00:00:01
We've probably all seen an email come through our inbox that seems to be from one sender, but, in reality, it's being sent by someone completely different.
00:00:11
These types of emails are often categorized as phishing.
00:00:14
Phishing is social engineering with just a bit of spoofing.
00:00:18
Someone is pretending to be someone else in the hopes that they can convince you to give up your personal information.
00:00:25
Sometimes you can check the URL that's associated with a link inside of an email message to see if it's really coming from the domain that you think it should be coming from.
00:00:34
There's usually also something a little bit off with the graphics or the spelling and in some cases the grammar that's being used in these messages that are trying to convince us that they're really coming from someone we can trust.
00:00:48
This is an image of a website that I clicked on when I received a phishing email.
00:00:54
You can see it looks very much like the Rackspace Technology webmail login page, although you'll notice the graphics are off just a little bit.
00:01:02
But everything else on that page looks as if it could be the legitimate site for Rackspace webmail login.
00:01:08
However, if we look at the email where that was sent from, you can see that it does say that it was from Rackspace Service, but it came from an email address from icloud.com.
00:01:20
That is certainly not the Rackspace domain name.
00:01:22
And that's not the person we would expect to be sending us information about Rackspace email.
00:01:28
You also notice the text in this email has different fonts associated with it.
00:01:33
And the first line of this message says, "Dear User, we notice your email has not been confirmed for the new upgraded service".
00:01:40
There's no period at the end or any other type of punctuation.
00:01:44
This should certainly cause us to look more deeply into the details of this message, and at the very least, we should never click a link inside of an email message.
00:01:55
I was able to click this link and provide you with these screenshots by using a virtual machine that was completely isolated from all of my other systems.
00:02:03
In this particular case, that was the image that came up when you click that link.
00:02:07
So on the top is the image from the phishing email, and on the bottom is the legitimate Rackspace email landing page.
00:02:14
You can see that they are very similar to each other, but there are some significant differences that you can make out now that we have them side by side.
00:02:23
But if you weren't familiar with the Rackspace login page, the phishing email is close enough that it probably could fool quite a few people.
00:02:31
This is the goal of the attacker.
00:02:32
They want to make this page look so similar that you will be enticed to put in your email address and your password.
00:02:38
And at that point, when you click the login button, you're actually sending those credentials directly to the attacker.
00:02:45
Another useful social engineering technique used by the attackers is shoulder surfing.
00:02:50
We use our mobile devices and our laptops in public all the time.
00:02:55
We could be in an airport, a restaurant, a coffee shop, and anyone who can look over our shoulder could potentially see the information that's on our screen.
00:03:03
Part of the problem with this, of course, is that occasionally, we will be reading through information on our screen that could be considered sensitive.
00:03:11
And in some cases, it might be information that our competition would love to have.
00:03:15
Someone standing behind you or sitting at a table that's behind you has full access to view the information that's on your screen.
00:03:23
And there have been situations where people have been able to read the screen of a computer that's in another building.
00:03:29
They would use binoculars or a telescope to be able to view the information that's on your screen, even though they're in a completely different location.
00:03:37
One of the more advanced versions of this is attackers who will put malware on your computer to enable your camera and be able to see exactly what you're doing when you're sitting at your computer.
00:03:50
We can use a number of different techniques to try to prevent shoulder surfing.
00:03:54
One is to make sure that we understand where we happen to be.
00:03:58
If you're in a coffee shop, maybe your back should be towards a wall.
00:04:01
If you're in a public area, it might not be the best time to start scrolling through information about payroll or social security numbers.
00:04:09
You can also get privacy filters for your LCD screen that can only display the information on the screen if you are sitting directly in front of that device.
00:04:18
Anyone who's to the side of the device simply sees a black screen.
00:04:22
These work exceptionally well.
00:04:24
You could be on a plane right next to somebody in coach, and if they have a privacy filter, all you see is a black screen.
00:04:31
And if your computer is near a window, you might want to turn your computer so that the monitor faces away from that window.
00:04:38
Not only will this help with the glare that's coming in through that window, it would prevent anyone from being able to see what's on your screen by looking through that window.
00:04:46
You should always keep in mind the information that you happen to be viewing on the screen and where you might be at any particular time so that you're not disclosing any sensitive information to any third party.
00:04:59
A lot of the security for physical location happens at the front door.
00:05:03
If you can get through that initial door, a lot more information will be available to you.
00:05:08
And the attackers know this.
00:05:10
They've found ways to get into buildings without having any type of authorization.
00:05:15
One technique that attackers use to get into a building is tailgating.
00:05:19
Tailgating is using someone who's authorized to give you a way into the building.
00:05:24
Maybe when somebody is walking in, they'll hit the badge, unlock the door, walk through the door, and leave the door to close on its own.
00:05:33
While they're walking away, you can walk up and stop the door from locking again and simply walk into the building.
00:05:39
That's a perfect example of tailgating.
00:05:42
Another technique that's very similar is piggybacking.
00:05:45
With piggybacking, you have someone who is authorized to get into the building, and they're letting you in the building as well with their knowledge.
00:05:53
This can be easily accomplished by bringing in lunch or carrying in boxes of donuts and asking the person who's opening the door to hold the door so you can make it up to the conference room.
00:06:04
They can see that you're walking in.
00:06:06
They're even helping you get into the door.
00:06:08
And in that particular case, we call that piggybacking.
00:06:12
And as many attackers will tell you, once you're in that front door, it's very easy to walk around the inside of that building where many of those doors are already open.
00:06:22
To prevent tailgating and piggybacking, we should always be looking to see if someone is in this building who should not be there.
00:06:29
Most organizations will provide visitors with a visitor badge that clearly shows that they are in the building as a visitor, and they are authorized to be there.
00:06:39
But if someone's walking around without a badge, it should be your responsibility to ask them where their badge happens to be.
00:06:45
And if they don't have a good answer, it's time to call security.
00:06:49
Some organizations also have very strict rules on badging in and having one person walk in at a time.
00:06:56
There might even be people lined up at the door, but one person will badge in, walk through the door, and physically close the door so that the second person can then badge in.
00:07:06
Following that process would probably prevent any type of unauthorized access.
00:07:11
You could also use an access control vestibule or an airlock that would only allow one person in the building at a time.
00:07:18
This effectively takes the policy of one person scanning at a time and turns it into a mechanical requirement where only one person can walk in at a time.
00:07:28
And although it may be uncomfortable to walk up to a stranger and ask them where their badge happens to be, this is something that has happened to me many times inside of a building where I've had a badge on a jacket, I've taken the jacket off, and then I've gone to get coffee at the coffee maker.
00:07:43
And very often people from that company will walk up to me and say, "Hi, I don't recognize you. Do you have a visitor badge, or can you tell me who you're with?"
00:07:51
These are organizations that have worked hard to train their employees to look for things that may be out of the ordinary and to address those so they don't become a larger security issue.
00:08:01
If you look in the back of your building, I'll bet in the parking lot there is a garbage bin.
00:08:07
Sometimes we refer to this as a dumpster, although that is a brand name of a particular unit.
00:08:12
In other parts of the world, these have different names such as a rubbish skip.
00:08:16
Going through your trash is a very useful social engineering technique that attackers use all the time.
00:08:23
It's remarkable how much sensitive information is simply being thrown into the garbage without any type of security associated with it.
00:08:31
These garbage bins and dumpsters are often open and unlocked.
00:08:35
Very often you can find names that can then be used for impersonation or phishing over the phone, and there may even be contact information that can help with additional phishing attempts.
00:08:46
Attackers often try to find the right time to go through the garbage.
00:08:49
It may be at the end of a quarter or the end of a big project where a lot of information may be thrown out.
00:08:55
And a lot of those details in the garbage may be perfect to use for a future attack.
00:09:00
There is a question about the legality of going through someone else's garbage.
00:09:04
In the United States, the garbage is effectively free to go through as long as it's something that has already been thrown out by the original owner.
00:09:12
This is not always the case, and there may be local or state regulations that would prevent someone from going through someone else's garbage.
00:09:20
But if there are no local laws, everything in that garbage bin may be available for anyone to stop by and take.
00:09:27
But if the bin is on private property, and there are signs that say no trespassing or no visitors allowed, then you certainly would not be able to access that trash at that location.
00:09:39
If you're trying to understand more about whether going through this garbage may be legal in your area, then I would recommend you contact a legal professional, and see what the options might be in your particular geography.
00:09:51
To prevent someone from going through the garbage, one of the best things you can do is to lock it up.
00:09:56
You can put a fence around that area, you can put up monitoring cameras, and you can prevent anyone from gaining physical access to your trash.
00:10:04
You can also shred the information that you feel might be sensitive.
00:10:08
Some organizations will have a third-party shredding service come through every month, and they'll sit in the parking lot and shred all of your sensitive information.
00:10:16
Some organizations go one step further.
00:10:19
It's not unusual for governments to light all of their sensitive information on fire because once you burn it, there's no way anyone can gain access to that information.
00:10:29
If you're wondering if this is something you should be worried about, then maybe you should look through your own garbage.
00:10:34
There might be information in there that is relatively sensitive, and you may need to institute new policies to prevent someone from walking by and simply grabbing your sensitive data right out of the trash.