CIPP Guide » Social Engineering

Congressman Twitters Security Breach

jbrook — Mon, 09 Feb 2009 19:19:19 +0000

Personal responsibility. Within any organization, you have to trust someone. You put trust into somebody, expecting they will take the responsibility. Big lapses end up on the evening news. People typically think its the low paid administrative assistant who blunders through a social engineering exercise. Or maybe it’s the disgruntled system administrator trolling through the online personnelle files looking for something of value. Possibly the forgetful road warrior and the expectation that with more mobility, more information will be leaked.

A Wired Magazine correspondent documented the inadvertent disclosures through the use of GPS embedded into many of today’s cell phones. The NSA went through the trouble of securing the BarackBerry not only because he is the boss, but after hearing the vulnerabilities and mitigations, the residual risks were understood. I’m sure the Agency guys didn’t need to explain to him about leaving his phone in an adversary’s hands or randomly text messaging his buddies about hitting the bar later that night.

That’s why I’m puzzled by this weekend’s actions of Congressman Peter Hoekstra – former Chairman, and ranking member of the House Intelligence Committee. This is the guy supporting the warrant-less wiretapping, so that Al-Qaeda wouldn’t know US Intelligence was watching them. During what was supposed to be a secret congressional trip to Iraq, Hoekstra Twitters the details of the weekend trip. I understand a minor slip, those are planned for and around. From the Congressman’s tweets, it seems like he was trying to cause an incident, discussing travel coordination and locations with timestamps:

On the way to Andrews Air Force base.12 hour flight to mid east Be back on Mon instead of tues….3:28 PM Feb 4th

Just landed in Baghdad…..9:41 PM Feb 5th

Moved into green zone by helicopter Iraqi flag now over palace.Headed to new US embassy….11:56 PM Feb 5th

Talk about a lapse in responsibility. This isn’t even a judgement call – Hoekstra jeopardized all of his fellow travellers. Thankfully everyone returned safely home, at least according to Hoekstra’s last tweet:

Headed home!Situation in Iraq improves significantly.Afghanistan poses challenges!Lots of stuff to talk about when I get home Monday late pm

Even with the best policies and practices in place, everything hinges on the end user. Their understanding of each action that takes place and their role in the ultimate security/privacy of the whole is paramount to the success of the mission.

Password hacking with chocolate: Are women more susceptible to social engineering?

jbrook — Thu, 24 Apr 2008 10:00:01 +0000

The Mitnick attack. The 10 attack. Social Engineering. Each of these emphasize how readily people part with valuable information to someone posing as an IT staffer, a very attractive member of the opposite sex, or someone friendly. You may now add candy bars and women…

No matter how you slice it, the weakest point in any security program ends up being the end user. User training seems to work with frequency of message, but without hearing the importance of security it seems quickly forgotten.

That is of course, unless the message starts at the top with a strong corporate policy, well understood consequences, and swift consistent enforcement. During my security training (I believe my CISSP), the instructor shared an example of a large, Canadian company with a zero-tolerance policy toward password disclosure. A Sr. V.P. within the company did just that with his secretary. During an audit, the IT staff discovered the VP logged in while on travel in 2 separate places, checking email. The VP was immediately terminated, the secretary put on probation.

This information trickery is the same idea as pre-texting in the privacy world . A caller (typically) phones a target under some false pretext, such as a survey or sweepstakes winnings. After ‘verifying’ enough publicly available information, such as name, street address, phone number, additional information is provided incorrectly or incompletely, typically date of birth, mother’s maiden name, bank where winnings may be deposited or social security number to report the winnings to the IRS.

Once armed with this information, the assailant calls in to the bank after ‘losing’ their checkbook, or simply requesting a change of address. From there, enough information is in in hand to (hopefully only) clear out the checking account, or continue with a complete identity theft. Banks and retail merchants are recognizing this trend and are putting further and further measures in place to protect their customers.

Security is one of the five domains integral to the Certified Information Privacy Professional (CIPP) and for good reason. The chocolate and the sweepstakes winner are the same problem, and mitigated through the same policy and training. Now if we could just convince the user populous – if it seems to good to be true – it probably is.