Why Infosec Pros are Embracing Social Engineering

In This Issue:

  • It's getting less okay for your phone to track you
  • Infosec mind games
  • Matrix: a monopoly-killer?
  • Non-Hollywood sequels

It's Getting Less OK for Your Phone to Track You

This is partly due to the GDPR, which rules that privacy invasion can result in a financial penalty: La Liga fined €250,000 after Android app spied on football fans. While the GDPR doesn't (quite) apply to everyone, many enterprises are future-proofing themselves through compliance anyway. This is the Brussels Effect in action.
 
There is also a growing user awareness of privacy issues, fed by recent articles like this one: A day in the life of your smartphone... tracking you. Or this New York Times article, which (while older) was both comprehensive and influential: Your Apps Know Where You Were Last Night, and They’re Not Keeping It Secret. The past year’s worth of headlines about the misuse of data collected by social media apps has also had an effect.
 
At least one tech giant is betting that privacy is now a selling feature (we're not counting Facebook): iOS 13 will map the apps that are tracking you. It will be interesting to see if anyone else follows suit.

Countermeasure:

Organizations—especially large ones—have a great deal of power to influence vendors. If your organization doesn't have a privacy policy regarding IT purchases, now is the time to look into one. As the pendulum shifts toward recognizing the importance of privacy around the world, organizations that haven’t paid any attention to this issue risk being left behind by privacy legislation, and stuck facing rapid transitions to IT products and services that actually focus on user privacy.

Read More >

Infosec Mind Games

Cognitive Bias Can Hamper Security Decisions. It would be lovely if humans made decisions by considering evidence and using logic. Anyone who works in IT can tell you that this is not what usually happens. Humans are emotional, and this affects decisions and behavior. This can be a significant obstacle if you’re trying to get people to adopt a reasonable security policy.
 
From the article above: 'Security pros cannot "cure" biases, says Cunningham, just as they can't cure people making mistakes. "What we can do is become better acquainted with the types of decisions, or decision points that are frequently and predictably impacted by bias," she explains.'
 
Here’s another recent application of psychology to infosec: SHB 2019 – Liveblog. This liveblog features short summaries of the various presentations at Harvard University's 12th workshop on Security and Human Behavior.

Countermeasure:

Learn what you can about how people think, how they make decisions, and how they put those decisions into action—or fail to do so. The articles referenced here are a good start, and there’s more information in our resource of the week, below. Security is at least as much about persuasion, manipulation, and mind games as it is about firewalls and security information and event management (SIEM) applications. Embrace social engineering.

Read More >

Matrix.org: a Monopoly Killer?

Introducing Matrix 1.0 and the Matrix.org Foundation. This is a young but potentially game-changing piece of technology. As described in the FAQ, "Matrix is an open standard for interoperable, decentralised, real-time communication over IP."
 
Sounds about as exciting as an interminable conference call, right? But here's the plain English version: "Matrix’s initial goal is to fix the problem of fragmented IP communications: letting users message and call each other without having to care what app the other user is on - making it as easy as sending an email."
 
This could transform business communications. Imagine not needing to use (for example) Skype to call someone else's Skype account. In The Countermeasure offices, at least, there would be great rejoicing.
 
Matrix.org could also have a significant effect on the security and privacy landscape. If communications providers no longer had a guaranteed captive audience, they would also have less leeway for collecting massive amounts of user data, creepily tracking users, and practicing sloppy security.
 

Countermeasure:

Matrix.org isn't a threat; it's an opportunity. When your communications infrastructure comes due for a refresh, ask pointed questions of your vendor about their support for this standard. Competition is good.

Read More >

Non-Hollywood Sequels

BlueKeep III: Return of the… Apathy?
 
The Countermeasure —and the rest of the infosec world—is still talking about BlueKeep, because more than a million people still haven't patched it, despite its apocalyptic level of severity. BlueKeep – everyone agrees, you should patch PCs running legacy versions of Windows.
 
Why aren't people doing this? The vulnerability is severe and widespread, and researchers have already found at least one way to exploit it. If you only do one thing this month to dramatically improve your security, patching this flaw should be that thing.
 
This report suggests people may be dragging their feet because they’ve become desensitized to repeated "stern warnings" and scare tactics: Avast Business report may help explain why users are resisting Microsoft’s BlueKeep patch. Or, to translate that into a pop culture reference: maybe after the umpteenth time someone got disemboweled, castrated, tortured, or burned to death, you stopped noticing how violent Game of Thrones was.
 
To avoid the BlueKeep warning being shrugged off, the report recommends "explaining the issue patiently, noting the user’s ability to make a difference, and creating greater awareness and shared responsibility" as alternatives to the usual this time it's serious messaging.

Losing Face(s)
 
More information is available about that Perceptics breach we mentioned last week: Feds lose control of thousands of traveler photos in data breach. We've already talked about this story in the context of how to report a breach (or how not to.) This incident should also serve as a reminder to secure your supply chain: Suppliers Spotlighted After Breach of Border Agency Subcontractor. Your awesome security won't help you if a third-party contractor loses your sensitive data.
 
Something else to take away from this story is how attitudes to privacy are shifting. Breaches like this are only adding to people's growing uneasiness with facial recognition technology. Large organizations are starting to take notice: You're responsible for getting permission from subjects if you want to use Windows Photos' facial recog feature.
 

Countermeasure:

BlueKeep Sequel: PATCH. WINDOWS. NOW!!!

Losing Face(s) Sequel: If you currently use facial recognition, you may want to do a risk/reward analysis, because people increasingly see the use of this tech as creepy and intrusive. Whether you use facial recognition or not, think about the security (or lack thereof) of your suppliers and contractors. Does anyone outside your organization handle your sensitive data? If so, what measures are they taking to protect it?
 

Read More >

Thread of the Week

Airbags are basically a small bomb with a bag to catch the explosion. When the car is scrapped, the bomb has to be deactivated. So airbag ECUs accept a command over the diagnostic connector to end-of-life detonate it.
 
(You can see where I'm going with this, can't you?) – Ken Tindell (@kentindell)
 
Hint: Cars are IoT devices. There, now you have fodder for nightmares, or your unwritten thriller novel. You're welcome.

Resource of the Week

Psychology and Security Resource Page. If you want to develop Jedi mind tricks to convince people that cybersecurity matters, this might be a place to start.

Infosec Humor

Netcat sliding through a hole in the firewall... – Jake Williams (@MalwareJake)
 
(you have to see the picture)
 
So what is netcat? "netcat is a computer networking utility for reading from and writing to network connections using TCP or UDP. …Its list of features includes port scanning, transferring files, and port listening, and it can be used as a backdoor." – Wikipedia
 
Hmmm. Maybe if you run out of warfare analogies for cybersecurity, you could try doing user education with kitten pictures?

Quick Links

Get Your Copy.