Professor messer flashcards
Identity fraud
Eliciting information
• How are they so successful?
– Digital sleight of hand - it fools the best of us
• Typosquatting
– A type of URL hijacking https://professormessor.com
– Prepending: https://pprofessormesser.com
• Pretexting
– Lying to get information
– Attacker is a character in a situation they create
– Hi, we’re calling from Visa regarding an automated payment to your utility service…

• Social engineering with a touch of spoofing
– Often delivered by email, text, etc.
– Very remarkable when well done
• Don’t be fooled
– Check the URL
• Usually there’s something not quite right
– Spelling, fonts, graphics
• Targeted phishing with inside information
– Makes the attack more believable
• Spear phishing the CEO is “whaling”
– Targeted phishing with the possibility of a large catch
– The CFO (Chief Financial Officer) is commonly speared
• These executives have direct access to the corporate bank account
– The attackers would love to have those credentials

• Reconnaissance
– Gather information on the victim
• Background information
– Lead generation sites
– LinkedIn, Twitter, Facebook, Instagram
– Corporate web site
• Attacker builds a believable pretext
– Where you work
– Where you bank
– Recent financial transactions
– Family and friends
Is it legal to dive in a dumpster?
Protect your rubbish
• It’s the Internet. Believe no one.
– Consider the source
• Cross reference
– http://www.hoax-slayer.net
– http://www.snopes.com
• Spam filters can help
– There are so many other ways...
• If it sounds too good to be true...
– So many sad stories

• A threat that doesn’t actually exist
– But they seem like they COULD be real
• Still often consume lots of resources
– Forwarded email messages, printed memorandums, wasted time
• Often an email
– Or Facebook wall post, or tweet, or...
• Some hoaxes will take your money
– But not through electronic means
• A hoax about a virus can waste as much time as a regular virus
• Determine which website the victim group uses
– Educated guess - Local coffee or sandwich shop
– Industry-related sites
• Infect one of these third-party sites
– Site vulnerability
– Email attachments
• Infect all visitors
– But you’re just looking for specific victims

• What if your network was really secure?
– You didn’t even plug in that USB key from the parking lot
• The attackers can’t get in
– Not responding to phishing emails
– Not opening any email attachments
• Have the mountain come to you
– Go where the mountain hangs out
– The watering hole
– This requires a bit of research
– Now you’re in!

Because that’s where the money is
Watching the watering hole
• Unsolicited messages
– Email, forums, etc.
– Spam over Instant Messaging (SPIM)
• Various content
– Commercial advertising
– Non-commercial proselytizing
– Phishing attempts
• Significant technology issue
– Security concerns
– Resource utilization
– Storage costs
– Managing the spam

• Unsolicited email
– Stop it at the gateway before it reaches the user
– On-site or cloud-based
Ransomware
Crypto-malware
Protecting against ransomware
Trojan horse
Potentially Unwanted Program (PUP)
Backdoors
Protecting against adware/spyware
Bots (Robots)
Plaintext / unencrypted passwords
Preventing a logic bomb
• Difficult to recognize
– Each is unique
– No predefined signatures
• Process and procedures
– Formal change control
• Electronic monitoring
– Alert on changes
– Host-based intrusion detection, Tripwire, etc.
• Constant auditing
– An administrator can circumvent existing systems

• Some applications store passwords “in the clear”
– No encryption. You can read the stored password.
– This is rare, thankfully
• Do not store passwords as plaintext
– Anyone with access to the password file or database has every credential
• What to do if your application saves passwords as plaintext:
– Get a better application