Stealing Secrets: Telling Lies Over the Phone

In a recent post (Hackers Play “Social Engineering Capture The Flag” At Defcon) I pointed to a game in which contestants used the telephone to convince company employees to voluntarily cough up information they probably shouldn’t have. At the recent Defcon event, social engineers proved that it doesn’t take much more than asking to get the necessary information that may lead to penetrating a person’s computer.

Social engineering is a fancier, more technical form of lying. An alternative to traditional hacking, it is the act of manipulating others into performing certain actions or divulging confidential information. Social engineering or “social penetration” techniques are used to bypass sophisticated and expensive hardware and software in a corporate network.

Social engineering is all based on telling a lie and getting others to tell the truth in response. Thousands of years of civilized conditioning and cultural teaching to help and trust one another has made people just a little too eager to help.

Participants in the contest successfully got employees from some Fortune 500 companies to provide full profiles of the inner workings on network PCs and software that could easily be used to launch an attack. Some revealed what operating system they had, the version of their service pack, antivirus software, browser, email, which model their laptops were, the virtual private network software the company used, and even what garbage collector hauled the company’s trash.

In some cases, the tricksters even got the Fortune 500 employees to visit certain websites while on the phone. Sometimes the simple act of visiting a website can install a malicious program on your PC if it’s not properly protected. Based on the answers provided by the employees, the social engineer can guide the person to whatever website that would infect their computer based on the answers provided.

Recognize that while you are generally not being swindled by those who call you, there is a chance that you may be. This means having systems in place regarding what can be said to whom, when, and why. Training on social engineering and how to prevent it is a must for any company and frankly for any individual who doesn’t want to fall victim to a conman.

Robert Siciliano, personal security expert contributor  to Just Ask Gemalto, discusses credit card fraud on NBC Boston. Disclosures

Banks Need You to Partner in Security

Sticking your cash in a mattress has never been a good idea. That’s why we have banks. Banks have safes, insurance, and other systems in place to ensure that multiple layers of security protect your money.

In the past decade, however, as much as 80% of all banking has taken place online, compared to the hundreds of years of traditional banking. Clearly, this is all about convenience. And it has become apparent that these conveniences of technology have outpaced consumers’ security intelligence. It is possible to secure systems in a way that will defeat most online criminal activity, but that level of security comes with inconveniences that the consumer may not be equipped to handle.

According to American Bankers Association VP of risk-management policy Doug Johnson, “The banking industry wants consumers to monitor their online accounts for unauthorized transactions on a continuous, almost daily, basis. That’s because PCs and smartphones have become the online bank branch for a lot of individuals. The customer needs to really recognize that security is most effective when they work in partnership with their financial institution.”

When banks began building out their infrastructure to allow for online banking, they didn’t anticipate the thousands of ways in which the bad guy would scheme to separate banks and their clients from their cash. There are tens of thousands of viruses created every year to overtake users’ PCs and con customers into entering their credentials in spoofed pages.

While banks are fighting their own battles, working with the security industry to create new technologies to combat fraud and account takeover, it is imperative that the banks’ customers adhere to the fundamentals.

  • Set your computer’s operating system to automatically update critical security patches.
  • Make sure your firewall is turned on and protecting two way traffic.
  • Always run antivirus software, and set it to update virus definitions automatically.
  • Run a protected wireless network.
  • Never click links within the body of an email. Instead, go to your favorites menu or type familiar addresses into the address bar.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses online banking security on CBS Boston. (Disclosures)

Researcher Proves Your Friend Isn’t Your Friend

I’ve said numerous times that there’s too much trust in the Facebook world. People have entirely dropped their sense of cynicism when logged on. Apparently, they see no reason to distrust. Generally, your “friends” are people who you “know, like and trust.” In this world, your guard is as down as it will ever be. You can be in the safety of your own home or office, hanging with people from all over the world, in big cities and little towns, and never feel that you have to watch your back.

Computerworld reports, “Hundreds of people in the information security, military and intelligence fields recently found themselves with egg on their faces after sharing personal information with a fictitious Navy cyberthreat analyst named ‘Robin Sage,’ whose profile on prominent social networking sites was created by a security researcher to illustrate the risks of social networking.”

Apparently, one of the easiest ways to gain acceptance as a trusted colleague is to be an attractive woman. I recently wrote about “Sandra Appiah,” a curvy lady who sent me a friend request. She had already friended two of my buddies, who accepted because they already had two friends in common. She had posted questionable photos of herself. Red flag? But my buds didn’t seem to see it the way I did.

The security researcher set up profiles on Facebook, LinkedIn and Twitter. “Then he established connections with some 300 men and women from the U.S. military, intelligence agencies, information security companies and government contractors.”

Steve Stasiukonis, another ethical hacker, took it to the next level. He used a similar technique and, with permission, infiltrated a company’s network to test their security. By creating a group on Facebook, he was able to access employees’ profiles.

He set up his own employee persona with a fake company badge, business cards, a shirt embroidered with the company logo, and a laptop. “Upon entering the building, he was immediately greeted by reception. Then displayed fake credentials and immediately began ranting about the perils of his journey and how important it was for him to get a place to check his email and use a restroom. Within in seconds, he was provided a place to sit, connection to the Internet, and a 24×7 card access key to the building.”

Social media can and is being used as a smokescreen. The idea behind social media is that we are social creatures that thrive in community and want to connect. The problem is that this ideal is based on the mindset that we are all sheep and there are no wolves.

When mama told you to not talk to strangers, there was wisdom in that advice. When you friend people who you don’t know, you are friending a stranger and going against moms advice.

Robert Siciliano, personal security and identity theft expert contributor to Just Ask Gemalto, discusses hackers hacking social media on Fox Boston. (Disclosures)

Spies Among Us

The term “spy” conjures ideas about “foreign operatives,” “moles” and James Bond. You might envision forged IDs, fake passports and fraudulently issued government sponsored papers. When spies were recently exposed and caught in the United States, it was kind of surreal for me, since some of them lived right here in Boston.

Back in the day, spies used advanced covert technology, was always a hidden or shrunken version of something more common and accessible. Today, the same technology exists, and it’s cheap and mostly manufactured in China. Lighters, pens, just about any small, seemingly benign object you can think of can contain a video or audio recording device. Tiny flash or thumb drives are capable of storing gigabytes of data.

The eleven Russian spies who were recently nabbed used a lot of the same equipment that you and I use today, including laptops, flash memory cards, and cell phones, but with a twist. One of the spies would set up a laptop in a coffee shop on a regular basis, and the FBI noticed that on Wednesdays, a van driven by an official would go by. The FBI determined that when the van passed the coffee shop, there was a direct exchange of data via their wireless laptops. The discovery was made using commercially available WiFi sniffing technology. Apparently, the data was transferred in this way to avoid detection over the Internet.

The phones the spies used were prepaid mobile phones with no contract, which are often paid for with cash so the user can avoid detection. After a few uses they toss the phone and get a new number to avoid detection.

And the availability of fake identification makes it so easy to pose as someone else. Do an online search for “fake ids” and you’ll be amazed to discover how easy it can be to obtain an ID or passport. Or how easy it can be for someone else to obtain an ID that would allow him or her to pose as you. Some websites peddle poor quality cards, others offer excellent quality, and many websites are simply scams.

The fact is, most of our existing identification systems are insufficiently secure, and our identifying documents are easily copied. Anyone with a computer, scanner, and printer can recreate an ID. Outdated systems exasperate the problem by making it too easy to obtain a real ID at the DMV, with either legitimate or falsified information.

In the end, the spies were caught with a combination of high tech surveillance and gumshoe police work. The Boston Globe reports that in 2005, FBI agents found a password written on a piece of paper while searching the home of one of the spies. This allowed agents to decode more than a hundred messages between the spies and their government.

Unless we effectively identify who is who, using secure documentation, it’s spy business as usual.

Robert Siciliano, personal security expert adviser to Just Ask Gemalto, discusses Spies using fraudulent passports on Fox News. Disclosures

Privacy Laws for Kids Online

Numerous privacy groups are urging the FTC to update its Children’s Online Privacy Protection Act of 1998. The primary goal of the Children’s Online Privacy Protection Act, or COPPA, is to give parents control over what information is collected from their children online and how such information may be used.

Jeff Chester, Executive Director of the Center for Digital Democracy said, “The Commission should enact new rules for COPPA that draw upon its current investigations into behavioral marketing and other current digital advertising practices. It’s time for the FTC to do a better job of protecting the privacy of children online.”

The Internet today isn’t what is was in 1998. Back in the day, when dial up – the online equivalent of a horse and buggy – was the only means of getting around, the risks weren’t as great as they are now. The speed of technology has outpaced the security of information and the learning curve of users. Over time, many web operators conveniently forget the rules, chose to do things their own way, and then apologize when they are accused of doing something wrong.

The original COPPA was designed around websites that sell merchandise. Today, we have social media, Second Life, online gaming sites, and smartphones that can access the Internet anywhere, anytime.

The report states, “several start-ups…are experimenting with ways to use cell phones to bridge the digital and physical worlds and turn the tasks of everyday life, like buying coffee and running errands, into a game.” Many major companies are taking advantage of these applications for promotional purposes. A major fast food chain, for example, offers a soda and sandwich to people who “check in” three times. This company is also able to “use the data they collect from people’s cell phones to learn more about who their customers are and how they behave.”

Geolocation could pose a privacy threat. Information collected through geolocation is particularly sensitive, since it can allow a child to be physically contacted wherever he or she is, at any time. Parents need to be aware if there is misuse.

The descriptively named website aggregates real time location information that users have voluntarily shared on Twitter in order to bring attention to the potential problems with this type of sharing.

The risks are magnified for children, who will often fail to comprehend the significance of sharing personal information. And when a child’s location is collected automatically, neither the parent nor the child is aware that this information is being shared, nor are they given the opportunity to consent or refuse to consent to such data collection.

Kids are plugged in all day, which means it’s imperative that parents understand how these technologies are slowly infiltrating children’s’ lives in ways that we couldn’t possibly have imagined a decade ago. Hopefully, more transparency and oversight of the wild, wild web will keep new technologies in check, and your kids more secure. A great site to help educate you and your kids is

Robert Siciliano, personal security expert adviser to Just Ask Gemalto, discusses child predators online on Fox News. Disclosures

Using Honeypots to Better Understand Security

When you think “honeypot,” images of that lovable furry bear, Winnie the Pooh, may come to mind. Pooh loved him some honey. And whenever he stumbled upon a pot of honey, he gorged himself on that sugary goodness until he passed out. Yum.

But in technology terms, a honeypot is a trap set to detect, deflect, or somehow counteract unauthorized use of information systems. Generally, a honeypot consists of a computer, data, or a network site that appears to be part of a larger network, but is actually isolated. (You may have seen reality shows where police set up a bicycle in front of a store and stake it out until someone steals the bike, then tackle and arrest the thief. A honeypot is similar, but without the tackling and arresting.)

Honeypots are tools used by researchers and security professionals to monitor the behaviors of criminal hackers and viruses, allowing the researchers to gather intelligence on how they operate. In this way, researchers can gain an understanding of the motivations and methods a hacker would use. This process helps developers think like the bad guy, giving them a better understanding of the necessary security needed to prevent and counter attacks.

When intuitive security professionals develop a honeypot mindset, they can anticipate the bad guy’s next move. They make numerous predictions about what he will do next and put redundant systems in place to prevent him from doing his job. This becomes second nature for some.

I’d recommend a similar strategy for your own personal security. When it comes to protecting yourself, think about your surroundings and what might make you a target. If you are processing a credit card transaction, think about how risky it may be and what to do in response to those risks. Before you leave your home, visualize the paths of least resistance into your house and what should be done to secure it.

Bad guys don’t play by the same rules we do. But if you understand their game and anticipate their next move, you can beat them.

Robert Siciliano, personal security expert adviser to Just Ask Gemalto, discusses another databreach on Fox News. Disclosures

Are Contactless Payment Methods Secure?

“Contactless,” in this context, refers to the use of a wireless device. A payment is contactless when, instead of inserting your credit or debit card, you hold your card or keychain device within a few inches of the terminal, and your payment information is sent and processed wirelessly.

Contactless payments offer a faster and more convenient alternative to cash for small purchases at fast food restaurants, convenience stores, and transport terminals. They are also ideal for remote or unattended payment situations, such as vending machines, road tolls, or parking meters. So far, I haven’t seen a report of bad guys exploiting contactless payment systems.

Hackers, whether they’re black hat (bad guys) or white hat (security professionals), are always looking for vulnerabilities in technology. The bad guys’ intentions are to exploit these vulnerabilities for ill-gotten gain, and the security professionals’ are to make the technology more secure.

A white hat hacker demonstrated some of the vulnerabilities of early contactless technologies for Canada’s CBC News. However, these demonstrations took place in unrealistic settings, and the IT professional went to great lengths to concoct scenarios in which this payment processing method could lead to fraud. These scenarios encourage fear, uncertainty, and doubt, without providing any tangible testing value.

In response to the question of security in contactless technology, the Smart Card Alliance stated, “Contactless smart card technology includes strong security features optimized for applications involving payment and identities. Every day tens of millions of people around the world safely use contactless technology in their passports, identity cards and transit fare cards for secure, fast and convenient transactions. Multiple layers of security protect these transactions, making them safe for consumers and merchants. Some of these features are in the contactless smart card chip and some are in the same networks that protect traditional credit and debit card transactions.”

A researcher can manipulate tests in a controlled environment and create a desired outcome that seems to establish vulnerability, but there’s a big difference between that type of demonstration and real world penetration testing. To date, there is no such thing as 100% perfect security, and my guess is that there will never be. With that in mind, it is essential that the good guys continue to work towards that goal, impossible as it may be, and to expose flaws that they find, but they should do it responsibly.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses on CNBC. Disclosures

Mobile Phone Spyware Resellers Arrested

Spyware is sold legally in the United States. This software records chats, emails, websites visited, usernames and passwords, and basically everything a person does on that PC. Some spyware programs can record everything in a video file that can then be accessed remotely.

This is all perfectly legal as long as the PC’s owner is the one to install the software. Installing spyware on a computer that is not your own is illegal. Spyware can be great if, for example, you have a twelve-year-old daughter who obsessively chats online, and you want to know with whom she’s chatting or if you have employees whose productivity is less than satisfactory, you may want to check if they’re watching YouTube all day.

Spyware also comes in the form of a virus, which essentially does the same thing. When you click a malicious link or install a program that is infected with malicious software, numerous types of spyware can be installed as well.

Mobile phone spyware is relatively new and is quickly grabbing headlines. As PCs shrink to the size of a smartphone, spyware continues to evolve with this trend.

Apparently, cell phone spyware is illegal in Romania, since the Romanian Directorate for Investigating Organized Crime and Terrorism recently arrested fifty individuals, including “businessmen, doctors, and engineers, in addition to a judge, government official, police officer, and former member of Parliament,” who have been accused of monitoring cell phone communications of their spouses and competitors, among others, using off-the-shelf software.

Spyware can be installed on your cell phone remotely or directly. To protect your phone, never click on links in texts or emails that could actually point toward malicious downloads. Always have your phone with you and never let it out of your sight or let anyone else use it. Make sure your phone requires a password to have access. If your phone is password-protected, it will be difficult to install spyware.

If your phone is behaving oddly or you have some other reason to suspect that it contains spyware, reinstall the phone’s operating system. Consult your user manual or call your carrier’s customer service for step-by-step help with this process.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses mobile phone spyware on Good Morning America. Disclosures

Adobe a Target for Criminal Hackers

We all know and love Adobe products. Their PDFs have become as ubiquitous as .DOC, .TXT and .XLS. Most PCs include Adobe Reader as a bundled software. The Adobe Flash media player is the easiest most user friendly online video player on the planet and required for the most popular video site YouTube.

Brad Arkin, Adobe’s director for product security and privacy, recently commented, “We’re in the security spotlight right now. There’s no denying that the security community is really focused on ubiquitous third-party products like ours. We’re cross-platform, on all these different kinds of devices, so yes, we’re in the spotlight.”

Adobe, in response is doing everything a responsible software developer should do.

Adobe is the same boat today that Microsoft found itself in years ago. Ground zero. Hack central. Criminal hackers love it. Adobe’s software or files are used on almost every PC and across operating all systems. Every browser requires a program to open PDFs and many websites either have links with PDFs or incorporate Flash to play video or for aesthetic reasons. According to an estimate from McAfee, in the first quarter of this year, 28% of all exploit-carrying malware leveraged a Reader vulnerability.

While attention from the criminal hacking community has certainly been a burden to Adobe, the same attention is now being paid by the white hat hackers, the good guys. The security community is now actively involved in the reporting of bugs and vulnerabilities, which is helping Adobe tighten up. Fortunately, Adobe is learning from their current situation and is actively engaged in resolving these issues. They’ve created a better, more frequent software updating tool for each of their programs, including Flash and Adobe Reader. As difficult a situation as this may be, Adobe is handling it very well.

“Application security” is an often used term when, during the software development cycle, the software or application goes through a series of “penetration tests” designed to seek out vulnerabilities that could be exploited in the field. Adobe’s process now includes their Secure Product Lifecycle (SPLC) to seek out and squash those issues. It is important to understand that flaws, bugs, holes, vulnerabilities, or whatever you call them, are often detected after the launch of software. While both developers and criminals have many of the same tools, the bad guys seem to have an edge and are often able exploit those flaws before developers can find and fix them. Adobe however is beginning to turn the tide on the bad guys.

If you function in a Microsoft Windows environment, you should be aware of “Windows Update” and have it set to automatically download and update your operating system’s critical security patches. Updating Reader and Flash requires manual action, but Adobe’s built-in updater can also be set to automatic. I’d suggest that most users set this to automatic as well. If you have an older version of Reader, which may not include an automatic update option, you should head directly to to download the current software.

Robert Siciliano, personal security and identity theft expert adviser to Just Ask Gemalto, discusses credit and debit card fraud on CNBC. (Disclosures)

Wireless Security” is an Oxymoron, But There is Hope

WiFi is everywhere. Whether you travel for business or simply need Internet access while out and about, your options are plentiful. You can sign on at airports, hotels, coffee shops, fast food restaurants, and now, airplanes. What are your risk factors when accessing wireless? There are plenty. WiFi wasn’t born to be secure. It was born to be convenient. Wireless networks broadcast messages using radio and are thus more susceptible to eavesdropping than wired networks.

Anyone using an open unsecured network risks exposing their data. There are many ways to see who’s connected on a wireless connection, and to gain access to their information. As more sensitive data has been wirelessly transmitted over the years, the need for security has evolved. Today, with criminal hackers as sophisticated as they ever have been, wireless communications are at an even higher risk.

When setting up a wireless router, there are two different security protocol options. WiFi Protected Access (WPA and WPA2) is a certification program that was created in response to several serious weaknesses researchers had found in the previous system, Wired Equivalent Privacy. Wired Equivalent Privacy was introduced in 1997 and is the original version of wireless network security.

There are a few things you should do to protect yourself while using wireless.

Be smart about what kind of data you transmit on a public wireless connection. Only transmit critical data from secure sites, ones where “HTTPS” appears in the address bar. These sites have additional encryption built in.

Don’t store critical data on a device used outside the secure network. I have a laptop and an iPhone. If they are hacked, there’s no data on either device that would compromise my identity or financial security.

If you have file sharing set up on a home network, when venturing to wireless hot spots you need to manually turn it off on your laptop.

Turn off WiFi and Bluetooth on your laptop or cell phone when you’re not using them. An unattended device emitting wireless signals is very appealing to a criminal hacker.

Beware of free WiFi connections. Anywhere you see a broadcast for “Free WiFi,” consider it a red flag. It’s likely that free WiFi is being used as bait.

Beware of evil twins. Anyone can set up a router to say “T-Mobile” “ATT Wireless” or “Wayport”. These are connections can appear legitimate but are actually traps set to snare anyone who connects.

Keep your antivirus software and operating system updated. Make sure your antivirus software is automatically updated and your operating system’s critical security patches are up to date.

Robert Siciliano, personal security and identity theft expert adviser to Just Ask Gemalto, discusses hackers hacking wireless networks on Fox Boston. (Disclosures)