The Seven Deadly Sins of Social Engineering

Social Engineering has always been one of my favorite attack vectors when doing any penetration test. A big reason why our firm succeeds is that we as human beings forget the “Seven Deadly Sins”.

Looking back at the social engineering attack vectors I used on previous engagements, I noticed they always centered on a few key themes, and each of those themes can be attributed to one of the Seven Deadly Sins.

The Seven Deadly Sins, for those not familiar with them, are: Lust, Gluttony, Greed, Sloth, Wrath, Envy, and Pride. Let me give some examples:

  • Lust – Those wonderful emails promising a wonderful time with beautiful women or a sexual temptation
  • Gluttony – Free Gift Cards to some retailer in some huge sum
  • Greed – Nigerian emails or those wonderful email scams promising lots of money (gift cards to retailers can also fall under this category)
  • Sloth – Easy money by working at home
  • Wrath – Maybe not so much outrage or anger towards an individual, but a situation or outcome, like poor orphans, or a major disaster situation like the recent Typhoon Haiyan
  • Envy – Free iPads, iPhones or some beautiful electronic device
  • Pride – Involves stroking one’s ego in the email, calling them a valuable person or asset and that they are needed. Insecurity is a form of pride, where rather than building one’s ego, they tear them down and make one feel insecure about themselves.

In all cases, these are emotional appeals: they can motivate someone to donate in the spirit of aid, as with Typhoon Haiyan, or play on someone’s envy because a friend has the nice shiny toys they desire.

Either way, be conscious about these social engineering attempts, in your business and personally. These seven social engineering attack vectors will always net at least one win and the adversary only needs a single win.

Another vBulletin Security Hole? Not surprising

First, in the interest of fair disclosure, I have been a vBulletin customer for close to 10+ years. While my criticisms may be harsh, they are justified given the level of incompetence I have witnessed in the last few years.

If you missed this article on Brian Krebs’s blog two weeks ago, it details an exploit that targets the installation folder of the vBulletin 4.x and vBulletin 5.x generation with an estimated 35,000 sites affected despite Internet Brands notifying customers.

If you run a forum or site powered by vBulletin, remove the “/install” and/or “/core/install” folders. If your vBulletin site still has those directories installed, check for new administrator accounts and any accounts that may have been whitelisted in config.php as super admins.
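The two checks above can be scripted. The following is an added example, not code from the original post or from vBulletin/Internet Brands: it reports whether either leftover installer directory still exists under a vBulletin web root and prints the super-admin whitelist from config.php so it can be compared against the administrators you actually created. The config.php locations (includes/config.php for 4.x, core/includes/config.php for 5.x) and the `$config['SpecialUsers']['superadministrators']` key name are assumptions based on the vBulletin configuration layout; adjust them if your installation differs.

```shell
#!/bin/sh
# Added example (not the original post's or vBulletin's own code).
# Audits a vBulletin web root for leftover installer directories and
# lists the user IDs whitelisted as super administrators in config.php.
# Assumptions: config.php is at includes/config.php (4.x) or
# core/includes/config.php (5.x), and the whitelist is the
# $config['SpecialUsers']['superadministrators'] entry.

# Print every installer directory that still exists under the given root.
# Returns 0 if none remain, 1 if at least one is still present.
vb_check_install_dirs() {
    root="$1"
    found=0
    for d in install core/install; do
        if [ -d "$root/$d" ]; then
            echo "LEFTOVER: $root/$d still exists - remove it"
            found=1
        fi
    done
    return "$found"
}

# Locate config.php under the root (assumed paths above) and print its path.
# Returns 1 if no config file is found.
vb_find_config() {
    root="$1"
    for f in includes/config.php core/includes/config.php; do
        if [ -f "$root/$f" ]; then
            echo "$root/$f"
            return 0
        fi
    done
    return 1
}

# Print the comma-separated user IDs whitelisted as super administrators.
# Any ID you do not recognise deserves a closer look in the admin user list.
vb_superadmin_ids() {
    cfg=$(vb_find_config "$1") || return 1
    sed -n "s/.*\['superadministrators'\][[:space:]]*=[[:space:]]*'\([^']*\)'.*/\1/p" "$cfg"
}

# Usage: sh vb_audit.sh /var/www/forum   (the path is a placeholder)
if [ -n "${1:-}" ]; then
    vb_check_install_dirs "$1" && echo "OK: no installer directories found"
    echo "Super-admin whitelist (user IDs): $(vb_superadmin_ids "$1")"
    echo "Now review the administrator list in the AdminCP for accounts you did not create."
fi
```

The script only reads the filesystem; removing the directories and reviewing the administrator list remain manual steps, which is deliberate so that nothing is deleted from a production site without a person looking at it first.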

Criticism

Regardless of the product one uses, webmasters, business owners and organizations should be employing best practices when it comes to vendor risk management. That includes signing up for the vendor’s notifications in the event of security flaws related to their products. Moreover, anyone who did their homework on Internet Brands would clearly know that the product is rubbish. The product is flawed in so many ways it’s not even funny.

There are even a couple of vBulletin blog sites focused on the nightmare it has become.

Criticism of Internet Brands

First, we can all agree there is a set of industry best practices out there, from coding to marketing. From my observations, Internet Brands has pretty much violated every conceivable best practice out there, and is a disaster beyond our imagination. This is the very same company whose vBulletin code leaked database credentials: your SQL username, password, server, and database name were revealed to the public if you looked them up in a forum owner’s frequently asked questions.

Yes, site owners are responsible for their sites, but Internet Brands has no real concept of risk management, project management or information security. Their sole purpose is to make money, and they will make money at the expense of your site’s information security. As a customer, I lost faith very quickly and terminated my usage of vBulletin immediately so as not to expose my sites to potential and future security issues.

Moreover, their security notices downplayed the security threat. In an email Internet Brands wrote to its customers:

A potential exploit vector has been found in the vBulletin 4.1+ and 5.0+ installation directories. Our developers are investigating this issue at this time. If deemed necessary we will release the necessary patches. In order to prevent this issue on your vBulletin sites, you should delete the install directory for your installation. This folder is not required for normal operation of vBulletin.

When one reads the email, the hedged choice of words leads customers to draw the wrong conclusions: that the threat is not confirmed, that it will be confirmed later, and that a customer should expect a further notice once the security issue is confirmed, so no immediate action is required. This miscommunication of the flaw was designed to protect Internet Brands, but in the process the language chosen changed the risk from an actual risk to a potential risk.

Beyond the notification and communications to its customers, Internet Brands itself is responsible for the overall security of their product. That includes elements like the install directory. It is still the responsibility of Internet Brands to ensure that vBulletin is securely coded, using industry best practices to test, audit, and validate, and deliver a product that not only is coded well, but scales well.

Information security starts with your developers and your software vendors, and it continues with them. It is (or rather, should be) a required part of the software development life cycle. It isn’t easy to do, but the savings and return on investment are tenfold when it is integrated into your processes.

Do your homework on your software vendors. Yes, they may claim security is at the top of their list, but I would “trust but verify”. More importantly, don’t be cheap on information security. Going for checklist audits and assessments just to say you are secure is being cheap.

Your organization has a reputation to uphold. Information security is an investment in your organization and its welfare. Should you not wish to invest, be prepared for a number of sleepless nights ahead.

Summary:

  • Securely Code Your Products
  • Do your homework on your vendors
  • Your organization has a reputation. It can get tarnished for improper information security.
  • Information Security is not cheap. But it is well worth the investment in the long run.

Encouraging Aspiring Future Cyber Defenders

The process of building, nurturing, encouraging, developing, inspiring, and training future cybersecurity professionals is an ongoing lifecycle for us at Net Force. For the second straight year, our team has been working with Cal-Poly Pomona, Los Angeles Unified School District and CyberPatriot to identify and encourage new and rising talent in the industry.

This past weekend especially was a landmark occasion for those of us in Los Angeles. Over 350 middle and high school students from across Southern California gathered together for the first annual “Cyber Day Los Angeles”. Students as young as sixth grade were given Windows images to debug and remediate security issues while the advanced and battle-tested students also engaged in a Linux Capture-The-Flag (CTF) Competition.

These students represent our future team members and colleagues. It is such a huge priority for those of us at Net Force to have more friends than enemies. We want to see these students become our allies rather than those who go to the dark side. It makes our lives significantly easier.

Training future talent is a key component of defending our systems. As I wrote before, defense is not easy. Competitions like CyberPatriot and events like Cyber Day Los Angeles ensure that we have the brightest minds working on the ongoing battle against cybercrime. Cyber threats, with their increasing sophistication, continue to be the biggest threat to organizations of every kind. Adversaries are becoming more adept in this field, to the point where they are making a profession of being evil. Knowing that these young minds are coming down the pipe brings some comfort.

At the end of the day, I find it inspiring and encouraging to see so many students, from both middle and high schools across Southern California, gather and share a passion for cyber security.

Teaching CyberSecurity in Higher Academia

Teaching Cyber Security in Higher Academia has always been a subject that’s struck a chord with both academia and industry. There is always this balance that both sides seek to achieve.

On one hand, there are risks when teaching such a subject, including, having the proverbial “Dog biting the hand that feeds it.” Reading this thread on Reddit made my stomach churn as I see students try to advance their careers, knowledge and understanding of cyber security.

I won’t go too far down the rabbit hole of pointing out the negatives, but I would like to point out the obvious: the students are meeting in an unofficial capacity.

Whether it is sanctioned or unsanctioned by Higher Academia, the students have formed a community to share and learn. The very fact these students want to take it to the next level with the blessing of the administration indicates the willingness by students to do this the right way and ensure this community stays out of trouble.

It is also a wonderful opportunity for the administration to teach and help students learn the right ethics and morals, and to understand the consequences of ‘going to the dark side’. These students will be this academic institution’s first line of cyber defense in future years, as they may notice suspicious and unusual behavior of the computers they use on campus. They may even join the ranks as staff members of a higher academia institution, including the one they currently attend.

This is a relationship I encourage any student and higher academia to grow, nurture and cultivate. The benefits will always outweigh the concerns, and I ask higher academia to avoid simply saying no and letting that be the end of the conversation and dialogue.

Rather, identify the concerns (and yes, they are legitimate concerns) and find ways to teach and educate these young minds that “With great power comes great responsibility.”

The Shaming and Heckling of #Infosec

“Do not let any unwholesome talk come out of your mouths, but only what is helpful for building others up according to their needs, that it may benefit those who listen.” – Ephesians 4:29

First, I understand this blog entry might sound a bit like “Monday Night Quarterbacking” or “Jumping on the Bandwagon”, and you are entitled to your own opinion.

Reading what my good friend Rafal Los wrote Monday evening in “Living in Glass Houses – #Infosec Industry’s Culture of Shaming”, I have to agree with him. Information security is hard.

I like to equate being in the information security/cyber security industry with being in the intelligence community.

To quote the movie The Recruit,

“Our failures are known. Our successes are not.”

The work and life of those in the intelligence community is a tireless and thankless job. Recognition is limited. Success stories are never told. Failures have repercussions and consequences.

The work and life of security and IT audit professionals share similar parallels. It is a tireless and thankless job. Recognition is limited. Success stories are never told. Failures have repercussions and consequences.

Security is, and will always be, challenging on both the offensive and defensive sides. It is a matter of degree. Both sides generally lack the support and resources to do the job, while at the same time they are some of the first scapegoats in the wake of a security incident.

From an offensive/penetration tester perspective, there is always a finite amount of time and resources, and a rush to identify risks without breaking the business or the piggy bank in the process. I somewhat question a penetration tester who announces they found a single vulnerability and concludes their job is complete. On every security engagement I have been on, there is always that lingering feeling that I missed something that warrants a closer look.

From a defensive/information security analyst perspective, it’s not easy either. Between managing the day job (Layer 1-7 issues, putting out fires, doing investigations on security incidents, and normal responsibilities) and managing the night job (Layer 8 and 9 issues: finances and politics), it is in some sense a miracle that some firms actually have security in the first place, given the finite budgets they are given to work with and the sheer level of red tape they have to go through to get anything accomplished.

Being part of the Western Regional Collegiate Cyber Defense Competition for the last four years has taught me that playing defense is never as simple as doing a single thing. Whether it be people, process, or technology, something will fail, and that failure will lead to the compromise of a system or an entire network. These blue teams (defenders) consistently have to anticipate every single strategy the red team (attackers) will use and win every single battle the red team wages. In contrast, the red team only needs to win a single battle (or a few small skirmishes) to win the war. The same is true in the real world.

I challenge anyone out there, whether you are in the information security industry or the information technology field, or simply a bystander, to understand the complexities we face together. The criticism, and the demands that someone be fired over this illusion, this perception of incompetence, need to stop. The heckling and shaming must stop, even if it is at a cyber competition. There is no such thing as secure. Even security firms are a target.

I challenge everyone: instead of shaming or heckling, we should be encouraging and edifying one another. Don’t tear people down. Build them up to be even better security professionals. As cliché as this is, we are all in this together.