Monday, April 2, 2007

You Are the Weakest Link

This week my focus turns to you, the individual users of computer systems, and how you are the weakest link in the security chain. The two major areas I'm going to examine are social engineering and passwords (if you are familiar with both, skip down); then I'll combine aspects of the two into a hypothetical scenario you may relate to.

Social Engineering – This is where people are manipulated into granting access. It is often the easiest way in, because no technical knowledge is needed. Two examples: 1) an e-mail from a "Nigerian royal" who offers you a share of millions in exchange for your help transferring the funds (advance-fee fraud, usually lumped in with phishing), and 2) a disk labeled "Company X Salaries" left outside an office; it carries a Trojan, a curious employee opens it, and it unleashes hell on the network (the "road apple", also called baiting). There are many kinds of social engineering, and you have surely heard many stories, so I won't dwell on them here; just keep in mind that social engineering feeds on ignorance (lack of knowledge) and/or careless behavior.

Passwords – Let's face it: people forget passwords and want something easy to remember, so they choose a word or a name, or reuse the same password across many sites (is this you? Keep it in mind for later). Password-cracking tools such as John the Ripper (offline, against stolen hashes) and Hydra (online, against a login service) are very effective because they attack a static target: the password does not change while the attacker keeps guessing. Given a large dictionary file and the password hashes (on Windows these live in the SAM database under %SystemRoot%\System32\config\), it is only a matter of time before John cracks a weak password. If your password is in the dictionary it takes seconds; John also applies mangling rules (capitalization, appended digits, character substitutions) to every dictionary word, and its incremental mode tries every combination of upper- and lowercase letters, digits and special characters, so short passwords fall even when they are not dictionary words. This is why sites like myMarshall require a complex password and make you change it every 6 months.
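To make the two attack modes concrete, here is an added example (not part of the original post, and not John the Ripper's own code) that runs a dictionary attack with simple mangling rules and then an incremental brute force against a password hash. The wordlist is a constructed stand-in for a real dictionary file, and unsalted SHA-256 stands in for the unsalted NTLM hash (MD4 over UTF-16LE) stored in the SAM; only the digest function differs, the attack is the same.

```python
"""Offline dictionary and brute-force attack against an unsalted password hash.

Constructed example: the wordlist and suffix list are stand-ins for the large
files a cracker would use, and SHA-256 stands in for NTLM's MD4 digest.
"""
import hashlib
import itertools
from typing import Iterable, Iterator, Optional, Tuple

# Constructed wordlist standing in for a large dictionary file.
WORDLIST = ["password", "letmein", "marshall", "facebook", "welcome", "dragon"]

# Suffixes people append to make a "complex" password: nothing, 0-99, and a few favourites.
SUFFIXES = [""] + [str(n) for n in range(100)] + ["!", "123", "2007"]


def hash_password(password: str) -> str:
    """Unsalted SHA-256 in place of the SAM's unsalted NTLM hash (assumption)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def candidates(words: Iterable[str]) -> Iterator[str]:
    """Yield guesses the way a rule-based cracker does: each word, its case
    variants, each variant with a common suffix, then a leet-speak variant."""
    for word in words:
        variants = sorted({word, word.capitalize(), word.upper()})
        for variant in variants:
            for suffix in SUFFIXES:
                yield variant + suffix
        leet = word.translate(str.maketrans("aeios", "43105"))  # password -> p455w0rd
        if leet != word:
            for suffix in SUFFIXES:
                yield leet + suffix


def crack(target_hex: str, words: Iterable[str] = WORDLIST,
          budget: int = 1_000_000) -> Optional[Tuple[str, int]]:
    """Dictionary mode: return (password, guesses_needed) or None if the
    hash is not found within the guess budget."""
    for n, guess in enumerate(candidates(words), start=1):
        if n > budget:
            return None
        if hash_password(guess) == target_hex:
            return guess, n
    return None


def keyspace(charset_size: int, max_len: int) -> int:
    """Number of strings of length 1..max_len over a charset: grows exponentially."""
    return sum(charset_size ** k for k in range(1, max_len + 1))


def brute_force(target_hex: str, charset: str = "abc123",
                max_len: int = 3) -> Optional[str]:
    """Incremental mode: try every string over charset up to max_len characters.
    Feasible for short passwords; keyspace(95, 8) is already ~6.6e15 guesses."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            guess = "".join(combo)
            if hash_password(guess) == target_hex:
                return guess
    return None


if __name__ == "__main__":
    # "Password1" satisfies a typical complexity rule yet falls to a mangling rule.
    print(crack(hash_password("Password1")))
    # A random 12-character password is not reached by either mode here.
    print(crack(hash_password("xK9#qLm2$vRp")))
    print(brute_force(hash_password("c1b")))
    print(keyspace(95, 8))
```

The point of the example is the ordering: a dictionary word plus a digit satisfies most complexity rules yet is found within a few hundred guesses, while the random 12-character password is never reached, and the keyspace numbers show why incremental mode is only practical against short passwords.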

The following example was inspired by our recent discussion of Ethernet in class and by my noticing a student checking Facebook.

While discussing how Ethernet works in class, one security implication was not elaborated on: on a shared segment (a hub, or any wireless network), every frame is delivered to every station on that segment, not only to its addressee (read about it here). A computer that receives frames not addressed to it simply discards them. But what if we kept those frames and read them? Enter the world of network traffic analyzers, such as Wireshark, which does just that. (On a switched network the switch forwards a frame only to the destination's port, so an attacker there needs an extra step such as ARP spoofing, but the end result is the same.) So how does Facebook fit in? If you log in to a site that submits the login form over plain HTTP rather than HTTPS, which is what this post assumes of Facebook, your username and password cross the network in cleartext, and anyone capturing on that segment can read them. Wireless does not save you: WEP can be broken in minutes, and WPA with a pre-shared key can be cracked offline once an attacker has captured the handshake, if the passphrase is weak. So what does a smart hacker do with your password? Find out who you are, which other services you use (credit, banking, etc.), and cash in.
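What a traffic analyzer actually sees is easier to grasp from a dissection than from a description. The following is an added example, not code from the original post or from Wireshark: it assembles a constructed Ethernet/IPv4/TCP frame carrying an HTTP login POST (all MAC and IP addresses, ports and form field names are made up, and checksums are left zero because nothing is put on a wire), then walks the headers the way a protocol analyzer does and pulls the credentials out of the form body.

```python
"""Dissect a captured Ethernet frame that carries a plaintext HTTP login.

Constructed example: addresses, ports, host name and form fields are invented,
and the frame is built in memory rather than captured from a network.
"""
import struct
from typing import Optional, Tuple
from urllib.parse import parse_qs


def build_login_frame() -> bytes:
    """Assemble Ethernet II / IPv4 / TCP / HTTP POST, the shape of a captured
    login request. Checksums are zero because the frame is never transmitted."""
    body = b"email=alice%40example.edu&pass=Password1&login=Login"
    http = (b"POST /login.php HTTP/1.1\r\n"
            b"Host: www.example.com\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)
    # TCP: src port, dst port, seq, ack, data offset (5 words), flags PSH|ACK,
    # window, checksum, urgent pointer.
    tcp = struct.pack("!HHIIBBHHH", 51234, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(http)
    # IPv4: version/IHL, TOS, total length, id, flags/fragment, TTL, protocol 6 (TCP),
    # checksum, source, destination.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 42]), bytes([93, 184, 216, 34]))
    # Ethernet II: destination MAC, source MAC, EtherType 0x0800 (IPv4).
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + tcp + http


def dissect(frame: bytes) -> dict:
    """Return what a passive observer learns from one frame: endpoints and,
    for a plaintext HTTP login, the submitted credentials."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ihl = (frame[14] & 0x0F) * 4           # IPv4 header length in bytes
    if frame[14 + 9] != 6:                 # protocol field
        raise ValueError("not TCP")
    src_ip = ".".join(str(b) for b in frame[14 + 12:14 + 16])
    dst_ip = ".".join(str(b) for b in frame[14 + 16:14 + 20])
    tcp_off = 14 + ihl
    src_port, dst_port = struct.unpack("!HH", frame[tcp_off:tcp_off + 4])
    data_off = (frame[tcp_off + 12] >> 4) * 4
    payload = frame[tcp_off + data_off:]
    info = {"src": f"{src_ip}:{src_port}", "dst": f"{dst_ip}:{dst_port}",
            "credentials": None}
    # Port 80 with a readable request line is plaintext HTTP. The same login over
    # HTTPS would arrive as TLS records (first byte 0x16) with nothing to parse.
    if dst_port == 80 and payload.startswith(b"POST "):
        info["credentials"] = extract_credentials(payload)
    return info


def extract_credentials(http_request: bytes) -> Optional[Tuple[str, str]]:
    """Pull a (user, password) pair out of a form-encoded POST body.
    The field names tried here are common guesses; real sites vary."""
    _, _, body = http_request.partition(b"\r\n\r\n")
    fields = parse_qs(body.decode("utf-8", "replace"))
    user = next((fields[k][0] for k in ("email", "username", "user") if k in fields), None)
    password = next((fields[k][0] for k in ("pass", "password") if k in fields), None)
    if user and password:
        return user, password
    return None


if __name__ == "__main__":
    print(dissect(build_login_frame()))
```

Nothing in the dissector is specific to Ethernet being shared: the frame is readable because the application sent the form over HTTP. Capturing the same exchange over HTTPS yields the endpoints and the size of the request but not the fields, which is exactly what the "secure site" distinction buys you.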

Implications for Business
The previous example made a lot of assumptions that may never come true, so am I saying never to connect to Facebook on campus? No, I'm leaving that judgment up to you, but think of all the other hot spots and web sites you have connected to that are not secure (no SSL or equivalent), and all the personal information that is entrusted to the network. It's also important to keep in mind that people are an essential pillar of technology, and user awareness training can help prevent many problems, including the scenario above. Secondly, there are a lot of free tools that anyone can use, and it takes only a few actions to compromise an entire organization, so care should be taken in selecting your people. Lastly, it is important to familiarize yourself with how technology works, because too often we use technology without thinking and are surprised when bad things happen. This goes back to the unknowing trust and risk (which I mentioned in my first post) that people expose themselves to, that are present in technology, but that they don't realize.

4 comments:

Peony Lai said...

Well, I do know every act I perform over the internet is not safe anyway, but I wonder how costly it is for sites to adopt SSL or equivalent? If it is not that costly, what are the constraints that keep sites from doing so? Technical complexity?

Anyway, I read some news lately:
Virus Disguised as IE 7 Download
http://news.yahoo.com/s/pcworld/20070330/tc_pcworld/130267

What I found is that it is very important to educate/alert users about virus attacks these days, especially phishing. Those sites look so real. I mean their sender emails even end with the same domain. I received a couple of emails from Yahoo! and MonsterTRAK recently. They sent me links to do an upgrade or so. In fact, as I hovered my mouse over the links, I realized they were phishing emails. But I couldn't tell from the sender's email in the first place because they ended with yahoo.com and monster.com too. If people are not alerted, they might fall into the trap.

akiko said...

I agree with you that user awareness is important, but I am curious why certain internet sites such as Facebook do not have better internet security? Wouldn't it be better, coupled with user awareness, if we knew the hot sites we are visiting are safe?

Take USC's email for example (the site that I once deeply trusted): it was receiving phishing emails from USC Credit Union and Bank of America without giving any warning alerts... A few friends of mine got phished, including one CS guy who should have known how the internet works '><''

-------------------
I read an article today that a London guy was using the free software 'Perl' to hack into NASA, the US Army, the US Navy, the Department of Defense, the US Air Force and the Pentagon. He used Perl (for text manipulation) to search for blank passwords to hack into those systems just because he wanted to hunt for aliens.

Although there was no apparent damage, he could probably be sentenced to 45 years in prison.
Read here:
http://crimeblog.us/?p=337
