Showing posts with label Bruce Schneir. Show all posts

Wednesday, 19 February 2014

Curiosity Killed the Cat 5 Network

Last year, I wrote a technical article entitled 'Social Engineering: Penetration Testing the Human Element' for Pentestmag.com, which focused on the process of a social engineering assessment using the art of deception, and on how easy it can be with simply a smile accompanied by an act of confidence.

In his book 'The Art of Deception', Kevin Mitnick dives deep into that art and shares the tricks he used to deceive people into giving him vital information. Not only did he succeed in tricking ordinary employees, he also managed to trick security administrators, managers, CIOs and other people holding top positions in organizations.

Then again, not many can be as charming, as confident and as cunning as Kevin, be it over a telephone conversation or in a face-to-face meeting. That's when hackers use the art in other forms: from cloning a website and hoping someone falls for it (phishing) to sending malicious links or attachments via email and crossing their fingers hoping someone clicks on them.

Earlier this month, KrebsOnSecurity reported that the famous hack and breach at Target could have been the result of an email attack, a malware-laced phishing email sent to employees.[1]


This trend of users easily falling prey to social engineering tactics has even led a vendor to suggest punishing careless employees to reduce security breaches. [2]



Looking back at the past, malware such as the famous 'I Love You' virus, 'Melissa' and 'Zeus' were all spread by invoking human curiosity. A single click. That's all it takes. And thanks to this curiosity, those viruses managed to spread to over 50 million computers worldwide. Even important organizations such as the Pentagon, the CIA and the British Parliament were not spared. [3]

Employees play a huge role in ensuring the security of the organizations. 

Organizations may have put the best security mechanisms in place to block external intrusion, but if there is one thing hackers have learned from history, it is to attack human curiosity first, because it is much easier to fool a person than a system. Like I wrote above, one click is all it takes to bring an organization to its knees.

To quote the security rockstar Bruce Schneier, "Amateurs hack systems. Professionals hack people."

References:

Monday, 30 December 2013

2014 - Year of the Privacy?

2012 was a year famous for the number of security breaches. Companies from Sony to Yahoo to Google inadvertently had personal data leaked. Most of these breaches happened on the server side.


Source: http://venturebeat.files.wordpress.com/2012/09/securitybreaches_25.png

2013, on the other hand, was labelled the year of the hack. As early as March 2013, companies from Apple to Facebook and Twitter got hacked, and this does not even include the hacking incidents in Singapore.


For Singapore, 2013 is seen as the year with a record number of hacking incidents: the hack on the website of Kong Hee's wife, the Anonymous threats against the Singapore Government, the XSS attack on the PMO and Istana websites, the web defacements of Singapore school websites, the Singapore Art Museum website hack in which personal information was leaked, and, most recently, the theft of bank statements belonging to high-profile Standard Chartered clients.


Kong Hee's Wife Website Hacked


AMK Town Council Website Hacked


Anonymous Threats and Hacks in Singapore




Singapore Art Museum Website Hacked


Singapore Schools Websites Hacked


Standard Chartered Clients Statements Stolen


With such a record number of hacking incidents in Singapore, 2013 will be known as the year Singapore got hacked the most, the year many security professionals, from private organizations to governments, were placed on high alert and standby. It was indeed a tough year for security professionals in Singapore.

So what will 2014 be?

A preview of what's going to happen was shown throughout 2013. Privacy has been another hot topic besides hacking: the case of Edward Snowden leaking files from the NSA, which exposed the US government spying on its citizens, the security of encryption keys, the spying on Malaysia by Singapore, the spying on Indonesia by Australia, the privacy of consumers against telemarketers


The Serious Leaks by Snowden


The Allegations against Encryption Companies


The Spying of Indonesia by Australia


The Spying Report of Malaysia by Singapore


PDPC Backfires on Consumer's Privacy

All of these are previews of what may happen and will be the hot topics of discussion for 2014. While hacking will not stop, I predict that 2014 will be the year of privacy. The year consumers question the privacy of their data and personal information. The year companies start concerning themselves with the security of their clients' data. The year security vendors get the most calls about privacy concerns and solutions.

Even the security rockstar Bruce Schneier, in his interview with 'Motherboard', said the following about the security of our data:
"I'm worried about governments, the US and other governments. I'm worried about how they are using our data, how they're storing our data, and what happens to it. I'm less worried about the criminals. I think we've kinda got cyber-crime under control, it's not zero but it never will be. I'm much more worried about the powerful abusing us than the un-powerful abusing us."


So in summary:
2012: the year of Security Breaches
2013: the year of the Hack
2014: the year of Privacy (just a prediction)


Friday, 27 September 2013

Breaking the Schneier's 'Code'

Well, it's not exactly a code, but if one thinks too much about it, they will never solve this so-called 'equation'... So here's the 'code':


OHOE
OEYN
KBTJ

I had no idea what I was looking at until someone posted a hint: 'The answer is staring right in front of you'. With that little movement of the page, or of my eyes, I solved it.... Can you?

Thursday, 1 August 2013

A Book about Trust & Security by Bruce Schneier

LIARS & OUTLIERS

ENABLING THE TRUST THAT SOCIETY NEEDS TO THRIVE



"A person might decide to break the norms, not for selfish parasitical reasons, but because his moral compass tells him to. He might help escaped slaves flee into Canada because slavery is wrong. He might refuse to pay taxes because he disagrees with what his government is spending his money on. He might help laboratory animals escape because he believes animal testing is wrong. He might shoot a doctor who performs abortions because he believes abortion is wrong. And so on.

Sometimes we decide a norm breaker did the right thing. Sometimes we decide that he did the wrong thing. Sometimes there’s consensus, and sometimes we disagree. And sometimes those who dare to defy the group norm become catalysts for social change. Norm breakers rioted against the police raids of the Stonewall Inn in New York in 1969, at the beginning of the gay rights movement. Norm breakers hid and saved the lives of Jews in World War II Europe, organized the Civil Rights bus protests in the American South, and assembled in unlawful protest at Tiananmen Square. 

When the group norm is later deemed immoral, history may call those who refused to follow it Heroes." - Bruce Schneier 

Monday, 17 June 2013

Awesome and Inspiring People Met in the IT Security World

I am privileged to have met the people I read about in books during training and conferences. These are some of the amazing and inspiring security gurus I met along the way during my pilgrimage through the IT security world.


Me with John 'Capt Crunch' Draper @ Hack In The Box Malaysia in 2012.



Me with Bruce 'Rocker of Security' Schneier at an ISC2 conference, where I got two books autographed.



Me with Bryce Galbraith, one of the contributing authors of Hacking Exposed Fifth Edition.


Me with Michael Vein, the CHO (Chief Hacking Officer) of SecureNinja.com