Category Archives: Social media

A Phisher of Men: Learn How to Turn Social Engineering Techniques Around to Improve Your Security at the RANT Forum

The dangers of phishing and social-engineering attacks are well known and understood by businesses, NGOs and public bodies, so why are they still effective? And what if there were a way to use the same psychological pivots attackers use to improve cyber security? Well, those attending this month’s RANT Forum in London are about to find out just how to make that happen.

The speaker at this month’s event is Barry Coatesworth, a highly regarded cyber-security expert and a member of the government’s industry advisory group for cyber-security standards, the Information Assurance Advisory Council. In almost 25 years in the business, Barry has experienced first-hand the good, the bad and the ugly of cyber security.

Phishing and associated attacks remain a hot topic, and Coatesworth will show how and why they still work. “What I do is look at the psychology behind these attacks,” he tells the Acumin Blog. “Security is constantly changing, and it’s difficult at the best of times for CISOs to level the playing field in a constantly changing threat landscape. It’s a case of adapt or fail – so I look at why attacks work or don’t work, and at how that understanding can be used to improve security.”

There are any number of scenarios that attackers can use to identify weak links in an organisation and exploit them to access information: the more obvious examples include masquerading as executives or colleagues, relatives or other trusted contacts. But what Coatesworth is more interested in are the methodologies that underpin these attacks. By unpicking and understanding them, he believes infosec professionals can get ahead of the curve.

“It all depends what the attacker wants to do,” Coatesworth says. “Attacks tend to be against personnel with access to sensitive information or with admin access to systems. Opportunity is key, as well as the time and effort needed to orchestrate a successful phishing attack. It’s not one-glove-fits-all, but when you look at the psychology behind how the attacks work, there are some common themes.”

Most businesses use some of the principles of social engineering already, but probably don’t realise it. “The psychology behind these attacks is all about marketing and PR,” Coatesworth says. “It’s more in the generalities than the specifics. They all follow similar proven methods to seduce or manipulate you to click on that link or download that file. If you understand these strategies you can use them internally: it’s like a form of guerrilla warfare, but you can use it in a positive way.”

If you want to learn how – or even if you’ve tried it and don’t think it can be done and want to argue about it – then Wednesday’s RANT Forum is the place to be. The forum takes place on Wednesday 25th September; email Gemma at gpaterson@acumin.co.uk if you would like to be added to the guest list. We hope to see you there.

Laughing all the way to the bank: Why banks need to rethink their approach to social media

by Angus Batey

Every day, I check my bank accounts online. Every time I check, my bank is encouraging me to send it Tweets. So every day I find myself wondering whether I am the only one of their customers to find this bordering on insane.

The social-media revolution has changed the way all companies do business and interact with their customers, and it would be naive to imagine that banking hadn’t been as affected as everybody else. Facebook, Twitter, Google Plus and the rest are powerful tools, enabling individuals and corporations to strengthen relationships through easy interaction – and best of all, the costs are met by somebody else. What’s not to like?

Just about the only other thing I can guarantee on happening every day is that I’ll receive an email telling me that my bank account has developed some problem or other, but that help is at hand, if I’d just click on the link and resubmit my details. I’ve been getting them for the thick end of 20 years and they’ve not evolved greatly in their wit or sophistication. We all know the more obvious telltale giveaways, from the hilariously inept salutations (“Dear esteemed beneficiary…”) to the clumsily hidden address they really come from. Yet these scams still manage to fool some users – according to a 2010 report by Cyveillance [PDF], a spammer can expect to get about 250 people to hand over their data for every half-million phishing emails sent. This is a tiny fraction, but a significant number.

Usually, the first thing that lets you know a purported banking email is a fraud is that it claims it comes from a bank you’ve never had an account with. But what if the scammers knew who you banked with, and took a little more care to make their emails plausible? Wouldn’t that low rate of success quickly start to climb?

Every major High Street bank has a range of official Twitter accounts it uses to communicate with the outside world – often little more than a stream of links to corporate press releases or items of perceived interest to customers. But even if that’s all a bank uses Twitter for, its accounts represent an incredible intelligence-gathering opportunity for anyone willing to spend a couple of hours to better target phishing attacks.

Unless you’re an avid student of the banking industry you’re unlikely to subscribe to a bank’s social-media feed if you don’t hold an account with them – and on Twitter, where you don’t even need to be a registered site user to view details of who is following a particular account, the High Street banks’ feeds are a potential scammer’s goldmine. True, a list of followers will only give you a list of Twitter account names. But, obligingly, a significant number of Twitter users include their real names on their publicly accessible profile pages, sometimes with a link to a personal website that contains contact information; some users even include email addresses and phone numbers on those public pages.

Worse – from a security perspective – most banks also operate helpline-style Twitter accounts, where users publicly out themselves as customers, often of products including mortgage, insurance and share-dealing services as well as just ordinary current accounts: and while conversations requiring detailed information are conducted via email or private Twitter direct messages, initial queries are asked and answered in full public view.

In the real world, someone wishing to target you for banking fraud would have had either to sell you something and be paid by cheque, so as to learn where you banked, or to follow you up and down the High Street on the off-chance you might visit your local branch. Following your bank on Twitter is like walking up and down that High Street wearing a t-shirt emblazoned with the name of the bank; Tweeting a question to your bank, from a Twitter account that includes your email address, is like walking around in that t-shirt, and with a flashing neon sign fixed to your head saying “Please rob me”.

The criminals clearly prefer to spend their time counting the loot, not finding more effective ways to raise it – and for that we should be thankful. Because, in their enthusiasm to embrace the new opportunities for customer engagement that social media provide, our banks are giving criminals an unprecedented opportunity to improve their phishing success rate. Clearly the banks’ market research has told them that no new method of customer interaction should be shunned: and to the average internet user, who thinks anything free and convenient is to be applauded, a bank refusing to embrace social media will look out of touch. But by encouraging customers to publicly reveal information about the products and services they use, banks are playing a dangerous game – undermining security to promote customer dialogue seems a curious business decision for an industry that relies, more than most, on protecting its clients’ data.

* Angus Batey is a freelance journalist who has covered cyber defence and data security for titles including the Sunday Telegraph and Digital Battlespace. He doesn’t follow his bank on Twitter.

Privacy is always better through sepia-tinted glasses


Instagram has done one thing well. And no, it’s not turning HD 8MP snaps of man plus dog’s meals into Polaroid-esque travesties of blurriness, reminiscent of ‘70s snappers. What the photo filter app-maker (or photo-sharing and social-networking service, if you sign up to marketing hyperbole) has done, though, is highlight that there isn’t a total sense of apathy and disinterest in security and privacy amongst the greater public; they just need something to care about – a sepia-toned champion, if you will.

As word of a renewed privacy policy swept across Twitter, Tumblr, and Pinterest, the cool kids were up in arms, albeit at the urging of coattail-riding ‘celebrities’ like Kim Kardashian (a more orange than sepia skinned hero granted, but we take what we can get). How can you not own a photo you took on your own phone? There is one school of thought here that rationalises the situation – you own the unaltered photo which you took; but as you’ve over-exposed/scratched/generally ruined it with their app, the output belongs to Instagram. By their logic, any image manipulation produces a new photo that is the property of the editor. That’s the kind of proprietary nonsense that even Apple’s legal team would turn their noses up at. This isn’t something anyone wants – my HTC has similar filter editing built in, and plenty of HDRs and digital cameras do their own image and balance correction on-device. Whilst we’re on the subject of what you can do ‘on-device’, in what world did Instagram think it was a good idea to not let users take pictures offline? Seriously?

Despite what Instagram, Zuckerberg, or anyone else claims the true intention of the shift was, the speed and scope of the subsequent policy turnaround were unsurprising. For a company fresh off the back of a $1bn acquisition and enjoying the associated buzz of riding the crest of the Facebook wave, the whole move was a PR disaster and the damage has already been done. If you believe some news outlets, the app has lost half of its daily user base as a result of the debacle, and competitors have stepped up to try and fill the ‘vintage filter’ void.

But is it fair to blame companies like Instagram, YouTube, Facebook, et al for trying to monetise their offerings? After all, they host literally petabytes of users’ content. It isn’t just servers that cost, but staff, cooling, and ground rent. And really, what were they going to use those pictures for? Which third parties were they hoping to sell them to? As nice as that shot of a sun-drenched deckchair on Brighton beach is in black and white, it’s not like stock photo repositories are going to be teeming with low-res shots of your shenanigans for sale. Let’s face it, Instagram got jealous of Facebook and LinkedIn with their user content advertising, and got caught up in the ‘we should be doing that too’ mentality that is synonymous with social media… except they forgot to offer an opt-out like those other bastions of user privacy (eventually) did.

So there’s one very important lesson Instagram has given us: users care about privacy and security when they have a vested interest. If it’s something they use out of choice rather than necessity, they are more than ready to get up in arms about it. Well, actually there are multiple lessons, but if there’s one more fortune cookie of wisdom here, it is this: it might be best to explain the purpose of a policy before rolling it out, even if it’s just for awareness, hearts, minds, and warding off mutiny.

Managing social media

You’d have thought social media was a simple thing: the two-way conversation where everyone’s connected, everyone’s linked, everyone’s liking, and everyone’s following. It’s a global world of connectivity, nonstop chitchat, an open existence where we learn, share and grow. At a basic level, yes, that’s social media defined perfectly, but as with any explanation of this kind, it merely touches the surface. Social media is much more than the sum of its parts.

At first, many organisations were reluctant to be taken in by it all. They thought it was a fad, so to speak: extremely popular but transient. Its time would pass. Everyone that took a sly little pop at it soon realised they had jumped the gun in their estimations. Everyone is now on Facebook, Twitter, LinkedIn, Tumblr and Pinterest, to name the obvious few.

Initially, most organisations didn’t know what to do. They were connected, but didn’t fully understand how to “talk”, to disseminate and to engage. But, with the passage of time, they refined their approach, savvied up on the particulars and, with the help of experts, cracked it. They’ve even taken the time out to develop authoritative social media policies (see the BBC’s English Region’s Social Media Strategy as one example).

However, this doesn’t imply that we’ve reached a level playing field. As we mentioned above, social media is a complex creature and a burgeoning one too. At RANT last night in London, Jitender Arora, chief information security officer (CISO) at GE Capital UK, discussed whether such policies are suitable. His assertion is that “pragmatic” social media governance is more effective.

He makes a shrewd point. Businesses, and indeed CISOs, can’t cover every eventuality in a static document that sets the terms and conditions in stone. You simply can’t anticipate every eventuality across a number of different platforms which, although all connected in that they are social, are distinct in their makeup. Moreover, asks Mr Arora: “Are social media policies really effective in changing user behaviour?”

The obvious challenge is how one ensures that a business keeps its brand integrity intact when it publishes and engages on a macro level – a ubiquitous presence online, by virtue alone, opens it up to blunders. And these are the ones that can’t be quickly remedied in the hope that no one noticed. Your audience, online, is connected. They saw.

One of the more serious challenges is naturally concerned with data protection. Cyber criminals, as we know, possess many means to hack into websites and security systems, big and small. The consequences of having a social network hacked are not to be underplayed, as a paper two years ago postulated. Produced by the Information Systems Audit and Control Association, the study stated that the biggest threats to organisations through this conduit are viruses, brand hijacking and loss of corporate content.

Which, funnily enough, brings us back to the central question: which is best, a pragmatic approach or following a fixed policy? Honestly, a bit of both perhaps. The UK has an “unwritten” constitution and it works; it has done for many centuries. It responds and it grows. In the US they have a static constitution, which is superbly eloquent. It has been amended 27 times. Things change.

The next RANT forum takes place near Earls Court in London on Wednesday 25th April 2012. For more information, visit our website.

Something phishy is going on in Facebook

What would a world be like without Facebook? The mere question sends an icy shudder down our collective spines. It has become so embedded not only in our personal lives, but has rooted itself into the identity of different facets of society. From political parties to charities to big corporate giants, Facebook has become integral to their message.

Of course there are other social networking sites out there, all of which are user-friendly, engaging and full of interesting features – note, Google recently revealed that its own social offering, Google+, now has 90 million registered users – but none of them have had the same impact as Facebook. Heck, it even got made into a movie, and a very good one at that.

This all adds up to making Facebook particularly vulnerable to exploitation and cyber attacks. With that many people connected and overly candid about their private lives, perceptive criminals have been able to, for example, break into homes, steal identities and gain access to bank details. The worrying thing is that this openness is a sign of the age.

“People have really gotten comfortable not only sharing more information and different kinds, but more openly and with more people – and that social norm is just something that has evolved over time,” Mark Zuckerberg, the co-creator of Facebook once said.

One thing to be aware of this year is a new phishing scam unique to the social networking site. The basic premise is that fraudsters are posing as Facebook security in chats. David Jacoby, a Kaspersky Lab expert, warns that these scammers are attempting to steal not only identities, but credit card information and security questions. Moreover, the move highlights a new approach to phishing.

“This Facebook phishing attack is pretty interesting because it does not just try to trick the victim into visiting a phishing website,” he wrote. “It will reuse the stolen information and login to the compromised account and change both profile picture and name.”

Once an account has been hijacked, the profile is modified and all contacts are sent a message warning them that their account will be deactivated. It asks people to click a link which redirects them to a sham Facebook page that asks for key login details. After that comes the ‘juicy bit’: a request for credit card details (including your security code).

Not only is it all so sophisticated, it exudes authenticity. This scam and others like it showcase the product of, dare we say it, extensive research and hard labour. The disturbing thing is that they’re becoming more popular, and unfortunately capturing people off-guard.

Although Facebook is fully aware of the security threats it faces on a daily basis – “We have spent several years developing protections to stop spam from spreading and have sought to cooperate with other industry leaders to keep users and their data safe,” it said in a recent statement – more needs to be done to educate users about how to keep their data and personal information secure. We as professionals can do our best to develop strategies to negate the impact of such scams, but to truly succeed, we need vigilance from those outside of the industry as well. Together we can make Facebook a virtual home as comfortable as that of our tangible abodes.

Getting in on the conversation

Nowadays if you’re not on a social network site like Facebook, LinkedIn or Twitter, you are seen as someone who is not with the program. It’s objectionable to some people, an affront even – why on earth wouldn’t you be connected?

This is an age of information, of conversation, both digitally and in person. We’ve never had so many channels through which to communicate with one another on such a grand, open scale. From one corner of the world to another we can navigate intelligent discourse on anything and everything, quickly and in person. The flow of content has never been so easy.

With this in mind, some hints and tips for security professionals looking to ‘get in on the conversation’ are as follows.

If you’re not already on a social networking site, then now is the time to sign up. While that may indeed be unlikely – we like to think you’re relatively informed about the virtues of such sites, personally and professionally – it is worth reiterating.

None of the above are absolutely essential – there are an abundance of social networking sites out there, equally good, though not all that well known. Some will be relevant to industry – like an intrepid explorer, hit Google and have a search. While we’re here, do have a look at Google+ – it’s definitely one hell of an innovative platform to converse online.

However, the advantages of connecting on Facebook, Twitter and LinkedIn are that they are all extremely popular, have a huge following – implying you can network much more efficiently through these channels – and they excel at what they do. So get liking, tweeting and linked in.

Through such digital networks we can create opportunities for real world interaction. Sign up to mailing lists and follow key initiatives like RANT. In doing so, you open up doors for all sorts of instances where you can meet peers, learn from one another and create opportunities to progress in your career. You’ll also be abreast of the latest happenings in the business, whether that’s new reports, blue sky thinking or upcoming conferences discussing the future.

It’s all about fostering a collaborative – and indeed open – environment. As security professionals working in a digital age, we have to be at the forefront of technological innovation, forward-thinking and keeping an ear to the ground. Don’t get left behind.

Get Tweeting for Recruitment

It seems like there was never a time when Twitter wasn’t around, such is its ubiquity in contemporary society. From the general public posting ramblings to celebrities waxing lyrical about their lifestyles to the government keeping the public updated about its various endeavours (many of which no doubt centre on the economy!), this social media site has grown exponentially in the last few years.

Twitter has, in short, transformed the way we interact with one another, how we communicate news and information in general and how businesses and organisations conduct their operations. Its success is owed to its simplicity and unmediated real-time nature, USPs that manage to appeal to a wide demographic of people.

The IT security market is no stranger to this medium, which is ideally suited to recruitment. Whether it’s used to source or post job vacancies in, for example, the information security, technical risk or IT forensics professions, or as a means of networking with industry specialists, Twitter is the perfect tool for businesses and prospective employees to connect.

When using Twitter as a recruitment service, helpful tips might include utilising hashtags so that tech-savvy professionals looking for work can easily find a job in their given field. For example, let’s say someone is looking for positions in information security – Acumin would post “#infosecjobs” in a tweet with an appropriate link to a specific job. This creates an easily searchable trend, which simply cuts out all the clutter and connects agencies to professionals in a simple and efficient way.

Organisations wanting to headhunt professionals in their sector can take advantage of the many Twitter offshoots, which offer unique ways of engaging with the medium. Take for example http://www.wefollow.com, a user-generated Twitter directory which, like the service itself, operates on a simple interface.

Equally, there are ample aggregators out there specifically aimed at bringing together jobs in the information security and risk management sector, which can be discovered by conducting a simple search. Check out http://www.twitjobsearch.com as just one example of this.

Professionals and agencies working in any given sector can keep a real-time conversation going through their own tweets, @ replies, and retweets. It can be a great tool for keeping abreast of industry developments by following businesses and specialists within the sector. There is a lot of following on Twitter, and features such as suggested follows and browsing others’ connections make targeting appropriate sources easier. To this effect, a budding IRM professional might demonstrate gravitas and expertise through posting comments and links about relevant developments in their sector – content an employer might chance upon, which also enhances the poster’s own brand.

It’s about the two-way conversation – are you tweeting today?

Follow us on Twitter: @Acumin