How people look at your profile page?!!

I don’t want to say much, as the picture I have posted below speaks for itself… This is how people look at your Facebook profile page. This information is based on a study conducted by eyetrackshop.com and it pretty much shows how people unwantedly care about your personal information.

If you want to see the result of the study on the profile pages of the other social networking websites, you can go to this link.

Cheers

Social Engineering by Fake and Deceiving Support Calls

We have talked a lot about technical things and how to protect our environment from a technical point of view. However, we still need to pay more attention to the social engineering techniques that intruders use to penetrate your computers and networks, because honestly there is no patch for human stupidity.

It might be unbelievable, but there are many hackers who call people at home or on their cell phones, introduce themselves as technical staff calling from Microsoft or some other well-known corporation, and ask whether the person needs support for any issues. You may not believe how excited people (especially non-technical ones who are always looking for support) get to receive help from somebody calling them up from heaven and wanting to help them, and I get frustrated when I see how easily people are deceived and give away personal information such as their computer’s username and password, credit card information and so on. Some even readily click on a link to download software onto their computers to receive support from the person on the other end of the phone.

The Trustworthy Computing Team at Microsoft conducted a survey of 7000 people and found that more than 1000 of them had received such phone calls, nearly 22 percent of them (234 people) were deceived, and 184 of them even lost money (something around 800 USD, all of them in total).

It is always really easy to deceive people, and much easier than hacking into a computer system, which can be pretty up-to-date with all these automatic update services running on machines. I believe there needs to be more seamless training provided to people through different types of media, because not everyone reads security websites to learn about such threats. After all, keeping people’s confidential information secure on the net is the main purpose of the professionals and authorities in charge of security, and in order to do so, learning is the most fundamental thing to be done.

That said, I have some very quick tips that I want to share with you to keep you away from such fake calls:

  • If you get a call claiming to be from a well-known company, ask for the caller’s name and phone number and ask whether you can call him/her back. Ask him to give you the company’s phone number so that you call the company, not his direct phone… (Do not be ashamed, you just want to make sure he is the right guy.)
  • Remember that Microsoft will never have such support services calling you without your request for any given on-the-phone services… I’m not sure about other companies, but as far as I can remember I have never seen any company giving such services by cold calling people.
  • Never give the person on the other end your name, the username and password of your computer or of any website you are a member of, your credit card information or other confidential information.
  • Ask the person upfront whether you will have to pay for this service and try to find out why that person has called you.
  • Do not click on any link on any website that the caller gives you, even if it seems to be a pretty well-known, trusted website.

Finally, if you feel like you will never be deceived by these fake callers, at least try to increase awareness of such threats by letting your friends and family members know about them.

Cheers

Social Engineering, Still a Big Threat…

If you are working as a security engineer or analyst in a large enterprise, you probably have to deal constantly with a large number of different attacks threatening the network. One of those types of attack is social engineering, which has taken on a new shape these days due to the complexity of relationships and the vast growth of social networking websites such as Facebook.

Social engineering, in its simplest definition, refers to the act of talking people into doing something without them even knowing that it harms the company or even themselves. It’s usually planned and done by hackers in order to find a way inside big organizations’ networks at the early stages of hacking. Even now, penetration tests performed by security engineers check the social vulnerability of the employees working in that organization.

With the rapid increase in this type of attack, which is really difficult for security people to handle, we can, as I mentioned above, see new types of social engineering attacks taking place. Hackers reach employees through social networking websites to achieve what they cannot achieve using the old methods of cracking. This is pretty much the easiest way an attacker can penetrate the network. For instance, phishing attacks using social networking websites, which could be called a kind of social engineering technique, jumped significantly from 8.3% in January 2010 to 84.5% in December, which pretty much shows their popularity among internet criminals.

But seriously, what could be done to stop these attacks from happening?

This really depends on the level of awareness against these types of attacks among the employees. Before I go any further into this discussion, let me ask a question…

Which one would you prefer? Buying the latest and most expensive firewall appliances for your network, or having regular seminars among the employees?

I am sure more than half would go for firewalls. No one would ever think that security starts from that very employee working inside the organization or company. Even a janitor can reveal so much information about a network. You might think it’s silly, but it’s true. Have you ever asked yourself who is the person who knows exactly who is on shift at work, or who always checks the server room, or what time employees leave their rooms for a break, or … ? Yes, that’s the janitor, who sees and knows all these… How easy do you think it is to get all this information from a janitor? 1 minute? 2 minutes? 15 minutes? Or maybe 1 hour when you treat him to a coffee…

Again, I say that might seem funny, but these are real-world threats even nowadays… Now that devices are so strong and sometimes unbreakable, hackers think of human mistakes and vulnerabilities. Yes, that’s true… Here is a link to a roundtable video with two guests from Microsoft talking about social engineering threats.

Trust me, guys… Hacking and penetration are as simple as this… Go and think of the culture you need to create among the people in your company and try to create awareness of any possible attacks…

Good luck