<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Talk Tech To Me - GFI Blog &#187; social engineering attack</title>
	<atom:link href="http://www.gfi.com/blog/tag/social-engineering-attack/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.gfi.com/blog</link>
	<description>Brought to you by GFI Software</description>
	<lastBuildDate>Fri, 10 Feb 2012 17:18:42 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
		<item>
		<title>Is Privacy Dead?</title>
		<link>http://www.gfi.com/blog/privacy-dead/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=privacy-dead</link>
		<comments>http://www.gfi.com/blog/privacy-dead/#comments</comments>
		<pubDate>Mon, 28 Jun 2010 13:34:24 +0000</pubDate>
		<dc:creator>Emmanuel Carabott</dc:creator>
				<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[social engineering attack]]></category>
		<category><![CDATA[social networking]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=2556</guid>
		<description><![CDATA[With the advent of the internet many people seem to forget about privacy and its importance.  Some people claim that privacy is actually dead and has been for a while and we have plenty of examples of people who knowingly &#8230;]]></description>
			<content:encoded><![CDATA[<p><a class="lightbox" title="Privacy" href="http://www.gfi.com/blog/wp-content/uploads/2010/06/Privacy.jpg"><img class="alignright size-medium wp-image-2557" style="border: 0pt none; margin: 10px;" title="Privacy" src="http://www.gfi.com/blog/wp-content/uploads/2010/06/Privacy-300x225.jpg" alt="" width="300" height="225" /></a>With the advent of the internet many people seem to forget about privacy and its importance. Some people claim that <a href="http://adage.com/digitalnext/post?article_id=144134" target="_blank">privacy is actually dead</a> and has been for a while, and we have plenty of examples of people who knowingly and willingly breach their own privacy, but does this mean that people no longer care about privacy?</p>
<p>What is obvious is that people nowadays seem to love sharing every little aspect of their lives with the whole world. This ranges from social networking sites like Facebook to people like Jennifer Ringley, whose famous <a href="http://en.wikipedia.org/wiki/Jennifer_Ringley" target="_blank">JenniCam</a> site broadcast unedited and uncensored footage of her life from 1996 to 2003.</p>
<p><span id="more-2556"></span></p>
<p>Another possibility is that people consider social networking sites to be fun and are therefore carefree in their usage. Stories such as <a href="http://www.canada.com/ottawacitizen/news/business/story.html?id=8b2bf234-06b4-419f-b5f7-35e3dc338637" target="_blank">employees getting fired</a> due to comments about their current employer seem to suggest this is indeed the case. In this case I would assume that Farm Boy employees thought that being a ‘members only’ group would keep their comments private, but in a world where <a href="http://www.theregister.co.uk/2010/03/25/full_acta_text_leaked/" target="_blank">secret treaties are leaked</a>, can anyone really expect that limiting access is protection enough? Apparently some people are willing to bet their jobs that it is. Worse yet, it’s not an isolated case, as there are many known cases of <a href="http://en.wikipedia.org/wiki/Use_of_social_network_websites_in_investigations" target="_blank">people incriminating themselves on social sites</a>.</p>
<p>It’s not just about knowingly sharing your personal details with the world either. Nowadays no one thinks twice about buying items off the internet; it’s convenient and easy, but not everyone understands the privacy one sacrifices in doing so. When buying online you’re sharing a lot of confidential information, including your credit card number, name and address. We’re trusting that those details will be kept safe, that they will not be misused and that the company we’re buying from is secure. Unfortunately this isn’t always the case, as I myself discovered when one of the credit cards I use exclusively online was used to buy services on the other side of the globe. None of the companies I bought from advised me of any breach they suffered which compromised my credit card number, and there were no reports in the media either. That said, I still didn’t stop buying online even after falling victim to the dangers involved.</p>
<p>On one hand we live in the information age; no matter how much you value your privacy it’s impossible to keep everything secret. Every subscription, online purchase, bulletin board registration, social networking site participation, government institution and more will record your details and store them in some form or another. Whether we want to or not we have to trust that these entities will keep this data safe from threats both outside and within their infrastructure.</p>
<p>On the other hand we do not want to make an already bad situation worse. Going back to Jennifer Ringley (the person who started the trend of lifecasting), we have someone who didn’t mind sharing every intimate moment of her life with the whole world, yet was still annoyed when people started calling her after she recited her phone number over the phone while streaming to everyone watching her cast.</p>
<p>The truth is that most of the time we’re better off if certain details remain private. Every piece of information which becomes public could potentially be used by social engineers. Think of something as trivial as an internal telephone list, where a social engineer has a list of employees, their titles and telephone numbers. Let’s assume the social engineer wants to gain access to credit card details. He first needs to log in, and for that he requires credentials. With a phone list he could try a simple social engineering attack: he calls up the sales manager and asks for an employee who works in sales; when the manager says he got the wrong number, he asks to be forwarded to that person (in this case his victim) and tells the victim that he is sitting next to the victim’s manager, that they’re running an audit (or any other excuse), and asks for the victim’s credentials. The victim knows the call is coming from his manager’s office (because it was forwarded) and this person called him by name, so he would assume the attacker is indeed sitting next to his manager while asking for his credentials; he is therefore very likely to comply with the request. A simple attack, and all that was needed was a phone list.</p>
<p>A lot of information can be used by hackers to launch targeted attacks. If one of your employees posts on Twitter that your company still refuses to upgrade from IE 6 even though everyone knows how insecure it is (an actual post I came across), an attacker who has exploits that target IE 6 knows which company to launch an attack on.</p>
<p>Social sites have made people want to share every detail of their lives with everyone, and in turn they’ve become more trusting. In itself it’s a nice concept; sharing is good, but it can also be dangerous to a person or an organization. When something is shared with the world, it has gone public and in most cases is impossible to take back. That being said, it is also important to understand that in most cases privacy only helps in hiding the problem. If the employee hadn’t posted about his company using IE 6, it would still have been using IE 6 and it might still be vulnerable. If Farm Boy employees hadn’t written about their unhappiness with their workplace they’d still be unhappy. A social engineer with no access to a phone list can still call up a company and social engineer his way to a potential victim’s details, such as the manager’s name and phone number.</p>
<p>Privacy might only buy you some time while fixing the real problems; however, it still remains a core value that we should retain as important, especially online.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/privacy-dead/feed/</wfw:commentRss>
		<slash:comments>12</slash:comments>
		</item>
		<item>
		<title>Protecting your employees from themselves</title>
		<link>http://www.gfi.com/blog/protecting-employees/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=protecting-employees</link>
		<comments>http://www.gfi.com/blog/protecting-employees/#comments</comments>
		<pubDate>Wed, 05 May 2010 14:01:14 +0000</pubDate>
		<dc:creator>Emmanuel Carabott</dc:creator>
				<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[internet monitoring]]></category>
		<category><![CDATA[log monitoring]]></category>
		<category><![CDATA[scams]]></category>
		<category><![CDATA[social engineering attack]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=2236</guid>
		<description><![CDATA[Scams are getting bolder and more intelligent all the time. Recently the BBC broke a story about a new scareware malware which exploits people looking for pornography. The malware, which masquerades as a pornographic game, once downloaded and run takes &#8230;]]></description>
			<content:encoded><![CDATA[<p><a class="lightbox" title="Employee Protection" href="http://www.gfi.com/blog/wp-content/uploads/2010/05/Employee-Protection.jpg"><img class="alignright size-medium wp-image-2237" style="border: 0pt none; margin: 10px;" title="Employee Protection" src="http://www.gfi.com/blog/wp-content/uploads/2010/05/Employee-Protection-200x300.jpg" alt="" width="140" height="210" /></a>Scams are getting bolder and more intelligent all the time. Recently the BBC broke a story about a <a href="http://news.bbc.co.uk/2/hi/technology/8622665.stm" target="_blank">new scareware malware which exploits people looking for pornography</a>. The malware, which masquerades as a pornographic game, once downloaded and run takes screenshots of the victim’s internet browser history and uploads them to a central page. The victim is then informed that they got caught breaking copyright law and asked to pay a fine to get it removed, or else this would lead to a lawsuit.</p>
<p>If such an event were to occur in the workplace I am pretty sure the victim wouldn’t think twice about paying, believing that if he doesn’t this will surely lead to his dismissal once the situation escalates into a lawsuit. Granted, if an employee is browsing pornography in his workplace he might deserve that; however, scams tend to evolve and it’ll only be a matter of time before we start to see variations on this theme.</p>
<p><span id="more-2236"></span></p>
<p>I also think that the monetary damage caused to employees is not the only danger which a company might face. One must consider that these scammers are trying to make the victim believe that they are in contact with a lawyer. The scam preys on the fact that the victim has done something bad and potentially illegal, and that lawyers have gotten wind of it and are thus trying to punish him. Additionally, anyone who follows the news knows that ignoring lawyers who are threatening you will generally not make the problem go away. Thus one can be sure the victim will make contact with the attacker. What we would have at this stage is a dangerous connection that can lead to an even more dangerous social engineering attack.</p>
<h2>What’s a social engineering attack?</h2>
<p>If an employee did something bad and believes he broke the law and got caught, then he will also be afraid that if his employers were to know about it he would lose his job. On the other hand, if he believes that he is in contact with lawyers who are willing to make the problem go away, then there is no threat of him being dismissed from work. And this is what makes the perfect recipe for a successful social engineering attack. The victim will do anything to keep the lawyers (the attacker in disguise) happy. He will try to accommodate all their requests to prevent this from escalating, as he believes that if he fails to reach a settlement then a lawsuit against his workplace will be what comes next.</p>
<p>The final question is: What can an attacker have the victim reveal? That’s hard to tell as it often depends on the particular situation; however, let’s assume that this all started because of copyright infringement (maybe the victim was looking for music, or software).</p>
<p>The victim could be persuaded to hand over the license keys that the company uses for all its software as ‘proof’ that this was a single, isolated case. Taking it a step further, the attacker might ask for login credentials in order to do an “audit” and confirm that the company is not using other unauthorized software. A daring attacker might even ask for source code, blueprints, designs and other such things under the false premise that the attacker (i.e. who the victim thinks is actually a lawyer) just wants to ensure that no patents from the clients he is representing are being infringed. Employees will generally not fall for such attacks; however, in a situation such as this it is very likely that an employee will comply, believing that what he is doing is safe (in his eyes it’s lawyers running a routine audit) and will also help him avoid getting fired.</p>
<h2>How can a business protect against such a situation?</h2>
<p>There aren’t too many options against this kind of attack. Making employees aware of these kinds of attacks can offer some protection; however, if an employee is not concerned with company policies then it’s not very likely that he’ll be willing to risk his job by reporting the incident (since this likely resulted from him breaking company policy in the first place).</p>
<p>My belief is that in such a situation the only effective option would be monitoring. There are various monitoring techniques that apply to this scenario. Internet monitoring, and possibly running a virus scanner on anything downloaded in the workplace, might help protect employees and prevent them from becoming victims. Monitoring logs and outbound file transfers can detect when such an attack is in progress, so that it can hopefully be stopped before too much damage is done. Finally, monitoring user activity, while it might have a negative impact on employee morale, could actually prevent these kinds of scams from escalating, thus safeguarding the employee’s job.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/protecting-employees/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Hacking Devices &#8211; How to protect yourself from data theft</title>
		<link>http://www.gfi.com/blog/hacking-devices/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=hacking-devices</link>
		<comments>http://www.gfi.com/blog/hacking-devices/#comments</comments>
		<pubDate>Thu, 19 Nov 2009 13:50:02 +0000</pubDate>
		<dc:creator>Emmanuel Carabott</dc:creator>
				<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[social engineering attack]]></category>
		<category><![CDATA[virtual theft]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=1590</guid>
		<description><![CDATA[Some time ago I wrote an article about preventing virtual theft &#8211; theft of goods from a virtual world (such as a game) by compromising the machine from which you play the game &#8211; and loyal reader John Mello pointed &#8230;]]></description>
			<content:encoded><![CDATA[<p><span style="font-weight: normal; font-size: 13px;"><a class="lightbox" title="Mobile Phone Security" href="http://www.gfi.com/blog/wp-content/uploads/2009/11/shutterstock_1521528.jpg"><img class="alignright size-medium wp-image-1591" style="margin: 10px;" title="Mobile Phone Security" src="http://www.gfi.com/blog/wp-content/uploads/2009/11/shutterstock_1521528-199x300.jpg" alt="" width="159" height="240" /></a>Some time ago I wrote an article about <a href="http://www.gfi.com/blog/prevent-virtual-theft/">preventing virtual theft</a> &#8211; theft of goods from a virtual world (such as a game) by compromising the machine from which you play the game &#8211; and loyal reader John Mello pointed out how it’s not only gamers who have to worry about virtual theft but also mobile phone users who are being increasingly targeted by malicious hackers.</span></p>
<p>The following series of articles will focus on a risk that is often neglected &#8211; having your company compromised through devices instead of its computers. In this first article we’ll focus on a device that is found in every company &#8211; the mobile phone.</p>
<p><span id="more-1590"></span></p>
<h2>Mobile Phones</h2>
<p>Mobile phones are indeed an essential part of every worker’s life nowadays. With the improvement in technology, mobile phones are now used as personal organizers and as such are used as a direct business tool that contains secrets that need to be closely guarded. Every modern mobile phone nowadays includes Bluetooth. Bluetooth is a useful wireless connection protocol that enables your phone to connect to devices without any cables. Unfortunately a number of issues in Bluetooth have enabled hackers to exploit some implementations. Tools are available that can do a range of things, from harvesting information about the phone to stealing confidential information such as the phone book. It doesn’t end there either.</p>
<h3>BlueBugging</h3>
<p>How about going all out and turning a mobile phone into a 007 style gadget? In 2004, a German researcher named Herfurt discovered a bug in some Bluetooth implementations that, when exploited, allowed a PC to convince a vulnerable mobile phone that it is its legitimate wireless headset and thus give nearly total control of the phone to the program. This practice became known as BlueBugging and it provided some interesting options. For example, this exploit could be used to have a phone silently dial another phone, effectively turning that phone into a mobile spying device whereby the attacker could silently listen in on any conversation within reach of the phone. Other uses could be to set up call forwarding, where calls intended for the victim are forwarded to the attacker. This can also be used to steal money by having calls forwarded to premium numbers under the control of the attacker. The risk to the company here is that the victim’s mobile phone could be used to spy on meetings and to steal the contact information of high profile clients / contacts.</p>
<h3>Bluesnarfing</h3>
<p>Another insidious risk is a practice called bluesnarfing. Bluesnarfing involves the use of Bluetooth to hack into a mobile phone and copy information; this varies from the address book to stored emails, photos and text messages. If the mobile phone is used for business related activities, contacts and text messages might include sensitive information that a company would not want compromised.</p>
<h3>Social Engineering</h3>
<p>High tech direct attacks on a mobile phone are not the only way to get access to sensitive information. Sometimes hackers target the phone company itself and convince an employee to give them access to the victim’s account. With some mobile phones storing information with the telecom company itself, this can be quite risky (as <a href="http://www.washingtonpost.com/wp-dyn/content/article/2005/05/19/AR2005051900711.html">the very famous episode with Paris Hilton has shown</a>). The Washington Post article reports that the hack itself involved hackers phoning a T-Mobile sales rep and using a social engineering attack to get the information needed to access Paris Hilton’s online storage and copy her pictures and contacts.</p>
<h3>Physically tampering with the mobile phone</h3>
<p>In cases where Bluetooth is not available and a social engineering attack on a telecom employee will not work, a malicious person has yet one last option available to him. There are spy applications for mobile phones that, once installed, lie there stealthily gathering information and uploading it whenever they have a chance (whenever the mobile connects to the internet, either via Wi-Fi or GPRS). More advanced spy applications allow access to the microphone, call interception and GPS location data. The only challenge for the attacker here would be to gain physical access to the mobile phone for around 3 minutes to install the spy application, but after that he has access to all the mobile phone data from anywhere in the world.</p>
<h2>How to protect oneself against such attacks</h2>
<p>Bluetooth attacks can be mitigated by disabling Bluetooth if you do not really use it. If you use it for devices such as a hands-free set, then make sure you monitor for and install mobile firmware updates whenever a security update is released. The flaws behind most of these attacks are generally patched when they go public, but unfortunately not a lot of people update their mobile phone firmware, because doing so generally wipes the mobile phone, which can be a hassle for the customer.</p>
<p>Always keep your mobile phone with you. Leaving your mobile phone unattended can give a malicious person the time that he needs to compromise it. Don’t forget that it only takes 3 minutes for a malicious person to compromise your phone and gain the ability to spy on you whenever he wants.</p>
<p>If your mobile phone stores information online at the telecom company site, keep in mind that your data is potentially at risk on two fronts, one of which you have no control over.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/hacking-devices/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Thousands of Hotmail login credentials stolen</title>
		<link>http://www.gfi.com/blog/thousands-hotmail-login-credentials-stolen/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=thousands-hotmail-login-credentials-stolen</link>
		<comments>http://www.gfi.com/blog/thousands-hotmail-login-credentials-stolen/#comments</comments>
		<pubDate>Tue, 06 Oct 2009 10:18:52 +0000</pubDate>
		<dc:creator>Emmanuel Carabott</dc:creator>
				<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[hotmail]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[social engineering attack]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=1344</guid>
		<description><![CDATA[News has broken out that a large number of Hotmail/Windows Live credentials have been stolen and published on the internet. It is not yet clear how these credentials were obtained; however, Microsoft claims it was by means of a phishing &#8230;]]></description>
			<content:encoded><![CDATA[<p><a class="lightbox" title="Hotmail accounts hacked" href="http://www.gfi.com/blog/wp-content/uploads/2009/10/Hotmail-accounts-hacked.jpg"><img class="alignright size-medium wp-image-1345" style="margin: 10px;" title="Hotmail accounts hacked" src="http://www.gfi.com/blog/wp-content/uploads/2009/10/Hotmail-accounts-hacked-300x225.jpg" alt="" width="300" height="225" /></a>News has broken out that a large number of Hotmail/Windows Live credentials have been stolen and published on the internet. It is not yet clear how these credentials were obtained; however, Microsoft claims it was by means of a phishing attack.</p>
<p>In any case I recommend that you change your password/secret question at once should you own an account with these systems. Furthermore, it is always wise to use a different password for each system, and ideally the password should never be written down. If you need to store passwords because you have many accounts, ensure that your password repository is well secured. Keep in mind that if anyone were to get his hands on your password repository, everything you use that requires security has virtually had that security disabled.</p>
<p><span id="more-1344"></span></p>
<p>It is very important that this issue is not ignored. I have seen some posts on forums of people claiming they don’t care if their account was compromised and that they are not worried; however, I think they’re underestimating the impact that this can have. The obvious risk here is identity theft/social engineering. If you use this account to communicate with other people, any emails sent from this account (even if not by you) will be considered by the recipient as coming from you. This can be especially dangerous if you have an address book which has people labelled by relationship. Also, the same credentials might give access to other services such as messenger services. Again, here people might log in using your account and interact with your friends/family, with them thinking they’re talking to you.</p>
<p>Consider someone who accesses your email and from the address book gets the email addresses of relatives. He uses your account again to get on your messenger service and checks which of your relatives are online. He subsequently pretends that he (you, as far as the victim can tell) is in trouble and needs money urgently, and tries to get credit card details from them. It could happen. Social engineering is a real danger, and getting an identity that has “high level access”, so to speak, with his victim is a powerful advantage for any social engineer.</p>
<p>Another danger would be for the perpetrator to use your email account to commit crimes which will then be traced back to you.</p>
<p>Treat this as a serious issue and change your password as quickly as possible. As they say, better safe than sorry.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/thousands-hotmail-login-credentials-stolen/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Security: The Human Element</title>
		<link>http://www.gfi.com/blog/security-human-element/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=security-human-element</link>
		<comments>http://www.gfi.com/blog/security-human-element/#comments</comments>
		<pubDate>Mon, 22 Jun 2009 08:26:44 +0000</pubDate>
		<dc:creator>Emmanuel Carabott</dc:creator>
				<category><![CDATA[Tech Zone]]></category>
		<category><![CDATA[policies]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[security threats]]></category>
		<category><![CDATA[social engineering attack]]></category>

		<guid isPermaLink="false">http://www.gfi.com/blog/?p=178</guid>
		<description><![CDATA[One aspect of security that is often overlooked is the Human Element. People are a factor in IT infrastructure and as such are also a possible attack vector. Business organizations should take this aspect of security as seriously as any &#8230;]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-medium wp-image-198" style="margin: 10px;" title="Security the human element" src="http://www.gfi.com/blog/wp-content/uploads/2009/06/Security-the-human-element-300x222.jpg" alt="" width="192" height="142" />One aspect of security that is often overlooked is the Human Element. People are a factor in IT infrastructure and as such are also a possible attack vector. Business organizations should take this aspect of security as seriously as any other, which can be achieved through training and adequate policies.</p>
<p>There are many ways in which the human element can be exploited: some are obvious, and people can be trained to easily identify them and cater for them; some require constant vigilance and can be catered for by policies; and then there are those that can be devious and very tricky to cater for, which might require a mix of policies and training.</p>
<h3>Protecting against the Simple Threats</h3>
<p>There are a number of attacks that can be performed on the human element of the IT infrastructure. The most common attack is most likely using the email vector to convince a person to click a malicious attachment that will install Trojans or other malicious software. This attack vector can easily be tackled by installing security software to protect the email system, and also more importantly by educating employees to never open attachments which do not have a legitimate business purpose as well as to identify those that pretend to be business related but in truth are not.</p>
<p><span id="more-178"></span>It’s also important to teach employees to respect and protect confidential information. Things like passwords are there for a reason and people should be trained to respect that reason; this will prevent instances where employees see passwords as a nuisance and, to avoid having to memorize them, end up writing them on a sticky note that they then affix to their monitor. This would also protect against employees leaving confidential documents lying around, and make them appreciate the need to shred documents rather than just throwing them away, where they can be retrieved from the garbage through the practice of dumpster diving.</p>
<p>Another important aspect of security is hardware control. Protection here is once again a mix of both software and user education. Employees should be taught about the potential dangers of bringing portable storage from home (the risk of virus transfer) and of connecting devices such as laptops or wireless routers that can leave your organization open to great risks from outside access to your inner networks. Employees should be taught to appreciate the risks of these practices and why they shouldn’t be done. Often employees are not aware of the risks involved and do things as a personal initiative to try and boost productivity, but despite the good intentions, the risks still remain.</p>
<h3>Protecting against the Complex Threats</h3>
<p>The biggest danger and by far the most difficult to cater for is a targeted attack. Social engineering is probably the most insidious threat that the human element in an organization will suffer. It is not difficult to teach employees to detect general attacks such as phishing emails because it is easy to identify their general nature; however, when attacks are targeted it is a different matter altogether and becomes far more difficult. Let me illustrate through an example.</p>
<p>Let’s assume that I am a malicious person trying to get access to a sales database and I want to get hold of a user name and a password to steal credit card details. I can assume that it’s a safe bet that sales personnel might have an account on the database. My first step would be to get hold of the name of someone working in sales. Easy: one just needs to send a sales query to that company by email and in nearly all cases the reply will carry the name of a sales person. Next I need the phone number of someone who is not in sales. It shouldn’t be too hard to get that &#8211; I subsequently call that number and when that person answers I can pretend to have dialled the wrong number and ask that person to please forward my call to the sales person whose name I just got. When the sales person answers I would then introduce myself as someone calling from IT, invent a fictitious name (unless the company is really small there is a very good chance that this will not raise a red flag, and if it does I can always claim I am new), address that sales person by his/her name and come up with any excuse that might seem legitimate (e.g. we’re running an inventory of logins and passwords for the sales database and I need to know their login details to verify that they are correct) to try and get that person’s login name and password. There is a very good chance that if the person whom I phoned doesn’t have any security training, s/he will not doubt me and will give me the information that I asked for. After all, this is seemingly an internal call, I know his/her name, I work in IT and I asked an IT-related question. It’s evident that this attack would be quite insidious and difficult to detect, especially for an untrained person.</p>
<p>How can you really educate users to protect them against these types of attacks? As mentioned before, this needs to be a mixture of education and policies. A policy should be implemented instructing that no one should give his/her password to anyone. Employees should also be taught not to trust calls as being internal just because they seem so, especially if they are forwarded. Even if a person works for the company, confidential information should still be treated as confidential, and even if an employee thinks that the person requesting any confidential data should have access to that data, s/he should not give it out unless s/he is authorized to do so.</p>
<p>In conclusion, the human element is an attack vector to an IT infrastructure as much as anything else, and security needs to be in place to protect it. This is generally a mixture of software and education. In some cases it is an aspect that is overlooked, but when that happens it becomes just as dangerous to an organization as any other security breach; after all, it’s easier to access a person in an organization than a specific machine.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.gfi.com/blog/security-human-element/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

