Phone phishing, just one way to social engineer information from end users

Social engineering is used to obtain or compromise information about an organization or its computer systems. An attacker may seem unassuming and respectable, possibly claiming to be a new employee, repair person, or researcher and even offering credentials to support that identity.

The following is a recent real-life example that would seem very innocuous.

An associate’s phone rings. The caller identified herself as working for the accounts receivable department. She indicated to the user that the phone extension he had was noted as sitting near an HP Color Printer. She asked if he could provide the model and serial number for her records. (Before we go any further, how many of you reading this sit “near” an HP printer?)

The user was keen enough to ask the caller’s name. She responded with only a first name, “Kathy”. Fortunately this set off a red flag that something might not be completely legitimate with her request. He then indicated it wasn’t necessarily a good time for him and asked if he could get the information and send it to her in an email. Still suspicious but now afraid the caller might just hang up, the user stalled and answered “oh yes, there is an HP printer right here” and gave the model number, but nothing specific to the device or the company he works for (serial number or IP address).

After he said this, the caller seemed more interested again and continued to ask how they administer and maintain the printers. The end user indicated he wasn’t sure and would have to ask. He then asked for her last name, to which she responded “White”. Being resourceful, the user quickly checked the company’s Active Directory. No users matched that specific name.

He then offered to get the rest of the information and call her back.  The caller indicated that the phone she was using was only able to make outbound calls and she wasn’t sure what number would call her area (does this sound like any phone in your company?).  When he insisted he’d need to call her back, she quickly hung up on him.

By asking specific and probing questions, a caller may be able to piece together enough information to infiltrate an organization’s network. If an attacker is not able to gather enough information from one source, he or she may contact another source within the same organization and rely on the information from the first source to add to his or her credibility.  While each of those pieces of information may seem insignificant by themselves, in total, they may give a hacker just the information they need to footprint a company or network in order to run a targeted attack on the environment.

Steve Jobs 1 – Adobe 0

Apparently Steve’s bet on mobile platforms free from Flash will have ramifications beyond Apple iOS devices.

While competitors happily used the lack of Flash support to help spur sales of their non-Apple devices, Adobe has now abandoned its strategy of continuing to develop Flash for mobile devices (I think they mean mobile OS’s) and instead will work more diligently to comply with the HTML5 standard.

More information can be found in the exclusive ZDNet article here.

Is a 10 minute nationwide RoadRunner outage noticeable? Uhhh… yeah.

While all the details aren’t out yet, it looks like Time Warner Cable/Road Runner took a 10 minute network outage today at 6:10 PDT.

From what I noted and backed up with other online resources, it looks like there may have been a “flap” with one of the core routers (pulled from DSL reports board).

There is even some speculation that it may have been related to this issue, noted via Twitter, regarding a Juniper bug and BGP route distribution.

Regardless, the hit was widespread and has been shown to have disrupted services across the globe.

Noticeable? Absolutely. Sadly the first indication I received was from my wife indicating that nothing at home was working. My instinct was to call the TWC help number already preprogrammed into my phone. When the major support numbers from TWC were all inaccessible, it occurred to me that there may have been more than a local outage.

When we finally saw some monitoring reports, it was confirmed.  My wife is quicker than your average network monitoring tool.  :)

Simple AirPlay setup for whole house audio

I’ve been enamored with home audio since I was very young. I can recall turning on radios in separate rooms of the house so I could run from room to room playing my guitar along with the radio, preparing myself for future “rock-stardom”. Fortunately for us all the long hair and spandex didn’t survive the 80’s, but my desire to have audio in every room of the house did.

Since then, I’ve spent more time (and money) than I should trying to build a fully distributed, multi-source audio distribution system, or what has been marketed as Whole House Audio by the big A/V vendors. None of these efforts have been inexpensive, user friendly, or as functional as I would have wished.

Needless to say, I was very excited at the potential uses of AirPlay when it was initially introduced by Apple. Utilizing this feature built into iOS devices and iTunes, you can easily put together a reasonable system (from a cost and complexity standpoint) that will give you fairly good results.

I’m certain there are more ways to do this than I’ll give you here, so please don’t flame me for forgetting your preferred method….

Step 1 – Start with a source

The most basic of AirPlay sources is iTunes. If you’ve accepted iTunes to be your central storage for all digital media, this gives you a good base from which to start. iTunes gives you a lot of flexibility here and can easily be controlled via the Apple Remote app from any iOS device.

From iTunes or the Remote app you can select your music or playlist as well as the destinations within your home. Each AirPlay target has a separate audio level control available so you can balance out the levels to your preference (or the device’s capability).

If you don’t want to use your media library and you prefer to stream your music selections, you are in luck.  You can use a streaming source, like Pandora, to feed AirPlay.  In this case I will use an iPad which I have Pandora set up on.  Launch the app and start playing your preferred playlist.  Once it starts you can double-click the home button to bring up the “multitasking bar”, swipe to the right and you’ll see your audio controls, from there you can click on the AirPlay button to choose which target you would like to use.

Step 2 – Simple target devices (or audio destinations)

AirPlay has been out for just over a year now, and manufacturers are starting to integrate its features into their devices. Audio/Video receivers from Denon and many small speaker/dock devices have implemented AirPlay, but I’ve yet to see one of these solutions that is reasonably priced to use if you wanted to stream music to say 5-7 locations in or around your home.

The approach I’ve taken doesn’t really care if the speakers or stereos are “AirPlay enabled” or not.  In fact, most of my target systems are built from either powered speakers or systems we’ve had in our home far longer than the existence of AirPlay.

So how do I connect them?

One of the simplest and most underrated devices from Apple is the Airport Express. While it has the capability to extend your wireless network (albeit at the expense of your throughput), make USB devices like hard drives or printers wireless, or provide ethernet connectivity to a non-wireless device, the biggest feature is its ability to be an endpoint in an AirPlay environment.

On every Airport Express is a combination mini-toslink and analog miniplug connection. So you can connect to an RCA input with a mini to RCA cable or directly to a digital input with the mini-toslink to toslink cable. I am very aware that Apple sells a nice “kit” with both these cables for an astonishing $39. A quick Google search will find an appropriate cable for your application for less than $5 per cable.

I have Airport Expresses using both options. Where I have a bookshelf stereo unit with optical input, I’ve connected the AE via the toslink cable. However in a simple and somewhat portable setup, I’ve used another AE simply connected to a pair of powered computer speakers. With these two options, you can probably accommodate most any stereo or powered speaker setup you have in place today.

To extend my options a bit further, I’ve also utilized Apple TV2s as target devices for AirPlay. ATV2s fit quite a different category of use versus the AE. The biggest difference for me is the lack of an analog audio out on the ATV2. While it has a full size optical output, it can perform the same function as an AE connected to a receiver with an optical input. This is truly a matter of preference, do what you wish here. The deciding point for me is what the end device is. If it’s really a TV, then the ATV2 is the preferred component. If it’s an audio only device, then the AE is my preferred device.

So now rooms like bedrooms and the family room don’t necessarily have to have a dedicated audio system in them to have audio streamed to them.  The downside to this particular option is that you have to have the television on in those rooms in order to have the audio output.  Whereas you can leave the stereo or speakers connected to the AE always on and set to a preferred volume level.

Step 3 – MultiSource?

While not a traditional multi-source setup, you can get a similar function from this setup. I cannot use iTunes running from my central media server to serve up different playlists to different rooms/targets. This would be a wonderful feature if someone on the iTunes dev team could work that out. However you can use a couple of sources (possibly multiple iTunes or iOS devices) to control separate sets of speakers. So my daughters could use the iPad to connect to speakers in the bedrooms upstairs to play Radio Disney while I have iTunes or my iPhone streaming music to all the speakers downstairs or outside.

If you’re looking to distribute audio on a fairly reasonable budget, I don’t believe you can easily beat this setup. It definitely gives you a lot of flexibility about what you want to put where (from a target perspective) and can easily grow to fit your needs. As each iTunes and iOS update comes out, I eagerly look to see what new AirPlay options may be enabled. Especially as Apple starts to introduce the ability to distribute video in the same manner. But that’s a whole other topic…

iNeed a new Thermostat?

There was a time, nearly 4 years ago, when a $600 cell phone on the AT&T network was an absurd idea.  You would want to keep that thought in mind when you look at the new home thermostat from Nest that comes in at a mere $250.

Except this is the brainchild of some of the original Apple team that developed the iPod. In fact the simple user interface of a large scroll wheel and simple screen is very reminiscent of the iPod itself. Nest cites the stat that a mere 6% of programmable thermostats are actually programmed to provide the function they were purchased to do. Nest resolves this issue by making the interface intuitive and having the thermostat “learn” your patterns to program itself.

Wireless programmable thermostats are already in the $100+ price range, and I can personally attest to them being rather difficult to program. If/when I purchase and install, I will write up a quick review.

WSJ Live on Apple TV 4.4, an underrated update?

With all the noise about iOS 5 today, it’s been pretty easy to miss the updates for the Apple TV. In fact, with all the news surrounding Apple, the iPhone, its iCloud service, etc, you would almost forget that Apple still had this TV “hobby”.

Most users will be focused on two new features: display mirroring and iCloud sync for photos. However I think the Wall Street Journal Live addition should get top billing for the new feature set.

When Apple added the NBA and MLB subscription services back on March 9th this year, that was the first showing of a streaming “channel” approach that would compare to the live streams on other “web enabled” television devices.

Obviously the hardware is prepared and can handle it. I’ve watched quite a bit of today’s WSJ live programming (and not because I was interested in the content) and was impressed with the implementation. Now it’s in the hands of Tim Cook to see if he can leverage Apple’s ability to deliver the content and persuade other broadcasters to get on board also.

I will eagerly await the next quietly deployed set of Apple TV features…

(Hey Tim, Apple TV App Store?  Anyone?)

Roku LT announced… looks like a Roku 2 HD with an instant rebate.

Roku announced yesterday a new device to its lineup, the Roku LT. The Roku LT specs look amazingly similar to the Roku 2 HD. Looking through multiple write-ups on the device the only discernible difference I can find (besides the odd Roku Purple color of the box) is the fact that it may (or may not) contain a microSD card slot. Roku touts that the microSD is only to hold channels and games. Since this device (like the HD) does not have bluetooth (for enabling the control of games) there shouldn’t be as much of a concern over the amount of storage, thus no need for the microSD slot.

The omission of bluetooth may also mean the IR remote won’t have the incessant sleep problem that the bluetooth remotes have.  Here’s hoping…🙂

So for omitting the microSD and bluetooth, Roku lowers the price to $49.99. If you’re looking to use this device for what it was primarily designed for (streaming television) then you won’t miss those features and will appreciate having the extra $10.