The Perfect Threat

Expert Author Mike Millslagel

This exploit cannot be patched. The operating system cannot be upgraded. The exploit can completely bypass all your cyber security no matter how good your systems are. The vulnerability is introduced every time someone sits down at the computer. Between the keyboard and chair. The exploit is "us". The weakest link in any security chain is the human operating the computer. And the cybercrims understand this vulnerability very well.

In 2000, the "I Love You" worm made an incredible impression on the computer environment because of how fast it propagated around the world from just one click. How long? One day. The worm started in the Philippines on 4 May 2000 and made it around the world in 24 hours. By 13 May 2000, the worm had infected 50 million computers. The infection caused approximately $5.5 billion in damages and overwhelmed most email systems very quickly. And why did this happen? The "perp" exploited the human need to be loved, the victim opened the malicious email, and the rest was history.

At Defcon 18 in Las Vegas, a social engineering contest, "How Strong Is Your Schmooze", was held. Each contestant was given a victim about whom they were to gather enough data to be successful in their schmooze. There were some rules:

  • Targets will exclude financial, government, educational, or health care institutions.
  • Confidential data like Social Security numbers, credit card numbers, etc. were off limits.
  • Nothing that can get sponsors and contestants sued.
  • No porn.
  • Do not target information such as passwords.
  • Contestants could not present themselves as an employee of a government agency, law enforcement or legally liable entity.
  • The attacker must only call the target company. No relatives or family of any employee at the target.

The companies included BP, Shell, Google, Procter & Gamble, Microsoft, Apple, Cisco, Ford, Pepsi, Wal-Mart, Symantec, Philip Morris, Dell, and Verizon. To the amazement of the sponsors, the contestants were able to get information from all of the companies called. The company personnel who gave up information ranged from chief technical officer to sales. "One employee was conned into opening programs on a company computer to read off specifications regarding types of software being used, details that would let a hacker tailor viruses to launch at the system." (Yahoo News, 2010)

Social engineering is nothing new. One of the early social exploits happened between the Greeks and Trojans. The Greeks shut down the regions surrounding Troy but could not get behind the walls of the city. After nine years of war, the Greeks decided to try something else. One morning, the people of Troy saw the Greek ships sailing away and a rather large wooden statue on wheels in front of the city. One lone Greek soldier, Sinon, still remained; his job was to convince the townspeople that the Greeks had given up and gone home.

Sinon complained that the Greeks had abandoned him and left the wooden horse as a tribute to the impenetrable Trojan fortress. The city of Troy was just too difficult to penetrate. Everyone in the town celebrated the victory, with the exception of two people. Laocoon and Cassandra spoke out against the horse, telling people the premise made no sense and something was wrong, but they were ignored. The Trojans celebrated what they thought was their victory and dragged the wooden horse into Troy (Bunson, 1994). That night, the Greek soldiers emerged from the wooden structure and slaughtered the townspeople in their sleep.

To successfully exploit the PEBCAK vulnerability, the cybercrim will do some intelligence work. The exploiter will thoroughly go through any and all websites to extract as much information as possible. Next, the perp will use Maltego to see if there are any interesting bits of information that can be obtained from more sources regarding the target. These guys will look for company victims on Facebook and Twitter to become your friend. The next thing you know these people are getting to know you and will start asking interesting questions maybe about where you work and what you do. The con man can get more from you by being your friend than being a stranger.

Here are some things to think about:

  • Why is the survey person asking about my security systems, operating systems, applications?
  • Do you know the person who just sent you something? Or ask, "Why did you forward me this?"
  • Why does this person want to "friend" me on Facebook? I don't know them.
  • Check out icanstalku.com - what are these people thinking?
  • Why is my bank, ISP, etc. emailing me? They do not need my information this way.
  • Just because you find a USB memory stick in the parking lot or bathroom does not mean you have to look at the device on your computer.

Ronald Reagan had a pretty good idea - "Trust but verify". Do not plug unknown (found) devices into your computer; the cybercrims are writing really good exploits that launch when you plug in the device. The people hired to do surveys have a tough job, but you can politely tell them you cannot answer questions. Do not put your whereabouts on Facebook or Twitter -- try calling your friends, they might want to hear from you, plus your friends might not be the only ones who care if you are not home. Do not open emails that are forwarded - even if they are from your mom. And finally, if your mom says she loves you, verify that fact with several other people; she could be saying that because she knows you so well and understands your sensitivity. Be safe, and know your friends - know your enemies even better.

And don't be a stranger - visit us at http://www.oss4win.com. We have all types of open source software for Windows. Save yourself some money and get more productive.

Mike Millslagel
Security System Consultant
B.S. Information Systems, MBA, MCSE, CNE, CCNP Security Specialist
http://www.oss4win.com

Article Source: http://EzineArticles.com/?expert=Mike_Millslagel