Thursday 30 January 2014

The Art of Deception - A Book by Kevin Mitnick

The Art of Deception - Controlling the Human Element of Security by Kevin D. Mitnick.


I've always enjoyed reading about the art of social engineering, and I even wrote an article for Pentestmag entitled "Social Engineering: Penetration Testing the Human Element" back in 2013. So I got this book from Amazon and yes, Kevin goes in depth into this art, sharing scenarios and ways to prevent such things from happening.

Here are some of the contents that interest me.

On Stanley Rifkin

"A few days later Rifkin flew to Switzerland, picked up his cash, and handed over $8 million to a Russian agency for a pile of diamonds. He flew back, passing through U.S. Customs with the stones hidden in a money belt. He had pulled off the biggest bank heist in history-and done it without using a gun, even without a computer. Oddly, his caper eventually made it into the pages of the Guinness Book of World Records in the category of "biggest computer fraud." Stanley Rifkin had used the art of deception-the skills and techniques that are today called social engineering. Thorough planning and a good gift of gab is all it really took. And that's what this book is about - the techniques of social engineering and how to defend against their being used at your company."


On Passwords
"On the surface this appears to be a simple message to get across to employees. It's not, because to appreciate this idea requires that employees grasp how a simple act like changing a password can lead to a security compromise. You can tell a child "Look both ways before crossing the street," but until the child understands why that's important, you're relying on blind obedience. And rules requiring blind obedience are typically ignored or forgotten."

Educating Cleaners and Piggybacking
"Also, cleaning crews should be trained about piggybacking techniques (unauthorized persons following an authorized person into a secure entrance). They should also be trained not to allow another person to follow them into the building just because the person looks like they might be an employee."

On Security vs Productivity
"Of course, corporate security policy should mandate system administrators to enforce security policy through technical means whenever possible, with the goal of not relying on fallible humans any more than necessary. It's a no-brainer that when you limit the number of successive invalid login attempts to a particular account, for example, you make an attacker's life significantly more difficult.

Every organization faces that uneasy balance between strong security and employee productivity, which leads some employees to ignore security policies, not accepting how essential these safeguards are for protecting the integrity of sensitive corporate information."

On using the power of Authority
"Because Kurt was pretexting as a vice president in his conversation with Anna, a clerk in Finance, he knew that it would be very unlikely that she would question his authority. On the contrary, she might entertain the thought that helping a VP could gain her favor."

A Potential Fatal Mistake
"The nurses who received these instructions did not know the caller. They did not even know whether he was really a doctor (he was not). They received the instructions for the prescription by telephone, which was a violation of hospital policy. The drug they were told to administer was not authorized for use on the wards, and the dosage they were told to administer was twice the maximum daily dosage, and thus could have endangered the life of the patient."

Double Standards on Spyware?
"Antivirus software doesn't detect commercial spyware, thereby treating the software as not malicious even though the intent is to spy on other people. So the computer equivalent of wiretapping goes unnoticed, creating the risk that each of us might be under illegal surveillance at any time. Of course, the antivirus software manufacturers may argue that spyware can be used for legitimate purposes, and therefore should not be treated as malicious. But the developers of certain tools once used by the hacking community, which are now being freely distributed or sold as security-related software, are nonetheless treated as malicious code. There's a double standard here, and I'm left wondering why."

On Baiting the Victims
"The attacker sends emails claiming that the first 500 people to register at the company's new Web site will win free tickets to a hot new movie. When an unsuspecting employee registers at the site, he is asked to provide his company email address and to choose a password. Many people, motivated by convenience, have the propensity to use the same or a similar password on every computer system they use. Taking advantage of this, the attacker then attempts to compromise the target's work and home computer systems with the username and password that have been entered during the Web site registration process."


On the need to challenge the executives
"Employees must be trained not to assist people they do not personally know, even if the person making the request claims to be an executive. Once security policies concerning verification have been put in place, management must support employees in adhering to these policies, even when it means that an employee challenges a member of the executive staff who is asking the employee to circumvent a security policy."

Wednesday 22 January 2014

SANS Holiday Hack Challenge 2013 - Honorable Mention


So last year, I was introduced to this Holiday Hack Challenge organized by SANS and I took part in it. With a career as an Ethical Hacker and a degree in Cyber Forensics, I took this challenge to see how I could exploit my knowledge to answer it.

Well, it wasn't easy, of course. Given just a PCAP file, I needed to analyze it, figure out the chain of events, create hypotheses, find evidence of attacks and finally suggest solutions on how to prevent them.

I spent over 3-5 nights using various PCAP analysis tools such as Wireshark, Network Miner, Xplico and Netwitness Investigator. One of the challenges I faced was the timestamps of the PCAP file. Since this PCAP file was created in the US, I only realized 2 nights later that my computer clock and timezone settings were affecting the chain of events. Once I set it to the US timezone, the chain of events made sense.

After completing the challenge, I submitted it to SANS and the next day, I got a reply from Ed Skoudis! It was a compliment about my submission and it made me very confident about being one of the 4 winners.


When the results were out, I was a little disappointed that I didn't manage to get any of the top 4 positions. I looked at the answers by the winners and I was shocked and satisfied... they were really detailed, diving deep into the technicalities of their analysis. They even managed to find something that I overlooked! A huge KUDOS to them! Truly deserved winners!

But not all was gloomy for me. When I scrolled down to the section 'Honorable Mentions', I was excited to see that my name was among the many other honorable submissions! This is what was mentioned:

"Fadli B. Sidek: Fadli's response was amazingly detailed, lavishly illustrated, and beautifully formatted. It's an awesome entry from an obviously gifted information security analyst who knows how to convey information extremely effectively. This answer also pulls in the little lulzsec cartoon character near the end, to good comedic effect."


It made my day and put me on cloud nine for a while! I was happy that the nights I spent on this got rewarded! Anyhoo, I would like to share the report I submitted to SANS:

Special thanks to Ed Skoudis and the whole SANS team for organizing such a great challenge for all the nerds and geeks out there! Looking forward to participating in more challenges like this!

Wednesday 15 January 2014

Books to Read in 2014

Ordered 5 books from Amazon and they just arrived a few days ago! Will be reading them all and hope to complete them by the end of 2014.


Thursday 9 January 2014

Check If You Have Been Pawned

Adobe made huge news when it was hacked and millions of accounts were compromised. Other companies such as Yahoo and Sony also made the news about their users' accounts being compromised.


There are several sites to check whether your Adobe account has been compromised. Here are 2 of them:


And another one. This one also has a database of hacked accounts from Yahoo, Snapchat, Sony and others besides Adobe.

Monday 6 January 2014

#OpExposeHeatherChua - Uncovering 'Her' McLaren

Here's another analysis of a picture Heather Chua posted claiming that 'she' owns a McLaren.



Let's take a look at this picture. Notice anything? Well, let's look closer shall we?



The First Two Mishaps




The 3rd and 4th Mishaps



Verdict

The plate number that we see here is NOT the original plate. The image of the plate number was deliberately taken, copied and pasted over God knows whose McLaren... And again, 'she' cropped the picture to the point that the whole car could not be seen, so that it can't be searched online for similar images. You can fool many, but not those who have an eye for detail...


Saturday 4 January 2014

#OpExposeHeatherChua - Uncovering 'Her' Bentley

So the self-declared rich, elite, well-to-do 'girl' Heather Chua, who has been posting hate messages on 'her' Facebook account criticizing and insulting the Malays, the ITE students, the middle class and the poor, is now the talk of the town. SMRT Ltd (Feedback), the page made famous by its constant awesome trolling of others, has gone on a personal vendetta to find out who this person actually is.

While I did my fair share of recon on this person, I realized that there have been many others who posted their findings on 'her'. I already suspected 'her' to be a fake profile ever since I came across 'her' profile. To cut the story short, I did my part for the curious Singaporeans by analyzing some of the photos 'she' posted, and here is one of my analyses.

So on the 29th of December, 'she' posted about her Bentley, proudly talking about it on Facebook. Something just caught my eye and prompted me to launch a 30-minute investigation/analysis of this picture she posted.

The Facebook Post and the Picture of 'her' Bentley.

Looks Normal? Well Look Closer....


Focusing on the plate number, I found 3 mishaps


Now that's not all. 'Her' statement below also aroused my suspicion when she said "not only did i shade the number off but i also changed the background colour to another effect so don't bother asking."


The only reason she changed the colour of the background is that she might not want others to cross-reference the image using online forensic image cross-referencing tools. Google allows users to upload any picture and will search its database, based on the colour, background, density and tone of the uploaded image, to see whether similar photos have been uploaded or are located elsewhere. This could also be the reason why 'she' cropped her photos to the point where an image finder couldn't match them against other pictures. Well played, 'Heather'. You might be able to fool some, but you can't trick a trickster.

Oh, and 1 last thing. For a pretty woman who has it all, it's weird for someone like 'her' to spend 80% of her time insulting others on Facebook.

Friday 3 January 2014

Like Dominoes they Fall One by One

Recently I received an email from my wife asking me to help her as she was having financial problems in Norway. The moment I saw that, I knew it was spam. However, when I looked closer, I realized that when I clicked 'Reply', it was addressed to my wife's Yahoo email address. I took a snapshot and sent it to my wife and told her to change her password quickly. That's when my wife told me that she couldn't log in to her email account. Something was fishy.

The next thing I knew, people started calling and messaging her on Facebook. According to the private messages, she was asking people on her friend list for help and money. She got bombarded with calls of concern. To make matters worse, she could not log in to her Facebook or her Hotmail account either.

30 minutes later, we realized that she had been hacked! And she was not the only one. Over the last few weeks, I had seen news on my newsfeed about how other friends of mine got their email accounts hacked and were unable to log in as well.

Thus, I went on a hunt for the hacker... (but this will be another story to post)

So I asked her whether her passwords were the same as on her other accounts, to which she replied no. All her 3 accounts had 3 different passwords, which is a good thing. Then I asked her about the complexity of her passwords. With that, I knew why.

Surprising Find

I went on a recon to find other victims whose accounts had been hacked. To my shock, I saw THOUSANDS of Yahoo, Hotmail, Gmail and Facebook accounts with passwords leaked out on the deep web! And they all had one thing in common: simple passwords!

These are some of the accounts that were leaked.


I looked closely at the password combinations used and I could tell that these passwords are easily guessed: simple combinations of letters and numbers. This is what we in the security community call WEAK passwords.

10 years ago, a complex password would be at least 8 characters with a combination of letters and numbers. At that time, password cracking technology wasn't as powerful or as fast as it is now, hence the previous requirements were sufficient. But now, an 8-character password is easily cracked, especially when it is not complex enough. Another mistake that most of us make is using the same password for all our other accounts. Thus it is no surprise when one account is hacked after another using a single password.

How Did the Hackers Hack, Then?

There are many ways a hacker could break into our accounts. One of the ways I know of is by collecting email addresses gathered by automated scavenger tools and saving them into a database. Once all these email addresses are collected, the hacker runs a cracker against a huge dictionary file, or uses other, more sophisticated crackers. All the hacker needs to do is play the waiting game. Once the accounts are cracked, the hacker will publish them online, in forums, and if they want to make a profit out of it, sell them to potential buyers and scammers. These scammers will then use the compromised account to send phishing emails to the contacts in the email's address book.

So How Can We Prevent This?

1. Use at least 16 characters! Remember, the longer the better!
2. Raise the complexity of the password by using words that only YOU will know and not words from the dictionary.
3. Use uppercase and lowercase letters
4. Use numbers
5. Use special characters such as &^%
6. Use a different password for each account
7. Do not log in to sites from public Wi-Fi networks or LANs
8. Do not provide your passwords in reply to emails asking for them.
9. Provide a contact number on the account for password reset. This is very important and a secure way to do password resets, as only YOU would have your mobile phone/number, and not the one in Nigeria.

A good example of a password is: UzuM@k!@P0C@l%p$3
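As an added example (not code from the original post), here is a small Python check that applies rules 1 to 5 of the list above and gives an optimistic keyspace estimate for the reasoning in the "10 years ago" paragraph; the word list, the cracking rate and the sample passwords are constructed assumptions.

```python
import math
import string

# Constructed mini word list; a real deployment would load a full
# dictionary file (assumption, not part of the original post).
COMMON_WORDS = {"password", "welcome", "qwerty", "letmein", "admin", "iloveyou"}

MIN_LENGTH = 16  # rule 1 of the checklist above


def policy_failures(password):
    """Return the checklist rules the password breaks (empty list = passes)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("shorter than %d characters" % MIN_LENGTH)
    lowered = password.lower()
    if any(word in lowered for word in COMMON_WORDS):
        failures.append("contains a dictionary word")
    if not any(c.isupper() for c in password):
        failures.append("no uppercase letter")
    if not any(c.islower() for c in password):
        failures.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in string.punctuation for c in password):
        failures.append("no special character")
    return failures


def keyspace_bits(password):
    """log2 of the number of passwords of this length drawn from the
    character classes actually used. This is an upper bound: patterned or
    dictionary-based passwords are guessed far sooner than this suggests."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(c in string.punctuation for c in password):
        alphabet += len(string.punctuation)  # 32 symbols
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def years_to_exhaust(password, guesses_per_second=1e10):
    """Worst-case time to try the whole keyspace at an assumed offline
    cracking rate (the 1e10 guesses/s figure is a constructed assumption)."""
    return 2 ** keyspace_bits(password) / guesses_per_second / (365 * 24 * 3600)
```

Running `policy_failures` and `keyspace_bits` over the post's example password and over an 8-character all-lowercase one shows why the former passes every rule while the latter can be exhausted in seconds.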