Fish hack, no seriously...


Credit: Getty Images. NB. not the actual fish involved

We have talked about phishing before and warned you of the dangers of phishing emails that spread malware, ransomware and other toxic payloads. Today however we are talking fish. Actual fish.

It was never going to be long before the obsession with web-enabling everything from air conditioning to kettles caused a bit of a problem. In this case, a web-enabled fish tank (stay with us) in a casino was hacked and, using the ‘smart tank’s’ network connection, criminals moved through the casino’s network and stole data…

If you are considering the use of web-enabled equipment, including any animal enclosures, please risk assess it thoroughly and please protect it properly from fishers, phishers and other cyber botherers. Criminals will head for the point of least resistance every time, and you need to know where that is before they do.
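As an added illustration (this is not code from the original post or from Advent IM), the check below applies the lesson of the tank incident: a web-enabled device should only ever speak to its own controller, so any other connection it initiates is worth an alert. The device addresses, allow-list and flow records are constructed for the example.

```python
"""Flag a web-enabled (IoT) device that starts talking to hosts it has no
business reaching, which is how the casino's 'smart tank' was abused.
All addresses and flow records here are constructed for illustration."""
from ipaddress import ip_address, ip_network

# Hypothetical allow-list: each monitored IoT device may only initiate
# connections to the destinations listed (its vendor cloud controller).
ALLOWED = {
    "10.10.50.20": {"203.0.113.10"},   # 'smart tank' -> vendor cloud service
}
INTERNAL = ip_network("10.0.0.0/8")    # the casino's internal address space

# Constructed flow records: "src dst dst_port"
FLOWS = [
    "10.10.50.20 203.0.113.10 443",    # expected: tank to its controller
    "10.10.50.20 10.10.10.5 445",      # tank reaching an internal file server
    "10.10.50.20 10.10.10.7 1433",     # tank reaching an internal database
    "10.10.50.20 198.51.100.9 443",    # tank talking to an unknown external host
    "10.10.10.5 10.10.10.7 1433",      # normal server-to-server traffic, ignored
]

def suspicious_flows(flows, allowed=ALLOWED, internal=INTERNAL):
    """Return (src, dst, port, reason) for every flow from a monitored IoT
    device to a destination outside its allow-list."""
    findings = []
    for line in flows:
        src, dst, port = line.split()
        if src not in allowed:
            continue                     # not a monitored IoT device
        if dst in allowed[src]:
            continue                     # an expected destination
        if ip_address(dst) in internal:
            reason = "internal host outside allow-list (possible lateral movement)"
        else:
            reason = "unexpected external destination (possible data theft)"
        findings.append((src, dst, int(port), reason))
    return findings

if __name__ == "__main__":
    for finding in suspicious_flows(FLOWS):
        print(*finding)
```

In practice the flow records would come from a firewall or NetFlow export, and the allow-list from the risk assessment the post asks for.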

If you want to view some free content of ours on cyber protection, head over here.


What is Social Engineering?

Social Engineering – If you don’t work in either the security or IT industry, you may wonder what the term means and whether it poses any real threat to your organisation. If you have heard the term, then assuming it is an IT issue in isolation would be a mistake.

Social engineering can be likened to a hacking attack against an information system, where a tool is used to probe the system and exploit a vulnerability. In the case of social engineering, human attackers use guile, perhaps inside knowledge, or just plain bluff to try to penetrate the defences of an individual and obtain information they are not entitled to. In other words, they hack information, or access to it, out of a person rather than a system.

More often than not, attacks to obtain information, including sensitive personal data, are targeted at organisations by manipulating unsuspecting staff into willingly handing it over. The staff member has usually been duped into passing information to someone they do not know, believing the request to be legitimate.

The ability of an attacker to develop a rapport with the target is important. Combined with some inside knowledge, acquired through research or from an insider, it will often pay dividends by establishing the familiarity that puts front-line staff off their guard. Particularly vulnerable are those at the “coal-face” – customer-facing staff such as receptionists, telephone exchange or help-desk support staff.

The approaches are often apparently innocent in nature: the attacker could pose as a new or former employee exchanging gossip or advice, and may request help, perhaps with a lost password. The attacks are insidious and over time may yield nuggets of information about the organisation or the individuals within it.

Another example is where access to a particular site is sought. An attacker may try to gain entry by telling reception that they have a box to deliver to a named individual whom research has identified as working on the site. Reception may be busy, or the attacker may pick his moment by observing reception from a distance to find the right opportunity. When challenged, the suggestion that “it’s OK, I know where he is and I need a signature anyway” will often create the familiarity that grants the intruder access.

As described above, social engineering is often linked to insider attacks, since the majority of physical or electronic attacks can be assisted in some way by an insider. That little titbit of inside knowledge is what gets the attacker past the initial security perimeter, be it verbal or physical.

Human nature allows social engineering to develop and become increasingly sophisticated, as well as increasingly technical. It is essential for all organisations, but particularly those holding sensitive or valuable assets, to ensure that front-line staff receive regular training so that they are aware of the threat and alert to the attack techniques.

Betfair and the 3.15 million stolen account details


It’s ten days since Betfair’s Director of Security, Sean Catlett, fell on his sword after the frankly unbelievable data breach at Betfair. In those ten days everyone has talked about the fact that it was hushed up because of Betfair’s impending float on the London Stock Exchange in October 2010. But that’s hardly surprising, is it? The key point is that it happened. Not going public is a matter for Betfair and its shareholders, who bought their shares in good faith, blissfully unaware of the theft of millions of credit card details. The point is, this is an online gambling business – securing their customers’ card details is critical. How did it happen?

We are now ten days on and I am quite surprised that there has been no hysterical mainstream media coverage. In fact, only the Telegraph seems to have paid it much attention. I realise there has been some stiff competition for news coverage of data breaches: the NHS seems to have managed the most column inches, a dubious distinction, and Sony are challenging with their lockdown yesterday – all of these have been widely reported. I wonder if editors are becoming tired of reporting such breaches, as they appear to be happening with monotonous regularity.

Another source of confusion for us here at Advent IM, as security consultants, was that Betfair held ISO27001 certification and, we are presuming (a dangerous thing to do), were/are fully PCI compliant. One wonders, then, what kind of ongoing compliance checking was happening. Gaining accreditation is important, of course it is, but it’s only the first step on the route to risk-managed data security. Threats change all the time, and complacency can lead to situations like 3.15 million credit card details being stolen.

Continual checking, refinement and improvement are the mark of a good-quality security policy, whether under ISO27001 or PCI compliance. Complacency invalidates the work required to gain accreditation and secures very little.