready for puzzles, cryptography, and exposure to critical thinking exercises and cybersecurity education for children, but so many of them are denied the opportunity to learn these things based on circumstances they have no control over, circumstances they were born into.

Our industry needs critical thinkers. Our industry needs diversity. Our industry needs a future with qualified professionals. Fortunately, there is a wealth of curious, diverse minds out there waiting for interesting learning opportunities. For the 15th anniversary of Cybersecurity Month, I challenge you to impart your skills to young, hungry minds. An added benefit is that many employers will allow their employees to take volunteer days, and, even if this does not apply to you, volunteering looks great on your resume and is very emotionally rewarding. To get involved, here are some ideas:

  • Volunteer to speak at a local school and/or plan interactive games to teach children about protecting their online identities, cryptography, and other cybersecurity and critical thinking skills.
  • Get involved with, or plan, outreach events like the SECTF4Kids and the SECTF4Teens that introduce children and teens to social engineering, puzzles, problem solving, and critical thinking.
  • Educate children in your nuclear and extended family early and often about cybersecurity, their online safety, as well as how the internet is connected, and information is stored. PBS offers a great learning lab aimed at teaching children and teens about securing networks and what types of information attackers are interested in.
  • Provide students and children a safe reporting environment, where if they encounter something alarming online, they have a safe place to tell a knowledgeable adult.
  • If you have children, have them work with you when updating or changing your home network. Talk them through the steps and expose them to the concepts.

It’s never too early to start teaching children the skills we wish all of our end users had. It’s never too early to start teaching children about their online safety. And it’s never too early to begin raising the industry leaders of the future.

Go forth and share your knowledge with the little people.

Written By: Cat Murdock
