What are we who like to call ourselves “security professionals” trying to learn our users when it comes to plugging USB devises unknown USB devises that they find or get as hand outs?…. Don’t plug them into your computer!
And what do I get as a hand-out at a the BlackHat Europe security conference?… a USB dongle…. Need I say more?
From when I gave a talk at the Ciber Experis CPU about cyber warfare. (the talk is in Norwegian)
From when I gave a talk at the Ciber Experis CPU about the result of a CyberSecurity survay done in Norway (the talk is in Norwegian)
A recent survey done in Norway shows that 67% of companies and organizations in Norway put bad luck and coincident down as a reason for security incidents within their organization. Is it just me or is that a very worrying number? I mean 2/3 thirds of the 1500 companies and organizations interviewed put “bad luck” down as the reason for security incidents occurring within their organization If it was 3 or 5 percent or maybe even 10, I would have shrugged and thought “well, yes fair enough” And just to be clear we are here talking about real companies and organizations, some of them delivering critical services to the public, we are not talking about superstitious old ladies that are walking under a ladder while a black cat is crossing the road.
It is very unsettling that so many Norwegian companies have a management are comfortable with putting down “bad luck” as the root cause: To me that indicates lack the basic understanding of the value of their own company, why they are hit by security incidents and what makes their company a potential target for threats that can cause security incidents.
One word of advice to the companies that are putting down “bad luck” as the root cause for security incidents; If you value your company and customers, spend some time on money on information security, hire a CISO and don’t rely on luck as your main security control.
Maybe I should seek some comfort in the fact that back in 2016, 74 percent listed bad-luck as a contributing factor, so maybe we are heading in the right direction. If only I didnt see that black cat crossing the road earlier today.
After spending over 90 minutes on the phone with our “Friends” at “Windows support” I’m not at all surprised that people get tricked into giving them full control of their PC’s and giving them their credit card details. They are actually extremely service minded (much more the a real service desk usually is…) Never thought I would be able to keep them on the call for 90 minutes before they called my bluff and I had to cave in.
As usual It started with a call from Windows Support, and this time around I thought… well I’m sitting at home, I have a VM to spare, let’s see where this takes me. On the other end of the line was this nice girl speaking with an Indian accent, she could inform me that someone was trying to break into my computer and steal all my personal stuff. And if I booted up my computer she would show me what was happening. And while she was talking to me she dropped all the keywords to build trust between me (the victim) and her. It was an endless stream of “trusted partner, hackers, security keys, and encryption” and of course the magic sentence “we will fix this for free and we will make it so no one can attack your computer again.” Did I say it was for free? So to show me what was going on she got me to run some commands in the windows command shell (cmd) commands that for the regular PC user might look advanced and super complex. But for an old sysadmin, not so much (but entertaining). After winning my trust and convincing me that yes indeed there is something very suspicious going on (I guess in some way she was correct) She handed me over to a second line specialist that would help me clean up.
The very nice and very very very patient gentleman that was acting as the second line specialist was tasked with playing on this new-found trust and gain remote access to my computer. And again, the keywords was secure, hackers and free. The only catch was that if he was going to fix all my security problems on my computer he needed remote access, so he very painstakingly guided me through the process of installing team viewer. (I had my stupid hat on that day, so it took some time to get it done) But finally it got installed and he had remote access to my computer, and both of us was very happy. He could then show me the content of the windows event log, and with a very worried voice he told me that each of the red icons in the event log represented a successful attack against my poor computer. For those of you who have seen an windows event log you would understand that an ordinary PC user would be very worried, since the stream of red icons can seem endless.
It all came to an end when he wanted my credit card number to renew my Microsoft premium support agreement that apparently had expired. The proof of this was an expired certificate in my computers cert store (that had nothing to do with any support agreement) and he could only fix my poor little PC if I reactivated the support agreement. Unable to provide him with a valid credit card number I had to confess my sins and that I had just been playing along all the time.
But I as I said in the beginning, I now understand why people keeps getting tricked by this scam. Because they can be very convincing if you are an ordinary user (as most people are).
… like to think I saved an little old lady from getting ripped off 🙂
To my daughter, now that you are moving into the world of snapchat and Instagram. But probably not Facebook, since its only us old farts who still hang around there.
So here is some advice, in a badly re-written version of the Robbie Williams song “Go Gentle”
You’re gonna meet some perverts.
Welcome to the zoo.
Except for one or two.
Some of them are pretenders.
Some of them are mean.
Most of them are twisted.
Few of them are clean.
Now when you go flirting with
boys on snapchat.
Just keep it simple.
You don’t have to send nudes though.
Don’t waste time whit the idiots
Think that they’re heroes.
They will betray you.
Take care your friends
Don’t try to make them love you.
Don’t answer every troll.
Baby be a giant.
Let the world be small.
Some of them are deadly.
Some don’t let it show.
If they try and hurt you.
Just let your daddy know.
Now when you go giving your heart make
Sure they deserve it.
If they haven’t earned it.
Keep searching, it’s worth it.
it is interesting to see that even on security conferences you will find every thing that warn our users about. Things that we as security professionals tell our friends and co-works that no no, you must not touch.
- Free USB thumb drives. On the last conference I attended I got a free floppy disk, but I doubt that represent any major risk, unless it contains Brain.exe
- Free and Open WiFi. A security conference is probably the last place you want to connect to a open WiFi.
- Free gadgets made in China that you can plug into your laptop or connect to your phone
- The opportunity to sell your contact information to get a sticker on a piece of paper (well why not, you might win a prize and if you are really lucky the prize is a malware infected thumb drive, or more likely the chance to get a flooded mailbox)
And no, I’m not pretending to be any better then the rest of the conference participants… I’m also a sucker for free stuff we all get. Lets plug in this Chinese Bluetooth hands free without a user manual in English, nothing bad can come of that right? Maybe its best to stick to the occasional t-shirt or baseball cap.