Even the Experts Can Be Fooled

When even experts in social engineering can be fooled, it is important to ensure a defense in depth strategy for your business’ information security.  KnowBe4, one of the country’s largest providers of cybersecurity and social engineering training, got fooled by a North Korean IT worker intent upon loading their network with malware. 

KnowBe4 had a job opening. They were looking for someone for their internal Artificial Intelligence (AI) team.  What they received instead was a valuable training lesson in advanced social engineering. They were fooled. But unlike many companies, they disclosed the failure. Their experience might save others from a similar fate. 

Fortunately, they caught the imposter early enough so there was no breach or illegal access to the company’s systems.  They stopped him before he could do any damage.  Here is how it happened, how they stopped it, and some lessons learned. 

The human resources team did their jobs.  Background checks came back clean because the imposter was using a valid but stolen US-based identity.  They conducted 4 video conference-based interviews validating that the person matched the photo on the application.   The imposter took a stock photo and used AI to merge his features to the photo.  HR even verified his references. 

Once hired, the imposter asked to have his laptop sent to a farm. Not the kind you’re thinking of. It was “an IT mule laptop farm.”  The laptop farm is like an office filled with laptops and computers hackers use. They connect remotely from North Korea to the laptop farm. It was a good thing KnowBe4 restricted new employee access and didn’t allow access to the production systems. 

Once the imposter had been successfully hired and his laptop had been delivered, it was time for him to embed his malware onto the company network.  He downloaded and attempted to execute malware.  He then used some technical trickery to cover his tracks. 

The good news is the company security operations center (SOC) was alerted to potentially dangerous behavior and called the imposter.  The imposter claimed criminals must have compromised his router.  The SOC team quickly isolated his computer from the rest of the network preventing his access to valuable systems and data.  The imposter was unresponsive once he figured out that he was caught.  

Here are some lessons learned.  When a company uses remote workers with remote computers, the company should have a way to scan the device ensuring there are no other connections on the device.  When hiring workers, don’t rely simply on email references.  Do not ship laptops to locations that don’t match the applicant’s address.  Make sure applicants are not using Voice over IP (VOIP) phone numbers.  Lastly, watch for discrepancies in address and date of birth.  

With all the process failures, KnowBe4 did not suffer a breach.  They understood defense in depth.  They had multiple lines of defense in case one (the employee screening process) was breached.  All their laptops had endpoint detection and response (EDR) software loaded and they had a SOC watching over their network.  The EDR stopped the malware from executing and alerted the SOC. The SOC team isolated the computer right away and escalated the issue.   

When it comes to protecting your business, you cannot rely on the minimal protections.   Firewalls and anti-virus are useful, but they do not stop a hacker from entering through your email or your browser.  Technology, like EDRs and SOCs, may save the day, but must be backed up with tried-and-true policies and training.   Although KnowBe4 is an expert in social engineering, they got scammed due to lax hiring policies.  They have since updated their hiring policies.  Remember, a fool may learn from his own mistakes, but a wise man learns from the mistakes of others.   Be the wise man. 

Ransomware Shuts Down Municipalities; How To Protect Our Cities

On June 9, 2024, the city of Cleveland, Ohio uncovered a “cyber incident” which was later determined to be a ransomware attack. Since the attack, city hall has been closed to the public for over a week.  Citizen facing services have been offline as well. To contain the damage of the ransomware, the city shut down the affected systems until they could restore them safely.  On a positive note, emergency services, works, utilities and healthcare were not impacted. 

Details about the attack have been kept close-hold as the investigation continues.   Some employees were allowed back to work on the 12th, but many issues remained.  They could not process building permits and birth/death certificates.  After over a week, the mayor’s office still has not disclosed what information was exposed.  The city did say that they were not negotiating with the hackers and will not pay the ransom.

This is not the first major city in the U.S. to get hit with ransomware.  In 2019, the city of Baltimore, MD was hit with a devastating attack that crippled their municipal services for weeks.  The cleanup cost the city over $18M.  In May of 2023, Dallas, TX was hit with ransomware that disrupted the city’s 911 emergency services. New Orleans, Knoxville, and Las Vegas also have joined the Ransomware Victim Club. 

Don’t think that this only happens in faraway places in different states.  The city of Kingman, AZ experienced a significant cyberattack where the city’s computer system was compromised.  The breach included social security and driver’s license numbers mostly affecting employees. 

There are several reasons why hackers target city governments.  For one, cities have valuable data.  This includes sensitive information such as personal records and financial data.  Secondly, hackers assume that municipalities are a soft target.  Municipalities often lack the necessary funding and skilled personnel to address technology challenges.  Often the IT infrastructure is outdated, making them vulnerable to attack.  Lastly, municipalities provide critical services.  Hackers think that if they take down critical services, the city will gladly pay the ransom.  

Many of these municipalities had cybersecurity services which monitored their systems.  So, how did the hacker install the ransomware?  The problem with this method is that the hacker must be actively inside the network before the threat can be identified, and sometimes that is too late. New malware (zero-day attack) is not in the antivirus databases and is not automatically stopped.  

The solution to this problem is “application whitelisting” or “application allow listing.” With this method only applications which have been validated previously can run on the computer.  Even if an employee clicked a malicious link, when the software tried to run on the local system, it would fail. It is not on the allow list.  There is upfront friction with this implementation where users cannot load anything they want whenever they want.  They submit a request for their new software to be put on the allow list.  The cybersecurity personnel validate the software in their testing environment looking for unusual behavior.  If it checks out, the software is approved for use.  

Another cybersecurity aspect which is often neglected by municipalities is continuous cybersecurity training.  The one-time annual cyber classes are not effective. However, if the training is kept short, about three minutes per week every week, delivered to user’s email box, the results are exponentially better. Cybersecurity is top of mind. 

The lesson to be learned is that every government municipality is a target, not just big cities.  The data is valuable to hackers.  If they can take down emergency services, the hackers expect a fast payment.  Does your local government have the proper cybersecurity measures in place, such as application whitelisting and continuous training, to avoid the disaster that Cleveland is experiencing?

The original article was published in the Sierra Vista Herald and can be found here.

The Rising Importance of Cybersecurity in Our Digital Age

Tom and Dan were camping deep in the woods one night when Dan runs into the tent and says “There’s a bear attacking our site, we have to go!” Tom is confused when Dan stops to put his shoes on. Tom says, “What are you doing that for, you can’t outrun a bear?” Dan says, “I don’t have to outrun a bear, just you.” That’s how it is in the cyber world. In general, hackers are lazy. If it’s too hard, they move along to an easier target. 

Cybersecurity is crucial to our very survival. As technology continues to advance, so too do the threats that lurk in the deep recesses of the World Wide Web. From individuals to businesses and governments, everyone is a potential target for cybercriminals who seek to exploit vulnerabilities for their gain. 

Cybersecurity is the practice of protecting systems, networks, and programs from digital attacks. These cyberattacks are aimed at accessing, changing, or destroying sensitive information, extorting money from users, or interrupting normal business processes. The internet is ubiquitous. The proliferation of connected devices means the scope and scale of these attacks have grown exponentially. Cybersecurity is no longer a concern solely for large corporations or government agencies. It is a critical issue for individuals and small businesses as well.

One of the most common types of cyberattacks is phishing. Phishing attacks involve sending fraudulent emails that appear to come from reputable sources, tricking recipients into revealing sensitive information like passwords or credit card numbers. Another prevalent threat is ransomware. It is a type of malware that encrypts a victim’s files and demands a ransom payment to restore access. Ransomware can have devastating consequences, leading to financial losses, reputational damage, and operational disruptions.

The increasing frequency and sophistication of cyberattacks highlight the need for robust cybersecurity measures. You must be vigilant about protecting your personal information online. Simple steps such as using strong, unique passwords for different accounts, enabling two-factor authentication, using an adblocker on all your browsers, and being cautious about clicking on links or downloading attachments from unknown sources can go a long way in preventing cyberattacks.

For businesses, cybersecurity must be a top priority. It is no longer a cost center. It is a revenue guarantee. Businesses need to implement comprehensive security policies, conduct regular security assessments, and provide continuous cyber education for employees. Small businesses are particularly vulnerable. They often lack the resources and expertise to defend against cyber threats. They can take advantage of various tools and services designed to enhance their cybersecurity posture. For instance, investing in a zero-trust provider can help protect sensitive data and prevent unauthorized access.

Businesses should develop and practice an incident response (IR) plan to quickly address and mitigate the impact of a cyberattack. The IR plan outlines steps taken in the event of a security incident, including notifying affected parties, containing the threat, and restoring normal operations. By being proactive and prepared, businesses can minimize the damage caused by cyber incidents and recover more swiftly.

Cybersecurity is an essential component of our digital world. As cyber threats continue to evolve, it is imperative for individuals and businesses to take proactive measures to protect themselves. By staying informed and implementing robust security practices, we can collectively enhance our resilience against cyberattacks and safeguard our digital future. The key to success is to make yourself a hard target so that the bear goes after the easy prey instead of you. 

The original article was published in the Sierra Vista Herald and can be found here.

The Saga of Joe Public, A Social Media and Email Tragedy

This is a story about Joe. Joe could be any one of us. During the day he is a nose-to-the-grindstone, focused, and hardworking employee. After work, however, he is careless and free, enjoying all that social media has to offer: posting photos, catching up with friends, reading the links his friends on social media post, and yes, he does enjoy the occasional cat video. He is active on his email account too.

Unfortunately, Joe is not really keen on cybersecurity hygiene. He clicks on any link he gets via email or social media without checking the URL first. He makes his life easy by using the same password for all his different accounts. Two-factor authentication is too much work and why would he need it anyway. Nobody would hack a regular guy. Since he is so friendly, his social media account is open to the public, so everyone knows everything about him. What he had for his birthday dinner last night; where he was born; his mother’s maiden name; and even the name of his first pet. 

Although Joe seems to be the life of the party when it comes to social media, Joe was not ready for the party crasher. After work, as Joe was ready to relax and catch up on some email, he discovered he could not login – password failed. That’s strange. He had not changed the password to his email account. Ever. So, he decided to check his Facebook account to see if anyone else was having trouble with their email provider. And what do you think happened to his Facebook account? He was locked out of Facebook too. As he sat back to ponder what was happening, a friend from high school called. His friend asked why he was sending out emails pretending to be a Nigerian prince looking for money? He also noticed that Joe started posting advertisements on social media for the Pink Princess Palace. That’s when Joe figured out that he had been hacked! How could this have happened to him?

The hacker could have come in from many different attack vectors. After checking the website, https://haveibeenpwned, Joe noticed that his username and password were compromised in 17 different breaches. Since he used the same username and password for every site, it was easy for the hacker to take over his email and social media. Also, the hacker could have just used Joe’s username combined with all the information on Joe’s Facebook profile to answer the typical “security” questions many web applications use for password resets. 

What does Joe do now to get back into his accounts and secure them? First, he should get in touch with his email and social media providers to let them know what happened to regain access to the account. This could even involve sending Facebook a copy of his Driver’s License to prove his identity. He will need to change his password to a nice long pass phrase – 16+ characters. He will also need to change his password on all his other accounts because the password has been compromised. Next, he should set up two factor authentication for all email and social media; and any other account he doesn’t want breached (like his bank and investment accounts). Two-factor authentication involves having the web service send a text with a one-time code. Even better, Joe would use a third-party application like Duo or Microsoft Authenticator. 

To do this on your Facebook account for example, you need to login to your account. Click the arrow icon in the top-right corner and select “Settings & Privacy” and click “Settings.” In the left-hand navigation bar, choose “Security and Login.” Scroll down to the “Two-Factor Authentication” section and click “Edit” next to “Use two-factor authentication.” Follow the instructions from there based on the way you choose to receive your notifications. All email and social media apps have this option. 

Now that Joe has so many usernames and passwords to remember, he decided to use a password manager to help him out so that he only needs to remember one long password. He downloaded Bitwarden to his computer and added the Bitwarden extension to all his browsers so that he has his secure passwords wherever he goes. 

Joe is so excited about securing his email and social media that he tells his brother, John Q, and the rest of his friends so that they don’t have to go through similar torture. Joe has since become the lead blogger for the Cybersecurity Evangelist.

This article was originally published in the Sierra Vista Herald and can be found here.

Bob’s Social Security Tale, Is Yours Safe 

Social Security benefits are a lifeline for many retired Americans, providing essential income for daily needs and a comfortable retirement. The sad part is that it’s relatively easy to redirect your checks to a threat actor’s bank account. It really is a growing concern. Understanding how this can happen and how to protect yourself is crucial. 

Bob (names have been changed to protect the victim) is a 70-something retiree who had always been diligent about protecting his personal information. He kept his Social Security number safe and was cautious about sharing his personal details. Bob suddenly realized something was wrong when for the second month in a row his social security check hadn’t been deposited. The gnawing in his stomach was overwhelming. He contacted his bank and the Social Security Administration (SSA). He discovered his benefits had been redirected to an unknown bank account. Bob was a victim of a scam. 

Bob’s situation is, unfortunately, not uncommon. Scammers often use phone calls, emails, or even postal mail to impersonate SSA officials. They may ask for personal information, claiming there is an issue with your account or that you need to verify details to continue receiving benefits. Once they have your information, they can use it to change the bank account where your benefits are deposited. 

There are steps you can take to minimize the probability and the impact of this type of scam. First, guard your personal information like it was a pot of gold. Because it is. Never share your Social Security number, bank account details, or other personal information over the phone, email, or online. One way to ensure you survive a phishing attack is to contact the bank or other financial organization using a number you have called before. One you know for sure is the correct number.

Second, remember, the SSA will never call you and ask for personal information. If you receive a suspicious call, hang up immediately without uttering a word. Occasionally the scammer will ask questions designed to get you to say the word “yes”. Then they will manipulate the audio of the call and use it nefariously.

Third, regularly check your bank account and Social Security statements for any unusual activity. If you notice anything suspicious, report it immediately. 

Fourth, if you have created an online account at https://www.ssa.gov/myaccount enable the multifactor authentication to secure your benefits. Also, make sure the password you use here isn’t used anywhere else. Not even a permutation of the password. All the websites you use to manage your money should be secured with the strongest password the app allows, and absolutely enable multifactor authentication. 

Lastly, if you believe you are a victim of identity theft or fraud, contact the SSA and your bank immediately to report the issue and take steps to secure your accounts.

Bob’s story is a cautionary tale. It is a reminder to be vigilant and to trust no one. These simple steps will not guarantee you will never be a victim, but they WILL contribute to a more secure future. 

Any communication, regardless of the form, that causes you to feel an emotional response (urgency, catastrophe, or promise of punishment or reward) is most likely tied to a scam in some way. So, talk to someone you trust face-to-face. This can help calm you down and ensure you take careful methodical measures to resolve an issue.

Beware: Phishing Attacks Enter the Deepfake Era 

Bob’s boss was asking for something really weird. A wire transfer this big was never done. In all the years Bob worked for Alice, she had never asked for a transfer of this magnitude. But there she was in the zoom meeting, in the flesh (well, digital flesh anyway). How was Bob to know that wasn’t really Alice? 

In the digital dimension, threats to our life aren’t always the mortal kind. They also lurk behind screens, ready to exploit our human weaknesses. Those are the ones that we too often overlook. While phishing attacks are nothing new, they have evolved. Welcome to the Deepfake world. Oh, is that word new to you? Well, buckle up. You need to learn it… and fast. A deepfake is a video or audio of yourself or someone you know created by Artificial Intelligence (AI) out of parts and pieces of other audio or video. With deepfake voice and video capabilities, cybercriminals can now mimic your trusted contacts (like your boss) and authority figures (like your spouse) with alarming accuracy, aiming to deceive and manipulate you. If you use the internet to do banking or email, you are a target. You need to understand the risks and implement precautionary measures to safeguard your online identity and personal information. 

Deepfake technology uses AI to combine audio and video recordings, seamlessly grafting a person’s likeness onto another’s voice or image. This tool, once restricted to Mission Impossible, is real. And it has been weaponized by cybercriminals seeking to exploit your trust in familiar voices and faces. 

Imagine receiving a phone call. On the other end someone is demanding you confirm sensitive account information. The voice on the other end sounds EXACTLY like your boss, complete with the cadence and intonation you’ve come to recognize. Or perhaps you receive an email from your biggest client requesting urgent wire transfers, accompanied by a convincing video message imploring immediate action. In both scenarios, the other person isn’t a person at all. It’s an AI impostor, leveraging deepfake technology to deceive and manipulate you. 

The consequences of falling victim to a deepfake phishing attack can be dire – from financial fraud and identity theft to reputation damage and compromised personal data. The ramifications are deep. Being deceived by someone you trust, even if it was a fake someone, creates a psychological fissure that erodes your confidence in digital communications and exacerbates feelings of vulnerability and distrust. 

The threat posed by deepfake phishing attacks is unsettling. But there are proactive steps you can take to mitigate risks and bolster your defenses. 

Verify Identities: Before responding to any requests for sensitive information or financial transactions, independently verify the identity of the sender through alternative channels. Contact your bank or employer directly by phone using a number you know to be good to confirm the legitimacy of any requests. 

Exercise Caution: Whenever you receive unsolicited emails, phone calls, or messages treat them with profound skepticism. This is especially true if they contain urgent or unusual requests. Scrutinize the content for inconsistencies or irregularities. It may indicate a phishing attempt. 

Stay Informed: Find someone you trust to keep you informed about emerging cybersecurity threats and trends, including advancements in deepfake technology. Educate yourself and your loved ones about the risks posed by phishing attacks.  

Use Multi-Factor Authentication: Implement multi-factor authentication wherever possible to add an extra layer of security to your online accounts. This additional step can help thwart unauthorized access, even if your credentials are compromised. 

Report Suspicious Activity: If you encounter a suspected deepfake phishing attempt, report it to the relevant authorities, such as your IT department, cybersecurity agency, or the Federal Trade Commission. 

The emergence of deepfake technology underscores the evolving nature of cyber threats and the importance of proactive cybersecurity measures. By remaining vigilant, verifying identities, and staying informed, you can safeguard yourself against the perils of deepfake phishing attacks. Together, we can navigate the digital landscape with resilience and confidence, thwarting cybercriminals at every turn. 

The original article was publish in the Sierra Vista Herald and can be found here.

The Anatomy of a Social Engineering Attack

John Podesta, a key staffer for the Hillary Clinton presidential election campaign received an email, appearing to be from Google, warning him that someone had attempted to access his account and prompted him to change his password. John clicked on the link and entered his current username and password. Unfortunately for John, this was a phishing email and the link that he used to change his password was set up by the hackers to steal his credentials. The hacker used his credentials to download all his emails. These emails were later released to the public by WikiLeaks causing a bit of a stir.

Why are we so susceptible to falling for these attacks? There are six (6) principles that social engineers use to deceive us. The first is reciprocity. Reciprocity suggests that people feel obligated to reciprocate favors received by others. If you do something for me, I will be happy to do something for you. Many scams use a free gift or a prize to entice the victims to click their link or provide information.

Another method that social engineers use is social proof. This concept suggests that people are more likely to conform to the actions if they see others doing it. This works especially well in ambiguous or unfamiliar situations. A familiar tactic would be the website that says 57 people in your area have recently purchased this item.

Authority is a huge tactic that social engineers use, and the one employed above to get John to click on that link. Scammers often pretend to be people from the government or your IT department or one of your trusted vendors. Since they are in authority, you usually trust them and do what they suggest.

Commitment and consistency suggest that once individuals make a public commitment or take a small initial action, they are more likely to remain consistent with that commitment or action in the future. Some phishing scams ask recipients to confirm their email addresses for security purposes. Once they click the link, the victim feels commitment to engage in the sender. The scammer subsequently asks for more personal information or login credentials.

Social engineers use “likability and empathy” to build rapport and trust with their targets by establishing a sense of familiarity and likability. They may mirror the victim’s behaviors, interests, or communications styles.

The final principle to discuss is scarcity. The emotion being pushed here is the fear of missing out. This may look like those familiar statements “for a limited time only” or “while supplies last.” This encourages the target to act quickly out of emotion, rather than slowly, logically, and methodically considering what is being offered.

Let us look at some of the scams out there to see what they are using. The tax collector scam impersonates an IRS agent usually contacting by text or a prerecorded voicemail. They may send you a form to pay and may ask for gift cards or bitcoin in payment. The scammer uses “Authority” to intimidate people to do what they ask, sometimes threatening arrest or revocation of driver’s license. They also use commitment and consistency. Once they pull the victim into the trap, they are committed to continue the discussion. Some issues to note on this scam are the IRS will not ask for payment in Bitcoin or gift cards. They will not send forms via email – forms pulled from the website. The IRS cannot revoke your driver’s license.

The “pig butchering” scam uses “likability and empathy” to capture the victim’s trust and “commitment and consistency” once the victim is engaged. This scam usually starts with a wrong number text or a dating app. Once the scammer builds trust, they mention their success in Bitcoin and connection to an insider. This is the concept of “scarcity.” They share their fake website for trading with the victim.

When the victim uses the site, they watch their money grow and invest more money hence the name of the scam. They are fattening the victim up until they cut contact and take their money. Do not use any digital wallet that you have not thoroughly researched.

So, if you are approached via email, text, or phone slow down, take the emotion out, and determine if it is legitimate. If the proposal sounds too good to be true, identify what social engineering principles are being employed and why.

Original article can be found here.

Minor Mistakes, Costly Consequences

The Launch:  It was 6:45PM on December 11, 1998.  After years of engineering effort and toil, the Mars Climate Orbiter was being launched.  This space vehicle was designed to study Mars from orbit and serve as a communications relay for space probes.  The goal was to determine the distribution of water on Mars and monitor the Red Planet’s daily weather and atmospheric conditions.  The team celebrated as the Mars Climate Orbiter started its first step in the over nine month journey to Mars.

The End:  Fast forward 286 days to September 23, 1999.   The orbiter had successfully navigated 140 million miles (225 million kilometers) to Mars with only some minor corrections required on the way.  This was the day the Mars Climate Orbiter would enter into the orbit of Mars.  The key to success was to keep the spacecraft higher than 80 km above the surface.  Go any lower and the fragile spacecraft would shatter into Mars’ atmosphere.    The first sign of trouble occurred during the insertion burn into orbit.  The engineers were expecting a communication loss, however, the loss of signal occurred 49 seconds earlier than expected.  Instead of regaining signal twenty minutes later, it never returned.  

What Happened:  The celebration was replaced with an investigation.  What happened?  It turns out that the orbiter went past the 80km safety zone and was within just 60km smashing into the atmosphere.  After traversing space for over 225 million kilometers, how were they 40 km farther than they thought?

The Answer:  American standard versus metric.   Yes, one part of the software in the orbiter’s thruster calculated pounds of force and the second piece of code that read the data assumed the metric unit – Newtons per square meter.  Although this resulted in a factor of four times, it was a relatively small difference in fuel.  Several engineers commented during the route when they had to make minor corrections, but no one made the connection along the way.  

Costly: This was a $327 million mistake – $193 million on spacecraft development, $92 million on the launch, and $42 million for mission operations.  Wow!

Employee Mistakes:  Hopefully, mistakes at your workplace don’t cost your company that much, but statistics show that many of the cybersecurity breaches are caused by employees making mistakes.  These are instances where the breach could have been avoided if not for the employee making a mistake.

No Public WiFis:  One of the biggest mistakes that people make is to trust public wifi hotspots.  That’s right, do not trust any public hotspot.  Public hotspots are hotbeds of cybercrime.  

Proper Use Required:  Another mistake of employees is “inappropriate use of IT resources.”  Examples of this are: non-work related web surfing, peer-to-peer file sharing, unlicensed software, pirated music or videos, and non-approved remote access programs.  Remember, on the internet, if something is free, then you are the product.   These sites and applications are riddled with malware and allow hackers a foothold into your organization.

Social Engineering:  Another employee mistake in the cyber arena is falling for social engineering. Hackers use human emotions to manipulate people into downloading their malware or buying gift cards or wiring money.  Either out of fear or a sense of helping someone, we get tricked into doing something that harms us.  

It’s Avoidable:  Just like metric conversion in the Mars Climate Orbiter, these mistakes can be avoided.  Education and training are key.   Your staff should be able to identify a phishing attempt or know enough to avoid public wifis. Cybersecurity training should not be a once a year requirement.  Employees should get periodic cyber training and phishing scenarios.  Breaches are costly and as the old saying goes, “An ounce of prevention is worth a pound of cure.”

Avoid the Pain, Train: Whether you are orbiting Mars or providing services to valuable clients, it is always prudent to check your math and your cybersecurity.  Train to avoid the pain.