Archive for the ‘Awareness’ Category.

Lunker

I’ve been looking forward to the release of Lunker, a spear-phishing toolkit for pentesters. It was originally reported to be part of the OWASP live CD due out this month. We just don’t have the budget for PhishMe (although it is cheap).
Unfortunately, according to a comment on this post over at hackyourself.net, they are getting a case of conscience: “It’s too ripe for exploitation.” So they are going to take a couple of months to make it less ready to go. The rationale is that with Metasploit, anyone can patch and protect themselves against the exploits it ships. You can’t patch the users against social engineering.

Vishing

I’ve noticed that the number of vishing attempts reported at work has been on the rise. Vishing, like phishing, is a socially engineered attempt to get your financial information. Unlike phishing, rather than luring you to a website, it lures you to a phone number. This could fool some people who are aware of the danger of phishing websites but unaware of how easy it is to set up a number to collect financial info. When calling your financial institutions, only trust the number on the back of your card and the number on the bill.
Here is the text of the vish:

In our terms and contidions you have agreed to state that your account must always be under your control or those you designate at all times. We have noticed some activity related to your account that indicates that order parties may have tried gaining access or control of your information in your account.
Therefore, to prevent unauthorized access to your Old Point National Bank Internet Banking account,you are limited to five failed login attempts in a 24-hour period. You have exceeded this number of attempts.*
To reactivate your debit card , please call: +1(xxx-xxx-xxxx)

Remember 9/11/01

Remember Rick Rescorla

Jesper writes up Antivirus XP 2008

Jesper Johansson writes about Antivirus XP 2008, with some really good screenshots, in an article in The Register.
You don’t need a zero-day when users have admin rights and can be tricked into installing the malware themselves.

Rick Rolling for Good Security

Apparently I’m several years behind on the Internet meme of Rick Rolling. It’s recently invaded one of the forums I frequent. The regulars are split on whether it’s as funny as “your shoelace is untied, ha ha, no it isn’t, I made you look” or whether it is actually kind of funny.
For the uninitiated, a rick roll according to Wikipedia is “a classic bait and switch: a person provides a link they claim is relevant to the topic at hand, but the link actually takes the user to the music video for the 1987 Rick Astley song ‘Never Gonna Give You Up’.”
When people first heard the Rick Astley song they might think it sounds like a black guy is singing; then you see the music video and it’s MC Mighty White. It’s not what you expect. So when someone says they have a link to XYZ and instead you don’t get what you expect, you’ve been rickrolled.
The purpose of all of that backstory is simple. I’ve been wondering if the rickroll phenomenon will succeed in educating users to be careful about links in a way that security awareness training never could.

Fighting Back Against Identity Theft

In February, Postmaster General John Potter sent a letter, presumably to all addresses, and enclosed an Identity Theft brochure from the Federal Trade Commission (FTC).
The Postmaster General’s letter reported that, according to an FTC survey, only 2% of all identity theft victims believed the theft of their identity was related to mail. Even so, they sent this letter to educate consumers.
So many times when dealing with users the response is “I’ve got nothing to hide” or “I won’t be a victim” or “I’ve got nothing worth protecting.” The Postmaster General’s letter points out that if someone steals your identity, it can affect your credit standing, your ability to buy a car or home, get a job or obtain medical care. Once victimized, it is not easy to clean up.
The FTC brochure has a link to the FTC’s Identity Theft Site.
The brochure has three key sections.
Deter

  • Shred financial documents and paperwork before you discard them
  • Protect your social security number. Do not carry it in your wallet or write it on a check. Give it out only where necessary, or ask to use another identifier.
  • Don’t give out personal information on the phone, through the mail or over the Internet unless you know who you are dealing with.
  • Never click on links in unsolicited emails. Instead type in a web address you know. Use firewalls, anti-spyware and anti-virus software to protect your home computer; keep them up to date. Visit onguardonline.gov for more information
  • Don’t use an obvious password like your birth date, your mother’s maiden name or the last four digits of your social security number
  • Keep your personal information in a secure place at home, especially if you have roommates, employ outside help or are having work done in your home.

Detect
Be alert to signs that require immediate attention

  • Bills that do not arrive as expected
  • Unexpected credit cards or account statements
  • Denials of credit for no apparent reason
  • Calls or letters about purchases you did not make

Inspect your credit report (www.annualcreditreport.com) and your financial statements.

Defend
Defend against ID theft as soon as you suspect it.

  • Place a “fraud alert” on your credit reports.
  • Close any account that has been tampered with or established fraudulently.
  • File a police report
  • Report the theft to the FTC

Common Ways ID Theft Happens:

  1. Dumpster Diving.
  2. Skimming – skimmers are a special device that steals your credit/debit card numbers.
  3. Phishing
  4. Changing your address
  5. Theft of wallet/purse, mail, records

It’s the Little Credit Card Charges

The CA Security Adviser Research blog has an interesting entry today following the trail of a suspicious credit card charge.
Do you review your monthly statement for suspicious charges? Do you look over every charge or just the bigger ones? A fraudster may fly under your radar with a $5 charge. That can accrue to quite a bit of money if they hit enough people.
Review your bills. Whether it’s fraud or the phone company tacking on a monthly fee for long distance, you want to know about it as soon as possible.

BCC

The condo board asked all owners to update their contact information. This time I decided to give them my email address. As I gave it to them, I asked them to please use the BCC function to preserve our email address privacy. I don’t need all my neighbors knowing my email address.
The property manager didn’t know about BCC, but she certainly knew of the dangers when BCC isn’t used. Previously they had difficulty with “reply all” storms.
Since she didn’t have access to a listserv (and that would have been too complicated for her), I showed her how to use BCC in Outlook. Hopefully that will prevent future issues. I left feeling like I’d done my security good deed for the day. Sometimes it’s hard to put yourself in the users’ shoes and realize they just need some gentle suggestions to do the right thing. (Of course my spidey sense is telling me that I’m going to be the new helpdesk/security guy for her whether I like it or not.)

Fakechecks.org

Tonight, I saw a public service announcement educating viewers about online scams. The U.S. Postal Inspection Service has put up a site, fakechecks.org. They have fraud tests, videos and prevention advice.
I thought this was a really cool site. It’s pretty easy to make fun of the rubes who are losing their money this way. Be a better person than that and educate them so they aren’t taken advantage of by online con men.

Think Before you Post

Think before you post. It’s not just advice for bloggers like Whole Foods CEO John Mackey. New generations are growing up with an entirely different expectation of what needs to remain private.
While watching TV tonight, I saw a public service announcement (PSA) from cybertipline.com titled “Bulletin Board.” In this PSA, a girl puts her picture on a physical bulletin board but quickly finds that it’s not so easy to take something back once it’s been put out there.
Here’s the YouTube copy.

More information is available at their website.
The cynical person might make jokes about how hokey this is: “So you’ve had the birds and the bees talk with your kid, but did you make sure they are practicing safe surfing?” I actually thought the PSA was great and was happy to see it run on TV.