Learn what your business is doing wrong with passwords.

By: George Mateaki

With the release of PCI DSS 3.2, one of the changes is the requirement that businesses use multi-factor authentication not only for remote access from outside the network but also for administrative access to the cardholder data environment from inside it. Multi-factor authentication combines at least two of the following:

Something you know (a password, PIN, etc.)
Something you have (a token, or a one-time code sent to your phone)
Something you are (a fingerprint scan, etc.)

Part of the authentication process still includes passwords, but unfortunately passwords bring their own set of problems.

The problem with passwords

The biggest problem with passwords is that they can be broken fairly easily through brute-force and dictionary attacks. Offline cracking tools such as John the Ripper and L0phtCrack, run against stolen password hashes, can recover even fairly complex passwords.

Human nature also makes passwords insecure. Employees tend to choose passwords they can remember easily, which often means passwords a data thief can guess from details gathered through social engineering. Many employees also write down passwords or share them with others for convenience.

Finally, there’s the matter of storage and transmission. Many applications still transmit passwords in plaintext (or store them unprotected), making them easy for an attacker on the network, or on a compromised server, to collect and reuse.

Unfortunately, many businesses don’t realize just how easily cyber thieves can crack a password, especially a common one. As a result, they have poor practices when it comes to password security. Here are some things businesses are doing wrong with passwords.

Default configuration: businesses often keep the default passwords that were set when their routers or POS systems were installed. Most default passwords have been published on the internet, so it is fairly easy for hackers to break into those devices.

Sharing credentials: sometimes employees share accounts and credentials to save time. However, this makes it easy for social engineers to gain access to sensitive data, and it leaves you unable to tell from the logs who actually did what.
Not updating passwords regularly: for many hackers, it’s only a matter of time before they crack a password, so businesses that have used the same passwords for their accounts since the day the company started are vulnerable.

Choosing words like “password” or “admin”: these passwords are very common and are likely the first words hackers guess when trying to break into your remote access.

SEE ALSO: Top Ten PCI Requirement Failures: Where is Your Business Struggling?

Do we even need passwords anymore?

It’s true that passwords alone will not secure your data very well, but they are the baseline. The fact that many businesses aren’t even using basic password security shows how vulnerable their data may be. Eventually passwords may not be needed anymore as technology develops, but for now your devices and applications still need unique, strong passwords.

Password best practices

So how do you make sure your passwords are secure? Here are some basic practices.

Assign employees unique credentials and change default passwords

Make sure your employees aren’t sharing the same usernames or passwords. Unique credentials keep a social engineer from getting access to sensitive data simply by targeting one employee, and they let you trace every action back to one person. Many companies create a numeric user name that has no association with the actual name of the user.

Renaming the built-in administrator account from Administrator to admin may meet the letter of the law but misses the intent: the administrator user name should be changed to something that does not indicate an administrator at all. The same goes for any elevated account used as the master/root access, if the technology allows it.

You’ll also want to change all the default passwords on devices; otherwise you’re opening up your network to hackers.

Make passwords long and complex

The longer your password, the better. Just as larger encryption keys are harder to break, longer passwords are more difficult to crack.
The PCI DSS requires passwords of at least seven characters containing both letters and numbers, though I recommend at least 10-15 characters. You’ll also want to make them complex, using a mixture of numbers, symbols and letters. This seems like a no-brainer, but you’d be surprised how many people don’t follow this rule.

Reset passwords often

Train your employees to reset passwords at regular intervals. For example, you could have them change passwords every 30, 60, or 90 days. Rotation limits how long a cracked or leaked password stays useful: the less time hackers have with your password, the less likely they’ll crack it before you change it. It does not by itself stop online guessing; account lockout (below) is the control for that. The best approach is to enforce the change with technology, per the current policy, rather than relying on users to remember.

Have limited login attempts

Set a number of times your employees can try to log into a system. After that number of unsuccessful logons, have the account lock out whoever is trying to get in. This helps prevent brute-force attacks and social engineers trying to guess passwords.

SEE ALSO: 3 Data Security Best Practices

How to create a strong password

Nowadays, using your favorite sport as a password doesn’t cut it anymore. Here’s the list of the top ten most popular passwords for 2015:

1. 123456
2. password
3. 12345678
4. qwerty
5. 12345
6. 123456789
7. football
8. 1234
9. 1234567
10. baseball

Some additional passwords in the top 25 include “dragon,” “welcome,” and “starwars.” None of these passwords are secure because they’re too easy to guess, being too common or relying on keyboard patterns. Hackers know these lists well and often use them as a first step in cracking your password. If any of your passwords are on this list, you’ll want to change them as soon as possible.

Your best practice is to use a passphrase that’s unique to you. Take a phrase such as “I wear my sunglasses at night” and use the first letter of each word. Combine it with a number, such as a date, and a symbol, and you have a stronger password.
Example: “I wear my sunglasses at night” becomes Iwmsg@n1980!

You likely know these, but a few other basic guidelines for passwords include:

Use a mixture of upper and lower-case letters
Don’t include your name or other personal information
Replace some letters with numbers or symbols (crackers’ rule sets try the common substitutions, so don’t rely on this alone)
Use nonsense phrases, misspellings, or substitutions
Do not reuse patterns between password changes (bumping a trailing number is not a new password)
Do not use the same passwords for work and personal accounts

You can’t really afford to have weak passwords. Ultimately a password alone isn’t going to completely secure your data. What you really need is a combination of multi-factor authentication, encryption, and other controls to make sure your data is secure. But having a strong password is a good start.

George Mateaki (CISSP, CISA, QSA, PA-QSA) is a Security Analyst at SecurityMetrics with an extensive background in Information Security and 20+ years in IT.
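The rules above as code, added here as an example that is not part of the article or of SecurityMetrics’ own tooling: a policy check that rejects the kinds of passwords on the top-ten list (short, one character class, a common word at the core, a keyboard or number sequence, the username inside it) and an account lockout that implements the “limited login attempts” control. The common-password set is only the short list quoted above, the lockout thresholds (six failures, 30 minutes) are assumptions for the example, and the clock is injectable so the lockout can be exercised without waiting.

```python
import re
import time
from collections import defaultdict

# Constructed for this example: the top-10 list quoted in the article plus three of the
# additional top-25 entries it names. A real deployment would load a large breach list.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "12345", "123456789",
    "football", "1234", "1234567", "baseball", "dragon", "welcome", "starwars",
}

# Four or more consecutive characters from any of these rows is treated as a pattern.
SEQUENCES = ("abcdefghijklmnopqrstuvwxyz", "0123456789", "qwertyuiop", "asdfghjkl", "zxcvbnm")


def has_sequence(password, run=4):
    """True if the password contains a run of `run` consecutive keys from a known row."""
    lowered = password.lower()
    return any(row[i:i + run] in lowered
               for row in SEQUENCES for i in range(len(row) - run + 1))


def password_problems(password, username=None, min_length=10):
    """Return the policy rules a candidate breaks (empty list means acceptable)."""
    problems = []
    lowered = password.lower()
    letters_only = re.sub(r"[^a-z]", "", lowered)

    if len(password) < min_length:              # 10+ is the author's recommendation
        problems.append("too_short")

    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("too_few_character_classes")

    # "Password1!" is still "password" to a cracker's rule set, so test the letters alone too.
    if lowered in COMMON_PASSWORDS or letters_only in COMMON_PASSWORDS:
        problems.append("common_password")

    if has_sequence(password):
        problems.append("keyboard_or_sequence_pattern")

    if username and username.lower() in lowered:
        problems.append("contains_username")

    return problems


class LoginThrottle:
    """Per-account lockout after repeated failures. Thresholds are example assumptions."""

    def __init__(self, max_failures=6, lockout_seconds=30 * 60, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._failures = defaultdict(int)
        self._locked_until = {}

    def is_locked(self, username):
        until = self._locked_until.get(username)
        if until is None:
            return False
        if self.clock() >= until:               # lockout expired: count afresh
            del self._locked_until[username]
            self._failures[username] = 0
            return False
        return True

    def record_failure(self, username):
        """Count a failed attempt; returns True if the account is now locked."""
        if self.is_locked(username):
            return True
        self._failures[username] += 1
        if self._failures[username] >= self.max_failures:
            self._locked_until[username] = self.clock() + self.lockout_seconds
            return True
        return False

    def record_success(self, username):
        self._failures.pop(username, None)
        self._locked_until.pop(username, None)


def attempt_login(throttle, username, password, check_credentials):
    """Gate a login through the throttle. Returns 'locked', 'denied' or 'ok'.

    The credential check is skipped while locked, so even the right password is
    refused: that is what starves an online guessing attack of feedback.
    """
    if throttle.is_locked(username):
        return "locked"
    if check_credentials(username, password):
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(username)
    return "denied"
```

Running `password_problems` over the article’s own examples shows the point of the letters-only check: “123456” fails four rules, “Password1!” passes length and complexity but is still flagged as a common password, and the passphrase “Iwmsg@n1980!” passes cleanly. The throttle refuses the correct password while an account is locked, which is the behaviour the page’s attacker in the hacking scenario below depends on not being there.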
Fighting Phishing Email Scams: What You Should Know
Phishing email scams are more effective than you may think. Read our infographic Don’t Let Phishing Emails Hook Your Employees.

By: Brand Barney

When you think of social engineering, you may think of someone walking into your business and stealing data from servers, computers, etc. But companies aren’t just getting socially engineered in person; it’s happening online too. Many employees fall victim to phishing email scams, which can lead to data breaches and loss of important information.

What is a phishing scam?

Phishing is a type of Internet-based social engineering. Cybercriminals impersonate legitimate businesses and plausible situations in email to convince their victims to hand over personal information such as social security numbers.

Some phishing emails have the victim click on a link, which introduces malware to the user’s device. The malware can then grant access to the attacker, leaving them free to steal sensitive data. Other emails state that an item you purchased online can’t be shipped because the credit card number wasn’t correct, the billing address was wrong, etc. They then have you click on a link to a spoofed website that asks for updated payment/shipping information.

SEE ALSO: Top 10 Types of Phishing Emails

Why do phishing email scams work?

With all the online scams that are happening, you’d think we’d be more wary of phishing email scams. Yet these types of scams are responsible for a lot of lost data in companies. Here are some reasons why phishing scams still work:

We’re trusting

We’d like to believe the people emailing us are genuine. It’s human nature to want to trust others, especially those that reach out to us. Unfortunately, social engineers take advantage of that and use it to steal from companies.

Good phishing emails look official

Some emails reproduce a company logo and make the message look convincing.
Just as a social engineer in person looks like they belong in your company, phishing emails look like they come from a company you already deal with.

They prey on our fear

When we’re scared, we tend not to act logically. Some phishing emails take advantage of that, using scare tactics to push us into an impulsive decision. For example, you may receive an email stating that your personal banking information has been breached and that you need to click on a link to log in and change your online banking password. The attacker is banking (pun intended) on you wanting to quickly protect yourself, or to check your balance to make sure you still have money after the “breach.”

SEE ALSO: 7 Ways to Recognize a Phishing Email

How do you combat phishing email scams?

Be skeptical: Always verify with the company you are working with, especially if sensitive information is involved, and do that verification out of band. If a bank emails you asking for credit card information, call them at the number printed on your card or statement, never at a number (or link) taken from the email itself. Avoid giving important data over email whenever possible.

Train employees: Make sure your employees are aware of phishing emails and what to do if they suspect they’ve received one. Hold quarterly training meetings, if not monthly.

Have policies: Establish procedures employees should follow if they receive a phishing email or anything that seems suspicious. This could include how to verify whether an email is legitimate, whom to notify, and how to deal with such an email.

Phishing is easier than you think

Phishing email scams are more of a danger than many companies realize, and it doesn’t take a particularly skilled attacker to create a successful phishing campaign. Like in-person social engineering, phishing targets the company’s weakest link in security: the employees.
An untrained employee can inadvertently cause a lot of damage to their company by falling victim to a phishing campaign. Remember, when it comes to emails, be smart and be careful about sharing your data.

Brand Barney (CISSP, HCISPP, QSA) is a Security Analyst at SecurityMetrics, has over 10 years of data security experience, and will totally geek out if you mention Doctor Who. Brand loves to play jazz piano and daydreams about being as great as Dave Brubeck or Thelonious Monk. Connect with him on Twitter or check out his other blog posts.

Want to learn more about spotting phishers? Check out the infographic below!
A Hacking Scenario: How Hackers Choose Their Victims
See the step-by-step ways the average hacker looks for valuable data.

By: David Ellis

Business owners who have suffered a data breach at the hands of some hacker often say, “Why me? Why did the hacker choose our business?” Many people think hackers selectively pick each business they hack. However, I suspect that in 90% or more of the businesses that are hacked, it all began with the random discovery of a hackable vulnerability. Hackers typically begin a data breach scenario by conducting port scans across large ranges of IP addresses, specifically looking for certain open ports that may give them a place to start digging. Let me take you through a typical hacking scenario.

1) Scan for open ports

The hacker starts by running a port scan to probe a large range of IP addresses, and then he heads off to bed and lets the scan run all night. The goal is to find particular open ports through which to exploit a known or potential vulnerability. In the morning the hacker peruses the results of last night’s scan, looking for certain ports that are actively “listening” (meaning they’re open). He likely has some automation at work that gives him a list of IP addresses with open port numbers: 20 and 21 (FTP), 23 (telnet), 513 (rlogin), 3389 (Windows Remote Desktop), 5631 and 5632 (pcAnywhere), and so on. He’s interested in these exact ports (and a handful of others) because they all relate to some form of remote access into a network. For example, if a hacker sees ports 5631 and 5632 are open, he knows the remote access application pcAnywhere is installed and active. Or if he sees port 3389 is open, he knows Windows Remote Desktop is likely configured. If he can obtain the remote access credentials, he doesn’t have to worry at all about complex firewall configurations or other perimeter protections: the remote access service is already the front door. If the remote access application was not configured to require two-factor authentication, he can probably guess the username and crack the password, and once he’s done that, he’s in.
Everything on your system that you can see, he can see as well.

SEE ALSO: Infographic: Cybercriminals Love When You Use Remote Access

2) Try out default passwords

Many users fail to change or delete the default username or password that was configured with their remote access product when it was first installed. So the hacker simply begins by trying the known pcAnywhere (or Windows Remote Desktop, or VNC, or FTP, or whatever other remote tool) default username and password. At this point, does the hacker know that he’s attacking Acme Hardware? No. And he doesn’t care. He’s simply attacking a potential vulnerability via port 5631. The IP address might belong to a business or it could be my grandmother’s ten-year-old PC. If the default password was left on the system, the attacker has now gained access.

If the default password tactic doesn’t work, it’s just a minor inconvenience. Password-guessing tools are plentiful and are getting more powerful all the time. At this point, the hacker points his tool at the login and takes off for lunch while it does the heavy lifting. When he returns in an hour, or a couple of days, his tools have often found the needed password, and he’s in. This is exactly the attack that account lockout and strong, unique passwords exist to defeat.

SEE ALSO: Two Factor Authentication – Security Beyond Passwords

There are other, even less technical ways to breach perimeter security, like embedding malware in online games or other legitimate website activity and waiting for users to inadvertently download a RAT to their system. (RATs are remote access trojans, and can be purchased online for as little as $40. They give the hacker covert remote access and establish persistent backdoor access to your system.)
These types of malware can also be accidentally installed by the user through an email phishing scam.

3) Once he has control

Whether the hacker cracked your remote access credentials or you opened a malicious email link, you’re now in the hacker’s clutches and he begins prospecting. Up to this point the hacker still doesn’t know if he’s hacked a business or a personal computer. Now he looks for evidence that the system holds information of value, such as credit card account numbers, banking, real estate, or healthcare records (since these often contain social security numbers or other data that he can turn into a payday). To discover the nature of the environment where he has landed, the hacker will often run keyword searches. For example, if his keyword searches reveal that the system he’s hacked is a Micros system, he knows he’s in a business that accepts credit cards. (Micros is a provider of POS hardware and software used by many hotels, restaurants and other small businesses.) He will probably try Micros default passwords to get into their server.

4) Install malware

If the hacker is successful in breaching a commerce environment, he will attempt to install data-capturing malware on the POS system. His malware will seek to detect credit card data, capture it, and export it out of the system. He then either reproduces the stolen credit cards or sells the stolen account data on the black market. Depending on the malware installed, from the point of installation through the moment the breach is detected and eradicated, every single customer credit card transaction made on that computer (and perhaps on the entire network) is at risk.

5) Search for affiliated IP addresses

By now, the hacker has probably sifted through enough company data to realize he’s hacked Acme Hardware. The hacker realizes he’s hit a potential jackpot, because Acme Hardware is a national chain (in this scenario).
Since the hacker doesn’t know the IP addresses of the other chain locations, hacking them could be difficult. However, if he finds remnant data on the system that includes the other IP addresses, or connections to the corporate servers, Acme Hardware could be in serious trouble (we’ve seen many cases where the breach of a single location led the hacker to the corporate environment and all of the stores in the chain). Remnant data left on systems does occur. In a forensic investigation we conducted, a POS installer inadvertently left a partial client list on a POS system that contained the names and IP addresses of 28 other clients. All 28 were also hacked because of a careless installer.

6) Leave no trace

At this point, the hacker has a couple of choices: he can leave the malware in place and harvest customer credit card data until the breach is discovered and/or the vulnerability is closed (the most common alternative in commerce breaches), or he can clean up his tracks and get out of the hacked system (seen in cases of corporate espionage or theft of corporate secrets). Either way, most attackers cover their tracks to avoid detection. They encrypt card data before transferring it out of a system, erase or modify security logs, run malware from RAM instead of the hard drive (which often goes undetected by antivirus software), and employ many other “anti-forensic” tactics in order to escape unseen.

SEE ALSO: How do Hackers Hack?

Hackers don’t care who you are. They just care how rich you can make them.

Now that you understand hackers don’t pick and choose their victims out of the phone book, you should also see the flaw in the common belief held by small businesses: “I’m too small for a hacker to care about me!” A hacker doesn’t care if you’re small. He just cares if you have data from which he can profit. So it’s more crucial than ever to implement data security! Need help securing your data? Talk to one of our consultants!
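The defender’s version of steps 1 and 2, added here as an example that is not part of this post or of SecurityMetrics’ tooling: scan your own external address space with nmap’s grepable output (`nmap -oG`) and flag every host that exposes one of the remote-access ports the attacker filters for, so those services can be closed, put behind a VPN, or given two-factor authentication before someone else finds them. The scan text below is constructed for the example (documentation addresses, not real hosts); the port-to-service table is the article’s own list, plus port 5900 for VNC, which is an assumption because the article names VNC but gives no port for it.

```python
import re

# The ports the article says an attacker filters a bulk scan for, with the services it
# names. 5900 (VNC) is an assumption: the article mentions VNC but not its port.
REMOTE_ACCESS_PORTS = {
    20: "FTP data", 21: "FTP", 23: "telnet", 513: "rlogin",
    3389: "Windows Remote Desktop", 5631: "pcAnywhere data",
    5632: "pcAnywhere status", 5900: "VNC",
}

# One "Ports:" line per host in nmap grepable (-oG) output:
#   Host: <ip> (<hostname>)<TAB>Ports: <port>/<state>/<proto>/<owner>/<service>/<rpc>/<version>/, ...
HOST_LINE = re.compile(
    r"^Host:\s+(?P<ip>\S+)\s+\((?P<host>[^)]*)\)\s+Ports:\s+(?P<ports>.*?)"
    r"(?:\s+Ignored State:.*)?$"
)

# Constructed sample, not a real scan. Tabs separate the fields exactly as nmap writes them.
SAMPLE_SCAN = """\
# Nmap grepable output, constructed for this example
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 21/open/tcp//ftp///, 23/open/tcp//telnet///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (997)
Host: 192.0.2.11 (pos-lane1.example.net)\tStatus: Up
Host: 192.0.2.11 (pos-lane1.example.net)\tPorts: 5631/open/tcp//pcanywheredata///, 5632/open/tcp//pcanywherestat///\tIgnored State: filtered (998)
Host: 192.0.2.12 ()\tStatus: Up
Host: 192.0.2.12 ()\tPorts: 443/open/tcp//https///, 3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (998)
# Nmap done: 16 IP addresses (3 hosts up) scanned
"""


def parse_grepable(text):
    """Yield (ip, hostname, [(port, state, proto, service), ...]) for each host with port data."""
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if not m:                    # comment lines and "Status: Up" lines carry no ports
            continue
        ports = []
        for entry in m.group("ports").split(", "):
            fields = entry.split("/")
            ports.append((int(fields[0]), fields[1], fields[2], fields[4]))
        yield m.group("ip"), m.group("host"), ports


def triage(scan_text):
    """Map each host exposing a remote-access service to its findings.

    Only state 'open' on TCP counts. A filtered 3389 is unreachable and is left out,
    which is the same filter the attacker in the article applies to his overnight scan.
    """
    findings = {}
    for ip, _host, ports in parse_grepable(scan_text):
        open_tcp = {p for p, state, proto, _ in ports if state == "open" and proto == "tcp"}
        hits = [f"{p}/tcp {REMOTE_ACCESS_PORTS[p]}"
                for p in sorted(open_tcp & set(REMOTE_ACCESS_PORTS))]
        if {5631, 5632} <= open_tcp:  # both pcAnywhere ports: the host is actively serving it
            hits.append("pcAnywhere host active (5631 and 5632 both open)")
        if hits:
            findings[ip] = hits
    return findings


if __name__ == "__main__":
    for ip, hits in triage(SAMPLE_SCAN).items():
        print(ip)
        for hit in hits:
            print("   ", hit)
```

On the sample, 192.0.2.10 is reported for FTP, telnet and Remote Desktop, 192.0.2.11 for both pcAnywhere ports (and the combined “host active” finding the article describes), and 192.0.2.12 is silent because its only open port is 443 and its 3389 is filtered. Feed it the `-oG` file from a scan of your own public ranges, and every line it prints is a login prompt that an attacker’s overnight scan will also find; each one needs a default-password check, lockout, and a second factor, or it should not be reachable from the internet at all.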
David Ellis (GCIH, QSA, PFI, CISSP) is Director of Forensic Investigations at SecurityMetrics with over 25 years of law enforcement and investigative experience. Check out his other blog posts.