A Phisher of Men: Learn How to Turn Social Engineering Techniques Around to Improve Your Security at the RANT Forum

The dangers of phishing and social-engineering attacks are well known and understood by businesses, NGOs and public bodies, so why are they still
effective? And what if there was a way to use the same psychological
pivots attackers use, and improve cyber security? Well, those attending
this month’s RANT Forum in London are about to find out just how to make
that happen.

The speaker at this month’s event is Barry Coatesworth, a highly regarded
cyber-security expert and a member of the government’s industry advisory
group for cyber-security standards, the Information Assurance Advisory Council. In almost 25 years in the business, Barry has experienced first-hand the good, the bad and the ugly of cyber security.

Phishing and associated attacks remain a hot topic, and Coatesworth will
show how and why they still work. “What I do is look at the psychology
behind these attacks,” he tells the Acumin Blog. “Security is constantly
changing, and it’s difficult at the best of times for CISOs to level the
playing field in a constantly changing threat landscape. It’s a case of
adapt or fail – so I look at why attacks work or don’t work, and at how
that understanding can be used to improve security.”

There are any number of scenarios that attackers can use to identify weak
links in an organisation and exploit these to access information: the more
obvious examples include masquerading as executives or colleagues,
relatives or other trusted contacts. But what Coatesworth is more
interested in is the methodologies that underpin these attacks. By unpicking
them and understanding them, he believes infosec professionals can get
ahead of the curve.

“It all depends what the attacker wants to do,” Coatesworth says. “Attacks
tend to be against personnel with access to sensitive information or with
admin access to systems. Opportunity is key, as well as the time and
effort needed to orchestrate a successful phishing attack. It’s not
one-glove-fits-all, but when you look at the psychology behind how the
attacks work, there are some common themes.”

Most businesses use some of the principles of social engineering already,
but probably don’t realise it. “The psychology behind these attacks is all
about marketing and PR,” Coatesworth says. “It’s more in the generalities
than the specifics. They all follow similar proven methods to seduce or
manipulate you to click on that link or download that file. If you
understand these strategies you can use them internally: it’s like a form
of guerrilla warfare, but you can use it in a positive way.”

If you want to learn how – or even if you’ve tried it and don’t think it
can be done and want to argue about it – then Wednesday’s RANT Forum is
the place to be. Wednesday 25th September, email Gemma on gpaterson@acumin.co.uk if you would like to be added to the guest list. We hope to see you there.

Laughing all the way to the bank: Why banks need to rethink their approach to social media

by Angus Batey

Every day, I check my bank accounts online. Every time I check, my bank is encouraging me to send it Tweets. So every day I find myself wondering whether I am the only one of their customers to find this bordering on insane.

The social-media revolution has changed the way all companies do business and interact with their customers, and it would be naive to imagine that banking hadn’t been as affected as everybody else. Facebook, Twitter, Google Plus and the rest are powerful tools, enabling individuals and corporations to strengthen relationships through easy interaction – and best of all, the costs are met by somebody else. What’s not to like?

Just about the only other thing I can guarantee on happening every day is that I’ll receive an email telling me that my bank account has developed some problem or other, but that help is at hand, if I’d just click on the link and resubmit my details. I’ve been getting them for the thick end of 20 years and they’ve not evolved greatly in their wit or sophistication. We all know the more obvious telltale giveaways, from the hilariously inept salutations (“Dear esteemed beneficiary…”) to the clumsily hidden address they really come from. Yet these scams still manage to fool some users – according to a 2010 report by Cyveillance [PDF], a spammer can expect to get about 250 people to hand over their data for every half-million phishing emails sent. This is a tiny fraction, but a significant number.

Usually, the first thing that lets you know a purported banking email is a fraud is that it claims it comes from a bank you’ve never had an account with. But what if the scammers knew who you banked with, and took a little more care to make their emails plausible? Wouldn’t that low rate of success quickly start to climb?

Every major High Street bank has a range of official Twitter accounts it uses to communicate with the outside world – often little more than a stream of links to corporate press releases or items of perceived interest to customers. But even if that’s all a bank uses Twitter for, its accounts represent an incredible intelligence-gathering opportunity for anyone willing to spend a couple of hours to better target phishing attacks.

Unless you’re an avid student of the banking industry you’re unlikely to subscribe to a bank’s social-media feed if you don’t hold an account with them – and on Twitter, where you don’t even need to be a registered site user to view details of who is following a particular account, the High Street banks’ feeds are a potential scammer’s goldmine. True, a list of followers will only give you a list of Twitter account names: but, obligingly, a significant number of Twitter users include their real names on their publicly accessible profile pages, sometimes with a link to a personal website which will contain contact information: some users even include email addresses and phone numbers on those public pages.

Worse – from a security perspective – most banks also operate helpline-style Twitter accounts, where users publicly out themselves as customers, often of products including mortgage, insurance and share-dealing services as well as just ordinary current accounts: and while conversations requiring detailed information are conducted via email or private Twitter direct messages, initial queries are asked and answered in full public view.

In the real world, someone wishing to target you for banking fraud would either have had to have sold you something and have you give them a cheque to know where you banked, or followed you up and down the High Street on the off-chance you might visit your local branch. Following your bank on Twitter is like walking up and down that High Street wearing a t-shirt emblazoned with the name of the bank; Tweeting a question to your bank, from a Twitter account that includes your email address, is like walking around in that t-shirt, and with a flashing neon sign fixed to your head saying “Please rob me”.

The criminals clearly prefer to spend their time counting the loot, not finding more effective ways to raise it – and for that we should be thankful. Because, in their enthusiasm to embrace the new opportunities for customer engagement that social media provide, our banks are giving criminals an unprecedented opportunity to improve their phishing success rate. Clearly the banks’ market research has told them that no new method of customer interaction should be shunned: and to the average internet user, who thinks anything free and convenient is to be applauded, a bank refusing to embrace social media will look out of touch. But by encouraging customers to publicly reveal information about the products and services they use, banks are playing a dangerous game – undermining security to promote customer dialogue seems a curious business decision for an industry that relies, more than most, on protecting its clients’
data.

* Angus Batey is a freelance journalist who has covered cyber defence and data security for titles including the Sunday Telegraph and Digital Battlespace. He doesn’t follow his bank on Twitter.

Privacy is always better through sepia-tinted glasses

Instagram has done one thing well. And no it’s not turn HD 8MP snaps of man plus dog’s meals in to Polaroid-esque travesties of blurriness, reminiscent of ‘70s snappers. What the photo filter app-maker (or photo-sharing and social-networking service if you sign up to marketing hyperbole) has done though is highlight that there isn’t a total sense of apathy and disinterest in security and privacy amongst the greater public, they just need something to care about – a sepia-toned champion if you will.

As word of a renewed privacy policy swept across Twitter, Tumblr, and Pinterest, the cool kids were up in arms, albeit at the duress of coattail-riding ‘celebrities’ like Kim Kardashian (a more orange than sepia skinned hero granted, but we take what we can get). How can you not own a photo you took on your own phone? There is one school of thought here that rationalises the situation – you own the unaltered photo which you took; but as you’ve over-exposed/scratched/generally ruined it with their app, then the output belongs to Instagram. By their logic, any image manipulation produces a new photo that is the property of the editor. That’s the kind of proprietary nonsense that even Apple’s legal team would turn their noses up at. This isn’t something anyone wants – my HTC has similar filter editing built in, and plenty of HDRs and digital cameras do their own image and balance correction on-device. Whilst we’re on the subject of what you can do ‘on-device’, in what world did Instagram think it was a good idea to not let users take pictures offline? Seriously?

Despite what Instagram, Zuckerberg, or anyone else claims the true intention of the shift was, the subsequent backtrack was unsurprising both in its speed and scope of the policy turnaround. For a company fresh off the back of a $1bn acquisition and enjoying the associated buzz of riding the crest of the Facebook wave, the whole move was a PR disaster and the damage has already been done. If you believe some news outlets, the app has lost half of its daily user base as a result of the debacle, and competitors have stepped up to try and fill the ‘vintage filter’ void.

But is it fair to blame companies like Instagram, YouTube, Facebook, et al for tying to monetise their offerings? After all they host literally petabytes of users’ content. It isn’t just servers that cost, but staff, cooling, and ground rent. And really, what were they going to use those pictures for? Which third parties were they hoping to sell them to? As nice as that shot of a sun-drenched deckchair on Brighton beach is in black and white, it’s not like stock photo repositories are going to be teeming with low-res shots of your shenanigans for sale. Let’s face it, Instagram got jealous of Facebook and LinkedIn with their user content advertising, and got caught up in the ‘we should be doing that too’ mentality that is synonymous with social media… except they forgot to offer an opt-out like those other bastions of user privacy (eventually) did.

So there’s one very important lesson Instagram has given us – users care about privacy and security when they have a vested interest, if it’s something they use out of choice rather than necessity, they are more than ready to get up-in-arms about it. Well actually there are multiple lessons, but if there’s one more fortune cookie of wisdom here… It might be best to explain the purpose of a policy before rolling it out, even if it’s just for awareness, hearts, minds, and warding off mutiny.

If you like it, Google might put a ring on it

A recent Google Labs research paper explored ideas of alternative sign-in methods and securer authentication techniques. As anyone who has used Gmail over the last few months will know, Google are desperate to introduce secondary forms of verifying your identity; namely submitting your mobile number so that the Mountain View-based internet giant can generate a one-time password. A current pilot study being run out of the Googleplex explores the idea of the mobile device as (rather than generating) the password, this is the passdevice.

Google are desperate to get user security right. They have a large existing user base across their search, messaging, mapping, and video services, and are firmly established as a market leader in consumer email. It isn’t just email though; your Google credentials are the same across the entirety of their platform and product range. What we are dealing with here then is a cross-platform online identity. With the increasing monetisation of services such as Wallet and the Play Store, there is also a direct loss impact to be felt should account security be compromised. There is a direct financial incentive, in terms of profit rather than just loss prevention, as Google tries to assure us that is the homogenous web ecosystem… although let’s face it, no one is believing those Google+ user figures!

Search, Gmail, YouTube, Android OS, Play Store, Zagat, Maps, Motorola, Blogger, Drive, AdWords, AdMob, Analytics. Google offer a lot of free services, and constantly push the envelope in research (Goggles), only to scrap offerings that aren’t ‘working’ (read: not easily monetised) – Google Wave anyone? So there’s no questioning the value that they bring to the digital age, and the standing they have as one of the world’s most powerful (if not necessarily trusted – “don’t be evil”) brands. Is it that unreasonable then that they might ask something in return, something beyond $10-11bn/year profit and full knowledge of your online habits?

You see, Google are thinking along the same lines as Beyoncé here, if you like their services so much then you might as well let them put a ring on it. An authentication ring. Which all sounds very nice, until you start thinking that Web 2.0 giants like Facebook and Twitter, and arch-rivals Apple might like the idea – free advertising and the kind of brand commitment that wearing a real world ‘device’ entangles. The whole initiative would take some time to role out too, not just in terms of manufacturing and getting rings on fingers, but also in terms of devices and platforms that can read the token. Mobile phones are refreshed every 18-24 months, meaning that side of the industry wouldn’t take too long to catch up, but what about PCs – would a reader be connected via USB, retro-fitted, or built in during manufacture? And then there’s Apple, who haven’t exactly been playing ball with supporting their Californian neighbours’ products and services – considering the market share Apple still have in Western markets like the US and UK (and remarkably in Japan), then Tim Cook (Apple CEO) may be the biggest road block on the ring’s route to market.

As a principle there are pros and cons from a security and usability perspective with ‘ring-thentication’ – to name a few… Will it be resilient? Water-proof? Easily blocked and replaced if lost or stolen? Will remote and/or security updates be possible? There are still questions to be answered, but what the research paper does do is finally try to take on the challenge of user inertia towards security and passwords. It’s so simple a solution, that the user won’t have to do anything beyond making the initial decision to put the thing on.

An eye on data, governments increase Google requests for information

The internet is, without a question of a doubt, a vital part of most people’s existence, from people working in forensics, to those involved in ethical hacking and cyber security professionals who keep on top of threats and/or the latest security measures against such activities.

And Google is, perhaps, the dominant player in this virtual arena, at least from a purely search point of view – the dominant search engine by a long shot. That’s putting it lightly, it is, in any case, a master in other areas, like statistical analysis (Google Analytics); social media, and relevant to this post, in the art of data collection.

The American multinational corporation, which was founded by Larry Page and Sergey Brin, recently released its biannual transparency report, which it does, and I quote, to “ensure that we maximise transparency around the flow of information related to our tools and services”.

The most fascinating thing about this report is that government requests, from the UK to the US to China and all the rest – for Google to pass on data is increasing. With regards to the UK, the tech organisation reported a massive 71 per cent rise in content removal requests from the British government and its police force. The reason for moving such information is down to national security issues, a bid to preserve information security.

A Home Office spokesman explained the government’s action as a response to online extremists or hate content, which it takes “very seriously”.

“Where unlawful content is hosted in the United Kingdom, the police have the power to seek its removal and where hosted overseas, we work closely with our international partners to effect its removal,” the spokesman said.

In response, Google said that it had had fully or partially complied with 82 per cent of these requests.

It’s an intriguing insight into the ‘hidden backroom’ conversations going on all the time between Google and various governments, in what is a very sensitive area. We value information security and risk management as much as any other organisation, but we have to be careful that such actions don’t filter into unjustified censorship.

That’s why Google’s transparency report is such a good thing – it lets the world see what’s going on and what governments are doing. Accountability, transparency and, of course, maintaining high levels of information security with sensitive and private data is inherently important after all.