Wednesday, November 25, 2015

Social Engineering, Countering The Threat

Would You Buy A Used Monument From This Man?
"Count" Victor Lustig, con-man and Social Engineer, famously sold the Eiffel Tower. Twice.

Like accomplished Social Engineers of today, he was meticulous in his planning, thorough in his research, and had an excellent understanding of human nature. He managed all of this without Google, Facebook, Twitter, or his own printer back in 1925. Modern Social Engineers have it easy. What scams would Victor (real name Robert Miller) have to his name if he were around today? Which world leader, CEO, or politician would be his victims?

360is have written a short guide to defending against modern social engineering attacks, and are now introducing our social engineering services to clients and partners by means of a presentation. If you are concerned that a modern day Lustig may find your organisation and its information assets easy prey, then we can help. Get in touch.

Social Engineering + Converged Communications = Bad For Security

John, I'm afraid I've got some very bad news for you.
We've recently learned that even the Director of the CIA can't keep hackers out of his e-mail. A teenager hacked into CIA Director John Brennan's AOL account. He says he did so by posing as a Verizon employee to other Verizon staff to get personal information about Brennan's account, as well as his bank card number and his AOL e-mail address. Then he called AOL and pretended to be Brennan. Armed with the information Verizon had just given him, he convinced AOL customer service to reset his password.

Brennan didn't have a bad password. He didn't e-mail it to anyone, and he wasn't even tricked into entering it into a fake web page. The security failure here belonged to AOL and Verizon, and it wasn't even a technical failure at that. Now Brennan's e-mail is part of Wikileaks and a thousand articles.

Security experts, 360is included, have long recommended 2 factor authentication systems to all of our clients, and yet still relatively few organisations have this kind of authentication. Their reasons? Cost, complexity, and (in)convenience. Over the last 20 years a number of different companies have attempted to tackle the three Cs. Some of the more recent attempts make use of mobile devices and "soft tokens" on those devices, or they use instant messaging as a secure channel to convey a passcode or challenge/response.
Is there such a thing as too much convergence?

What if we are using multi-factor authentication, but thanks to the wonder of converged communications all my factors converge upon a single device, normally a smartphone or tablet? What if that device were itself compromised? Mobile devices can be cloned, rooted, or otherwise compromised just like any computer. How would that possibility change the level of trust you place in these kinds of multi-factor authentication? What if I am also trying to log in to the secure service in question from that very same mobile device? If an attacker has my phone under his control, or has bamboozled me into doing something with it which helps him, what happens to "defence in depth" and "fail safe"?

For these reasons, and because we don't think using 2 factor authentication should mean you have to trust a 3rd party organisation, we recommend keeping your factors as separate as possible for as long as possible. Talk to us if you want to harden your organisation against hackers, social engineers, and end users who sometimes make poor security choices.