The Anatomy of a Social Engineering Attack

John Podesta, a key staffer for the Hillary Clinton presidential election campaign, received an email, appearing to be from Google, warning him that someone had attempted to access his account and prompting him to change his password. John clicked on the link and entered his current username and password. Unfortunately for John, this was a phishing email, and the link that he used to change his password had been set up by the hackers to steal his credentials. The hackers used his credentials to download all his emails. These emails were later released to the public by WikiLeaks, causing a bit of a stir.

Why are we so susceptible to falling for these attacks? There are six (6) principles that social engineers use to deceive us. The first is reciprocity. Reciprocity suggests that people feel obligated to return favors received from others. If you do something for me, I will be happy to do something for you. Many scams use a free gift or a prize to entice the victims to click their link or provide information.

Another method that social engineers use is social proof. This concept suggests that people are more likely to conform to an action if they see others doing it. This works especially well in ambiguous or unfamiliar situations. A familiar tactic would be the website that says 57 people in your area have recently purchased this item.

Authority is a huge tactic that social engineers use, and the one employed above to get John to click on that link. Scammers often pretend to be people from the government or your IT department or one of your trusted vendors. Since they are in authority, you usually trust them and do what they suggest.

Commitment and consistency suggest that once individuals make a public commitment or take a small initial action, they are more likely to remain consistent with that commitment or action in the future. Some phishing scams ask recipients to confirm their email addresses for security purposes. Once they click the link, the victims feel committed to continue engaging with the sender. The scammer subsequently asks for more personal information or login credentials.

Social engineers use “likability and empathy” to build rapport and trust with their targets by establishing a sense of familiarity and likability. They may mirror the victim’s behaviors, interests, or communications styles.

The final principle to discuss is scarcity. The emotion being pushed here is the fear of missing out. This may look like those familiar statements “for a limited time only” or “while supplies last.” This encourages the target to act quickly out of emotion, rather than slowly, logically, and methodically considering what is being offered.

Let us look at some of the scams out there to see what they are using. The tax collector scam impersonates an IRS agent, usually making contact by text or a prerecorded voicemail. They may send you a form to pay and may ask for gift cards or bitcoin in payment. The scammer uses “Authority” to intimidate people into doing what they ask, sometimes threatening arrest or revocation of a driver’s license. They also use commitment and consistency. Once they pull the victim into the trap, the victim is committed to continuing the discussion. Some points to note on this scam: the IRS will not ask for payment in Bitcoin or gift cards. They will not send forms via email; forms are obtained from the IRS website. The IRS cannot revoke your driver’s license.

The “pig butchering” scam uses “likability and empathy” to capture the victim’s trust and “commitment and consistency” once the victim is engaged. This scam usually starts with a wrong number text or a dating app. Once the scammer builds trust, they mention their success in Bitcoin and connection to an insider. This is the concept of “scarcity.” They share their fake website for trading with the victim.

When the victim uses the site, they watch their money grow and invest more money hence the name of the scam. They are fattening the victim up until they cut contact and take their money. Do not use any digital wallet that you have not thoroughly researched.

So, if you are approached via email, text, or phone, slow down, take the emotion out, and determine if it is legitimate. If the proposal sounds too good to be true, identify what social engineering principles are being employed and why.

Original article can be found here.

Cybersecurity Risks in Achieving UN SDG 16.9 with Blockchain Technology

The United Nations (UN) Sustainable Development Goal (SDG) 16.9 aims to provide legal identity for all, including birth registration, by 2030. This ambitious target underscores the critical importance of identity in accessing a wide array of services and rights, from voting to healthcare. As we harness technology to realize this goal, blockchain emerges as a promising solution (1) for its ability to offer secure, decentralized, and tamper-proof ledgers. However, the integration of personally identifiable information (PII), personal health information (PHI), and other significant life events into a blockchain ledger brings to the forefront significant cyber risks that must be addressed.

Blockchain technology offers a revolutionary approach to managing digital identities, ensuring that every individual on the planet has a unique, unfalsifiable, and secure identity. By leveraging blockchain, we can create a system where all forms of PII and PHI are securely encrypted and stored, making them accessible only to authorized individuals and entities. This could dramatically reduce identity theft, fraud, and unauthorized access to personal information.

Using blockchain to manage sensitive data introduces complex cybersecurity challenges. While blockchain itself is highly secure due to its decentralized nature and cryptographic hash functions, the endpoints interacting with the blockchain, such as user devices and applications, remain vulnerable to hacking, phishing, and other forms of cyber-attacks. This vulnerability could lead to unauthorized access to the blockchain ledger, risking the exposure of sensitive personal information.

Second, and maybe more importantly, blockchain data is permanent. It therefore presents a double-edged sword. Using blockchain to record EVERY event in your life ensures that once an event is recorded, it cannot be altered or deleted. This means it is an immutable history of an individual’s life events. This immutability raises concerns regarding the right to be forgotten. One may accurately suspect every individual has made choices they’d rather forget. Forgetting is not feasible with a blockchain-based digital ID. In Europe, the right to be forgotten is enshrined in data protection regulations like the General Data Protection Regulation (GDPR). Modifying or deleting personal data from a blockchain, once entered, is inherently difficult, if not impossible. This poses significant privacy concerns.
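The immutability argument above can be made concrete with a toy hash-chained ledger. This is an added illustration, not code from the article or from any real blockchain: every block commits to the hash of the one before it, so editing or deleting a recorded life event breaks every later link. The subject ID and events are constructed sample data.

```python
import hashlib
import json
from typing import Dict, List

# Toy ledger constructed for this example: each block stores the hash of its
# predecessor, so every later block depends on every earlier one.


def block_hash(block: Dict) -> str:
    """SHA-256 over the block's contents, excluding its own stored hash."""
    body = {k: v for k, v in block.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def append_event(chain: List[Dict], subject: str, event: str) -> Dict:
    """Append a life event, linking it to the current chain head."""
    prev = chain[-1]["hash"] if chain else "0" * 64
    block = {"index": len(chain), "subject": subject, "event": event, "prev": prev}
    block["hash"] = block_hash(block)
    chain.append(block)
    return block


def verify_chain(chain: List[Dict]) -> bool:
    """True only if every block's hash is intact and links to its predecessor."""
    prev = "0" * 64
    for i, block in enumerate(chain):
        if block["index"] != i or block["prev"] != prev:
            return False
        if block["hash"] != block_hash(block):
            return False
        prev = block["hash"]
    return True


def build_sample_chain() -> List[Dict]:
    """Constructed sample identity ledger for one fictional person."""
    chain: List[Dict] = []
    append_event(chain, "ID-0001", "birth registered")
    append_event(chain, "ID-0001", "passport issued")
    append_event(chain, "ID-0001", "arrest record")  # the entry the subject wants forgotten
    append_event(chain, "ID-0001", "passport renewed")
    return chain


def try_to_forget(chain: List[Dict], index: int) -> bool:
    """Delete one block (the 'right to be forgotten') and report whether the
    ledger still verifies. Later blocks still point at the removed block's
    hash, so removing anything but the newest block breaks the chain."""
    del chain[index]
    return verify_chain(chain)
```

Removing only the newest block is not detected by this toy, which is why real networks publish and agree on the current head hash; the point of the article is the middle of the history, which cannot be rewritten without invalidating everything after it.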

The concentration of vast amounts of PII and PHI in a single ledger, even if decentralized, creates a highly attractive target for cybercriminals. A breach could have far-reaching implications, potentially exposing the intimate details of individuals’ lives. While blockchain technology can significantly contribute to achieving SDG 16.9, ensuring the cybersecurity of such a system is paramount. And not to get overly controversial, errant governments could use the information in your personal life ledger to restrict access to important assets like your bank, or your job. This is already happening in China.

To mitigate these risks, a multifaceted approach is necessary. First, enhancing the security of endpoints through regular updates, robust encryption, and user education on cybersecurity practices is crucial. Second, implementing dynamic consent mechanisms where individuals have control over who accesses their information and for what purpose can help address privacy concerns. Additionally, exploring technological solutions, such as zero-knowledge proofs, can allow for the verification of information without revealing the information itself, further safeguarding privacy.

International cooperation and the development of global standards for blockchain security in the context of digital identities are essential. This would ensure a unified approach to tackling cyber risks, fostering trust in blockchain-based identity systems.

While blockchain presents a promising though possibly troubling pathway towards achieving UN SDG 16.9, it is imperative to navigate the associated cyber risks with a strategic, multifaceted approach. In this way, we can cautiously use blockchain technology to provide secure and immutable digital identities for all (if a person chooses to participate, but that’s another argument for another article), thereby unlocking access to essential services. One could even speculate that tying essential life services to a digital ID might do more harm than good.

Original article can be found here.

(1) https://unite.un.org/sites/unite.un.org/files/emerging-tech-series-blockchain.pdf

Every Move You Make, Adware Is Watching You

How were the U.S. intelligence services able to track Vladimir Putin’s movement without a local spy, special satellites, or hacking? They simply bought advertising data for the country of Russia. Although the data did not track Putin’s own phone, it tracked the phones of his entourage: his drivers, security personnel, political aides and other support staff.

With the prevalence of smartphones, who needs a map anymore? Our phones are GPS tracking devices capable of taking us anywhere in the country – just put the address into your map application and you have turn-by-turn instructions. Your phone is constantly sending your exact location to your map app … as well as almost every other application running on your phone.

There is a saying about free applications. If it’s free, then you are the product. It turns out selling your data, including location, is a billion-dollar business called the advertising exchange. Advertisers bid on the exchange for a block of data in a particular geographic area. In 2020, for a few hundred thousand dollars a month, you could access the global feed of every phone on earth. Here’s how it works. Whether you have an iPhone or an Android phone, your device has been given an “anonymized” advertising ID. It’s a long string of numbers and letters and looks like gibberish. The advertisers don’t know your name, but they do know your location. That is helpful for them to serve up targeted ads for the local restaurants or stores. Other data includes the specifications of your device, what other applications you may have loaded on your phone, and even your browsing habits.

Even though your advertising ID is anonymized, it is relatively easy for anyone who buys the data to find out where you live, work, and shop. They can find out who you know and how often you visit them and for how long. They know what your hobbies are, whether they are running, target practice, knitting, homebrewing, hiking, or biking.

The military uses of this technology are alarming. One of the companies that was developing its tools for the intelligence community began with data in the U.S. They tracked phones that were at MacDill Air Force Base, FL. This is the home of the US Special Operations Command units. They watched the phones go to Canada, Turkey, and end up in a small town in Syria. Without trying, they uncovered a forward operating base of the deployed Special Forces personnel in the anti-ISIS campaign.

Some of these advertising data mining tools are being used in the United States by government agencies, such as the DIA, FBI, US Customs and Border Protection, Immigration and Customs Enforcement, and the Secret Service. They would use this data for finding border tunnels, tracking down unauthorized immigrants, and trying to solve domestic crimes.

What apps can track you? Look at your privacy settings on your phone to find out.

Apple Advertising – View Ad Targeting Information is on by default, which opens a wide range of information for the advertisers to see.

The biggest setting that provides advertisers your GPS location is “Location Services.” Without this, your map program will not work and many other apps that you may depend on, so it is not the greatest idea to turn this off altogether. However, you should review the apps that use it and decide for yourself what you want to share. Almost all my installed apps used to have access to my location – from weather and driving directions, to grocery stores, browsers, banking, and insurance. Set these as you see fit.  

Another area inside location services is called system services. Look at those options. Significant Locations tracks your every movement. Mine is off. I would also caution against the use of the “improve analytics” for any application and “product improvement” settings. They pull even more data from your phone. 

Be careful where you take your phone.  Every move you make, every step you take, Adware will be watching you.   

Original article can be found here.

EMP Effects on the Power Grid versus Cyber Attack

We live in a marvelous time where technological advancements have boundlessly expanded human capabilities and opportunities. Unfortunately, we also live in a time where the specter of electromagnetic pulses (EMPs) looms as a stark reminder of our vulnerability. An EMP is a burst of electromagnetic radiation emanating from certain types of high-energy explosions, such as a nuclear detonation in the atmosphere, or from a suddenly fluctuating magnetic field. The concept, while sounding like something straight out of a science fiction novel, carries significant implications for modern society.

EMPs can disrupt or destroy electronic devices and systems, potentially crippling infrastructure, communication networks, and any technology reliant on electricity. The pulse works by inducing high-voltage currents in electronics and electrical systems, overwhelming circuits and rendering them inoperative. The range and severity of an EMP’s effects can vary depending on the altitude and magnitude of the explosion. The higher the altitude of the detonation, the larger the land area affected.

The threat of EMPs is certainly dramatic.  Experts consider the likelihood of such an attack on the United States to be low. The complexity of executing an EMP attack, together with the global ramifications of detonating nuclear weapons, places it firmly in the realm of extreme scenarios. However, it serves as a theoretical benchmark for understanding vulnerabilities within the national power grid. 

By contrast, a more plausible threat to the U.S. power grid comes from cyber-attacks and physical sabotage. Unlike the broad, indiscriminate impact of an EMP, targeted attacks on the power grid can be conducted by nation-state actors, terrorist groups, or even nefarious skilled individuals. These attacks can disrupt power supply, damage infrastructure, and incite chaos without the need for nuclear intervention. The barrier to entry is significantly lower.

The power grid (a complex network of power plants, transmission lines, and distribution centers) is integral to the functioning of the country. Therefore, it is a tempting target for our adversaries. Cyber-attacks, in particular, have become increasingly sophisticated, with potential attackers exploiting vulnerabilities in software and hardware to gain control over systems, shut down operations, or even cause physical damage. According to a report from the security firm Armis, global attack attempts on utilities increased 200% in 2023 compared to 2022.

Comparing an EMP scenario with the more likely threat of cyber-attacks or physical sabotage on the power grid highlights significant differences in preparedness and response. While the former requires hardening electronics and infrastructure against an overwhelming and indiscriminate force, the latter necessitates robust cybersecurity measures, physical security enhancements, and continuous monitoring of the grid’s health. Today the only truly viable solution to the cyber threat is called “Zero Trust.” 

Zero Trust is a security strategy where one of the main principles is that each request is verified even if it lies behind a corporate firewall. It’s like going to Costco. You need to show your membership card to get in and check out. Another principle is to limit user access to just those areas necessary to do their job.  And lastly, in a Zero Trust environment, the designers assume a breach and structure the network to limit the damage that an incident could cause.  

The U.S. government and utility companies have recognized these threats. The Executive Branch has decreed that Zero Trust is the future. Such an initiative includes upgrading existing cyber defenses by moving from a default-allow to a default-deny posture; conducting regular vulnerability assessments; and participating in national grid security exercises. These efforts aim to mitigate the risks posed by targeted attacks, ensuring the resilience and reliability of the power grid.
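The three Zero Trust principles described above (verify every request regardless of network location, least privilege, assume breach) and the default-deny posture just mentioned can be seen together in a small policy decision point. This is an added example, not code from the article or any real utility: the signing key, roles, resource names and tokens are all constructed, and the HMAC token stands in for a credential an identity provider would issue.

```python
import hashlib
import hmac
import json
import time
from typing import Dict, Tuple

# Constructed demo key; a real deployment would use an identity provider's keys.
SIGNING_KEY = b"demo-key-not-for-production"

# Least privilege: explicit allow rules keyed by role. Anything absent is denied.
ALLOW = {
    "grid-operator": {("scada/breaker", "read"), ("scada/breaker", "operate")},
    "analyst": {("scada/breaker", "read"), ("telemetry", "read")},
}


def issue_token(subject: str, role: str, device_compliant: bool, ttl: int = 300) -> str:
    """Mint an HMAC-signed token carrying identity, role, device posture and expiry."""
    claims = {"sub": subject, "role": role, "device_ok": device_compliant,
              "exp": int(time.time()) + ttl}
    body = json.dumps(claims, sort_keys=True)
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + sig


def verify_token(token: str) -> Dict:
    """Return the claims if signature and expiry check out, otherwise raise."""
    body, _, sig = token.rpartition(".")
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    claims = json.loads(body)
    if claims["exp"] < time.time():
        raise ValueError("token expired")
    return claims


def authorize(token: str, resource: str, action: str, from_corp_lan: bool) -> Tuple[bool, str]:
    """Per-request decision. The network the request came from is deliberately
    ignored (assume breach: the corporate LAN earns no trust); identity, device
    posture and an explicit allow rule are all required, and the default is deny."""
    _ = from_corp_lan  # accepted only to show it plays no part in the decision
    try:
        claims = verify_token(token)
    except ValueError as exc:
        return False, f"deny: {exc}"
    if not claims["device_ok"]:
        return False, "deny: device not compliant"
    if (resource, action) not in ALLOW.get(claims["role"], set()):
        return False, "deny: no matching rule"  # default-deny
    return True, f"allow: {claims['sub']} may {action} {resource}"
```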

While the concept of an EMP attack captures the imagination with its catastrophic potential, the reality is that more mundane threats pose a greater risk to the U.S. power grid. Cyber-attacks and physical sabotage represent tangible, immediate challenges that require ongoing attention and resources to defend against. By understanding and implementing a Zero-Trust approach for these likely scenarios, the United States can ensure the stability and security of its power grid against the evolving landscape of threats in the digital age. 

Original article can be found here.