Archive for March, 2009

Fear Rules Us Still

Thursday, March 12th, 2009

A cop comes to your house. “We need you downtown, now.” And you’re expected to drop everything… even though you have no legal obligation to do so. Authority says to comply.
“Yes, you can afford this mortgage… and we can always refinance in a couple of years…” Expert authority spoke, and too damned many people listened. (Someone – a lot of someones – need to go to jail for that one.)

Too many people are conditioned to react to authority by cowering to demands, even if they border on or exceed the ridiculous.
“RESPOND TO THIS EMAIL OR YOUR PAYPAL ACCOUNT WILL BE CLOSED.”

“IF YOU DON’T ANSWER THIS RIGHT AWAY YOUR BANK ACCOUNT WILL BE SEIZED.”

The sheep or lemming mentality – whatever you call it – is responsible for the astounding finding that 23% of corporate workers will fall for spear phishing attacks. So I, as the bad guy, target “YourBank.Com” with 20,000 workers. Statistically, 4,600 of them will fall for my scam.

They might provide personal data; they might respond to the e-mail or click through to the hostile web site.

Worse, they will <Click> on some unknown “REPLY URGENTLY” link and download and install a hunk of nasty software that becomes the beachhead for a massive data breach.

The Intrepidus Group’s study showed a few things quite clearly:

  • Intimidation and authority in e-mails work. A 23% positive response rate is insanely unacceptable.
  • Current corporate user training is not effective.
  • Companies are not running penetration tests against people, just against technology. Stupid, stupid, stupid.
  • People are sheep, and we give them incredible access to information and technology when they are not skilled enough to use it.

What to do?
I’ve done social (human) penetration testing in many forms. I have also gotten my clients to agree to fire at least 10% of the people who fail. Extreme? Yes. Effective? You bet.

Learn How to Phish and Scam

Tuesday, March 10th, 2009

I am a phisher and scammer.
I had put up a couple of my laptops for sale on my local Craigslist. Sold ‘em that PM.

I soon received a couple of “I want to buy” messages from a couple of guys in Nigeria. They offered more than I asked, to include shipping to Sub-Saharan Africa. They wanted my PayPal account, which is fine, ’cause it’s just an e-mail address.

Then I got these emails from ‘PayPal’, sent to an address I do not use with PayPal itself, saying “It’s paid” and “Ship Now”, so I am having gobs of fun winding these ***holes up. They are threatening legal action from PayPal, and acting all tough. The cool part is that I am able to document it all. I’ll post it when I get through this game and you can distribute it to your users and family noobs to help buy them a clue.

This is fun!
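The shouted “RESPOND TO THIS EMAIL OR YOUR PAYPAL ACCOUNT WILL BE CLOSED” style from the post above and the fake ‘PayPal’ “It’s paid” / “Ship Now” notices in this one share a few tells a user (or a mail filter) can check for. Here is an added example of that triage in Python; it is my illustration, not code from the original post, and the registered seller address, the legitimate-domain set and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed for this example: the address the seller really registered with
# PayPal, and the only domain a genuine notice should come from.
REGISTERED_PAYPAL_ADDRESS = "seller@example.com"
LEGIT_SENDER_DOMAINS = {"paypal.com"}

# Intimidation and urgency cues of the kind quoted in these posts.
URGENCY_PATTERNS = [
    r"\bship (now|immediately)\b", r"\bright away\b", r"\burgent(ly)?\b",
    r"\baccount will be (closed|seized|suspended)\b", r"\blegal action\b",
]
SHOUTING = re.compile(r"\b[A-Z]{3,}(?:\s+[A-Z']{2,}){4,}")  # five or more all-caps words in a row

def score_payment_notice(raw_email: str) -> dict:
    """Heuristic triage of a 'payment received' e-mail. The real check is the
    PayPal account itself (log in and look for the payment), never the e-mail."""
    msg = message_from_string(raw_email)
    display_name, sender = parseaddr(msg.get("From", ""))
    _, recipient = parseaddr(msg.get("To", ""))
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}"
    flags = []
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    # Display name says PayPal, but the mailbox lives somewhere else entirely.
    if "paypal" in display_name.lower() and sender_domain not in LEGIT_SENDER_DOMAINS:
        flags.append("sender_domain_mismatch")
    # A genuine notice goes to the address on the account, not one the scammer scraped.
    if recipient.lower() != REGISTERED_PAYPAL_ADDRESS:
        flags.append("recipient_not_registered_address")
    if any(re.search(p, text, re.IGNORECASE) for p in URGENCY_PATTERNS):
        flags.append("urgency_or_threat_language")
    if SHOUTING.search(text):
        flags.append("all_caps_demand")
    return {"flags": flags, "suspicious": len(flags) >= 2}

# Constructed samples: one modelled on the scam in the post, one benign.
SCAM_NOTICE = (
    "From: PayPal Service <service@paypal-verify.example.net>\n"
    "To: other@example.org\nSubject: IT'S PAID - SHIP NOW\n\n"
    "YOUR BUYER HAS PAID. SHIP NOW OR LEGAL ACTION WILL FOLLOW.\n"
)
GENUINE_NOTICE = (
    "From: PayPal <service@paypal.com>\nTo: seller@example.com\n"
    "Subject: You received a payment\n\n"
    "You received a payment of 450.00 USD. Details are in your account activity.\n"
)
```

Run `score_payment_notice(SCAM_NOTICE)` and it raises all four flags; the genuine notice raises none.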

Users Are Too Nice

Sunday, March 1st, 2009

I really like being un-PC. It is a self-protection mechanism, and besides, after 25 years of security and infowar, I have a right to be somewhat paranoid.
Cisco says there are 4 classic user mistakes. I beg to differ. They say:

  • Tailgating, or letting people into offices or past security ID card checks, is rampant. Screw polite. “Yo, dude. I am paranoid. I’m gonna shut the door in your face and you can use your own badge to get in.” (OK, that’s after a few drinks, or when I am losing a football bet, but point made. Be polite if you have to.)
  • Wireless access points being installed by users. I mean, WTF, mate? C’mon already. This occurs because companies don’t offer a DMZ or a safe route to the Internet for visitors. Simple answer: install your own wireless network, provide employees with the WPA key and be done with it. Anyone who sets up a wireless network without security or IT approval should be forced to eat nothing but beets and rutabaga for a month.
  • Sharing private company data with unauthorized people is the result of poor training… and, I daresay, the feeble-minded HR wonks and legal types who are afraid to actually enforce policy. Fire ‘em. Prosecute them.
  • Mishandling corporate data… like putting it on a USB stick or mobile PDA.

My list is a lot longer. Have you seen the irresponsible passwords allowed to pass muster in many companies? How about letting Microsoft Office documents leave a company in native format, not sanitized? Adobe was made for a reason.
I could go on… and I am sure Cisco and I would agree on a lot more problems… I just hated seeing the list limited to four.