
ChicagoCon '09: Hacking Humans - Part 2


Posted at 8:30 a.m. - Friday, April 24

As I mentioned in my last posting, the ChicagoCon Ethical Hacking Conference returns on May 8-9th, 2009 with a focus on 'Social Engineering.'

Yesterday, Donald C. Donzal, Editor-In-Chief of The Ethical Hacker Network & the founder and organizer of ChicagoCon, explained what Social Engineering was.  Now he helps non-nerds understand what they can do to prevent getting scammed by 'human hackers':

G2M: What are some of the things that people need to be aware of?

Donald Donzal: I’m glad you used the word aware. Awareness is the most powerful tool against these types of attacks. Now that you simply know of some examples from the above answers, do you think you are less susceptible? I would think so.

G2M: Is 'social engineering' always a bad thing?

DD: No. If the same techniques are used by an organization to test their own security, then they can plug the holes that will eventually be used by the bad guys. This method goes by many names including ethical hacking, penetration testing or if you’re an accounting firm, it’s an audit. There are even courses that teach corporations how to incorporate the thinking of the bad guys into their own audits of the internal networks, wireless networks and web-enabled applications. One such class even exists for SE. The Social Engineering Master Class instructs students on how attacking humans is actually a repeatable process suitable for inclusion in their audits. I thought this was such a fantastic idea, that I brought the class to my local security event, ChicagoCon May 4 – 9.

G2M: What are some of the most famous/infamous cases of social engineering?

DD: (Bernard) Madoff is the best example right now. He took advantage of people based on three very human traits: 1. Our ability and need to trust  2. Our desire to make money 3. Our need to feel good about ourselves and give to charitable organizations. He later added a fourth which is our desire to be part of the ‘in’ crowd. You couldn’t just go to Bernie Madoff and ask to be part of his investment group. You had to be recommended by a current client… er… victim. Now that’s slick. As far as a popular attack not necessarily linked to a single case, there’s phishing. Phishing and its variants are huge right now. In fact, there’s so much information about individual people online these days that Spear Phishing, direct attacks on specific individuals, is much easier. If you can target one person or a smaller group of people who have what you want, your rate of success is much greater. And if an email message looks like it came from your bank, the link looks like your bank’s web site and the graphics match your bank’s logo and envelopes, then it must be from your bank, right? And now for the final push over the edge, why don’t we just add a small threat like, “If you don’t act now, your account will be frozen.” That’s pretty slick, too. And it again preys on our natural fears as human beings.

G2M: What are some simple things that people can do to protect themselves?


DD: There are many answers to this, but the simplest answer should come first. The use of common sense works like a charm. These attacks were here long before computers, so the best defenses are the same that they were 2000 years ago. If a Nigerian Politician needs you to send him $30,000 to get him out of the country, and in turn he’ll give you $1,000,000, just delete the email! When people got this in their snail mailboxes 50 years ago, throwing it away was the best answer. That remains true today. Awareness as mentioned above is also a great protection.

******************
For more information on ChicagoCon09, visit the event website and also be sure to check out The Ethical Hacker Network site!

ChicagoCon '09: Hacking Humans


Posted at 12:50 p.m. - Thursday, April 23

The ChicagoCon Ethical Hacking Conference returns on May 8-9th, 2009 with an interesting new topic: 'human hacking' AKA 'Social Engineering.'

In advance of the conference, Donald C. Donzal, Editor-In-Chief of The Ethical Hacker Network & the founder and organizer of ChicagoCon, explains what Social Engineering is:

G2M: For those who are not familiar, explain 'social engineering.'  How does one 'hack a human?'


Donald Donzal: Social Engineering is defined by Wikipedia as “the act of manipulating people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud or computer system access; in most cases the attacker never comes face-to-face with the victim.” While not totally accurate, it serves as a good starting point for the uninitiated. So how does one do this? It’s actually much easier than you might think. In these tough economic times where tax refunds are almost like that crucial extra paycheck, it might be very beneficial to get that money quicker. What if I sent you an email message with a way to do it for free? All you have to do is click on this link, send me your personal information including bank accounts for direct deposit, and I’d be willing to bet that lots of people would do it.

G2M: Is this something that happens solely on the internet, or can it happen in any social situation?

DD: One simply has to look at the (Bernard) Madoff case to see that not only are humans easily duped, but even the ones that are highly educated and affluent. So whether the attack is over the phone, via snail mail or on the Internet, the common denominator is trust. If we feel like we trust the person, the look of the envelope or the source of the email message, we are more likely to trust the contents. This has been true long before computers, and will continue long after the next big thing.

G2M: What does a 'social engineer' stand to gain from 'human hacking'?


DD: Easier access into systems with no trace except for a memory in someone’s head. Even better is that the shame of being duped is another protection in the attacker’s favor. Imagine if I convinced you over the phone that I was one of your local technical support staffers who was helping your company recover from a possible breach in security. In order to prevent you from losing access for a day or more to network resources or even the Internet, I can help you on the phone right now change your password. All I need is your current username and password, so I can help you avoid any downtime. How many would fall for that? Now I have full access to whatever that person had. And if anything bad happens, do they find me? No. It looks like the employee I impersonated.

G2M: What is ChicagoCon?

DD: ChicagoCon is actually 2 events in one, training and a conference. Training courses like the SE Master Class are held from Monday to Friday afternoon May 4 - 8. Then at 2:00 PM on Friday and all day Saturday is where the fun is. This is an entire 2-day Ethical Hacking Conference May 8 – 9 focused on helping the good guys learn the tools and techniques of the bad guys to bring back to their own businesses for better security. We have numerous presentations, free career counseling for this exciting field, a hands-on computer lab with a Capture the Flag contest, a lock picking instructional session, food and much more. Tickets to the 2-day Conference are just $100. Details can be found at www.chicagocon.com.

Next up: How To Protect Yourself from Getting 'Hacked' by a 'Social Engineer.'

Ethical Hackers in Chicago?


Posted at 9:35 a.m. - Monday, October 20

October 27th will see the start of ChicagoCon, the Windy City's ONLY Ethical Hacking Conference for Computer and IT Professionals, and in advance of the event, organizer Donald Donzal is sharing some tips and tidbits with Geek To Me readers.  Our first nugget of cyber-wisdom comes in the form of a Top 5 list for non-nerds:

Top 5 Non-Technical Ways to Improve Online Security by Donald C. Donzal

The Big 4 technical solutions are still needed: Automatic Updates, Anti-Virus, Anti-Malware and Firewalls, and there are many Suites of products that combine them all and more. But the bad guys are no dummies. They realize that the weakest link in the security chain was, is and will remain people. With that in mind, here are 5 simple ideas to prevent the hacking of wetware… your brain:

1. Don’t Get Click Happy – It is human nature to just shoo away pop-ups like annoying gnats. Take the time to actually read what is being displayed before clicking anything. Or better yet, just close the window. Don’t click anywhere inside the window as it may just be a picture of a cancel button and take you elsewhere.

2. Use Real-World Common Sense – The exiled African Diplomat scam we have all seen plastered in our Inboxes actually predates the Internet, computers and for that matter telephones. Email is simply a new, cheap way to get more of you to fall for this scam. If this or any other hoax hit your real mailbox at your home, you’d throw it in the garbage without a second glance. Use that same real-world common sense in the electronic world.

3. Don’t Open Attachments – Currently, the number one way for a criminal to take control of your computer is through email attachments. Even if it’s from your Mother, question it. Especially if it ends with .exe!

4. REMEMBER: Everything Online Can be Captured – It’s not just your favorite search engine recording your buying habits. There are numerous ways that numerous groups (good and bad) can record everything you do online. If you keep this in the ‘front’ of your mind at all times, it may just change your habits.

5. Be Password Savvy – Passwords are not perfect, but they secure the vast majority of systems today. Try using pass-phrases instead of passwords. Don’t use the same password for MySpace as you would for online banking. And finally, learn the fine art of lying. When asked a special question for those password reminder forms – LIE!! Especially if you are a government official whose secret question may be answered with a simple Google search… Gov. Palin!

LOL!  Good one, Don!

You can learn more about the ChicagoCon - Ethical Hacking Conference by visiting their web site.  Also, read more of Don's security tips on The Ethical Hacker Network web magazine.

And keep checking back here on the Geek To Me blog!
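Don's phishing description in the April posts (a link that only looks like your bank's, the "if you don't act now, your account will be frozen" push) and tip 3 above (attachments, especially ones ending in .exe) are cues a mail filter can check for you before common sense has to. The script below is an added example, not code from the original posts, from Don Donzal, or from ChicagoCon/The Ethical Hacker Network. The two sample messages, the examplebank.com and example.test names, the executable-extension set and the pressure-phrase list are all constructed for illustration.

```python
"""Triage an e-mail for three social-engineering cues: a link whose visible
text names one site while its href goes to another, pressure language, and an
attachment Windows would execute (including double extensions such as
statement.pdf.exe). Sample messages and domain names are constructed."""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions Windows runs directly on double-click (illustrative subset, not exhaustive).
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "vbs", "msi", "hta"}

# Pressure phrases of the kind quoted in the interview (constructed list, not a signature set).
URGENCY_PATTERNS = [
    r"\bact now\b",
    r"\baccount will be (?:frozen|suspended|closed)\b",
    r"\bwithin \d+ hours\b",
    r"\bverify your (?:account|identity)\b",
]

# Visible link text that claims to be a site, e.g. "www.examplebank.com" or "https://examplebank.com/".
DISPLAY_HOST_RE = re.compile(r"^(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:/\S*)?$", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def claimed_host(text):
    """Host the visible link text claims to be, or '' if the text is not URL-like."""
    m = DISPLAY_HOST_RE.match(text.strip())
    return m.group(1).lower() if m else ""


def actual_host(href):
    """Host the href really points at, with a leading 'www.' dropped for comparison."""
    host = (urlparse(href).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def triage(raw):
    """Return the cues found in one RFC 5322 message given as bytes."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    found = {"link_mismatches": [], "urgency": [], "executable_attachments": []}
    texts = [msg["Subject"] or ""]

    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        html = html_part.get_content()
        texts.append(re.sub(r"<[^>]+>", " ", html))
        links = _LinkCollector()
        links.feed(html)
        for href, text in links.links:
            shown, real = claimed_host(text), actual_host(href)
            # A link is fine if it goes to the named site or one of its subdomains.
            if shown and real and real != shown and not real.endswith("." + shown):
                found["link_mismatches"].append((shown, real))

    plain_part = msg.get_body(preferencelist=("plain",))
    if plain_part is not None:
        texts.append(plain_part.get_content())

    blob = " ".join(texts).lower()
    for pattern in URGENCY_PATTERNS:
        m = re.search(pattern, blob)
        if m:
            found["urgency"].append(m.group(0))

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        # Only the final extension matters to the OS; "statement.pdf.exe" is an .exe.
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in EXECUTABLE_EXTS:
            found["executable_attachments"].append(name)
    return found


def build_sample(malicious=True):
    """Build a constructed bank-themed message, either the phishing version or a benign one."""
    msg = EmailMessage()
    msg["From"] = "Example Bank <alerts@examplebank.com>"
    msg["To"] = "customer@example.net"
    if malicious:
        msg["Subject"] = "Action required: verify your account"
        href = "http://examplebank.com-login.example.test/verify"
        body = ("<p>Unusual activity was detected. If you don't act now, your account "
                "will be frozen.</p><p>Sign in at <a href=\"%s\">www.examplebank.com</a> "
                "to verify your identity.</p>" % href)
        attachment, filename = b"MZ\x90\x00", "statement.pdf.exe"
    else:
        msg["Subject"] = "Your monthly statement"
        href = "https://online.examplebank.com/"
        body = ("<p>Your statement is attached. Sign in at <a href=\"%s\">"
                "www.examplebank.com</a> to view past statements.</p>" % href)
        attachment, filename = b"%PDF-1.4", "statement.pdf"
    msg.set_content(re.sub(r"<[^>]+>", " ", body))
    msg.add_alternative(body, subtype="html")
    msg.add_attachment(attachment, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for flag in (True, False):
        print("malicious" if flag else "benign", triage(build_sample(flag)))
```

The link check compares the site the anchor text claims against the host the href actually resolves to, allowing subdomains of the claimed site so that a real "online.examplebank.com" login page is not flagged; the lookalike "examplebank.com-login.example.test" is. None of this replaces the advice above: a message with no executable, no threat and a correct link can still be a lie, which is why awareness stays the first line of defense.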
