Archive for July 6th, 2016

Social Engineering – Hackers use of Four emotional tactics

Both technological and human defensives are necessary in preserving computer security. A company can have a level of security like Fort Knox, but if the user still clicks and opens the door, the bad guys may steal all the gold. This excellent article by Network World shares baiting tactics employed that cause users to compromise security.  I would also add “Curiosity” as a 5th common attack theme, where false news articles are used to get users to click on an infected item.

While technological know-how certainly plays a large role in enabling attackers to hack any given system, corporation or individual, what often is overlooked is that some tricks of the trade, like social engineering, are also psychological games. That means that protecting and defending against these kinds of attacks is, in turn, part mental as well.

It’s important for IT professionals to understand the ways in which social engineers take advantage of human emotion in order to carry out their attacks. Let’s examine the four human emotions and behaviors hackers most commonly exploit as part of a social engineering campaign, the distinct campaign characteristics for each manipulated emotion, and some key considerations for better positioning your employees and your organization against falling prey to these types of attacks in the future.

1. Fear — Defined as an unpleasant emotion caused by the belief that someone or something is dangerous, likely to cause pain or a threat.  As one of our most powerful motivators, fear is arguably the most commonly manipulated emotion when it comes to social engineering campaigns. These attacks can come in the form of a phony email that your online bank account has been compromised.  It forces users to act quickly to avoid or rectify a dangerous or painful situation.

2. Obedience — Defined as complying with an order, request or law or submission to another’s authority. Social engineering scams that prey on obedience are often disguised as an email, instant message or even a phone call or voicemail from a person or group of superior authority, such as law enforcement or an executive at one’s company.

3. Greed — Defined as an intense and selfish desire for something, especially wealth or power. In the case of greed-exploitative campaigns, these routinely offer a reward – usually monetary – for performing a specific action.

4. Helpfulness — Defined as a willingness to help other people. These campaigns are often targeted at customer support or customer service departments, as attackers are betting these employees’ propensity to lend a hand and keep people happy will encourage them to divulge or accept more information than they should.

It’s not only important that IT and security leaders understand hackers’ evolving tactics, but that they also continuously adjust policies and share their knowledge by educating their colleagues and training them to be vigilant against nefarious activity. For example, employees need to be taught to take a step back when they receive, say, a suspicious email or instant message and consider the emotion the vehicle for an attack is eliciting and how that might help indicate foul play. While it may be obvious to you as an IT professional that an unexpected email that provokes an urgent emotional or behavioral response – such as fear, obedience, greed or helpfulness – is an automatic red flag, the average employee likely does not.

Windows 10 – Anniversary Update 1607 in-depth review by ZDNET

On August 2, 2016, this ZDNET article shares what to anticipate from WIN10 Anniversary update

The unconventional evolution of Windows 10 continues with the upcoming release of the Anniversary Update, version 1607. It’s not just a service pack. Microsoft wants you to think of Windows 10 as a service, where new features arrive as they’re ready, and where regular updates are themselves a feature.

On July 29, Windows 10 celebrates the first anniversary of its release. Four days later, on August 2, a new upgrade will begin rolling out to the 350 million or so devices already running Windows 10.  The Anniversary Update is, technically, version 1607, and it is far more than a service pack. In this post and the accompanying gallery, I offer a preview of what you can expect from this major update, based on near-final preview releases.

1. Upgrading — A bigger change is the way that Windows 10 version 1607 handles those monthly cumulative updates. This release still offers no way to defer those updates automatically (short of using Windows Update for Business Group Policy settings), but you can at least define an Active Hours period of up to 12 hours per day during which you normally use the PC.

2. Control panel migration – Since the release of Windows 8 nearly four years ago, Microsoft has been methodically moving user controls from the old Control Panel to the new Settings app. With version 1607, that work takes a major step forward. Several major groups of options, including networking, have now moved almost entirely to the new Settings app, and the new iconography, replacing the generic gear icons used in previous versions, adds to the sense that this version of Settings is a major update.

3. Cortana — with the changes in version 1607 I find myself calling on her services more often, as a calculator, a translator, a bringer of sports scores and search results, and a package tracker. This is definitely not Siri, but it’s also not exactly Google Now. Microsoft has created something unique with Cortana.  And if you don’t like the idea of an intelligent personal assistant sitting on the Start menu, you can just say no. Cortana is still an opt-in feature, one that can be completely disabled (so that it works as a search box only) and even hidden from the taskbar completely.

4. Edge Browser — The new default browser for Windows 10, Microsoft Edge has been playing catch-up ever since. The big news for version 1607, of course, is the arrival, at long last, of extensions. After a rocky start, the limited selection of preview releases seems to be working well. The LastPass password manager, which was the number-one request from many of my correspondents, does its job as expected, and the two Adblock extensions have the same strengths and weaknesses as on other platforms.  In current builds, Edge has been fast and smooth. In fact, it appears that Microsoft’s goal with Edge is to make a browser that is essentially a clone of Google’s Chrome.

5. Windows Ink — Microsoft has been delivering support for digital pens and the ink datatype since the dawn of the Tablet PC in 2002. Those designs never took off. Version 1607 tries to reboot that feature with the introduction of the Windows Ink platform.  With its Surface Pro and Surface Book lines, both equipped with pens as standard equipment, Microsoft remains firmly committed to the idea of the pen as a first-class input device. Whether that vision becomes a reality is still very much an open question