Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

9/30/2014
10:50 AM
Connect Directly
Google+
Twitter
RSS
E-Mail vvv
50%
50%

How To Hack A Human

Check out social engineering expert and founder of the DEF CON Social Engineering Capture the Flag contest Chris Hadnagy's recent interview on Dark Reading Radio.

It happens every day, several times a day: An end-user opens an email attachment or clicks on a URL in an email thinking it's legit -- or just out of curiosity -- and boom, malware infects his or her machine, and the attackers get a foothold into the victim's corporate network.

Duping users is just too easy, and that's what makes social engineering so pervasive and dangerous. Most cyber espionage campaigns and financial-stealing malware attacks start with a clever, and sometimes ridiculously simple, phishing email, which ultimately leads to a major data breach.

Chief human hacker Chris Hadnagy, a social engineering expert and author from Social-Engineer.com, sees these scenarios play out every day while working with corporate clients to help them prevent their users from falling victim to these attacks. Hadnagy also hosts the annual Social Engineering Capture the Flag contest at DEF CON, which this year focused on retailers -- particularly employees at some of the nation's biggest big-box stores (including Home Depot) who gave away troves of potentially sensitive information to cold-callers posing sometimes as the IT department.

[Famed annual contest reveals how many retailers lack sufficient defenses against social engineering. Read Home Depot, Other Retailers Get Social Engineered.]

Hadnagy joins Dark Reading Radio on Wednesday, October 1, at 1:00 p.m. New York time (10:00 a.m. in San Francisco), to talk about the latest social engineering ploys, including those used in the Social Engineering Capture the Flag contest at DEF CON. Hadnagy will explain how his firm works with clients to protect themselves against social engineering and will also provide a postmortem of the DEF CON contest, where Home Depot was among the most socially engineered targets.

Join us tomorrow for the show, which includes a live online chat, where you can ask Hadnagy your social engineering questions. Just register here

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
10/1/2014 | 10:26:11 AM
Re: Awesome Guest
I've known Chris for a few years, and he always has interesting insight and anecdotes about what he sees out there in the social engineering threatscape. I am really looking forward to our show today--it will be fun, but also eye-opening. 
Alison_Diana
50%
50%
Alison_Diana,
User Rank: Moderator
10/1/2014 | 10:20:52 AM
Awesome Guest
Chris is a fantastic speaker on the scary topic of social engineering. I recall interviewing him for a piece I wrote at Internet Evolution, where he told me he'd much rather 'play' a janitor than an executive because cleaners and maintenance workers typically operate under the radar, making it simpler for them to access the information social engineers need to hack into a system or break an organization's defenses. While speaking to him, I wondered what I'd let slip, whether he knew more about me than I'd wanted him to, and you come away rethinking your entire social media and social interaction! He's a real eye-opener and I can't wait for this session!
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
9/30/2014 | 9:19:41 PM
Re: Phishing
@nomli, that is a very difficult task to manage. On a grand scale it is hard to ensure that the majority of users can do validity checks on incoming mail. As far as I know, I don't believe a phishing attack can be detrimental without user input. (I.E. clicking a link, downloading attachment, embedded code, etc) So I would stay stick to checking the links and scanning attachments before downloading. Especially if you are unsure of where the link brings you. This is difficult to manage even with mass education through public systems.

However, I do believe that it is a great idea @GonzSTL to introduce it to the public curriculum become more positive exposure would be beneficial. Its a start.

I think email providers need to have more stringent security functionality built into their email platform for the end user. Until then, it will be difficult to reach everyone consistently.

 
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
9/30/2014 | 3:58:12 PM
Re: Phishing
Many years ago, people were advised not to open emails from people they don't know, and especially not to open attachments to those messages. Now, malicious emails appear to come from people you do know! So the question is, what emails should the user open? It is simple enough to simply advise a user to first check the validity of an email by asking the sender if indeed that person sent the message. While that may be effective in determining if the email was valid, it does not guarantee that any attachments are "clean", not to mention the inconvenience of having to validate the authenticity of the message in the first place. It really has come to the point where business emails should first go through an external provider (either in the cloud or through an onsite appliance) for inspection and/or cleansing prior to delivery to the recipient. Yes, this is costly, but if a business wants to open messages with some degree of confidence, what choice do they have? Policies and awareness training can only be so effective.

It is a different story altogether for individuals at home, who usually do not want to spend money for this type of service, or who have not had security awareness training. Most of them rely on their anti-malware software to inspect their emails first before they open them, if they even do that. Home computers are likely the biggest segment in botnets because most home users are less careful or even worried about malware in emails. In today's connected environment, it isn't unusual for children to have their own email addresses, and if their emails are accessed via the common use home computer, then the probability of their home computer being compromised increases greatly. Perhaps providers of email services should use email protections prior to delivery, as a public service to their users. I understand that this can be quite costly, but if they want to earn their users' trust, maybe they should bite the bullet and do exactly that. Here's a thought – what if safe computing practices are part of a public school curriculum? As an IT professional and also a taxpayer, I'm all for that; after all, we do live in a highly technological and electronic age.
nomii
50%
50%
nomii,
User Rank: Apprentice
9/30/2014 | 2:19:45 PM
Re: Phishing
@Ryan true. But wjhat about the emails that looks like to be received from a familiar source.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
9/30/2014 | 12:07:25 PM
Phishing
This has been quite a talked about topic of late and it seems that it will continue to be. 

Some quick tips to combat phishing:

Don't open emails from unknown sources.

Hover over links to scan for misdirection.

Quarantine emails that you are definitely unsure about before opening.

 

I know I have missed some, does anyone else have quick tips that even non-tech users can follow to combat this type of attack?
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
9/30/2014 | 11:35:46 AM
Re: Scary
Absolutely, @shamika. And as you may know, the SE CTF at DEF CON shows how scammers/hackers/attackers can use voice calls to get potentially valuable intel out of their targets. 
shamika
50%
50%
shamika,
User Rank: Apprentice
9/30/2014 | 11:17:53 AM
Scary
This seems very scary. Yes as you explained it could be an email link. I think the social media has a high risk on this.
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
State of SMB Insecurity by the Numbers
Ericka Chickowski, Contributing Writer,  10/17/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16966
PUBLISHED: 2019-10-21
An issue was discovered in Contactmanager 13.x before 13.0.45.3, 14.x before 14.0.5.12, and 15.x before 15.0.8.21 for FreePBX 14.0.10.3. In the Contactmanager class (html\admin\modules\contactmanager\Contactmanager.class.php), an unsanitized group variable coming from the URL is reflected in HTML on...
CVE-2019-9491
PUBLISHED: 2019-10-21
Trend Micro Anti-Threat Toolkit (ATTK) versions 1.62.0.1218 and below have a vulnerability that may allow an attacker to place malicious files in the same directory, potentially leading to arbitrary remote code execution (RCE) when executed.
CVE-2019-16964
PUBLISHED: 2019-10-21
app/call_centers/cmd.php in the Call Center Queue Module in FusionPBX up to 4.5.7 suffers from a command injection vulnerability due to a lack of input validation, which allows authenticated attackers (with at least the permission call_center_queue_add or call_center_queue_edit) to execute any comma...
CVE-2019-16965
PUBLISHED: 2019-10-21
resources/cmd.php in FusionPBX up to 4.5.7 suffers from a command injection vulnerability due to a lack of input validation, which allows authenticated administrative attackers to execute any commands on the host as www-data.
CVE-2019-18203
PUBLISHED: 2019-10-21
On the RICOH MP 501 printer, HTML Injection and Stored XSS vulnerabilities have been discovered in the area of adding addresses via the entryNameIn and KeyDisplay parameter to /web/entry/en/address/adrsSetUserWizard.cgi.