Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

How To Hack A Human
Newest First  |  Oldest First  |  Threaded View
Kelly Jackson Higgins
Kelly Jackson Higgins,
User Rank: Strategist
10/1/2014 | 10:26:11 AM
Re: Awesome Guest
I've known Chris for a few years, and he always has interesting insight and anecdotes about what he sees out there in the social engineering threatscape. I am really looking forward to our show today--it will be fun, but also eye-opening. 
User Rank: Moderator
10/1/2014 | 10:20:52 AM
Awesome Guest
Chris is a fantastic speaker on the scary topic of social engineering. I recall interviewing him for a piece I wrote at Internet Evolution, where he told me he'd much rather 'play' a janitor than an executive because cleaners and maintenance workers typically operate under the radar, making it simpler for them to access the information social engineers need to hack into a system or break an organization's defenses. While speaking to him, I wondered what I'd let slip, whether he knew more about me than I'd wanted him to, and you come away rethinking your entire social media and social interaction! He's a real eye-opener and I can't wait for this session!
User Rank: Ninja
9/30/2014 | 9:19:41 PM
Re: Phishing
@nomli, that is a very difficult task to manage. On a grand scale it is hard to ensure that the majority of users can do validity checks on incoming mail. As far as I know, I don't believe a phishing attack can be detrimental without user input. (I.E. clicking a link, downloading attachment, embedded code, etc) So I would stay stick to checking the links and scanning attachments before downloading. Especially if you are unsure of where the link brings you. This is difficult to manage even with mass education through public systems.

However, I do believe that it is a great idea @GonzSTL to introduce it to the public curriculum become more positive exposure would be beneficial. Its a start.

I think email providers need to have more stringent security functionality built into their email platform for the end user. Until then, it will be difficult to reach everyone consistently.

User Rank: Ninja
9/30/2014 | 3:58:12 PM
Re: Phishing
Many years ago, people were advised not to open emails from people they don't know, and especially not to open attachments to those messages. Now, malicious emails appear to come from people you do know! So the question is, what emails should the user open? It is simple enough to simply advise a user to first check the validity of an email by asking the sender if indeed that person sent the message. While that may be effective in determining if the email was valid, it does not guarantee that any attachments are "clean", not to mention the inconvenience of having to validate the authenticity of the message in the first place. It really has come to the point where business emails should first go through an external provider (either in the cloud or through an onsite appliance) for inspection and/or cleansing prior to delivery to the recipient. Yes, this is costly, but if a business wants to open messages with some degree of confidence, what choice do they have? Policies and awareness training can only be so effective.

It is a different story altogether for individuals at home, who usually do not want to spend money for this type of service, or who have not had security awareness training. Most of them rely on their anti-malware software to inspect their emails first before they open them, if they even do that. Home computers are likely the biggest segment in botnets because most home users are less careful or even worried about malware in emails. In today's connected environment, it isn't unusual for children to have their own email addresses, and if their emails are accessed via the common use home computer, then the probability of their home computer being compromised increases greatly. Perhaps providers of email services should use email protections prior to delivery, as a public service to their users. I understand that this can be quite costly, but if they want to earn their users' trust, maybe they should bite the bullet and do exactly that. Here's a thought – what if safe computing practices are part of a public school curriculum? As an IT professional and also a taxpayer, I'm all for that; after all, we do live in a highly technological and electronic age.
User Rank: Apprentice
9/30/2014 | 2:19:45 PM
Re: Phishing
@Ryan true. But wjhat about the emails that looks like to be received from a familiar source.
User Rank: Ninja
9/30/2014 | 12:07:25 PM
This has been quite a talked about topic of late and it seems that it will continue to be. 

Some quick tips to combat phishing:

Don't open emails from unknown sources.

Hover over links to scan for misdirection.

Quarantine emails that you are definitely unsure about before opening.


I know I have missed some, does anyone else have quick tips that even non-tech users can follow to combat this type of attack?
Kelly Jackson Higgins
Kelly Jackson Higgins,
User Rank: Strategist
9/30/2014 | 11:35:46 AM
Re: Scary
Absolutely, @shamika. And as you may know, the SE CTF at DEF CON shows how scammers/hackers/attackers can use voice calls to get potentially valuable intel out of their targets. 
User Rank: Apprentice
9/30/2014 | 11:17:53 AM
This seems very scary. Yes as you explained it could be an email link. I think the social media has a high risk on this.

I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Everything You Need to Know About DNS Attacks
It's important to understand DNS, potential attacks against it, and the tools and techniques required to defend DNS infrastructure. This report answers all the questions you were afraid to ask. Domain Name Service (DNS) is a critical part of any organization's digital infrastructure, but it's also one of the least understood. DNS is designed to be invisible to business professionals, IT stakeholders, and many security professionals, but DNS's threat surface is large and widely targeted. Attackers are causing a great deal of damage with an array of attacks such as denial of service, DNS cache poisoning, DNS hijackin, DNS tunneling, and DNS dangling. They are using DNS infrastructure to take control of inbound and outbound communications and preventing users from accessing the applications they are looking for. To stop attacks on DNS, security teams need to shore up the organization's security hygiene around DNS infrastructure, implement controls such as DNSSEC, and monitor DNS traffic
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.
PUBLISHED: 2023-05-26
Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView class` intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests ar...
PUBLISHED: 2023-05-26
Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates `ty...
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was...
PUBLISHED: 2023-05-26
GDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file