Human beings make life so interesting. Do you know, that in a universe so full of wonders, they have managed to invent boredom..- Terry Pratchett
This newsletter is the second of a two part series
educating about the dangers of social engineering. The original article can be
found
here:
Here are seven social engineering attacks that I hope are a good example of each
one of the deadly vices, but note there is always overlap and things are not
that clear-cut. We are dealing with humans after all!
Thoughtlessness: The combined U.S. and Israeli intelligence arms created the Stuxnet malware which sabotaged Iran's Natanz uranium enrichment centrifuges. It
was carried in via a simple USB attack on one of their scientists. The Mossad
slipped a USB drive to the scientist who plugged the stick in his laptop at his
house, went to work and there connected the laptop to the internal Natanz
network. Social Engineering jumped the air-gap due to a scientist who should
have known better.
Shyness: A Brad Pitt look-alike walks up to the internal reception of the Human
Resources Department of a French multinational's Boston office. He profusely
apologizes for being a few minutes late and shows a piece of paper with coffee
stains. He explains he spilled coffee over his resume and if the receptionist
"pretty please with sugar" can print a fresh copy for his interview? He hands
over the USB drive, the shy receptionist does not confront him with the company
policy that no foreign devices are allowed on the network, quickly prints a new
copy and hands him the stick back. The young man disappears to the rest rooms
and the network is so owned.
Apathy: Q: Which is the most useful to a social engineer? Ignorance or apathy?
A: I don’t know and I don’t care
The three employees of the shipping department all got the same generic phishing
email from UPS popping into their inbox more or less at the same time. None of
them took the time to hover their mouse over the link and see that the link
really went to a Slovak site with '.cz' at the end. Furthermore, not one of them
'prairie-dogged' up from their cubicle to warn the others. Two of the three
clicked on the link and got their workstation infected with nasty malware that
required a wipe-and-rebuild of their machines.
~Janet