Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

9/30/2014
10:50 AM
Connect Directly
Google+
Twitter
RSS
E-Mail vvv
50%
50%

How To Hack A Human

Check out social engineering expert and founder of the DEF CON Social Engineering Capture the Flag contest Chris Hadnagy's recent interview on Dark Reading Radio.

It happens every day, several times a day: An end-user opens an email attachment or clicks on a URL in an email thinking it's legit -- or just out of curiosity -- and boom, malware infects his or her machine, and the attackers get a foothold into the victim's corporate network.

Duping users is just too easy, and that's what makes social engineering so pervasive and dangerous. Most cyber espionage campaigns and financial-stealing malware attacks start with a clever, and sometimes ridiculously simple, phishing email, which ultimately leads to a major data breach.

Chief human hacker Chris Hadnagy, a social engineering expert and author from Social-Engineer.com, sees these scenarios play out every day while working with corporate clients to help them prevent their users from falling victim to these attacks. Hadnagy also hosts the annual Social Engineering Capture the Flag contest at DEF CON, which this year focused on retailers -- particularly employees at some of the nation's biggest big-box stores (including Home Depot) who gave away troves of potentially sensitive information to cold-callers posing sometimes as the IT department.

[Famed annual contest reveals how many retailers lack sufficient defenses against social engineering. Read Home Depot, Other Retailers Get Social Engineered.]

Hadnagy joins Dark Reading Radio on Wednesday, October 1, at 1:00 p.m. New York time (10:00 a.m. in San Francisco), to talk about the latest social engineering ploys, including those used in the Social Engineering Capture the Flag contest at DEF CON. Hadnagy will explain how his firm works with clients to protect themselves against social engineering and will also provide a postmortem of the DEF CON contest, where Home Depot was among the most socially engineered targets.

Join us tomorrow for the show, which includes a live online chat, where you can ask Hadnagy your social engineering questions. Just register here

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
10/1/2014 | 10:26:11 AM
Re: Awesome Guest
I've known Chris for a few years, and he always has interesting insight and anecdotes about what he sees out there in the social engineering threatscape. I am really looking forward to our show today--it will be fun, but also eye-opening. 
Alison_Diana
50%
50%
Alison_Diana,
User Rank: Moderator
10/1/2014 | 10:20:52 AM
Awesome Guest
Chris is a fantastic speaker on the scary topic of social engineering. I recall interviewing him for a piece I wrote at Internet Evolution, where he told me he'd much rather 'play' a janitor than an executive because cleaners and maintenance workers typically operate under the radar, making it simpler for them to access the information social engineers need to hack into a system or break an organization's defenses. While speaking to him, I wondered what I'd let slip, whether he knew more about me than I'd wanted him to, and you come away rethinking your entire social media and social interaction! He's a real eye-opener and I can't wait for this session!
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
9/30/2014 | 9:19:41 PM
Re: Phishing
@nomli, that is a very difficult task to manage. On a grand scale it is hard to ensure that the majority of users can do validity checks on incoming mail. As far as I know, I don't believe a phishing attack can be detrimental without user input. (I.E. clicking a link, downloading attachment, embedded code, etc) So I would stay stick to checking the links and scanning attachments before downloading. Especially if you are unsure of where the link brings you. This is difficult to manage even with mass education through public systems.

However, I do believe that it is a great idea @GonzSTL to introduce it to the public curriculum become more positive exposure would be beneficial. Its a start.

I think email providers need to have more stringent security functionality built into their email platform for the end user. Until then, it will be difficult to reach everyone consistently.

 
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
9/30/2014 | 3:58:12 PM
Re: Phishing
Many years ago, people were advised not to open emails from people they don't know, and especially not to open attachments to those messages. Now, malicious emails appear to come from people you do know! So the question is, what emails should the user open? It is simple enough to simply advise a user to first check the validity of an email by asking the sender if indeed that person sent the message. While that may be effective in determining if the email was valid, it does not guarantee that any attachments are "clean", not to mention the inconvenience of having to validate the authenticity of the message in the first place. It really has come to the point where business emails should first go through an external provider (either in the cloud or through an onsite appliance) for inspection and/or cleansing prior to delivery to the recipient. Yes, this is costly, but if a business wants to open messages with some degree of confidence, what choice do they have? Policies and awareness training can only be so effective.

It is a different story altogether for individuals at home, who usually do not want to spend money for this type of service, or who have not had security awareness training. Most of them rely on their anti-malware software to inspect their emails first before they open them, if they even do that. Home computers are likely the biggest segment in botnets because most home users are less careful or even worried about malware in emails. In today's connected environment, it isn't unusual for children to have their own email addresses, and if their emails are accessed via the common use home computer, then the probability of their home computer being compromised increases greatly. Perhaps providers of email services should use email protections prior to delivery, as a public service to their users. I understand that this can be quite costly, but if they want to earn their users' trust, maybe they should bite the bullet and do exactly that. Here's a thought – what if safe computing practices are part of a public school curriculum? As an IT professional and also a taxpayer, I'm all for that; after all, we do live in a highly technological and electronic age.
nomii
50%
50%
nomii,
User Rank: Apprentice
9/30/2014 | 2:19:45 PM
Re: Phishing
@Ryan true. But wjhat about the emails that looks like to be received from a familiar source.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
9/30/2014 | 12:07:25 PM
Phishing
This has been quite a talked about topic of late and it seems that it will continue to be. 

Some quick tips to combat phishing:

Don't open emails from unknown sources.

Hover over links to scan for misdirection.

Quarantine emails that you are definitely unsure about before opening.

 

I know I have missed some, does anyone else have quick tips that even non-tech users can follow to combat this type of attack?
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
9/30/2014 | 11:35:46 AM
Re: Scary
Absolutely, @shamika. And as you may know, the SE CTF at DEF CON shows how scammers/hackers/attackers can use voice calls to get potentially valuable intel out of their targets. 
shamika
50%
50%
shamika,
User Rank: Apprentice
9/30/2014 | 11:17:53 AM
Scary
This seems very scary. Yes as you explained it could be an email link. I think the social media has a high risk on this.
97% of Americans Can't Ace a Basic Security Test
Steve Zurier, Contributing Writer,  5/20/2019
TeamViewer Admits Breach from 2016
Dark Reading Staff 5/20/2019
How a Manufacturing Firm Recovered from a Devastating Ransomware Attack
Kelly Jackson Higgins, Executive Editor at Dark Reading,  5/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5798
PUBLISHED: 2019-05-23
Lack of correct bounds checking in Skia in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page.
CVE-2019-5799
PUBLISHED: 2019-05-23
Incorrect inheritance of a new document's policy in Content Security Policy in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to bypass content security policy via a crafted HTML page.
CVE-2019-5800
PUBLISHED: 2019-05-23
Insufficient policy enforcement in Blink in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to bypass content security policy via a crafted HTML page.
CVE-2019-5801
PUBLISHED: 2019-05-23
Incorrect eliding of URLs in Omnibox in Google Chrome on iOS prior to 73.0.3683.75 allowed a remote attacker to perform domain spoofing via a crafted HTML page.
CVE-2019-5802
PUBLISHED: 2019-05-23
Incorrect handling of download origins in Navigation in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to perform domain spoofing via a crafted HTML page.