
(InformationWeek) Human error and negligence may soon surpass malicious attacks as the leading cause of data breaches (informationweek.com)
    More: Interesting, data breach, negligence, mistakes  

680 clicks; posted to Geek » on 05 Jun 2013 at 6:49 PM



37 Comments
 
2013-06-05 04:26:44 PM  
When I clicked, it asked me if I wanted to download a new program to speed up my PC.

Should I have not done that?
 
2013-06-05 04:27:26 PM  
Hasn't simple social engineering always been a more reliable means of gaining access to protected data?
 
2013-06-05 06:19:29 PM  
"soon"

heh
 
2013-06-05 06:44:07 PM  

kronicfeld: Hasn't simple social engineering always been a more reliable means of gaining access to protected data?


[image from imgs.xkcd.com]
 
2013-06-05 06:55:35 PM  
...This hasn't always been the case?

Hackers aren't necessarily all that skilled, they're just persistent and waiting for a system where someone has made a mistake.  I have always been under the impression that there were far more doors left unlocked and opened than broken down with a hammer.
 
2013-06-05 07:08:07 PM  

kronicfeld: Hasn't simple social engineering always been a more reliable means of gaining access to protected data?


It depends. It's hard to do social engineering from way over in China.
 
2013-06-05 07:14:26 PM  
I think "system glitches," if honestly described, would put stupidity in first place by a wide margin.
 
2013-06-05 07:29:15 PM  
Jesus, I'm tired of shiatty research standards in the IT industry.

Can you imagine a 227-sample survey (not evidence)-based "study" about "cancer risk" being presented as credible?

I work in the IT industry, and sometimes I feel like I'm surrounded by scientologists.
 
2013-06-05 07:35:27 PM  

Babwa Wawa: I work in the IT industry, and sometimes I feel like I'm surrounded by scientologists.


If you work for Earthlink, I have some bad news for you.
 
2013-06-05 08:26:29 PM  
Cybernetic: It depends. It's hard to do social engineering from way over in China.

Send an executable file that says "free boobies" and I guarantee you that at least one id10t will open it.

// trojans basically rely on social engineering (to a degree) by tricking someone to install something.
 
2013-06-05 08:46:27 PM  
You mean we have to update our computer's OS more than once every year?
 
2013-06-05 09:30:21 PM  

Babwa Wawa: Jesus, I'm tired of shiatty research standards in the IT industry.

Can you imagine a 227-sample survey (not evidence)-based "study" about "cancer risk" being presented as credible?

I work in the IT industry, and sometimes I feel like I'm surrounded by scientologists.


This.  All IT industry research rests upon the I Ching.

Google Glass is barely a real thing.  The iWatch isn't a real thing.  Put them together and wearable tech is going to grow faster than the PC and mobile industries did.  And that BS is from "reputable" sources like Mary Meeker and Credit Suisse!
 
2013-06-05 09:54:50 PM  
Hanlon's Razor.
Always.
 
2013-06-05 10:02:14 PM  

lordargent: Cybernetic: It depends. It's hard to do social engineering from way over in China.

Send an executable file that says "free boobies" and I guarantee you that at least one id10t will open it.

// trojans basically rely on social engineering (to a degree) by tricking someone to install something.


I guess you're right; I tend to assume that social engineering techniques require at least some physical proximity to the target or its employees.

One of my favorite social engineering stories involves a pen-tester who would scatter a few trojan-infected USB drives in the parking lot of the client company early in the morning. Someone shows up for work, sees a USB drive on the ground, takes it in to the office, and (human nature being what it is) they would usually have full access to the client's network before lunch.

There was another one that involved posing as an electrician with a work order to install an "electricity usage monitor" that was really a disguised wireless access point. He stuck it to the wall, plugged it in to an outlet, ran a cable to a nearby ethernet jack (for "remote monitoring") and was out of there in less than 15 minutes with access to the network. IIRC, the client was a bank, and the security folks were NOT amused.
 
2013-06-05 10:16:12 PM  

Cybernetic: There was another one that involved posing as an electrician with a work order to install an "electricity usage monitor" that was really a disguised wireless access point. He stuck it to the wall, plugged it in to an outlet, ran a cable to a nearby ethernet jack (for "remote monitoring") and was out of there in less than 15 minutes with access to the network. IIRC, the client was a bank, and the security folks were NOT amused.


That's great, actually. It's why banks & other places need to do pen tests, and take all that shiat seriously. No matter how awesome you think your security is, someone will do something to fark it up.
 
2013-06-05 10:39:56 PM  
Ponemon's studies are garbage. The Verizon report is far superior and was also just released.

//published author on data security
///svp, sales for data loss prevention software company
////YES YOU SHOULD HAVE A CISO AND GIVE YOUR SECURITY DEPARTMENT A BUDGET
 
2013-06-05 10:43:26 PM  

legion_of_doo: Cybernetic: There was another one that involved posing as an electrician with a work order to install an "electricity usage monitor" that was really a disguised wireless access point. He stuck it to the wall, plugged it in to an outlet, ran a cable to a nearby ethernet jack (for "remote monitoring") and was out of there in less than 15 minutes with access to the network. IIRC, the client was a bank, and the security folks were NOT amused.

That's great, actually. It's why banks & other places need to do pen tests, and take all that shiat seriously. No matter how awesome you think your security is, someone will do something to fark it up.


Best part?

The employee isn't paid enough to care.

I had a claims adjudicator point out to me that she processes $1.6 million daily and is paid $14/hour - so who's going to be hurting worse if she gets fired for clicking a popup?

/she got fired
//then immediately got a job making $18/hr for a competitor
///took us over three months to replace her
 
2013-06-05 10:45:46 PM  

MrJesus: Ponemon's studies are garbage. The Verizon report is far superior and was also just released.


Got a link?
 
2013-06-05 10:52:45 PM  
Cybernetic: One of my favorite social engineering stories involves a pen-tester who would scatter a few trojan-infected USB drives in the parking lot of the client company early in the morning. Someone shows up for work, sees a USB drive on the ground, takes it in to the office, and (human nature being what it is) they would usually have full access to the client's network before lunch.

1) Acquire a list of names/addresses

2) Send a bunch of them free USB drives that they "won" in a contest.
 
2013-06-05 10:59:02 PM  
I read the headline as "negligees", but I believe that works also.
 
2013-06-05 11:00:04 PM  
Cybernetic: One of my favorite social engineering stories involves a pen-tester who would scatter a few trojan-infected USB drives in the parking lot of the client company early in the morning. Someone shows up for work, sees a USB drive on the ground, takes it in to the office, and (human nature being what it is) they would usually have full access to the client's network before lunch.

Even better, you can use one of those cheap shiatty ass USB drives that misreport their size (i.e., it's a 500 MB drive but it says it's 10 GB)

Who doesn't like a free 10GB USB Drive?
 
2013-06-05 11:03:16 PM  

Cybernetic: MrJesus: Ponemon's studies are garbage. The Verizon report is far superior and was also just released.

Got a link?


Sure do:

http://www.verizonenterprise.com/DBIR/2013/

I have a spreadsheet of the important takeaways I can paste here if you'd like (our CPO did a whole writeup for me).
 
2013-06-05 11:04:36 PM  

lordargent: Cybernetic: One of my favorite social engineering stories involves a pen-tester who would scatter a few trojan-infected USB drives in the parking lot of the client company early in the morning. Someone shows up for work, sees a USB drive on the ground, takes it in to the office, and (human nature being what it is) they would usually have full access to the client's network before lunch.

1) Acquire a list of names/addresses

2) Send a bunch of them free USB drives that they "won" in a contest.


This old trick could be adapted to the new iPhone charger injection hack pretty quickly.
 
2013-06-05 11:15:03 PM  
MrJesus: This old trick could be adapted to the new iPhone charger injection hack pretty quickly.

Or even other ports

"Here's your free dock connector adapter courtesy of Apple".

// Print some BS on a shiny sheet of paper about how "we here at apple understand your frustration" etc etc.
 
2013-06-05 11:31:31 PM  

MrJesus: Cybernetic: MrJesus: Ponemon's studies are garbage. The Verizon report is far superior and was also just released.

Got a link?

Sure do:

http://www.verizonenterprise.com/DBIR/2013/

I have a spreadsheet of the important takeaways I can paste here if you'd like (our CPO did a whole writeup for me).


Sure. God only knows when I'll have time to read the entire Verizon report.
 
2013-06-05 11:33:08 PM  
Can someone help me out?

My favorite story of this type involves a competition.  The competitor has something like 2 weeks to research a company.  After that time, they get put into a room with a phone and a computer with speakers projecting everything from the room out to a live audience.  The competitor has to then get a certain number of "flags" from the company (unrelated pieces of information that could be put together for an attack such as custodian's maintenance schedule along with information about their database encryption vendor) as fast as they can.  The story ends with a guy yelling "The flag, the flag!!!" in a French accent.
 
2013-06-05 11:35:41 PM  
Cybernetic: Sure. God only knows when I'll have time to read the entire Verizon report.

It's 62 pages, I'll just send it to my work kindle.
 
2013-06-05 11:47:21 PM  
Good work, team! It was a tough challenge, and a lot of people thought we couldn't do it. But I never doubted for a minute that our stupidity outweighed our maliciousness. WOOOOOO HUMANITY!
 
2013-06-05 11:47:40 PM  
[image from i.imgur.com]
 
2013-06-06 12:31:57 AM  
Explaining Social Engineering to a group of users must be really interesting.
 
2013-06-06 12:47:35 AM  

Cybernetic: MrJesus: Cybernetic: MrJesus: Ponemon's studies are garbage. The Verizon report is far superior and was also just released.

Got a link?

Sure do:

http://www.verizonenterprise.com/DBIR/2013/

I have a spreadsheet of the important takeaways I can paste here if you'd like (our CPO did a whole writeup for me).

Sure. God only knows when I'll have time to read the entire Verizon report.


Sorry, there was hockey..

Two-thirds of breaches involved data stored or "at rest" on assets like databases and file servers. The other one-third was being processed when compromised.

Table 1: Targeted Assets: ATM, POS controller, POS terminal, Database, Desktop, Laptop/desktop, File server, Mail server, Directory server, Web application

Table 1: Desired Data: Payment cards, Credentials, Bank account info, Internal organization data, trade secrets, system info, Personal info.


Fig 36: Variety of compromised data
Payment (61%)
Credentials (31%)
Internal (24%)
Secrets (20%)
System (20%)
Personal (10%)
Unknown (6%)
Bank (6%)
Classified (<1%)
Medical (<1%)
Copyrighted (1%)
Other (<1%)


92% [of breaches are] perpetrated by outsiders.
The two big reasons for the dominance of external actors are their numerical advantage and greater attack scalability. An organization will always have more outsiders than insiders, and the Internet connects criminals to a virtually limitless host of potential victims.

[Of all studied breaches], 69% [were] discovered by external parties, [and] 69% took months or more to discover. (See Fig. 41)

Who are the victims? 37% of breaches affected financial organizations. 24% of breaches occurred in retail environments and restaurants. 20% of network intrusions involved manufacturing, transportation, and utilities. 20% of network intrusions hit information and professional services firms.  38% of breaches impacted larger organizations.

Fig 21: 63% of malware attacks export data. 55% of malware attacks capture stored data.
 
2013-06-06 03:07:19 AM  

kronicfeld: Hasn't simple social engineering always been a more reliable means of gaining access to protected data?


Done in 2.

/Free Kevin... for asking an operator for a password
 
2013-06-06 03:28:00 AM  

Duh!

 
2013-06-06 05:51:24 AM  
Human error and negligence may soon surpass malicious attacks as the leading cause of data breaches breeches.

/pet peeve
 
2013-06-06 06:18:16 AM  
...and people still occasionally suggest that BYOD is a reasonable thing to consider allowing, with a straight face.
 
2013-06-06 09:36:38 AM  
I seriously doubt that people are going to say we got pawned like newbies and had top-secret data stolen because "we didn't use an actual password or security phrase, but used "PASSWORD" as the password" or "our employees don't follow simple rules on information security like using anti-virus."  It's admitting that they're incompetent or their employees are idiots.
Most times, top secret information gets stolen because most people choose crappy passwords, don't use anti-virus, and fail to follow simple rules on information security.  They know better or should know better, but don't do anything at all.  And when they get cracked, it's "I didn't know!"
 
2013-06-06 10:11:56 AM  

Cybernetic: kronicfeld: Hasn't simple social engineering always been a more reliable means of gaining access to protected data?

It depends. It's hard to do social engineering from way over in China.


But Nigeria is close enough.  Last I checked there are more English speakers in China than people in Nigeria.  So, no, not so hard.  The majority of APT attacks come from China, so your statement is completely false.

Social engineering is not hard to do from anywhere, except beyond LEO.  And that's only hard because of the difficulty of getting out of earth's gravity well, not because the social engineering would be hard.
 
Displayed 37 of 37 comments
