Social Engineering is making a come back

November 21, 2023

History always seems to repeat itself.

History of social engineering

Ransomware has been around since the late 1980s. Social engineering has technically been around since the advent of human communication. In the context of technology security it’s been around since phreaking techniques were used in the 1960s and 1970s as a way to take advantage of phone systems. Today it’s phishing, vishing, smishing, and much more. It’s been around but not the main technique used to get into an organization, well until now.

It seems as vulnerability management and incident response improves attackers are switching to social engineering via phone. I recently heard from a friend about another friend who got all their work logins compromised via an attacker calling into the help desk and resetting his password and MFA. This comes on the heels of the MGM and Okta breaches.

MGM

Like the movie Ocean’s 11 attackers used social engineering techniques to obtain access into MGM system by impersonating an employee and calling into the help desk to have their credentials reset. This resulted in ransomware being deployed in their environment and costing the casino hundreds of millions of dollars.

Okta

The compromise of access tokens via the Okta’s customer support unit is probably even scarier because Okta holds the keys to a lot of other organizations. This breach gives attackers information to pivot into other organizations.

What’s next for social engineering

When attacks like the two examples above are successful and result in lots of money and infamy others start copying the techniques used. I would expect us to continue to see attacks like these going forward which means more focus will be needed on security awareness. Groups like Scattered Spider are already starting to pop up and their focus is on social engineering their way into organizations. Then with that access ransomware gangs begin deploying ransomware. This highlights a need for good detection procedures and technologies. We’ll probably also see more difficult controls put in place to protect accounts. This will degrade our account access user experience as a side effect.

Resources for Social Engineering

Social-Engineer: This is a company started by Chris Hadnagy focused on social engineering. They provide resources and also assessments for an organization that focus on social engineering. He’s written several books as well on the topic that I highly recommend.

One of those books:

"Social Engineering: The Art of Human Hacking" by Christopher Hadnagy: This book delves into the psychology and techniques of social engineering.

Krebs on Security is a great blog to follow in general. He covers a variety of topics mostly around breaches.

This blog post first appear on Exploring Information Security

CSO panel and thoughts on Cardinals-Astros breach

January 10, 2016

Last month I participated on a panel for CSO on, "The pathway to the security talent we crave." The audio and transcript from that panel is up for those who have a free account with CSO.

Former St. Louis Cardinals employee, Chris Correa, was in court for his unauthorized access of the Houston Astros database, Ground Control, on Friday. I read through the five-page indictment and shared my thoughts on Astros County in regards to how the breach occurred.

This post first appeared on Exploring Information Security.

InfoSec breach links December 8, 2014

December 8, 2014

I'm back. I passed my Spanish course and will have some thoughts on that experience next week. I still have two final projects to complete for two other classes so the posts for this week will be simple and probably mostly link dumps. I have been keeping up with security news and saved several links from this past month. Needless to say, some of them are quite dated, but it's interesting look at all the security stuff that happens in a month to two-month time-frame.

Malware Based Credit Card Breach at Kmart - Brian Krebs - Krebs on Security

“Yesterday our IT teams detected that our Kmart payment data systems had been breached,” said Chris Brathwaite, spokesman for Sears. “They immediately launched a full investigation working with a leading IT security firm. Our investigation so far indicates that the breach started in early September.”

Banks: Credit Card Breach at Staples Stores - Brian Krebs - Krebs on Security

According to more than a half-dozen sources at banks operating on the East Coast, it appears likely that fraudsters have succeeded in stealing customer card data from some subset of Staples locations, including seven Staples stores in Pennsylvania, at least three in New York City, and another in New Jersey.

Sony Got Hacked Hard: What We Know and Don't Know So Far - Kim Zetter

As so often happens with breach stories, the more time that passes the more we learn about the nature of the hack, the data that was stolen and, sometimes, even the identity of the culprits behind it. A week into the Sony hack, however, there is a lot of rampant speculation but few solid facts. Here’s a look at what we do and don’t know about what’s turning out to be the biggest hack of the year—and who knows, maybe of all time.

This post first appeared on Exploring Information Security.

Things to know: Jimmy John's and Home Depot breach

September 30, 2014

I meant to write something up on this last week, but someone found a bug in bash that set my world on fire. I've asked several friends and family if they've heard about the Jimmy John's and/or Home Depot breach and the response has been less than encouraging. So here's the low done on the two breaches.

Home Depot

56 million debit and credit card numbers were stolen between April and September of this year:

Home Depot: 56M Cards Impacted, Malware Contained - Brian Krebs - Krebs on Security

It looks like the breach impacted all Home Depot stores in the US and Canada. If the numbers seem quite low for a four-to-five month breach it's because the self-checkout terminals seem to be the ones that got owned. Either way, if you shopped at Home Depot between April and September, get a new card issued from their bank. They'll be sure to send the bill to Home Depot, so don't let them talk you out of a new card. And oh hey look! Home Depot is offering free identity protection for 12 months. Be sure to sign up for that, but realize that "protection" won't stop nefarious people from using your identity for their own gain.

Official Statement

Jimmy John's

216 stores were found to have been affected by this event and Jimmy John's has been kind enough to provide a search tool for the stores that were owned.

Affected Stores & Dates

Two stores were affected in South Carolina, one of which I've gone to in the last year. Luckily I haven't been there in the last three months. Bullet dodged. The tool is easy to use, just input a store number, city, state, address or date. Using a state's two-letter code should limit the results enough to help you identify if you've been affected by this particular breach. Full details can be found below on the incident.

Data Security Incident

Protect yourself

These are only two of the many breaches that have occurred this year. Goodwill has gotten popped as well as several other smaller and local businesses. Here are some tips for protecting yourself from identity theft that could occur from breaches like these:

Check bank statements regularly. It's ridiculously easy to do and should only take 10-15 minutes. I would recommend trying to check bank statements at least once a week. With online banking it shouldn't take more than 10-15 minutes to pop in and check what's been purchased on all your cards.

Also, I would highly recommend using credit cards instead of debit cards. It's a lot easier to replace a credit card than it is a debit card.

Finally, I would recommend cash, but then you have to worry about skimmers on ATM machines, so I won't. =P

Happy shopping!

This post first appeared on Exploring Information Security.

Companies are putting your financial information at risk

September 9, 2014

As much as I would like to give out a sigh of relief that I don’t shop at Home Depot, I just can’t. While it’s likely that Home Depot has been breached, it’s only one store of many. I shop at its competitor Lowe’s and Sam’s and restaurants and various other services. In the last 10 months we’ve seen several vendors release statements that they have been breached. From Target to Dairy Queen to Goodwill to UPS to Home Depot and several other stores in between. The latest threat to my financial security is the places I shop.

Last month the U.S. government has warned that over 1,000 companies have had their point-of-sale systems compromised with malware intent on stealing credit and debit card information. I shopped at Target during the three weeks they got breached and had to have my card replaced. I’ve managed to dodge the bullet since then, but I expect that at some within the next year I’ll be calling my bank again for a new credit card.

What can be done?

Since it’s not feasible to stop shopping at local stores, here are some of the things that I try to do to protect myself from breaches that could put my financial well-being at risk.

Use a credit card instead of a debit card

Anywhere I shop, be it online or offline, I always try to use a credit card. If my credit card gets stolen in one of these breaches, criminals will have access to by credit line, not my personal bank account. I feel much more confident that I can get the charges on my credit card dropped with less stress and much less hassle than trying to recover money from my drained bank account.

Check your statements

Whether it is credit card or a debit card, I try to keep an eye on my bank statements. At least once a week I will login to my bank account and go through my credit card and checking account statements. Any rogue transactions get reported with the simple click of a button (your bank process may vary). I’ve benefited from this by also finding a couple transactions that a vendor had billed me twice for.

When I go through my bank statements, I am double checking every transaction, not just foreign transactions. Banks have alerts and alarms setup for transactions outside of a customer’s geographical area. Criminals have adjusted to this tactic and now sell and buy cards within a person’s geographical, which make it much tougher for banks to identify credit cards that may have been stolen.

Until companies that we buy from improve the security of their systems my financial well-being and your financial well-being will be at high risk of being compromised. We must remain vigilant in doing what we can to protect it.

This post first appeared on Exploring Information Security.

InfoSec links July 29, 2014

July 29, 2014

Banks: Card Breach at Goodwill Industries - Brian Krebs - Krebs on Security

Who steals from Goodwill? Honestly.

What's the worst thing you can say to a sysadmin? - Naked Security - Sophos

I had no idea there was such a thing as SysAdmin day, let alone that it’s been going on for the past 15 years.

The Barnaby Jack Few Knew: Celebrated Hacker Saw Spotlight as 'Necessary Evil' - Jordan Robertson - Bloomberg

A profile on Barnaby Jack whom I’ve heard only good things about.

This post first appeared on Exploring Information Security.

Thoughts on the Houston Astros data breach

July 1, 2014

I have a good reason for not having my usual link post up this morning. Yesterday I found out that the Houston Astros, the team I root for on a daily basis, had a data breach. Some of the data taken, made it's way onto Anonbin, so last night I spend five hours putting together 1775 words on the data breach over at The Crawfish Boxes. When I was done, the motivation to write was almost completely gone for me.

Be sure to check my post over there, and be sure to check back tomorrow for my regularly scheduled link post AND a new episode of the Exploring Information Security Podcast.

This post first appeared on Exploring Information Security.