Phone phishing, just one way to social engineer information from end users

Social engineering is used to obtain or compromise information about an organization or its computer systems. An attacker may seem unassuming and respectable, possibly claiming to be a new employee, repair person, or researcher and even offering credentials to support that identity.

The following is a recent real-life example which would seem very innocuous.

An associate's phone rings.  The person identified herself as working for the accounts receivable department.  She indicated to the user that the phone extension he had was noted as sitting near an HP Color Printer.  She asked if he could provide the model and serial number for her records.  (Before we go any further, how many of you reading this sit “near” an HP printer?)

The user was keen enough to ask the caller’s name.  She responded with only a first name, “Kathy”.  Fortunately this set off a red flag that something may not be completely legitimate with her request.  He then indicated it wasn’t necessarily a good time for him and asked if he could get the information and send it to her in an email.  Still suspicious but now afraid the caller might just hang up, the user stalled and answered “oh yes, there is an HP printer right here” and gave the model number, but nothing specific to the device or the company he works for (serial number or IP address).

After saying this, the caller seemed more interested again and continued to ask how they administer and maintain the printers.  The end user indicated he wasn’t sure and would have to ask.  He then asked for her last name, to which she responded “White”.  Being resourceful, the user quickly checked the company's Active Directory.  No users matched that specific name.

He then offered to get the rest of the information and call her back.  The caller indicated that the phone she was using was only able to make outbound calls and she wasn’t sure what number would reach her area (does this sound like any phone in your company?).  When he insisted he’d need to call her back, she quickly hung up on him.

By asking specific and probing questions, a caller may be able to piece together enough information to infiltrate an organization’s network. If an attacker is not able to gather enough information from one source, he or she may contact another source within the same organization and rely on the information from the first source to add to his or her credibility.  While each of those pieces of information may seem insignificant by itself, in total they may give a hacker just the information they need to footprint a company or network in order to run a targeted attack on the environment.

Google Chrome and Instant Pages. A hacker's new best friend?

This is one of those articles where I start reading thinking, this is an interesting approach.  It seems to take caching to a new level to help speed up your web browsing experience by “pre-caching” sites before you ever go to them.

http://www.technologyreview.com/computing/37818/

But then I make a switch from right brain “this is cool and forward thinking” to left brain “immediate paranoia”.

One of the methods (discussed ad nauseam) to promote malware is the utilization of popular search terms and optimized sites to get good search engine results.  Many AV providers use a “search ahead” feature to look at the sites in your search results and give you a visual indicator of what may be a malicious page.  If Chrome independently makes the decision to load the pages on your behalf (to make your web browsing experience better), this also provides an effective avenue for malware delivery.

While I’m certain there will be an option to disable this feature, this raises enough concern for me to not use Chrome 13.

Why is my iPhone logging my location?

Apple officially acknowledged the growing controversy over the logging of location data on the iPhone and iPad. They have published a Q&A on their website which clearly states:

Apple is not tracking the location of your iPhone. Apple has never done so and has no plans to ever do so.

It then goes on to address the other concerns that have been commonly used in articles hyping the issue:

Quote from acknowledgment:

The iPhone is not logging your location. Rather, it’s maintaining a database of Wi-Fi hotspots and cell towers around your current location, some of which may be located more than one hundred miles away from your iPhone, to help your iPhone rapidly and accurately calculate its location when requested. Calculating a phone’s location using just GPS satellite data can take up to several minutes. iPhone can reduce this time to just a few seconds by using Wi-Fi hotspot and cell tower data to quickly find GPS satellites, and even triangulate its location using just Wi-Fi hotspot and cell tower data when GPS is not available (such as indoors or in basements). These calculations are performed live on the iPhone using a crowd-sourced database of Wi-Fi hotspot and cell tower data that is generated by tens of millions of iPhones sending the geo-tagged locations of nearby Wi-Fi hotspots and cell towers in an anonymous and encrypted form to Apple.

Interestingly, Apple does admit that this wasn’t entirely well thought through and considers the inability to completely disable the function a “bug”:

7. When I turn off Location Services, why does my iPhone sometimes continue updating its Wi-Fi and cell tower data from Apple’s crowd-sourced database?
It shouldn’t. This is a bug, which we plan to fix shortly (see Software Update section below).

Apple has now released iOS 4.3.3 which:

  1. Makes the location cache size smaller, thus limiting the amount of data collected on your location (and presumably the amount of time that can be traced back).
  2. No longer backs up the cache information to your iTunes account on your computer.
  3. Allows for complete disablement of the cache when you turn off the location option in your settings.

If you are not using an application that needs location services, why not take the safer route and turn off the feature until you find you need it?  As odd as that sounds to many iPhone users, a quick check of a few iPhones near me revealed that 3 out of 7 users (highly informal poll, I know) did not have their location services on and were quite happy with their iPhones.

Obama Birth Certificate search results yield malware

It’s long been a tactic of ne’er-do-wells to capitalize on topical issues to deliver malware.  Today is no different.  Many of the “1st page” Google image results for “Obama Birth Certificate” yielded images which had embedded exploits that would take advantage of known browser and/or Java vulnerabilities.

When you think about it, this is a very effective mechanism for malware delivery.  In our post-physical-newspaper society, many get their news from online news sources.  Of those many, some will consistently go to the same sites to get information; the rest will simply search for (dare I say Google) the specific piece of news they are looking for.

Malware authors are well aware of this and capitalize on it quite often. While users may have become more aware of this when looking at links in a typical Google search, they may not be as aware when doing searches on images (as has occurred recently with the Charlie Sheen and Obama Birth Certificate searches).

So what can you do to help protect yourself in this ever-changing malicious environment we call the Internet?

  1. As a “safe browsing technique”, try to use known, “reputable” news sites when you are looking for topical information.  I will concede that just because a news site is well known does not make it immune from being hacked or from delivering malware.  But the chances are much lower with those sites than with general unknown sites.
  2. Certainly use caution with all pop-ups that ask you to download, install, or run anything.  Also do not rely on the little red X to close those windows.  Chances are, it won’t do what you expect it to.  You are best off bringing up your system processes, killing off your browsing sessions and starting over.
  3. Make sure your operating system and security applications are kept up to date.  If you stay current with your patches and keep your security protection suite updated, you have reduced the opportunity for any of the known exploits to actually work on your system.

Follow these precautionary steps and you could be “winning” too…

Indian Government “give us access to all email!”, RIM “I’m sorry we can’t do that, would you like some text messages?”

I have expressed concern in the past with RIM's position that it would explore providing access to communications between its devices in some countries.  My concern had usually stemmed from the fact that RIM has a proprietary encryption system and has sold itself to the business community as being the most secure communication medium for cellular devices.

As China, India, and Germany have pushed RIM and demanded access to their communications in order for it to continue to operate in their regions, I’ve waited to see what the ultimate outcome of this standoff would be.  Would RIM hold its line on securing its platform and risk losing the ability to do business in those countries, or would it cave to the demands of these governments (and in my opinion risk losing much more business in many other countries)?

Well, it appears the answer is BOTH!  Fortunately the communications that go through RIM's network and their communication servers (the BES) will not be opened to these parties.  However, RIM has offered that it can, and will, provide Blackberry Messenger communications if the proper local legal procedures have been followed to request those messages.

So what does that mean?

Emails and communications that use RIM's Enterprise services (i.e. the Blackberry Enterprise Server services) remain encrypted with the proprietary encryption and will not be accessible.  These communication services are dependent on the BES server being in place and sending and receiving communications.

What is available is the Blackberry Messenger service, which utilizes PIN messaging.  The key difference is that this is nothing more than a fancy interface into SMS messages that traverse the carrier's secondary cellular channel and can deliver messages directly from device to device without the need for a BES server.  Because this avoids the enterprise server (and the logging capabilities of the server), many users prefer this method of communication, as they know their employer is not able to see/log the messages they send each other (without physically having the device).

Will the Indian gov’t accept this as meeting their initial request?  No, not likely.  However, it was a pretty good concession by RIM to provide something without completely jeopardizing their ability to provide service in these regions.  I applaud RIM for not conceding and providing access to their encryption scheme.  I hope they can hold the line on this one…