Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

9/30/2014
10:50 AM
Connect Directly
Google+
Twitter
RSS
E-Mail vvv
50%
50%

How To Hack A Human

Check out social engineering expert and founder of the DEF CON Social Engineering Capture the Flag contest Chris Hadnagy's recent interview on Dark Reading Radio.

It happens every day, several times a day: An end-user opens an email attachment or clicks on a URL in an email thinking it's legit -- or just out of curiosity -- and boom, malware infects his or her machine, and the attackers get a foothold into the victim's corporate network.

Duping users is just too easy, and that's what makes social engineering so pervasive and dangerous. Most cyber espionage campaigns and financial-stealing malware attacks start with a clever, and sometimes ridiculously simple, phishing email, which ultimately leads to a major data breach.

Chief human hacker Chris Hadnagy, a social engineering expert and author from Social-Engineer.com, sees these scenarios play out every day while working with corporate clients to help them prevent their users from falling victim to these attacks. Hadnagy also hosts the annual Social Engineering Capture the Flag contest at DEF CON, which this year focused on retailers -- particularly employees at some of the nation's biggest big-box stores (including Home Depot) who gave away troves of potentially sensitive information to cold-callers posing sometimes as the IT department.

[Famed annual contest reveals how many retailers lack sufficient defenses against social engineering. Read Home Depot, Other Retailers Get Social Engineered.]

Hadnagy joins Dark Reading Radio on Wednesday, October 1, at 1:00 p.m. New York time (10:00 a.m. in San Francisco), to talk about the latest social engineering ploys, including those used in the Social Engineering Capture the Flag contest at DEF CON. Hadnagy will explain how his firm works with clients to protect themselves against social engineering and will also provide a postmortem of the DEF CON contest, where Home Depot was among the most socially engineered targets.

Join us tomorrow for the show, which includes a live online chat, where you can ask Hadnagy your social engineering questions. Just register here

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
10/1/2014 | 10:26:11 AM
Re: Awesome Guest
I've known Chris for a few years, and he always has interesting insight and anecdotes about what he sees out there in the social engineering threatscape. I am really looking forward to our show today--it will be fun, but also eye-opening. 
Alison_Diana
50%
50%
Alison_Diana,
User Rank: Moderator
10/1/2014 | 10:20:52 AM
Awesome Guest
Chris is a fantastic speaker on the scary topic of social engineering. I recall interviewing him for a piece I wrote at Internet Evolution, where he told me he'd much rather 'play' a janitor than an executive because cleaners and maintenance workers typically operate under the radar, making it simpler for them to access the information social engineers need to hack into a system or break an organization's defenses. While speaking to him, I wondered what I'd let slip, whether he knew more about me than I'd wanted him to, and you come away rethinking your entire social media and social interaction! He's a real eye-opener and I can't wait for this session!
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
9/30/2014 | 9:19:41 PM
Re: Phishing
@nomli, that is a very difficult task to manage. On a grand scale it is hard to ensure that the majority of users can do validity checks on incoming mail. As far as I know, I don't believe a phishing attack can be detrimental without user input. (I.E. clicking a link, downloading attachment, embedded code, etc) So I would stay stick to checking the links and scanning attachments before downloading. Especially if you are unsure of where the link brings you. This is difficult to manage even with mass education through public systems.

However, I do believe that it is a great idea @GonzSTL to introduce it to the public curriculum become more positive exposure would be beneficial. Its a start.

I think email providers need to have more stringent security functionality built into their email platform for the end user. Until then, it will be difficult to reach everyone consistently.

 
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
9/30/2014 | 3:58:12 PM
Re: Phishing
Many years ago, people were advised not to open emails from people they don't know, and especially not to open attachments to those messages. Now, malicious emails appear to come from people you do know! So the question is, what emails should the user open? It is simple enough to simply advise a user to first check the validity of an email by asking the sender if indeed that person sent the message. While that may be effective in determining if the email was valid, it does not guarantee that any attachments are "clean", not to mention the inconvenience of having to validate the authenticity of the message in the first place. It really has come to the point where business emails should first go through an external provider (either in the cloud or through an onsite appliance) for inspection and/or cleansing prior to delivery to the recipient. Yes, this is costly, but if a business wants to open messages with some degree of confidence, what choice do they have? Policies and awareness training can only be so effective.

It is a different story altogether for individuals at home, who usually do not want to spend money for this type of service, or who have not had security awareness training. Most of them rely on their anti-malware software to inspect their emails first before they open them, if they even do that. Home computers are likely the biggest segment in botnets because most home users are less careful or even worried about malware in emails. In today's connected environment, it isn't unusual for children to have their own email addresses, and if their emails are accessed via the common use home computer, then the probability of their home computer being compromised increases greatly. Perhaps providers of email services should use email protections prior to delivery, as a public service to their users. I understand that this can be quite costly, but if they want to earn their users' trust, maybe they should bite the bullet and do exactly that. Here's a thought – what if safe computing practices are part of a public school curriculum? As an IT professional and also a taxpayer, I'm all for that; after all, we do live in a highly technological and electronic age.
nomii
50%
50%
nomii,
User Rank: Apprentice
9/30/2014 | 2:19:45 PM
Re: Phishing
@Ryan true. But wjhat about the emails that looks like to be received from a familiar source.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
9/30/2014 | 12:07:25 PM
Phishing
This has been quite a talked about topic of late and it seems that it will continue to be. 

Some quick tips to combat phishing:

Don't open emails from unknown sources.

Hover over links to scan for misdirection.

Quarantine emails that you are definitely unsure about before opening.

 

I know I have missed some, does anyone else have quick tips that even non-tech users can follow to combat this type of attack?
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
9/30/2014 | 11:35:46 AM
Re: Scary
Absolutely, @shamika. And as you may know, the SE CTF at DEF CON shows how scammers/hackers/attackers can use voice calls to get potentially valuable intel out of their targets. 
shamika
50%
50%
shamika,
User Rank: Apprentice
9/30/2014 | 11:17:53 AM
Scary
This seems very scary. Yes as you explained it could be an email link. I think the social media has a high risk on this.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 5/28/2020
Stay-at-Home Orders Coincide With Massive DNS Surge
Robert Lemos, Contributing Writer,  5/27/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-11844
PUBLISHED: 2020-05-29
There is an Incorrect Authorization vulnerability in Micro Focus Service Management Automation (SMA) product affecting version 2018.05 to 2020.02. The vulnerability could be exploited to provide unauthorized access to the Container Deployment Foundation.
CVE-2020-6937
PUBLISHED: 2020-05-29
A Denial of Service vulnerability in MuleSoft Mule CE/EE 3.8.x, 3.9.x, and 4.x released before April 7, 2020, could allow remote attackers to submit data which can lead to resource exhaustion.
CVE-2020-7648
PUBLISHED: 2020-05-29
All versions of snyk-broker before 4.72.2 are vulnerable to Arbitrary File Read. It allows arbitrary file reads for users who have access to Snyk's internal network by appending the URL with a fragment identifier and a whitelisted path e.g. `#package.json`
CVE-2020-7650
PUBLISHED: 2020-05-29
All versions of snyk-broker after 4.72.0 including and before 4.73.1 are vulnerable to Arbitrary File Read. It allows arbitrary file reads to users with access to Snyk's internal network of any files ending in the following extensions: yaml, yml or json.
CVE-2020-7654
PUBLISHED: 2020-05-29
All versions of snyk-broker before 4.73.1 are vulnerable to Information Exposure. It logs private keys if logging level is set to DEBUG.