Recently in Social Engineering Category

Social Engineering 101


I got a report today from an employee who had just gotten a call from someone claiming to be either working for Dell, or on behalf of Dell. The caller's story was that they were working for the Dell credit card payment office, and that they wanted to validate a certain purchase. If we would please provide them with some additional information about one of our students, Dell would be able to help this person with their purchase much better.

The employee did not provide the information, terminated the phone call, and reported it to me.

So far, so good!

However, as my discussion with the employee continued, it did not so much bother her that someone called her for that kind of information, but much more so that she could not validate that it was indeed someone calling on behalf of Dell.

However much I tried to explain that it does not matter whether that person worked for Dell or not, because any issue Dell might have with one of our students is between that student and Dell, and we are in no way part of that, the message somehow just did not sink in.

So, now I am left with a gnawing doubt; while no information was shared, the request was denied for the wrong reasons.

If a social engineer is able to convince someone that they are doing the right thing by disclosing information, success is practically guaranteed. After all, people WANT to do the right thing!

I guess it is time to kick up our internal training another notch: no matter what the reason is that someone calls, do NOT disclose ANY information, unless you are CERTAIN that you are:

1) trained to disclose that information

2) authorized to disclose that information

3) verifying who you are disclosing that information to

4) certain about what you are disclosing

5) documenting that you are disclosing it.

Telephone phish

An interesting new form of phishing attack combines elements of email phishing and telephone phishing. This "hybrid phish" informs users that their bank accounts have been suspended after a fraud alert was triggered. It instructs the recipient to call a telephone number to unlock their accounts.

The phishing message looks like this:
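As an added defender-side example (not code from the original post), here is a small triage heuristic that flags messages combining the two lure elements described above: an account-suspension or fraud-alert pretext, and a push to call a telephone number instead of clicking a link. The phrase lists, the phone-number pattern and the sample messages are constructed assumptions, not taken from any real campaign.

```python
"""Heuristic triage for "hybrid phish" messages: mail that claims an account
has been suspended (or a fraud alert raised) and tells the reader to call a
number.  Added example; keyword lists and samples are constructed."""
import re
from dataclasses import dataclass, field

# Phrases signalling the "your account is locked, act now" pretext.
# Constructed list; tune it to the lures your own users report.
URGENCY_PHRASES = (
    "account has been suspended",
    "account suspended",
    "fraud alert",
    "unusual activity",
    "unlock your account",
    "verify your account",
    "within 24 hours",
)

# Phrases that redirect the victim to the telephone channel.
CALLBACK_PHRASES = (
    "call us",
    "call our",
    "call the number",
    "please call",
    "contact us at",
)

# North American style numbers: 1-800-555-0100, (800) 555-0100, 800.555.0100.
# The leading lookbehind stops a long digit run (order ids, timestamps) from
# matching its last ten digits.  Constructed pattern; extend for your region.
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b"
)


@dataclass
class PhishVerdict:
    score: int
    phone_numbers: list = field(default_factory=list)
    urgency_hits: list = field(default_factory=list)
    callback_hits: list = field(default_factory=list)

    @property
    def is_hybrid_phish(self) -> bool:
        # All three elements must be present: pretext, push to call, a number.
        return bool(self.urgency_hits and self.callback_hits and self.phone_numbers)


def score_message(body: str) -> PhishVerdict:
    """Score one message body; the combination of elements is what matters."""
    text = " ".join(body.lower().split())  # normalise case and whitespace
    urgency = [p for p in URGENCY_PHRASES if p in text]
    callback = [p for p in CALLBACK_PHRASES if p in text]
    phones = [m.group(0).strip() for m in PHONE_RE.finditer(body)]
    # Each element counts once; weights are constructed, not calibrated.
    score = 2 * bool(urgency) + 2 * bool(callback) + 3 * bool(phones)
    return PhishVerdict(score, phones, urgency, callback)


# Constructed sample messages, not real mail.
SAMPLES = {
    "hybrid_phish": (
        "Dear customer, a fraud alert was triggered and your account has been "
        "suspended. To unlock your account please call 1-800-555-0199 within "
        "24 hours."
    ),
    "link_phish": (
        "Your account has been suspended. Click http://example.invalid/verify "
        "to restore access."
    ),
    "benign_receipt": (
        "Thanks for your order #4471. Questions? Call us at (800) 555-0100 "
        "between 9am and 5pm."
    ),
}


def triage(samples=SAMPLES) -> dict:
    """Return {name: is_hybrid_phish}.  The benign receipt carries a number and
    a callback phrase but no suspension pretext, so it is not flagged; the
    link-based phish has the pretext but no telephone element."""
    return {name: score_message(body).is_hybrid_phish for name, body in samples.items()}


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        v = score_message(body)
        print(f"{name:15} score={v.score} phish={v.is_hybrid_phish} phones={v.phone_numbers}")
```

The point of requiring all three elements together is to keep the ordinary "questions? call us" footer on a legitimate receipt from being flagged; a single element is a weak signal, the combination is the lure this post describes.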

Information security framework

A 0day with an automatic discovery and dissemination tool shouldn't be a surprise to anyone. The fact that it's hit hundreds of thousands of sites in less than a couple of weeks is slightly surprising, though it mainly means that the bad guys are moving fast. Is this just the next step in Internet security, where we have new 0day vulnerabilities sweeping through web servers on a regular basis?
Source: Network Security Blog
Observations like this once more confirm that the bad guys are increasingly focusing on OSI layer 7 and above. Network controls are not to be ignored, but simply putting up a firewall to keep unwanted traffic out, and an IDS to make sure the firewall is working well (or an IPS, if you prefer), is not sufficient.

Some students get it...

Wesley McGrew has been posting recently about a capture-the-flag event he is organizing for his students. I am currently gathering my notes to teach an introductory computer security class in the fall, and I am also considering a similar event at the end of the semester. Not only is capture the flag fun to play, it is also a very eye-opening experience when you are able to truly hack into your first box.

One of the most important lessons that an information security professional must learn is that users are the weakest link in the defense of your organization's information assets. No matter how good your technical controls are, if you have users who are uninformed (or outright malicious), your protections will fail.