Archive for RB

Social Engineering Terms

Social engineering means manipulating a person to gain access without authorization. Practically speaking, it’s a blanket term for non-technical hacking. FierceITSecurity gives the classic example: a hacker calls the target and pretends to be “from the IT department,” getting the target to divulge a password or other sensitive corporate information.

Derek C. Slater at FierceITSecurity discusses a short list of social engineering terms with Chris Hadnagy, author of the book “Unmasking the Social Engineer: The Human Element of Security.” Hadnagy explained that some of the terms below aren’t social engineering per se, but they are related to the same goal: gaining unauthorized access to information, systems, and facilities through deception and other non-technical means.

In his Social Engineering course, Mr. Hadnagy tells participants that one goal is that every target “will be glad to see them,” because the social engineering methods covered seem friendly, not antagonistic. “It’s amazing how much information people will give you if you’re just nice to them,” he says. “Con men don’t look malicious–they’re the guys with the biggest smiles.”

Social Engineering terms

Confidence trick: The ‘con’ in “con man” refers to gaining the confidence of the target before attempting to exploit him. Examples: the movie Grifters with John Cusack, and every Ponzi scheme from Charles Ponzi himself on through to Bernie Madoff and whoever’s doing it now. And somebody’s doing it now, the article warns.

Amygdala hijacking: Your amygdala is the part of your brain that manages decision-making and emotional responses. “Amygdala hijacking” in the social engineering context means putting the target emotionally off-balance by causing stress, or contacting the person during an unusually stressful time, according to Hadnagy. That means the target is less rational and more vulnerable to exploitation.

Example: Friday at 4:30 pm, or the day before holiday vacation starts, many employees–not you or me, obviously–are anxious to get out of the office. That’s a perfect time for a pretexting call (see below) or a hacker-simulated crisis, putting the target further off-balance and making them more likely to do whatever is expedient–giving information over the phone or via email to make the “crisis” go away.

Elicitation: means getting information without asking for it directly.

Influencing: Mr. Hadnagy says influencing means provoking a desired response from the target “while getting them to think it’s their idea.”

Manipulation: involves getting the target to perform the desired action, regardless of whose idea they think it is. Unlike influence, manipulation could involve a direct or implied threat, for example.

Pretexting: By Mr. Hadnagy’s definition, pretexting is equivalent to method acting. The social engineer doesn’t just say “I’m Bob”–he becomes Bob.

Example: Contracted to test one company’s defenses, Hadnagy gained access to various facilities by posing as Paul the Pest Inspector. “I had the uniform with the name patch, I had Paul’s business cards, and for a day before the event, my team was calling me ‘Paul’,” he says.

Phishing: is the use of email as a conduit for social engineering attacks.

Example: Know those emails that start “I’m Prince Phillip and I need help transferring my royal fortune to an American bank”–the venerable so-called 419 or Nigerian scam? People still fall for those. It’s a phishing attack and an example of a confidence scam.

Spear-phishing: Spear-phishing is a more targeted form of phishing. Instead of blasting that “I’m a Prince” email to everyone with an email address, a spear-phishing attack is personalized to reach a small group or individual.

Example: A hacker identifies a target, Fred, and finds personal details, professional connections, and current project information via Fred’s LinkedIn profile. He then sends the target an email that is correctly addressed to Fred, appears to come from a real colleague, and references specific project details. Fred is much more likely to click on malicious links or open attachments in this email than he is likely to respond to Prince Phillip spam.

These next four terms don’t involve deception. However, they’re all important non-technical information attacks and can work in concert with social engineering efforts.

Harvesting – is using publicly available sources–particularly on social media, these days–to gather information about a target for later use in social engineering.

Dumpster diving – means what it sounds like: rooting through the trash to find discarded papers or items with valuable information. This is less glamorous than social engineering, but it’s also a useful form of harvesting and doesn’t need human interaction. (rb- I have covered the dangers of dumpster diving on Bach Seat since 2010.)

Shoulder surfing – means reading sensitive information on-screen and over the shoulder of a legitimate user.

Tailgating – is the ancient practice of going through a physical access point on the heels of someone who has an access card, key, or entry code. Catching the door before it shuts behind them, as it were.

rb-

Whether it is your home or corporate email account, social engineering is dangerous. Being educated about the risks of social engineering is critical. The next time someone reaches out via email or the phone, take a second and ask a few questions before you give away your digital identity, unless of course they also have a candy bar.


Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

No More POTS!

A.G. Bell‘s question to Watson over a century ago may be relevant again. Tom Nolle at No Jitter explains how that can happen if the FCC expedites the transition to VoIP. Mr. Nolle, the founder of CIMI Corporation, does not think that the basic quality of voice service is at risk. He does believe there are some truly profound consequences to a decision to abandon TDM voice. Since he believes it will happen, it’s smart to think about the end of POTS as it relates to both opportunities and risks.

Telecommunications has long been more than analog voice and copper loops. The author points out that regulations have stayed in the “TDM” Dark Ages. Operators like AT&T (T) have demanded the FCC modernize things. To deal with these issues, the FCC bundled its transitions (TDM-to-VoIP, fixed to mobile, copper to fiber) into a single Technology Transition Policy Task Force. The recommendations from that activity will hopefully launch experiments in promoting change while controlling the risk of unfavorable impacts. The recommendations of the TTPTF (quite the acronym!) are posted online (PDF), and he says it’s a clarion call for change. So instead of talking about the process, let’s look at the impact.

Who still uses TDM

Mr. Nolle, the CIMI principal consultant, estimates that 40% of US households still have TDM voice. Businesses have a higher TDM commitment. The article says that nearly 70% of business voice is still TDM. Suppose we saw TDM voice go away completely; what would happen?

First, there is little besides voice that requires TDM services and trunks. He says that means we would see all access lines and trunks transition to packet–almost certainly to Ethernet. The author says this could increase the number of Ethernet business connections by about 28%. It would also likely increase the access bandwidth commitments by branch offices and SMBs (using DSL, fiber, cable, etc.) by over 50%. Metro and access vendors would benefit from this almost immediately because it’s likely that operators would start to promote Ethernet access and IP voice more strongly as soon as the “experiments” showed signs of success.

Operators already like the notion of an “access-first” strategy where they supply a fat pipe to a customer and then build ad hoc services over it. Ethernet or packet access encourages that, so giving that to everyone would drive operators quickly to look for rapid service deployment tools so that they don’t lose all the new access-generated opportunities to the over-the-top players (OTTs). The author believes that operator interest in software defined networks (SDN) and network functions virtualization (NFV) is linked to this very thing. After all, it’s silly to talk about “improved service velocity” if you have to restring an access connection to upgrade service.

Impact on Internet policy

The second impact Mr. Nolle sees is on Internet policy. This voice transition raises the question of the difference between “packet” or “IP” and “the Internet”. You can do VoIP over any IP, including private networking. That’s done with a lot of IP voice today, in fact. Operators could in theory augment their services to customers by building IP services that bypass the Internet, but that would pose issues in linking the services to current devices in the home or in businesses. OTTs would surely want to get involved in any new service opportunity, and all that raises the triple-threat question of QoS, settlement, and Net Neutrality.

There’s no barrier to QoS in “private” IP networks, but on the Internet, the Net Neutrality order last year said that you could offer QoS only if the subscriber pays for it. Most practical Internet QoS opportunities arise because an OTT like Netflix (NFLX) could gain by offering QoS to customers. They’d pay the ISPs and either embed the cost or perhaps eat it to improve their differentiation. But the FCC said “No!” Now the new FCC Chairman, Tom Wheeler, says “Perhaps”–at least he did in a speech to a university audience. If that were to become policy, it would likely drive QoS for Internet services, and that would drive settlement among ISPs and content players.

Settlement has been a big issue for the Internet since the 1990s. Customers pay their own ISP, so if there’s no money flow from that ISP to others, QoS stops where the ISP hands off the traffic. That’s inhibited the value of the Internet for applications that need QoS, but it perhaps encouraged smaller players and startups who couldn’t pay like Google (GOOG) or Netflix could. Whether this small-player benefit is more for VCs who then have to raise less funding to get an OTT off the ground is an interesting question–but in any event, adding settlement and QoS to the Internet would almost certainly increase operator interest in providing service quality for a fee, which in turn would increase network investment, helping equipment vendors and carriers alike. In short, it would change the industry.

Mr. Nolle concludes that VoIP could be a back door to making the Internet a real network and not a service on top of carrier IP infrastructure. That could remake our experiences online, and the vendors’ fortunes in the marketplace. So watch the progress of this initiative; it could have huge impacts.

rb-

ATT has already made its move to get rid of POTS lines in Michigan. ATT has bribed gotten politicians in Lansing to introduce Senate Bill 636. Michigan SB 636 would amend the Michigan Telecommunications Act (PDF) to let ATT and their fellow travelers eliminate POTS lines in Michigan.

Melissa Seifert, associate state director for government affairs for AARP Michigan says eliminating POTS lines in the Great Lakes State would impact many people. It would affect small-business owners who use fax machines and credit card verification systems, she said, as well as emergency services in parts of the state where cell phone access is unreliable. According to the Michigan Public Service Commission, roughly 3 million Michiganders subscribe to landline service. About 90 percent of households of folks ages 65 and older still use landlines for “lifelines.”


Non-Compete Clauses Hurt Worker Productivity

Jeff John Roberts at GigaOM writes about research published in Harvard Business Review that says non-compete clauses, which limit workers’ ability to move from one firm to another, may do more harm than good. The research suggests that workers are less motivated and perform worse when subjected to terms that limit their job mobility.

The study paid online participants to search matrices for numbers that add up to ten. The article explains that among a sub-group of people subjected to a mock non-compete clause, 61 percent decided to drop out and forgo the money, compared to 41 percent in a control group. The non-compete group also performed much worse at the task, making mistakes at twice the rate of the others. According to the authors of the study:

We believe that limits on future employment not only dim workers’ external prospects but also decrease their perceived ownership of their jobs, sapping their desire to exert themselves and develop their skills. The resulting drop in performance may be more damaging to companies than the actual loss of the employees would be.

Mr. Roberts concludes that the findings could carry big implications for the American workforce, where more than half of engineers and 70 percent of executives are reportedly subject to non-compete clauses.

The study authors also say that existing research shows higher levels of innovation and productivity in regions that outlaw limits on worker mobility.

Silicon Valley and California stand out in this area. Courts there have explicitly banned non-compete clauses on public policy grounds, a situation that makes it easy for companies to poach each others’ employees.

rb-

I’m not a lawyer, so get your own legal counsel, but I can google and it seems that enforcing or challenging the enforceability of a non-compete agreement under Michigan law invariably boils down to four issues:

  1. Do the non-compete clauses protect a legitimate business interest?
  2. Is the duration reasonable?
  3. Is the geographical restriction reasonable?
  4. Is the type of employment or line of work restriction reasonable?

Project Manager Shortage Predicted

Organizations may soon find themselves short of project managers. The shortage will put them at a great disadvantage as the economy continues to recover, according to David Weldon at FierceCIO. The article cites the recent ESI International 2013 Project Manager Salary and Development Survey.

The project management training company surveyed 1,800 project managers in 12 different industries in the U.S. and found, “Budget constraints, an aging base of professionals and a looming talent war all contribute to a talent crisis that should be addressed from the highest levels of the organization,” Mark Bashrum, VP at ESI, told CIO.com. The ESI VP continued, “The growing needs of businesses demand a more strategic view of the staffing, development, and promotion of their project managers since project execution impacts an organization’s bottom line and its ability to satisfy its customers.”

CIO.com says the study identified three primary factors for the project manager shortage:

  1. As the economy rebounds, many organizations are growing. In and of itself, growth is a good thing for businesses, but growth means more markets, more products, and more systems and that means more projects for which there aren’t enough PMs.
  2. Many project managers are reaching retirement age and leaving the workforce. According to the Project Management Institute (PMI), 60 percent of their members are over the age of 40. “This is a real problem because these are the people who understand the business,” says Mr. Bashrum. “Over the years they have not only acquired project management skills, but also an understanding of their industry and their organization; knowledge which is not easily replaced.”
  3. Many organizations have stopped actively developing their existing project manager talent due to reductions in training budgets. “In many cases, this means they have very little in the way of ‘bench strength’ and do not have a qualified group of mid-level project managers ready to move up to the senior ranks as project demand increases,” he says.

The problem is especially severe for senior-level project managers, either because companies haven’t hired enough in the job market, or haven’t developed enough among internal staff.

“Add to that the larger issues of shortsighted hiring practices, a lack of competency planning, and a reduced focus on training and development, and many companies’ business objectives are at risk,” the article notes.

Mr. Bashrum says the survey found it can take up to 10 months to bring an otherwise experienced project manager up to speed in a new organization. He also told CIO.com the specifics are different for each organization, but in general, Bashrum says business acumen and communication skills are at the top of the list. He adds that negotiation skills, critical thinking, and problem-solving skills are also extremely important.

rb-

The study seems to say that demand has steadily been increasing while supply has been flat, which should mean higher salaries for all PMs, but even more so for specific industries and for senior PMs.


Limit Admin Rights to Close Microsoft Holes

It’s been best practice for a very long time: all users and processes should run with the fewest privileges necessary. That means no Admin rights for users. This limits the damage that can be done by an attacker if the user or process is compromised.

ZDNet says that running users without admin rights on Microsoft (MSFT) Windows XP was generally impractical. It is a much more reasonable and manageable approach on Windows Vista, Windows 7, and Windows 8, but many organizations still run users as administrators because it makes things easier in the short term.

Impact of running with “least privilege”

ZDNet cites a new study from UK software company Avecto which demonstrates the real-world impact of running with “least privilege”. In 2013, Microsoft released 106 security bulletins and updates to address the 333 vulnerabilities identified in them. 200 of the 333 total vulnerabilities would be mitigated if the user were not running as administrator. 147 of the vulnerabilities were designated critical; 92 percent (135) of these would be mitigated.

Dark Reading says that the Avecto results also revealed that removing admin rights would also mitigate:

  • 91% of critical vulnerabilities affecting Microsoft Office,
  • 96% of critical vulnerabilities affecting Windows operating systems,
  • 100% of vulnerabilities in Internet Explorer and
  • 100% of critical remote code execution vulnerabilities.

Figure: Breakdown of Microsoft Vulnerability Impact in 2013

Avecto told ZDNet that non-administrator users can still be compromised, but it’s much less likely that they would be and, if they were, the impact would likely be greatly limited. Least privilege is most effective as part of a more comprehensive security architecture including the prompt application of updates to patch vulnerabilities.

Paul Kenyon, co-founder, and EVP of Avecto told Dark Reading, “This analysis focuses purely on known vulnerabilities, and cybercriminals will be quick to take advantage of bugs that are unknown to vendors. Defending against these unknown threats is difficult, but removing admin rights is the most effective way to do so.”

rb-

Employees with admin rights can install, modify and delete software and files as well as change system settings, making more work for the help desk folks. The report demonstrates that many companies are still not fully aware of how many admin users they have and consequently face an unknown and unquantified security threat. It is also conceivable that privilege management would have made high-profile attacks such as the recent one on Target, if not impossible, then much harder, by reducing the potential for the abuse of partner access, believed to have been at the heart of the breach.
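The first step toward least privilege is knowing who actually holds admin rights on a machine. The script below is an added example, not from the ZDNet, Dark Reading or Avecto material; it uses the WinNT ADSI provider (available from Windows XP onward) to list every member of the local Administrators group and flag the ones beyond the built-in defaults. It assumes it is run in an elevated PowerShell session on the host being audited.

```powershell
# Added example: enumerate local Administrators group membership so the
# "how many admin users do we have?" question has a concrete answer.
# Assumption: run elevated on the host being audited (or pass -ComputerName).

function Get-LocalAdminMembers {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # WinNT provider works on XP/Vista/7/8 as well as current releases.
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"

    foreach ($member in @($group.psbase.Invoke('Members'))) {
        # Members come back as raw COM objects; read their IADs properties via reflection.
        $name  = $member.GetType().InvokeMember('Name',    'GetProperty', $null, $member, $null)
        $path  = $member.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $member, $null)
        $class = $member.GetType().InvokeMember('Class',   'GetProperty', $null, $member, $null)

        # AdsPath looks like WinNT://DOMAIN/name or WinNT://COMPUTER/name;
        # the first path element tells us whether the account is local or domain-based.
        $source = (($path -replace '^WinNT://', '') -split '/')[0]

        [pscustomobject]@{
            Account = "$source\$name"
            Type    = $class                         # 'User' or 'Group'
            IsLocal = ($source -ieq $ComputerName)
            # The built-in Administrator account and Domain Admins are expected;
            # everything else is a candidate for removal under least privilege.
            BuiltIn = ($name -ieq 'Administrator' -or $name -ieq 'Domain Admins')
        }
    }
}

$admins = @(Get-LocalAdminMembers)
$admins | Format-Table -AutoSize

$extra = @($admins | Where-Object { -not $_.BuiltIn })
Write-Host ("{0} member(s) of Administrators; {1} beyond the built-in defaults" -f $admins.Count, $extra.Count)
```

Nested groups (for example a domain group placed in local Administrators) are reported as a single Group entry; expand them separately to see the individual accounts they grant admin rights to.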
