I Think My Computer Has A Virus

4.2 Why and How Does this Happen?

We know viruses come from malware, but did you know about the lucrative business that drives these sorts of attacks? Watch / read to learn more.

 

Transcript

Davis: So, Dan, I know you’re not the only one to come home or go to work to encounter screens full of frightening messages. In case our audience includes individuals who have encountered the same thing, let’s get into it: why does this happen?

Dan: Well, it usually happens because some kind of malware got installed on the machine. That could happen because the owner of the machine clicked on a link or opened an attachment from an unknown source, or it could be because they fell victim to an all-too-common attack called social engineering.

Davis: So, fortunately, we’ve talked a lot about those data privacy techniques that keep us out of malware land, but what on earth is social engineering? And how does that come into play? How would you define this term and what do we need to know?

Dan: Social engineering is trying to get someone to do something they don’t want to or shouldn’t do. Think about the times you may have called a customer service line and told a small white lie to get a device repaired under warranty, even though you dropped it, or when you convinced the help desk to reset your password without you giving them your secret identity code, because you left your phone that generates that code at home. These are all forms of social engineering, but sometimes they take on different forms when done by bad actors, like when they call your help desk and pretend to be the CEO’s assistant claiming they’re trying to get into the CEO’s mailbox and he has an urgent presentation to give and needs it right now. You can see how social engineering can be used in a whole different way to very different ends.

Davis: That is just about as clear an explanation as I’ve heard, so thank you for that. What is it about us as human people that makes us vulnerable to this type of thing?

Dan: Humans are built to want to be helpful, so we try to do so at every turn. In the example I just gave, the caller will likely play on the fact that the help desk agent can aid in making this big deal happen, maybe pretending it’s for a huge investment in the company, to make a help desk agent more likely to want to help, even if it means bending the rules.

Adding an urgency also makes the drive to help greater and makes the person who is needing to act less likely to think through the validity of that request, because time pressure is being applied. You’ll often see urgency in social engineering efforts and in phishing emails, too. “Your account is about to expire! Act now to keep your data!” Things like that. That example also calls out another human trait that comes into play in social engineering: a lot of reticence to ask a superior to confirm something.

Note that the attacker used the CEO in this scenario, someone that a help desk agent is not likely to know personally and will not immediately think, oh this seems strange, I’ll call the CEO to confirm. I spend a lot of time building a culture into my organizations to establish that calling anyone up to and including the CEO is a-okay when you think something is suspect. That’s a great defense against social engineering.

Davis: The examples you just gave illustrate some amount of research being done by the people perpetuating these things. So how do folks who perform acts of social engineering know personal details about us? That seems super creepy and it also seems like a recipe for manipulating users into taking steps they might not otherwise take.

Dan: As we talked about in series three, there’s a lot of data about us floating out there from data brokers that collect data about our personal lives, to other types of data brokers that build dossiers on organizations from roles and titles and phone numbers and email addresses, and more for use primarily by sales teams to better sell into a company. But that data is also available to anyone who wants to buy it. Add in the information that we provide ourselves on places like LinkedIn and Twitter and you’ve got a great stockpile of who’s who and what they do. Makes the story you can tell in social engineering attempts all the more realistic, and gets you a better chance of your request being fulfilled.

Davis: Right, so if anyone follows me on Twitter and perpetuates social engineering against me, they can just talk about cats and I’m theirs. What are some clues that you’re the subject of a malicious attack when this happens to befall you, Dan?

Dan: Well, first, your CEO and your leadership team will likely never ask you to buy them iTunes gift cards, full stop. If they do, call and ask them to verify. But I’ll wager they really didn’t. Gift card scams have become so prevalent that the point of sale systems at places that sell gift cards now actually warn buyers that if they’re buying based on an email or other online request that they got, it’s likely a scam. The other is unusual urgency in the request, the claimed inability to talk over voice — “I can only do this over text” — or phone numbers and email addresses that aren’t the norm — “I’m locked out of my corporate email account so I’m mailing you from my personal Gmail. Can you please help me here?”

Davis: What might cause someone to engage in this sort of behavior? It seems maladaptive to me.

Dan: When there’s money to be made, there’s crime. And in this case, there’s organized crime. There’s large syndicates of groups that make tons of money perpetrating attacks on individuals and organizations trying to get money out of them one way or another. These groups run like businesses and have leadership structures and tech support organizations and rules and policies of how and when and who to attack. It’s a really lucrative business.

There are also cases where nation states can engage in social engineering to attempt to get information against other governments or agencies. They use this to get contact details or convince someone to run something that installs spyware or malware that lets them do recon, or get information about their target, or allow them to come back later and gather more information, or take some action against that network or system. These same things can happen in crime-based social engineering attacks, but the intent is really different.

Davis: If those of you watching are as creeped out by all this as I am, not to worry: our next episode gets into how we can prevent these things from happening in the first place. And if you’ve been through a situation where your devices were hacked or you fell victim to a scam we’ve got an episode on how to move forward, also coming up soon.

Relevant Terms

  • Malware

    Software that is specifically designed to disrupt, damage, or gain unauthorized access to a computer system.

  • Social Engineering

    In the context of information security, social engineering is the psychological manipulation of people into performing actions or divulging confidential information. This differs from social engineering within the social sciences, which does not concern the divulging of confidential information.

  • Data Broker

    An individual or company that specializes in collecting personal data or data about companies, mostly from public records but sometimes sourced privately, and selling or licensing such information to third parties for a variety of uses.

Contributor Bios

  • This project is funded by the Mayor’s Office of the Chief Technology Officer, and produced in collaboration with Brooklyn Public Library, The New York Public Library, and Queens Public Library.

4.1 The Story of a Common Data Privacy Issue

Ransomware is a growing problem for organizations and municipalities everywhere. In this series, we'll talk about how to stay safe.

 

Transcript

Davis: Hello and welcome to the fourth series of training videos from NYC Digital Safety. I’m Davis Erin Anderson from METRO Library Council and I’ve been having a great time talking to friends and colleagues about the thornier issues around data privacy and information security. This time is no different. I’m pleased to welcome back one of my favorite colleagues and friends, Daniel Ayala. Dan, as you know, I usually open these videos with a spooky scary story about data privacy, but I’m more than happy to give you the honor. So if you could please share a bit about yourself and then you can borrow my flashlight for your own data privacy scary story.

Dan: Hey Davis. It’s great to be back for another series of NYC Digital Safety. I’m a career information security and privacy practitioner. I started out protecting networks and workstations and servers and I’ve spent the last 27 years on things like fixing system vulnerabilities, incident response, identity and access, and security strategy. About 10 years ago, I picked up privacy into my roles, too, and I love having these two things together because good security is required to enact good data protection, which is sometimes what we call privacy here in the U.S., but also that security and privacy sometimes tug at each other, so having to find the balance between them means having to really understand both sides to make the best decision for any particular situation.

So I mentioned incident response was one of my roles in my past, and that means detecting what happened when there’s some kind of an attack, and then figuring out why and how it happened. While I can’t go into a lot of detail, I can tell you that this means that I’ve seen some events that have reminded me why it’s so important to educate and constantly be aware of what’s going on around you. Imagine coming into your work one day, and the system you’ve used every day and has all your work on it is found with a screen that says “this system has been encrypted and you must pay x dollars to get it back,” where x is a number that’s way larger than you can or want to afford, and your life’s work is on that machine, and you haven’t been backing up your data to a place where it couldn’t be touched by such a thing, and you have a deadline coming up soon. What do you do?

Unfortunately, this is a common refrain from people that experience ransomware firsthand and have to find their way back from it, either individually or across a whole organization. And I’m sure we’ll talk lots about this throughout the next episodes in this series.

Davis: Dan, that sounds super scary and stressful, so thanks for sharing that with us. You’re totally right: in this series of videos, we’re going to get into it. What’s malware? What makes our devices and us as human people vulnerable to it? And how this is a social problem as well as a technical one. So stay tuned for our next episode where we’ll cover how and why malware happens.

Contributor Bios

  • Daniel Ayala is a leader in the fields of information security, risk, and data privacy. He is Chief Security and Trust Officer at Dotmatics, hosts The Great Security Debate Podcast, and founded Mentor Core, an organization that seeks to bring together mentors and protégés from across the risk and compliance profession. Learn more about Dan's work at https://danielayala.com/.
  • Davis Erin Anderson is Director of Programs and Partnerships at METRO Library Council.