Archive for the ‘Uncategorized’ Category

Hacking Tweeps: Twitter and LinkedIn as social engineering tools

“My internal marketing department is looking to issue a communication around Twitter account security (with a business focus).”

Use of Twitter is growing, not only between individuals connecting with their “tweeps,” but also for businesses connecting with their customers, or politicians with their constituents. Twitter has become a forum for sharing all manner of expression on all subjects.

That’s why businesses need to take special care in their security training regarding Twitter and other types of social media.

Twitter and LinkedIn are fertile sources of information for hackers preparing social engineering attacks. By gathering benign information about a company and “name dropping” in a DM (direct message) conversation, attackers may build a level of trust with insiders and thereby gain secrets.

Employees post seemingly innocuous information on Twitter that an adversary can easily gather and assemble. For example, photos of office space and co-workers, descriptions of work (My d-bag boss makes me fill in his TPS report every Friday #ihateexcel), and names of customers or clients all reveal enough information for an attacker to recruit unwitting accomplices.

I’ve used that technique in my operational penetration testing. I will call an employee claiming to be a new guy from a different office, and that my boss is yelling at me to give him a weekly TPS report, and that I’m having trouble with the macros, “could you please forward me one of yours so I could copy the formulas….”

I recommend a business have a policy that is well-“socialized” around the office with the following components.

  • Encourage employees to limit posts to personal interests, not their work, office, or co-workers.
  • Never share information with strangers, even longtime “connections” on LinkedIn or longtime “tweeps.” Instead, refer them to your corporate webpage, or say you will have someone get back to them.
  • Always ask for a callback number or email address from anyone requesting information by phone, LinkedIn or Twitter, and forward the request to security or to marketing.
  • Twitter profiles should not indicate place of employment.
  • LinkedIn profiles can be more complete, but only connect with people you actually know or who are personally introduced to you. (Social engineers create fake, legitimate-sounding profiles on LinkedIn and connect to hundreds of people in a particular industry to appear legitimate.) Just because a person is connected to (or follows) many of the same people as you does not mean that they are legit.

Twitter and LinkedIn are great tools for business, which, if used properly by well-informed employees, won’t be a gateway for hackers.



Why Worry About Public Surveillance? Are you Hiding Something?

September 15, 2014 1 comment

In the aftermath of the killing in Ferguson, MO, three police officers – none of whom are from the Ferguson police department – were suspended after blatantly racist and extremist comments and unacceptable behavior. A Rock Island, IL sheriff recently pled guilty to cyberstalking and resigned.

Do you think that, given an opportunity, these local law enforcement officers and others of their ilk would use information gleaned from your cell phone in a responsible manner? Would they respect information privacy?

Local law enforcement does have the opportunity. In September, news broke that owners of encrypted cell phones had identified 19 fake cell phone towers in various parts of the United States; it wasn’t long before the towers were connected to the NSA, as well as local, regional and state law enforcement.

This enables something as simple as tracking a user’s location or as potentially sinister as so-called “Man in the Middle” attacks where calls and texts can be heard or read before being forwarded on to a legitimate cell tower and the intended recipient. Is this a violation of physical security or cybersecurity? Or both?

Do you trust your local law enforcement to protect your information privacy? How many police officers or sheriff’s deputies are trained to understand these limits? In Florida a local police department used cell phone location information to conduct a search without a warrant. What else can and will they do? What have they done?

And what does this do to our expectations of information privacy?


Google says Don’t Worry

September 15, 2014 1 comment

“Google Says Not to Worry About 5 Million ‘Gmail Passwords’ Leaked” So said a headline on If you have a gmail account, were you at all concerned that your email address and password were among the 5 million? Of course you were.

Continued data breaches are a cybersecurity headache. They’re also a major public relations nightmare. Telling your customers not to worry doesn’t sound like a good strategy.

So far no one is saying how the Russian Bitcoin security forum actually got the gmail addresses paired with the passwords. Some speculate that, instead of a gmail data breach, whoever was responsible grabbed them from other sites at which gmail customers used their emails and passwords to sign in.

It’s still a public relations problem for Google. Covering various parts of your body and telling everyone not to worry only serves to make people leery. They don’t believe you and suspect your ability to handle cybersecurity and even physical security.

So, whether it’s a data breach or some other problem, most PR professionals believe honesty is the best policy. Tell people their information privacy has been violated, whether via a cybersecurity or physical security breach. Give them directions for changing their passwords. Admit you don’t know what happened, but, by golly, you’re going to find out. And apologize. For goodness sakes, apologize.

People understand apologies, especially if they are followed by a vow to find and fix the problem.

Then tell them when it’s fixed.


Convincing the skeptical CIO to support security

August 25, 2014 8 comments

I have a new client, a billion-dollar service company, whose CIO is going to test my skills. He is suspicious about security and risk management, and questions everything. I should be happy, but I’m not. I should be happy because his questions mean he’s engaged – antagonistic is better than apathetic I always say. He’s willing to hear my arguments about the value security brings to the business, but he’s stubborn. How am I going to win him over? READ my answer HERE.


Prioritizing is the Key to Defending against Advanced Threats

August 24, 2014 2 comments

Here are some helpful tips for the security manager who wants the right governance in light of advanced threats.

Most organizations have struggled for years just cleaning up and prioritizing the security alerts generated by numerous point products. The value proposition for SIEM products was couched in terms of correlation and prioritization, but SIEM has only succeeded in checking a compliance box without addressing the problem of advanced persistent threats. Stopping targeted attacks in the shortest time possible is now the top priority for advanced security solutions. Read the tips HERE.



Four ways to build a more empowered security team

Every Chief Security Officer, CISO, and risk manager I know believes that their security and risk operation has strengths and weaknesses; in some areas best practices reign supreme, and in others the blunders threaten catastrophe. If managing risk were merely a matter of crafting great policies, we’d read about very few security failures indeed. Unfortunately, managing risk and security always plays a wildcard: the security personnel. How can we ensure that our security teams are putting their best efforts toward the objectives of the department and the business?

Read it here.


Unusual Data Breaches, and other posts

I am a guest blogger at a number of other sites. Here is a sampling of some of my recent posts.

The greatest threat to data is also the least studied

Physical loss of information was difficult to quantify, so said the editors of the 2014 Verizon Data Breach Investigations Report (DBIR2014) that came out this month. That imprecision is why your cyber security precautions mean squat against the gargantuan physical risk you face.

The report, anxiously awaited each spring, this year included a summary of ten years of breach data. Among the findings is a section on physical theft and loss. The editors described physical loss of information as not sexy and “cyber-y,” and the numbers about this type of information leakage as a little iffy. However, they rightly point out that physical loss is among the most common causes of data loss/exposure.

In short, they claim that one of the most common types of information loss is also the least measurable. Read it here.


Balanced Scorecard for Security

Security executives who’ve used the Balanced Scorecard over the years set their IT budgets by first determining the strategic role that security will play in the organization, then establishing a companywide funding level that enables security programs to fulfill that objective. Since the first step in implementing a Balanced Scorecard starts with strategy, it follows that this can be an effective method for aligning security with that strategy. Read it here.