A Phisher of Men: Learn How to Turn Social Engineering Techniques Around to Improve Your Security at the RANT Forum

The dangers of phishing and social-engineering attacks are well known and understood by businesses, NGOs and public bodies, so why are they still
effective? And what if there was a way to use the same psychological
pivots attackers use, and improve cyber security? Well, those attending
this month’s RANT Forum in London are about to find out just how to make
that happen.

The speaker at this month’s event is Barry Coatesworth, a highly regarded
cyber-security expert and a member of the government’s industry advisory
group for cyber-security standards, the Information Assurance Advisory Council. In almost 25 years in the business, Barry has experienced first-hand the good, the bad and the ugly of cyber security.

Phishing and associated attacks remain a hot topic, and Coatesworth will
show how and why they still work. “What I do is look at the psychology
behind these attacks,” he tells the Acumin Blog. “Security is constantly
changing, and it’s difficult at the best of times for CISOs to level the
playing field in a constantly changing threat landscape. It’s a case of
adapt or fail – so I look at why attacks work or don’t work, and at how
that understanding can be used to improve security.”

There are any number of scenarios that attackers can use to identify weak
links in an organisation and exploit these to access information: the more
obvious examples include masquerading as executives or colleagues,
relatives or other trusted contacts. But what Coatesworth is more
interested in is the methodologies that underpin these attacks. By unpicking
them and understanding them, he believes infosec professionals can get
ahead of the curve.

“It all depends what the attacker wants to do,” Coatesworth says. “Attacks
tend to be against personnel with access to sensitive information or with
admin access to systems. Opportunity is key, as well as the time and
effort needed to orchestrate a successful phishing attack. It’s not
one-glove-fits-all, but when you look at the psychology behind how the
attacks work, there are some common themes.”

Most businesses use some of the principles of social engineering already,
but probably don’t realise it. “The psychology behind these attacks is all
about marketing and PR,” Coatesworth says. “It’s more in the generalities
than the specifics. They all follow similar proven methods to seduce or
manipulate you to click on that link or download that file. If you
understand these strategies you can use them internally: it’s like a form
of guerrilla warfare, but you can use it in a positive way.”

If you want to learn how – or even if you’ve tried it and don’t think it
can be done and want to argue about it – then Wednesday’s RANT Forum is
the place to be. Wednesday 25th September, email Gemma on gpaterson@acumin.co.uk if you would like to be added to the guest list. We hope to see you there.

Privacy is always better through sepia-tinted glasses

Instagram has done one thing well. And no it’s not turn HD 8MP snaps of man plus dog’s meals in to Polaroid-esque travesties of blurriness, reminiscent of ‘70s snappers. What the photo filter app-maker (or photo-sharing and social-networking service if you sign up to marketing hyperbole) has done though is highlight that there isn’t a total sense of apathy and disinterest in security and privacy amongst the greater public, they just need something to care about – a sepia-toned champion if you will.

As word of a renewed privacy policy swept across Twitter, Tumblr, and Pinterest, the cool kids were up in arms, albeit at the duress of coattail-riding ‘celebrities’ like Kim Kardashian (a more orange than sepia skinned hero granted, but we take what we can get). How can you not own a photo you took on your own phone? There is one school of thought here that rationalises the situation – you own the unaltered photo which you took; but as you’ve over-exposed/scratched/generally ruined it with their app, then the output belongs to Instagram. By their logic, any image manipulation produces a new photo that is the property of the editor. That’s the kind of proprietary nonsense that even Apple’s legal team would turn their noses up at. This isn’t something anyone wants – my HTC has similar filter editing built in, and plenty of HDRs and digital cameras do their own image and balance correction on-device. Whilst we’re on the subject of what you can do ‘on-device’, in what world did Instagram think it was a good idea to not let users take pictures offline? Seriously?

Despite what Instagram, Zuckerberg, or anyone else claims the true intention of the shift was, the subsequent backtrack was unsurprising both in its speed and scope of the policy turnaround. For a company fresh off the back of a $1bn acquisition and enjoying the associated buzz of riding the crest of the Facebook wave, the whole move was a PR disaster and the damage has already been done. If you believe some news outlets, the app has lost half of its daily user base as a result of the debacle, and competitors have stepped up to try and fill the ‘vintage filter’ void.

But is it fair to blame companies like Instagram, YouTube, Facebook, et al for tying to monetise their offerings? After all they host literally petabytes of users’ content. It isn’t just servers that cost, but staff, cooling, and ground rent. And really, what were they going to use those pictures for? Which third parties were they hoping to sell them to? As nice as that shot of a sun-drenched deckchair on Brighton beach is in black and white, it’s not like stock photo repositories are going to be teeming with low-res shots of your shenanigans for sale. Let’s face it, Instagram got jealous of Facebook and LinkedIn with their user content advertising, and got caught up in the ‘we should be doing that too’ mentality that is synonymous with social media… except they forgot to offer an opt-out like those other bastions of user privacy (eventually) did.

So there’s one very important lesson Instagram has given us – users care about privacy and security when they have a vested interest, if it’s something they use out of choice rather than necessity, they are more than ready to get up-in-arms about it. Well actually there are multiple lessons, but if there’s one more fortune cookie of wisdom here… It might be best to explain the purpose of a policy before rolling it out, even if it’s just for awareness, hearts, minds, and warding off mutiny.

If you like it, Google might put a ring on it

A recent Google Labs research paper explored ideas of alternative sign-in methods and securer authentication techniques. As anyone who has used Gmail over the last few months will know, Google are desperate to introduce secondary forms of verifying your identity; namely submitting your mobile number so that the Mountain View-based internet giant can generate a one-time password. A current pilot study being run out of the Googleplex explores the idea of the mobile device as (rather than generating) the password, this is the passdevice.

Google are desperate to get user security right. They have a large existing user base across their search, messaging, mapping, and video services, and are firmly established as a market leader in consumer email. It isn’t just email though; your Google credentials are the same across the entirety of their platform and product range. What we are dealing with here then is a cross-platform online identity. With the increasing monetisation of services such as Wallet and the Play Store, there is also a direct loss impact to be felt should account security be compromised. There is a direct financial incentive, in terms of profit rather than just loss prevention, as Google tries to assure us that is the homogenous web ecosystem… although let’s face it, no one is believing those Google+ user figures!

Search, Gmail, YouTube, Android OS, Play Store, Zagat, Maps, Motorola, Blogger, Drive, AdWords, AdMob, Analytics. Google offer a lot of free services, and constantly push the envelope in research (Goggles), only to scrap offerings that aren’t ‘working’ (read: not easily monetised) – Google Wave anyone? So there’s no questioning the value that they bring to the digital age, and the standing they have as one of the world’s most powerful (if not necessarily trusted – “don’t be evil”) brands. Is it that unreasonable then that they might ask something in return, something beyond $10-11bn/year profit and full knowledge of your online habits?

You see, Google are thinking along the same lines as Beyoncé here, if you like their services so much then you might as well let them put a ring on it. An authentication ring. Which all sounds very nice, until you start thinking that Web 2.0 giants like Facebook and Twitter, and arch-rivals Apple might like the idea – free advertising and the kind of brand commitment that wearing a real world ‘device’ entangles. The whole initiative would take some time to role out too, not just in terms of manufacturing and getting rings on fingers, but also in terms of devices and platforms that can read the token. Mobile phones are refreshed every 18-24 months, meaning that side of the industry wouldn’t take too long to catch up, but what about PCs – would a reader be connected via USB, retro-fitted, or built in during manufacture? And then there’s Apple, who haven’t exactly been playing ball with supporting their Californian neighbours’ products and services – considering the market share Apple still have in Western markets like the US and UK (and remarkably in Japan), then Tim Cook (Apple CEO) may be the biggest road block on the ring’s route to market.

As a principle there are pros and cons from a security and usability perspective with ‘ring-thentication’ – to name a few… Will it be resilient? Water-proof? Easily blocked and replaced if lost or stolen? Will remote and/or security updates be possible? There are still questions to be answered, but what the research paper does do is finally try to take on the challenge of user inertia towards security and passwords. It’s so simple a solution, that the user won’t have to do anything beyond making the initial decision to put the thing on.

That old new

It’s always the case that the latest gadget, fad, instrument of innovation, touted as being brand new and state-of-the-art, is, technically, if we are to be a bit pedantic about it, ‘old’.

It may appear to be an anomalous statement, because, if we take the iPad 2, when it first came out, it was indeed the latest iteration of what is surely going to be a longstanding series of products. It was ‘as new as new can be’.

But, if we take a wider look at the picture, the technology used in developing the multimedia tablet, the blueprint for its design, the research and testing of it, occurred well ahead of that.

A prototype no doubt would have been in place months before its release, if not a final product. Professionals working in the information security & risk management industries will no doubt agree that real world perceptions of time are not what they seem. We’re either behind or kept in the dark. Not maliciously mind you, it’s just a matter of fact of how life is.

So, it gives context as to why the government’s intelligence agency GCHQ, laden with expertise and knowledge and technical savvy, keeps information about its operations hidden, encrypted if we want to use our language. National security is, of course, a very pressing matter. The more people know about any given subject the wider the likelihood of its dissemination when the opposite is desired.

However, judging the time is apt; the GCHQ has decided to share such information and technology with various businesses, as it seeks to adopt a more collaborative – open source approach if you will – in the fight against cybercrime.

As the BBC notes, as well as being a routine exercise in promoting better security, the decision is also economic. Internet business generates about six per cent of the government’s GDP. To give it greater whammy, that figure outstrips agriculture or utilities.

On a more relevant note to those of us working in and around cyber security, this greater access to information will help many people develop defences against the surreptitious threat posed by criminals operating in the virtual landscape. It’s up there on a level with international terrorism so the BBC story reads.

That we can appreciate and we wait with baited breath as to what fascinating developments have been made. And with that information we will develop our own solutions, independently and collaboratively, or at least discuss them at events like the RANT forum each month.

So, though that information may in fact be ‘second-hand’, what we do with it, is new. Magic, no?