a pleasant (paranoid) london afternoon

Didn't see these guys, though

Finding myself in London on a Saturday afternoon, I decided to take a walk into espionage history.

London Walks’ Spies and Spycatchers Walk is a interesting, educational and entertaining way to spend a Saturday afternoon.  The tour, which takes about 2 hours, includes a number of espionage landmarks, most of which are connected with the “Cambridge Five” case, in which the uppermost levels of British and American intelligence were penetrated by the Soviets (remember them?).   The tour also includes the Itsu Sushi shop where the Russian secret services used Polonium to poison ex-KGB/FSB officer Alexander Litvinenko in 2006.  We did not stop for a snack.  We also stopped at a number of buildings with espionage related pasts, including the location where the invasions of North Africa and Normandy were planned during World War II.  The tour ends up with a lesson on spy to spy communications and a look at at dead drops.

While being in the actual locations where secret history happened is pretty neat, the real draw for this tour is the green carnation wearing guide, Alan.  He really knows his material and is a wonderful story teller.

The tour starts at Piccadilly Circus on Saturday afternoons at 2:30 PM and costs a very reasonable 8 pounds.  London Walks offers a plethora of themed tours and day trips – I was so impressed with this one that I plan on doing another one (or maybe 2) today.

a pleasant (paranoid) london afternoon

why hack when you can just ask?

The good folks at www.social-engineer.org have recently released a report detailing the results of the social engineering “Capture the Flag” contest held this past summer at the Defcon 19 security conference. This report is a must read for security professionals.  (You have to register to download the report, but this is one of the rare times that it is worth giving up some personal info to gain access to a pdf)

The CTF contestants were given the task of collecting as many pieces of information (“flags”) as they could from one of 14 targeted companies, across multiple industry sectors. In phase one of the contest, contestants were given 2 weeks to conduct open source research on their quarry using the web, social media, Google and the like. Phase two of the contest took place at Defcon, where contestants made phone calls to their targets and tried to “social engineer” ( bamboozle) unsuspecting employees into revealing information which could help an attacker plot her nefarious strategy.

If you are responsible for security at your organization, you really need to read the full report; it is chock full of great information which you can use to enhance the critical human element of your security programs.

Here are a few tidbits which stood out for me:

In all cases where the attacker asked an employee to visit a URL, the employee ended up doing so, even if they were resistant at first. The attacker could use this behavior in a number of ways. First, they would be able to query the system to determine what versions of software are installed to inform later attacks. They could direct the employee to a “drive by download” site which attempts to exploit vulnerabilities to install malware on the system. They could get an idea of what type of web filtering was in place – if the company did not block access to social media sites, these might be used to leverage later attacks. And if the attacker was smart and persuasive, she could get the employee to download and run software on their system.

Much of the information sought by the attackers could be gathered without contacting the target company.   Information which was freely available on the web, or mistakenly made available through defects in policy or system configuration was a treasure trove for contestants. Here are some of the prizes found during the open source research phase:

  • Employee personal blogs with corporate information posted to them
  • Employee resumes which listed technical or organizational information of use than attacker
  • Photographs which depicted employee badge designs, names of vendors, access control and CCTV systems in use, other technology in use, or layouts of facilities, amongst others.
  • Some organizations even had employee lists, with titles, email addresses and phone numbers available on the web – these are pure gold for the Social Engineer.

None of the organizations seemed to have provided employees with a script for dealing with callers asking strange questions.   In the absence of instructions, many employees fell back on their customer service training and innate desire to “help” and played in to the hands of the attacker.   A simple “let me get my manager on the line” script could have stopped many of these attacks.

There is a lot more great information in this report… Read it and share it with your external facing employees today.

Are you still reading my blathering? Get reading!

why hack when you can just ask?