Showing posts with label Social Engineering. Show all posts

Tuesday, May 14, 2013

VIDEO: Defenses Against Espionage

It never ceases to amaze me how many of the cardinal rules of security and threat mitigation are relevant no matter which era or platform they are adhered to in. This video is a perfect illustration of that. It's a video produced by the National Security Council for government contractors who worked with classified projects. It follows a fictional case wherein a company loses a key piece of classified information they produced. Of interest to security practitioners are the human security vulnerabilities exposed. Many of the fictional characters are exploited using social engineering. While the manner in which the information is lost is much more elaborate than what we see in modern corporate espionage, the lessons are the same.

Sunday, January 1, 2012

Identity thieves tell their secrets...



Identity theft is a crime that every criminally-minded individual should participate in because it is one of the easiest crimes a person can commit with little to no experience and minute chance of being caught in the act. This is due in large part to law enforcement agencies and financial institutions being deluged with requests to handle the investigations involved in these transactions to catch every thief. While there was a significant drop in identity crimes reported, there were 8.1 million adults who reported being victims (myself included). Moreover, very few victims file reports or know what it is that made them a victim in the first place.

In the report below, CBS News did something very few media outlets have done - interview real identity thieves.  The two ladies featured in this video describe how these crimes are committed and how they often get away with them.  They detail everything from how they obtained false fingerprints to using social engineering to withdraw large sums of money from victims' accounts.  They also provided some good information for banks and consumers.  



Tuesday, September 20, 2011

100th Blog Post and Book Review: Ghost in the Wires



For our first book review, we'll be looking at Ghost in the Wires: My Adventures as the World's Most Wanted Hacker. This is the first autobiographical work of a hacker-turned-security consultant I've ever read. I could hardly put it down. The book takes us through Mitnick's journey from being a ham operator to some of his most famous and infamous hacks. What was startling to learn was the absurd nature of the comments levied against him. One law enforcement official declared he could "launch ICBM's (inter-continental ballistic missiles) by whistling into the phone". Seriously?

Mitnick was candid about his first marriage and how he naively trusted his hacking partners not to "rat" him out when in fact they did. He also had no qualms about letting the reader know he has since established relationships with some of his pursuers. Most interesting was how much information he had gathered in his own defense.

Their revelations of what they perceived he was capable of and what he actually did were often very different. I found it illuminating that Mitnick would mention hacking had become an "addiction", as he never sought profit or fame for his hacks. I recall seeing the "Free Kevin" bumper stickers once he was captured and wondering in astonishment how people could be demanding the release of such a dangerous person. I regarded Mitnick as a person who sought to damage information systems or steal data outright. What I didn't know was Mitnick did neither. Hacking was a puzzle with dangerous consequences he became addicted to. I realize not all hackers are like Mitnick and are in it for nefarious reasons and should be treated as a threat by any security entity.

Perhaps the most telling part of his book is learning he was great at phone system hacking, otherwise known as "phreaking", but his specialty lies in "social engineering". "Social engineering" is the use of pretexts and verbal manipulation to gain access to systems through human interaction. Basically, he "conned" people into believing he was someone he wasn't to get access to all sorts of information which aided his hacking pursuits.

Overall, if you're looking for a real "page-turner" with interesting characters and an honest portrayal of Mr. Mitnick and his journey, I HIGHLY recommend this book.  In celebrating this book review and our 100th post, I'm offering a $25.00 Amazon.com gift certificate to the person who can solve this message:

Lfd ran cqn ydtxl jveena ofa 6bc sffx anivnj ofa Pqfbc ve cqn Jvan.   

To claim your prize, email scrivenlking@gmail.com your answer.

Thursday, May 22, 2008

Now, You Know Why I Have Issues With Doctors

Jacksonville Police are looking for a guy who's been posing as a doctor at Wolfson Children's Hospital. To make matters worse, the guy was seen walking in the operating room. Wow, talk about a lawsuit!

The man was stopped because he smelled of alcohol and proceeded to leave once he realized his cover was about to be blown.

The following is a bit disturbing:

Later that day, an employee found the black computer bag the man was seen carrying. The bag was under a car in the parking garage and contained everything the man was seen wearing in the surveillance video, including a badge from Shands-Jacksonville Medical Center with a picture of a young child that was cut out and taped on the badge.

“That in and of itself shows you that this person possibly was up to something but maybe his attempt was foiled,” Jacksonville Sheriff’s Office spokesman Ken Jefferson said.

The last comment by the spokesman was a bit disturbing because usually people don't impersonate professionals like doctors if they're not up to something. So how did he get access? He used the usual items like a medical coat, a badge, a stethoscope and a clipboard. I swear if you need to get into any building in the world all you need is a clipboard and an ID badge.

Saturday, May 10, 2008

Social Engineering



Above is a presentation given at DEFCON 15 (world's largest hacker convention) on social engineering. Social engineering is the art of getting information and/or access via the exploitation of certain social norms and behavioral patterns. This can be done through casual conversation or cold calling a prospective mark. I HIGHLY recommend watching this video to get you started on learning about how most thieves procure most of the details they need to get inside and steal your resources.
