Jennifer Raby

Oct 14, 2013

Hacking Your Mind
Cyber criminals have learned that the easiest way to take control of your computer or
steal your information is to simply ask. Use common sense. If a person or a message
seems suspicious or too good to be true, it may be an attack.

The Attack
Today, much of your interaction with other people is done virtually; you no longer need to be in physical contact to communicate. You talk to people on the phone, chat with them via instant messaging, send SMS messages on your smartphone or communicate with email. These technologies have made it much easier to communicate and work with people from around the world. However, these technologies also make it much easier for cyber criminals to launch one of their most effective attacks against you: social engineering.

Social engineering is not a technical attack, meaning it does not exploit vulnerabilities in your computer. Instead, it is a psychological attack that exploits vulnerabilities in you. Cyber criminals build trust by pretending to be a person or organization you know. They then exploit this trust to obtain whatever they want, such as access to your computer, your money or your information. Cyber criminals have learned that often the easiest way to steal something is to simply ask for it. Social engineering attacks use the same tools you use every day, including email, smartphones and the web.

Protecting Yourself
Social engineering attacks are the hardest to protect against because technology alone cannot solve the problem. You are the best defense. Understand that you are a target and that cyber criminals will use any technique they can to fool or trick you. The simplest way to protect yourself is to use common sense. If an email, message on Facebook or phone call seems suspicious or sounds too good to be true, it is most likely an attack. Below are several common social engineering attacks.

Malicious Email
You receive an email from your bank saying that your account has been locked for security reasons. You must log into your account and reset it right away or you will be permanently locked out. The email then provides a link for you to click on. If you click on the link you are taken to a website that looks just like your bank's. However, in reality this is a fake website controlled by the hackers, whose goal is to harvest your username and password when you log in. In some cases, instead of sending you to a website to steal your username and password, they send you to a website that will automatically hack into and infect your computer. The best way to protect yourself is not to click on any links in emails you were not expecting. If you are concerned that the email may be legitimate, open your browser, type in the URL to your bank yourself and then log in instead of clicking on the link. That way you know for sure you are connected to your real bank.
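One automated check for the link trick described above, added here as an example and not part of the SANS newsletter: it parses the links in an HTML email body and flags any whose real target is outside a trusted domain, or whose visible text shows a different domain than the link actually points to. The sample email body and the trusted-domain list are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body (not from the newsletter): the visible text
# looks like the bank's URL, but the href points to a look-alike host.
SAMPLE_EMAIL_HTML = """<p>Your account has been locked. Please visit
<a href="http://example-bank.com.verify-login.net/reset">https://www.example-bank.com/login</a>
to reset it now, or read <a href="https://www.example-bank.com/help">our help page</a>.</p>"""

# Hypothetical: the domain the recipient knows belongs to the real bank.
TRUSTED_DOMAINS = {"example-bank.com"}


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    # Crude approximation of the registrable domain: keep the last two labels.
    return ".".join((host or "").lower().rstrip(".").split(".")[-2:])


def suspicious_links(html_body, trusted=TRUSTED_DOMAINS):
    """Return (href, reason) for links whose visible URL text disagrees with
    the real target, or whose target lies outside the trusted domains."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        target = registered_domain(urlparse(href).hostname)
        shown = urlparse(text).hostname if text.startswith("http") else None
        if shown and registered_domain(shown) != target:
            findings.append((href, "visible URL text does not match the real link"))
        elif target not in trusted:
            findings.append((href, f"target domain {target!r} is not trusted"))
    return findings
```

The same comparison is what a user does by hand when they type the bank's URL themselves instead of clicking: the destination that matters is the real target, not the text shown.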

You receive a text message on your smartphone announcing you have won the lottery. To collect your lottery winnings you must contact a person and provide them your banking information. When you contact the person they explain that to receive your lottery winnings you must first pay a transaction fee or taxes. Once you provide your information and pay the fees, the cyber criminals disappear with your money and information, never to be seen again. The simplest way to protect yourself is to simply ignore and delete the message.

Your friend posts on her Facebook page that she is on vacation in London and has just been mugged. She needs someone to send her money right away so she can get back home. However, this is a lie; your friend is not really on vacation, nor has she been mugged. Instead, a cyber criminal has hacked into her Facebook account and posted this fake message in an attempt to scam money from her friends, such as you. In this case, the best way to protect yourself would be to call your friend on the phone and confirm whether she needs help.

Tech Support Scam
You receive a phone call from someone claiming to be from a computer support company. They say they believe your computer is infected and have been tasked to investigate and help you secure your computer. They then ask you whether specific files are on your computer and tell you how to find them. When you locate the files on your computer, the caller confirms your computer is infected. In reality this is all a lie: your computer is not infected, and these files are standard files that every computer has.

Once they have you fooled into believing your computer is infected, they will pressure you into buying their security software. However, this software is really a virus that gives them total control of your computer. In the end, not only has the caller tricked you into infecting your computer for them, but you have just paid them to do it.

Print this newsletter: Module02-SocialEngineering-Newsletter

© The SANS Institute 2013  /  Used with permission from The SANS Institute.


Oct 03, 2013

Many people mistakenly believe they are not a target and their information or computer has no value. However, your personal information and your computer have tremendous value. In fact, you are one of the cyber criminal’s primary targets.

Crime has existed for thousands of years, and attacks such as fraud, identity theft, and extortion are very common. However, the Internet has made these crimes much more profitable, much simpler to commit, and far less risky for the criminal.

Before the Internet, criminals could only steal what they physically had access to. Today, criminals use the Internet to target millions of people worldwide, twenty-four hours a day, seven days a week. And they now have access to sophisticated tools that automate these attacks — meaning you are constantly under attack by thousands of worldwide criminals.

The simplest way to hack into an organization is by targeting its employees. Unaware employees are the greatest weakness because they make common mistakes, such as clicking on malicious links or using infected USB sticks. As a result of these mistakes, you have become a primary target.

The first step is to understand you are a target. Too often, people believe no one would want to attack them because they have nothing of value. As a result, they do not take the necessary steps to protect themselves, their family, or their information.

In this newsletter, we explain why you are a target and how cyber criminals can find and attack you. By understanding how these threats operate, you will be able to better defend yourself, and we will teach you some fundamental concepts on how you can protect yourself, your family, and our organization.

How and Why Cyber Criminals Find You
Cyber criminals are out to make money — their goal is to make as much money as possible as fast as possible. Once a cyber criminal infects your computer or steals your information, they can then use that information to commit identity theft and fraud, or they can sell your information to other cyber criminals. Cyber criminals will often attempt to not only steal your personal information, but will try to hack you to get into your organization.

The easiest way to accomplish this is to target everyone in the world. If you have an email address, bank account, or computer or mobile device connected to the Internet, you can be attacked. Attackers achieve this by using highly sophisticated tools that fully automate the process of hacking. For example, cyber criminals can scan every computer and mobile device connected to the Internet, and, if they find any system vulnerable, they will automatically hack into it.

Another approach attackers use is building (or purchasing) a database of millions of email addresses. Criminals will craft email attacks and send those emails to every address in the database. Unfortunately, the number of emails cyber criminals have access to is constantly growing. Every time they hack into an organization, they steal email addresses and use them for future attacks, or sell those email accounts to other cyber criminals.

Cyber Crime Is Highly Organized
Over the past decade, cyber criminals have become more and more sophisticated. When cyber criminals first appeared, they often worked alone. They had to build their own attack tools, manually find and hack into computers, send out spam, steal account information, and transfer or wire stolen money all by themselves.

Today’s cyber criminals are far more sophisticated. Each criminal now has their own specific field of expertise, and working together, they have developed their own highly organized community. One group is dedicated to developing and supporting sophisticated attack tools. Another group specializes in hacking into other computers or stealing personal information. Others work to sell compromised computers or stolen bank accounts, while an entirely different group transfers and launders stolen money.

An entire cybercrime economy has emerged, which is constantly improving its tactics and becoming more effective and efficient in making money every day. These criminals form a highly sophisticated threat, one that will be with us for many years to come.

Print this newsletter: Module01-YouAreTheTarget-Newsletter

© The SANS Institute 2013  /  Used with permission from The SANS Institute.


Oct 01, 2013

This is a public awareness campaign that is sponsored by the Department of Homeland Security and supported by private and public organizations alike, including many institutions of higher education.

During the month of October, the ITCS IT Security team will be reaching out to the ECU community to raise awareness of the threats to our personal information and to share best practices for protecting ourselves online. IT Security will dedicate each week of October to a different cyber security issue:

Week 1 – You Are the Target: Explore why you ARE a target in the digital world and how to protect yourself online at work and at home.

Week 2 – Social Engineering: How to identify and respond to social engineering attacks, both technical and non-technical.

Week 3 – Social Networking: Weigh the risks of posting your private information on social networking sites, such as Facebook and LinkedIn, and learn helpful steps to protect yourself and the University online.

Week 4 – Passwords: Explore the value of strong passwords and protecting your passwords from others.

Stay tuned!