Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
How To Hack A Human
Newest First  |  Oldest First  |  Threaded View
Kelly Jackson Higgins
Kelly Jackson Higgins,
User Rank: Strategist
10/1/2014 | 10:26:11 AM
Re: Awesome Guest
I've known Chris for a few years, and he always has interesting insight and anecdotes about what he sees out there in the social engineering threatscape. I am really looking forward to our show today--it will be fun, but also eye-opening. 
Alison_Diana
Alison_Diana,
User Rank: Moderator
10/1/2014 | 10:20:52 AM
Awesome Guest
Chris is a fantastic speaker on the scary topic of social engineering. I recall interviewing him for a piece I wrote at Internet Evolution, where he told me he'd much rather 'play' a janitor than an executive because cleaners and maintenance workers typically operate under the radar, making it simpler for them to access the information social engineers need to hack into a system or break an organization's defenses. While speaking to him, I wondered what I'd let slip, whether he knew more about me than I'd wanted him to, and you come away rethinking your entire social media and social interaction! He's a real eye-opener and I can't wait for this session!
RyanSepe
RyanSepe,
User Rank: Ninja
9/30/2014 | 9:19:41 PM
Re: Phishing
@nomli, that is a very difficult task to manage. On a grand scale it is hard to ensure that the majority of users can do validity checks on incoming mail. As far as I know, I don't believe a phishing attack can be detrimental without user input. (I.E. clicking a link, downloading attachment, embedded code, etc) So I would stay stick to checking the links and scanning attachments before downloading. Especially if you are unsure of where the link brings you. This is difficult to manage even with mass education through public systems.

However, I do believe that it is a great idea @GonzSTL to introduce it to the public curriculum become more positive exposure would be beneficial. Its a start.

I think email providers need to have more stringent security functionality built into their email platform for the end user. Until then, it will be difficult to reach everyone consistently.

 
GonzSTL
GonzSTL,
User Rank: Ninja
9/30/2014 | 3:58:12 PM
Re: Phishing
Many years ago, people were advised not to open emails from people they don't know, and especially not to open attachments to those messages. Now, malicious emails appear to come from people you do know! So the question is, what emails should the user open? It is simple enough to simply advise a user to first check the validity of an email by asking the sender if indeed that person sent the message. While that may be effective in determining if the email was valid, it does not guarantee that any attachments are "clean", not to mention the inconvenience of having to validate the authenticity of the message in the first place. It really has come to the point where business emails should first go through an external provider (either in the cloud or through an onsite appliance) for inspection and/or cleansing prior to delivery to the recipient. Yes, this is costly, but if a business wants to open messages with some degree of confidence, what choice do they have? Policies and awareness training can only be so effective.

It is a different story altogether for individuals at home, who usually do not want to spend money for this type of service, or who have not had security awareness training. Most of them rely on their anti-malware software to inspect their emails first before they open them, if they even do that. Home computers are likely the biggest segment in botnets because most home users are less careful or even worried about malware in emails. In today's connected environment, it isn't unusual for children to have their own email addresses, and if their emails are accessed via the common use home computer, then the probability of their home computer being compromised increases greatly. Perhaps providers of email services should use email protections prior to delivery, as a public service to their users. I understand that this can be quite costly, but if they want to earn their users' trust, maybe they should bite the bullet and do exactly that. Here's a thought – what if safe computing practices are part of a public school curriculum? As an IT professional and also a taxpayer, I'm all for that; after all, we do live in a highly technological and electronic age.
nomii
nomii,
User Rank: Apprentice
9/30/2014 | 2:19:45 PM
Re: Phishing
@Ryan true. But wjhat about the emails that looks like to be received from a familiar source.
RyanSepe
RyanSepe,
User Rank: Ninja
9/30/2014 | 12:07:25 PM
Phishing
This has been quite a talked about topic of late and it seems that it will continue to be. 

Some quick tips to combat phishing:

Don't open emails from unknown sources.

Hover over links to scan for misdirection.

Quarantine emails that you are definitely unsure about before opening.

 

I know I have missed some, does anyone else have quick tips that even non-tech users can follow to combat this type of attack?
Kelly Jackson Higgins
Kelly Jackson Higgins,
User Rank: Strategist
9/30/2014 | 11:35:46 AM
Re: Scary
Absolutely, @shamika. And as you may know, the SE CTF at DEF CON shows how scammers/hackers/attackers can use voice calls to get potentially valuable intel out of their targets. 
shamika
shamika,
User Rank: Apprentice
9/30/2014 | 11:17:53 AM
Scary
This seems very scary. Yes as you explained it could be an email link. I think the social media has a high risk on this.


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Black Hat USA 2022 Attendee Report
Black Hat attendees are not sleeping well. Between concerns about attacks against cloud services, ransomware, and the growing risks to the global supply chain, these security pros have a lot to be worried about. Read our 2022 report to hear what they're concerned about now.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-33311
PUBLISHED: 2022-08-18
Browse restriction bypass vulnerability in Address Book of Cybozu Office 10.0.0 to 10.8.5 allows a remote authenticated attacker to obtain the data of Address Book via unspecified vectors.
CVE-2022-25986
PUBLISHED: 2022-08-18
Browse restriction bypass vulnerability in Scheduler of Cybozu Office 10.0.0 to 10.8.5 allows a remote authenticated attacker to obtain the data of Scheduler.
CVE-2022-28715
PUBLISHED: 2022-08-18
Cross-site scripting vulnerability in the specific parameters of Cybozu Office 10.0.0 to 10.8.5 allows a remote attacker to inject an arbitrary script via unspecified vectors.
CVE-2022-2876
PUBLISHED: 2022-08-18
A vulnerability, which was classified as critical, was found in SourceCodester Student Management System. Affected is an unknown function of the file index.php. The manipulation of the argument id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to...
CVE-2022-29487
PUBLISHED: 2022-08-18
Cross-site scripting vulnerability in Cybozu Office 10.0.0 to 10.8.5 allows a remote attacker to inject an arbitrary script via unspecified vectors.