At Hypnoticon

January 31, 2008

Well, here we are at Hypnoticon. Melina and I flew in from Chicago today and were, of course, delayed. We missed the majority of tonight’s networking reception, but managed to pick up our badges and are looking forward to getting an early start tomorrow.

The schedule is pretty cool. We’re looking forward to checking out Wendi, Brian David Phillips, and Kim & Tom.

Not to mention tomorrow’s “Walkabout Hypnosis” – it’s social engineering at its true finest. This is a group of people who can really do all of the things that I’ve been talking about.

I plan on continuing to post entries throughout the weekend, as well as keeping up on twitter. If you’re at the conference, send me an email or a twitter DM and we’ll sync up.

The funniest spam message ever…

January 26, 2008

So, this is completely off topic, but I had to post it. I received a spam message the other day that had me in stitches from its creative butchery of the English language. The entire message was:

Subject: Lengthen your device length and become sex giant.

Your girl shack up with your friend that’s why you’re alone.

His male device is bigger than yours and this is the main reason of leave.

Don’t warry chap. At present you can change your life to the good. Increase your aggregate size and you will forget about troubles.

This is your chance to change your sexual life.

Brilliant. That’s the only word I have to describe it. It gives me a new idea for a game: Spammer Refrigerator Poetry.

Social Media Marketing in Security – Part 2

January 25, 2008

I started to write a response to Anton’s comment to my previous post on the subject, and realized that it was almost as long as the blog entry itself. Really, I think that Anton is just being pedantic and playing Devil’s Advocate, but he makes an important point:

Well, what is a company if not a collection of people? … I am on LinkedIn = LogLogic on LinkedIn. I blog and a post goes to Facebook -> LogLogic message spreads.

And that seems to be the entirety of the “strategy” being used by most security companies. Rather than using any sort of coordinated strategy around branding through the social media sites, it seems like most of the companies figure that their employees will “get the message across” by accident.

Something tells me that Anton’s activities on LinkedIn aren’t part of a coordinated strategy conceived by the branding team. Nor is there a LogLogic strategy for the use of Facebook.

Not to pick on anyone, but I’ll use an example I’m intimately friendly with (because I started the blog when I was there) – how is nCircle using those tools to market their blog? Simple answer: they’re not. There’s nobody pushing the use of LinkedIn Answers or Yahoo Answers, no twittering of blog posts, no use of Facebook or (though I hate it) MySpace to drive traffic and/or awareness of what they’re doing. They might argue that it’s not part of branding to their targets, but I’d disagree – I know a lot of people in their target audience that are on each of the social media entities above.

While I singled out nCircle, they at least have a blog, unlike most of the companies in our space.

For two good examples of “how it could be otherwise”, check out the way that Jason Alba uses twitter entries to promote every blog entry he writes. Or the way that Stacy Thayer is using Facebook to market the SOURCE Conference. (Aside: have you bought your tickets yet? They’re going really fast.)

Taking the Long View of Careers and Jobs

January 24, 2008

Jason Alba always knows how to get me up on my soap box. In a recent comment on this post, he says:

The big question, for me, is “how can we be more concerned about our careers than our jobs?”

And it’s a great question. Because most of the time, we spend our lives working on our jobs rather than our careers. With the exception of the few days around New Year’s, we rarely stop to take stock of where things are headed and what our next steps are.

Yet, it’s exactly that introspection that leads us to happiness and out of the “Monday” type world that Dan Miller talks about in his latest book and on his blog.

The problem is, most of us are focused on the tactical, without taking time out for the strategic. It’s a problem that I see in business a lot, and even more in life management – we really need to take time out to ask ourselves the important questions around career. It’s much like what Gerber said about the difference between working “in our business” (i.e. doing our jobs) and working “on our business” (i.e. focusing on structures that keep us moving forward).

So, what have you done to work on your career lately instead of just in your career? What are your next steps for growth and the next challenges you want to take on? What conversations do you need to have with peers, bosses, clients, mentors, etc. to take yourself to the next step of your career?

Top 10 CISO Resignation Reasons…

January 23, 2008

You know, I’m often glad that I’m not a CISO, especially in light of the coming economic downturn. (Yes, I said it. I predict a downturn.)

Apparently, someone at CISO magazine thinks so, too. This list was, as my friend Bill P (who needs to blog more!!!) put it, a “water snorter”.

My favorite is #9: The opportunity to be tied in a leather bag with ravenous, rabid ocelots caught your eye on Monster.com.

That pretty much says it all.

Social Engineering “at its finest”?

January 23, 2008

I posted a couple of days ago about how very few in information security know what really good social engineering looks like. Leave it to the inimitable Mr. Schneier to help me make the point with this post that he ends with:

Social engineering at its finest.

Okay, so let me get this straight. A guy in the right uniform walks into the bank and says: “I’m here for the regular guy”.

This takes skill?

To me, this is very much the equivalent of saying that website defacements of IIS in 2001 using RFP’s MSADC script was “hacking at its finest”. Seriously, just because the guy got a uniform and a badge doesn’t make him anything more than a script kiddie in the realm of pulling off the attack.

This is the kind of attack that Mitnick talks about all the time when he says that social engineering usually doesn’t take much more than the guts to ask for what you want.

Let’s consider a better example of what really skilled social engineers look like: this story where two guys robbed a store by talking to the clerk. If you read the article, you’ll get a pretty good idea of what the attackers did. It’s the ultimate example of a “compliance set” (or “yes set” for those hypnotists out there), and it required some knowledge of the target’s adherence to his culture and the cultural cues that would set the appropriate context for the exploitation.

Really, I want to say that I expected better of Bruce, but that wouldn’t be fair. As I said before, our community as a whole has yet to take notice of what really good social engineering is.

In my writing and this blog (which I’ve promised Hoff and Martin that I’ll continue), I’ll probably be talking about this a lot as I do more writing on the book and in other venues.

The problem with awareness…

January 22, 2008

Andy blogged this morning about social engineering and trust. While I loved the post, and I think he made some good points about social engineering, something that he said struck me while reading:

The important thing is that we make our users aware of social engineering threats and at the very least teach them to not just blindly give out information. If they are unsure then they need to refer the person to management. Teach them to stop and think before acting.

This is an incredibly normal line of thinking, and it is the traditional way of dealing with social engineering. The main issue with it is two-fold: first, an even half-way prepared social engineer will have prepared a strong enough frame to verify most of the simple checks that a normal user is going to have.

But the bigger issue is that, when we talk about things like “not blindly giving out information”, what we’re really saying is that we need to teach our users not to trust each other.

The problem with this is simple: an agile, responsive and successful business is built on a lack of boundaries and a healthy set of organizational trust. The kind of mistrust that most infosec people would engender intentionally in their users would cause significant inefficiencies within most organizations.

So, if we’re not teaching our users to not blindly give out information, or to verify everything, what do I think we should be teaching them?

Instinct. Most who are in infosec have developed an instinct for when things “don’t smell right”. When an email just seems a little bit “phishy” (pun intended).

I believe that can be taught (well, indoctrinated) into our users, with about the same effort as it takes to teach them not to trust each other.

Social Media and Security Marketing…

January 21, 2008

So, this conversation has come up over and over again in the last few days – I keep ending up in detailed conversations with security marketing people about how to create a presence using social media.

It’s amazing to me that information security people are always on the cutting edge of technology (kept there by, in my opinion, the fact that the most vulnerable technology is always the newest). But we’re terribly bad (as an industry) at keeping up with the cutting edge in marketing. I look at someone like Jason Alba, who is a brilliant marketer with his blog, LinkedIn (and wrote the book on it), Facebook (he wrote the book on that one too), and Twitter.

And then I look at the companies in our industry. Nothing. Zip. Nada.

At least not that I’ve seen. So, I’m putting this one out there: who has good examples of security companies using any of the tools above? How about it? Anything? Bueller?

I’ve got a million ideas about how this could be done, but I’m not seeing it out there in the world. And it makes me sad.

Advanced Social Engineering

January 18, 2008

I was at lunch when a fascinating discussion broke out on Twitter between Alex Hutton (aka @alexhutton) and Jennifer Leggio (aka @mediaphyter) (the brains and driving force behind this year’s blogger meetup at RSA and, I’ve learned, quite an intelligent security mind… but she really does need a blog) about “Advanced Social Engineering”. The important part of the conversation for the purposes of this blog:

mediaphyter: “Advanced social engineering” — I am starting to think we use that term way too loosely.

mmurray @mediaphyter Most have no idea what advanced social engineering looks like. They can’t yet fathom…

alexhutton @mmurray: Most parents know *exactly* what advanced social engineering looks like – they just don’t think adults do it too

Alex went on to say that “advanced social engineering” is what kids do with “Lying, Manipulation, False Pretenses, illicit access or gaining of privileges”.

Here’s where I disagree. You see, kids don’t have to do anything particularly advanced as social engineers because they’re trading on relationships. While the parent might FEEL as though they’re being social engineered, they’re not… the fact that they’re feeling it suggests to me that it’s not advanced at all.

Using an analogy to hacking: if you notice that you’re being attacked, the attacker isn’t particularly sophisticated.

This is what I meant when I said that most people don’t know what it is… a truly advanced exploit of a human will leave the attacker richer because of the information/access gained, and the target without any knowledge or awareness of it happening.

The best example of this: This Derren Brown video.

I suppose that this is as good a time as any to announce that I’m writing a book on this subject… on truly advanced human exploitation. Not the typical “pretend to be the help desk guy” stuff, but how to really use language, awareness and context to manipulate a situation and get in and out completely undetected.

That’s what real “advanced social engineering” looks like. And I stand by my original assertion: very few know what it really looks like yet.

The Company Will Take Care Of Me…

January 17, 2008

Over at her fantastic new blog, Melina Murray (full-disclosure: she’s my wife and one of my favorite writers) has a great post about the company’s responsibility toward employees. From the post:

[The] answer I get is something like this, “Well, I know that if I put in hard work, work overtime with no pay and don’t complain, I will benefit when the company is successful.”

This is such a common way of thinking – I see it all the time in the information security industry, especially. We saw our parents grow up with a company that would take responsibility for their growth and well-being (health care, pension, etc.). And we grew to believe that a company would show us loyalty.

Well, guess what? It ain’t that way any more. This is 2008, and, at the risk of sounding heartless or cold, we have to fend for ourselves. I said it over and over in the Parachute book: your career is your responsibility.

It’s just nice to hear it from someone who thinks from the perspective of HR.