Posts Tagged kevin mitnick

The Other Engineering: Social Engineering

Last night I was interviewed by Jasmine Huda on St. Louis KMOV-TV Channel 4 news about a scam used to steal information from PCs.  The attackers call random people and claim to be from Microsoft Technical Support.  They say they received an error report from the victim's computer and have found a problem that they will help fix over the phone.  Many PC users see the "send error report" dialog box after a crash, and often click to send the report.  Of course, the scammers never saw those reports – they go directly to Microsoft, which treats their content confidentially.  In addition, if you think about it, does your PC know your phone number?

This seems to be a recent report of this in Denver, Colorado, although you can find variants of this scam all over the world and over a period of a few years, such as this one in the UK.

This is an example of the other engineering – social engineering.  Social engineering is a confidence game: tricking someone into sharing their computer password, installing malware on their computer, or visiting malicious websites.  Unfortunately, it is all too easy, especially if the attacker has a small amount of information (or makes a lucky guess, such as that you recently clicked on a send error report message).

For a complete analysis of social engineering, I’d recommend Kevin Mitnick’s The Art of Deception.  Or, to read his incredible real-life account of how he used social engineering to take over telephone networks, try Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker.

Everyone should be aware of social engineering and how to protect themselves from it.  The most important rule is never to give out information, or access to your computer, to someone who calls you, even if they sound legitimate.  If you think it really is Microsoft calling you, or your bank, or your credit card company, then ask for their case number, hang up, look up the phone number of the business or bank yourself, and call them back at that number.  (Note that you can't ask them for their phone number or call the number shown on Caller ID – you can't trust that information either, since Caller ID can be spoofed, and some attackers even have toll-free numbers.)

I do hope, however, that people don’t stop sending those error reports.  I’ve heard from my friends who are software developers that these reports are a goldmine for them in terms of fixing bugs and improving their software.




Explaining Security

I spent all last week in Austin, Texas at the Internet Telephony Expo, ITEXPO conference.  In addition to giving the SIP and RTCWEB Tutorial and having a board meeting of the SIP Forum, I moderated a security panel at the 4th Generation Wireless Evolution 4GWE conference.  It was a great panel, with Patricia Steadman, CEO of Telesecret, a company founded by Phil Zimmermann to commercialize the ZRTP media security protocol, and Andy Zmolek of LG Electronics, a good friend and former colleague from Avaya.

As I enjoyed the cool and damp weather back in St. Louis (the opposite end of the weather spectrum from last week!), I was elated to discover that my novel “Counting from Zero” was ranked #12 on Amazon’s Computer Network Security sales list! (Of course, this ranking changes minute-by-minute, so it might very well be ranked a bit lower when you read this.)  I mark this as yet another milestone with this book, my first attempt at fiction.  To have it doing so well in a ranking filled with security text books is very exciting!

I was also thrilled to see two other books I greatly admire ranked just above me at #7 and #9:  The Art of Deception: Controlling the Human Element of Security and The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers by Kevin Mitnick and William Simon.  I use both of these books as references in my book.  I was thinking of Kevin all last week during my travels as I finished reading his newly released memoir Ghost in the Wires: My Adventures as the World's Most Wanted Hacker.  It was an amazing read, and I highly recommend it.  Maybe I'll post a full review here one day soon.

My original goal with "Counting from Zero" was to teach the fundamentals of computer and Internet security, but to do it in a non-traditional way.  I had written one other book on security, "Understanding Voice over IP Security".  Its sales have not been great, compared to some of my other SIP and VoIP books.  One reason is perhaps that security books tend to be dry and a little theoretical, not well connected with real life.  In "Counting from Zero" I tried to invent a plot that would not only teach security, but help motivate it.  I set out to create a character, Mick O'Malley, who would initially seem over-the-top in his security, but whom the subsequent action and events would make seem more normal, with the rest of us, who barely give security a thought, the strange ones.

I have greatly enjoyed the reviews of the book, and those complimenting my characters, writing, plot, etc.  But what I enjoy hearing most is that a reader learned something from the book.

If you have an interest in Internet or computer network security, my book will help explain some basic concepts and help motivate the topic.  If you have read my book (thank you!) and learned something useful from it (fantastic!), I'd love to hear from you…

