This document discusses how media portrayals and lack of understanding of technology can negatively impact security. It begins with an introduction of the speaker and overview of what will be covered. It then distinguishes between training, which provides guidelines, and education, which explains why. The document argues that widespread misunderstanding of technology makes users easy targets for scammers and can generate fear. It provides examples of media stories that spread incomplete or misleading information. The document suggests this leads to overreaction by lawmakers and focus on enterprise security rather than helping home users. It concludes by offering suggestions for improving understanding, like sharing knowledge more widely and using common language.
BSidesPGH - Never Surrender - Reducing Social Engineering Risk (Rob Ragan)
The weakest link in the security chain is often between the keyboard and the chair. People are a problem. We have a natural instinct as humans to trust someone's word. Although various technical means have been developed to cope with security threats, human factors have been comparatively neglected.
Once you put a human in a security chain, you have a weakness. That problem should be addressed by security practitioners, not every member of an organization. Very few would disagree that social engineering is the most common and least challenging way to compromise an organization, but most accept the notion that there isn't much they can do about it. False!
This talk will focus on the psychological, technical, and physical involvement of social engineering, and also look at how we can remove the human element of the human problem. We will explore what organizations are doing wrong, also the processes and technical controls that can be put in place to achieve a strong social engineering defense.
We'll template a solution that can be customized. What will really help? What is the truth? What if we don't want to surrender our organization to social engineers?
Presentation by Haroon Meer at IDC in 2006.
The presentation begins with a discussion on Google hacking. There is a brief discussion on kernel rootkits. The presentation ends with a discussion on web application hacking.
Companies are generally very good at protecting themselves against external attacks, but only rarely do they guard themselves against internal attacks. By using what’s known as ‘Social Engineering’, hackers exploit unsuspecting people who in good faith open up their doors to unwanted strangers.
Social engineering, or SE, is the art of manipulating people into performing actions or giving up confidential information. Social engineering can mean different things to different people.
Social Engineering - Human aspects of grey and black competitive intelligence. What is social engineering? How it is used in the context of competitive intelligence and industrial espionage? How to recognize HUMINT / social engineering attacks? Which governments are known to use it?
Social Engineering - Strategy, Tactics, & Case Studies (Praetorian)
For many organizations, the human element is often the most overlooked attack vector. Ironically, people are typically one of the easiest vulnerabilities to exploit and an attacker needs little more than a smile or email to completely compromise a company. With targeted attacks on the rise, organizations must understand the risk of social engineering based attacks. The purpose of this presentation is to examine common physical, phone, and Internet based attacks. Real world case studies are included and recommendations are provided that will help mitigate this growing threat.
Praetorian's goal is to help our clients understand and minimize their overall security exposure and liability. Through our services, your organization can obtain an accurate, independent security assessment.
An introductory session about social engineering presented at ICT Nuggets Forum - Khartoum, organized by the Duko team. We talked about what social engineering is, the terms related to it, and how attacks can be carried out. We also told a lot of stories about successful social engineering attacks and how much damage they did. Finally we talked about how to protect yourself and your company from social engineering attacks.
Social engineering is a kind of advanced persistent threat (APT) that gains private and sensitive information through social networks or other types of communication.
Social Engineering: the Bad, Better, and Best Incident Response Plans (Rob Ragan)
One of today's most challenging security issues is social engineering defense. Despite evidence proving the impact of a social engineering attack, we often see inadequate incident response plans in place. In this talk, we will share our experiences about what organizations are doing when (or, more commonly, if) they detect an attack, steps to strengthen the social engineering defensive strategy, and what best practices to enforce for the strongest possible security posture.
Currently, the market has a wide range of systems, products and services focused on computer security: antivirus, antispyware, firewalls, IPS, WAF, SIEM systems, etc.
All these measures are indispensable and have become a priority for any company or organization seeking to secure its assets, but social engineering has the advantage of using techniques that exploit the vulnerabilities inherent in human beings and, as is well known, there is no patch or upgrade that provides effective protection against such attacks.
People are normally “the weak link in the chain”.
Social Engineering - Human aspects of industrial and economic espionage (Marin Ivezic)
Social engineering is not just a supporting process to obtain system access; it could be the main attack. Organizations that focus only on a narrow definition of social engineering as an attack vector to obtain system access will fail to create awareness of all other possible social engineering attack methods.
Major security intrusions at businesses large and small, private and government, indicate that the Internet is far less secure than most realize. After reading this, you may want to reconsider how secure your private data and information really are.
User Awareness Measurement Through Social Engineering (ijmvsc)
TUBITAK National Research Institute of Electronics and Cryptology (UEKAE) Department of Information Systems Security conducts social engineering attacks against Turkish public agencies within the frame of “Information Security Tests” [19]. This paper analyzes the social engineering tests that have been carried out in several Turkish public agencies. The tests include the social engineer phoning sample employees and trying to obtain employees’ sensitive information by exploiting their good faith. The aim of this research is to show that employees in Turkish public agencies lack information security awareness and compromise the information security principles which should necessarily be applied in any public agency. Social engineering, both with its low cost and its ability to take advantage of low technology, has taken its place in the information security literature as a very effective form of attack [8].
Presentation of Social Engineering - The Art of Human Hacking (msaksida)
Nowadays if you want to hack a corporation or damage a personal "enemy" fast, Social Engineering techniques work every time and more often than not it works the first time. Within the presentation you will be able to learn what social engineering is, types of social engineering and related threats.
Presentation to young people at Highland Youth Voice Conference 2009. The slideshow included discussion breakouts, and the video clip of Joe can be found here. We also had guests from Sardinia.
http://www.digizen.org/cyberbullying/film.aspx
Social Networking Security For OCRI - Scott Wright - Condensed July 9, 2009 (Scott Wright)
This keynote was presented by Scott Wright on June 19, 2009 to the Ottawa Centre for Research and Innovation. It provides a quick view of some of the major risks from using Social Networking Tools, and some tips for how to reduce those risks through security awareness.
The presentation I created for students, as a Teach for India volunteer, to make them aware of day-to-day cyberattacks and how to be more cautious in dealing with them.
An Introduction To IT Security And Privacy for Librarians and Libraries (Blake Carver)
An hour-long presentation I gave for LYRASIS. It introduces many topics in security and privacy on the internet and computers and any other type of device with an IP address: IoT (Internet of Things), browsers, portable devices and more.
Since Kevin Mitnick coined the phrase in 2002, the cybersecurity industry has been awash with the phrase 'the human factor is the weakest link’. From vendors to researchers, engineers, hackers, and journalists, we are all fond of blaming the ‘dumb users’. In this talk I argue that when we say that the ‘human being is the weakest link in cybersecurity’, not only are we telling a lie, we are inevitably setting ourselves up for a fall.
Social Engineering CSO Survival Guide, designing leading edge 21st Century Business Models go to www.esgjrconsultinginc.com to learn more about Software/Network Engineering Solutions.
Delves into the untapped potential of reverse psychology in overturning social engineering tactics. It highlights the effectiveness of using reverse psychology as a proactive defense mechanism to thwart attempts at manipulation and deception.
Everything Attorneys Need to Know About Web Based Technology (Amy Larrimore)
Presented in original form for CLE credits with accompanying handouts, this presentation covers everything attorneys need to understand in order to work and practice in the world of web based technology. I cover where the risks are, and aren't, and how a "digital" practice is different from what you've always known. The risks are in a different place and the practice of contract law is flipped on its head. The IT department and the business unit can't help you to the level you're relying upon them, and you might be doing a disservice by not helping them to the level that you can. The presentation includes references to case law, statutes, applicable regulations and other useful goodies.
2. A Bit About Me…
Christopher Maddalena
@cmaddalena
» B.S. in Information Security and Intelligence from FSU
» 10 years in IT
» ~8 of that managing helpdesk-type services
3. What’s on Deck
» How the users understand technology
» How this is influenced by the media and our daily lives
» How this impacts the users and the security field
» A look at a few recent examples of this impact
4. Training vs. Education
These are different
Training: Intended to raise awareness and provide guidelines/advice
Education: Just like training, but it takes longer because it explains WHY
5. Why is this Relevant?
“Computers, and computing, are broken.”
-Quinn Norton
Everything is Broken
6. Ease of Use & Motivation
It’s the touchscreens, constant connectivity, and social media
7. The Downside
A lack of understanding…
» Makes them easy targets for scammers
» May recklessly expose their PII
» Puts them at risk when a device is lost
» Has the potential to generate fear
8. Counter-programming
Snowden Used Low-Cost Tool to Best N.S.A.
A Q&A with the hackers who say they helped break into Sony’s network
Entertainment & News
Meet The Hackers Who Sell Spies The Tools To Crack Your PC (And Get Paid Six-Figure Fees)
9. Warped Touchstones & Facts
» Touchstones should…
» Aid in communication
» Carry meaning
» Complete a picture
» Counter-programming that is…
» Aiding in miscommunication
» Spreading fear
» Offering an incomplete picture
Malware is always red, so you can find it
10. But It’s Not Just The Media
Thanks for the FUD, Spotify
11. What’s a Hack, Anyway?
[Slide graphic: “Hack, a brief history.” Labels on the timeline: someone hired for routine work; “going prostitute,” a lame nag, cabbies; insults (a hack; hackney); a prankster and/or tinkerer.]
12. If it’s on a patch…
“If the word is on a patch on somebody’s shoulder, we’ve probably lost.”
-Alex Stamos, Yahoo! CISO
13. We’ve thought like this for a while…
“What word describes someone who breaks into computers? Old style software wizards are proud to be called hackers, and resent the scofflaws who have appropriated the word…
“We’ll always find a few dodos poking around our data. I’m worried about how hackers poison the trust that’s built our networks… a few morons can spoil everything.”
—Clifford Stoll, Cuckoo’s Egg
16. Righteous Hacks
Sony Motion Pictures, an actual breach
CSMonitor gives additional publicity to LS
Sony Online Entertainment, a DDoS
Vox gives additional publicity to LS
18. Cause and Effect
Users become afraid of “hackers” and those like them without understanding infosec
Lawmakers are put under pressure to crush “hacking”
Elected officials want to appear to be doing something
The media and corporate training focuses on enterprise security...
Users don’t recognize this affects them at home
21. Oh Snap!
“… Snapchatters were victimized by their use of third-party apps to send and receive Snaps, a practice that we expressly prohibit in our Terms of Use precisely because they compromise our users’ security…”
—From Snapchat’s official statement
23. Hiding in Plain Sight
» Central Virginia’s encounter with “self-production”
» An incredible misunderstanding of technology
» The headlines went a different direction:
Teen ‘Sexting’ Ring Discovered on Instagram
Police Bust Virginia Sexting Ring Involving 100 Teens
Police Uncover Teen Sexting Ring
24. F- is for Felony
Idaho teen paid a DDoS-for-hire service to DDoS his school to avoid taking a test
Will probably be expelled
Facing felony charges
But at least he was targeting the school with just a DDoS
‘Swatting’ incident puts Clinton Twp. school on lockdown
Video Game ‘SWATter’ Faces Five Years in Prison
25. What To Do?
When you find some good information, share it!
» That’s what the bad guys do
» Share videos and articles, your own knowledge, and/or ideas
Release the knowledge from the echo-chamber
» Collaborate with others to create learning opportunities
» Branch out — Go to developer conferences, speak to other departments
» Talk to other departments, coworkers, and your peers
Use language to gain an advantage, find common ground
» Pay attention to the language of the users, like “cyber”
» Be mindful of jargon — Don’t oversimplify, but don’t water it down
For those of you who don’t know me, my name is Chris Maddalena
You can find me on Twitter and IRC as @cmaddalena
I hold a B.S. in Information Security and Intelligence from FSU
I have 10 years in IT
For most of that, I’ve been involved with help desk/tech support for clients, customers, and coworkers
When you do that sort of work, you get a good idea how the general public understands technology
And that’s what I want to discuss:
How their understanding is different than ours
How it is influenced by the media they consume,
and how that impacts the security field and our laws.
We’ll discuss some recent real world examples near the end.
Users receive training from multiple sources: their employer, social interactions, the media
Training hopes to raise awareness, but it lacks a key ingredient: WHY, WHY any of it is important and WHY it’s relevant to them
Education goes a step farther and explains WHY
We have something interfering with the ability for trainees to learn and become educated, the media they consume that warps their touchstones and leads to a hazy picture.
We’ll come back to that
Why is it relevant?
Our topic affects everyone, especially younger generations, teenagers who are just getting into technology
To quote Quinn Norton, technology is broken
Everything we’ve built was built upon fundamental tech that in many cases is being stretched well beyond what it was initially designed for. Think of email.
We need to teach with that in mind, use it as a jumping off point. It’s crucial to understanding security.
If users remain uneducated, we’ll see worse and worse repercussions
Look at Metasploit licensing, CFAA, Wassenaar
It’ll get worse
Broken or not, we’re seeing wonderful new stuff becoming available to consumers
Easy to use technology and the motivation to use it
Douglas Engelbart called touchscreens “point and grunt” interfaces, but they’ve enabled users who struggled to use a PC to get out there and use the internet
Phones and tablets have opened up the internet like never before to people who used to have trouble doing much with a PC
Users live in less of a bubble, they feel comfortable enough to explore
The downside of this awesome change is the users don’t understand what they’re using. Devices are little black boxes of magic.
A lack of understanding makes the less savvy users easy marks
Phishing, malware, drive-by-downloads
Passwords are being created with touchscreens, small devices, and gamepads in mind
They don’t understand, so they’re reckless or they learn to fear tech
Misunderstood technology can be dangerous because it can lead to costly mistakes, but technology that is feared is terrible for everyone
It leads to blind, uneducated decisions and ideas
Something has to plant the seeds that grow into the fears, though
I call it counter-programming
It’s our education vs. the counter-programming, corporate training and friendly advice competing with whatever they read on Facebook and see on CSI:Cyber
Of course people know CSI isn’t REAL, but it creates a grey area
This leads to warped touchstones and facts, like I mentioned earlier
Our touchstones, like the word “hack,” should aid in communication. Touchstones do this by giving us a picture with just a word or phrase. They’re weighty; they carry meaning.
If I ask you, “Did you see that hack on the news?” You know I’m not trying to insult a news anchor. Your mind immediately jumps to our definition of “hack”.
The media, in all its forms, is taking our keywords and warping their meanings, but we’re stubbornly using them as if they still mean what we think they mean when we talk to users. This renders them largely ineffective when speaking to regular users.
We are using words to which the users are assigning a different meaning or idea. To them, Hackers are always bad people who should be stopped.
But let’s take a moment to acknowledge there’s a lot more of this out there NOT produced by the media and TV networks
Let’s take a closer look at the evolution of one of our most used words…
This is an abbreviated version of how one of our favorite touchstones has changed over the centuries
Words change with time… with use.
Once a word is introduced into our everyday lexicon, it starts to change.
There’s been a tug-of-war over the word ever since ’84
Early 13c
1300—Worker or horse for hire
1500—Prostitute
1700—Taxis
1800—First recorded use of hack as an insult, e.g. hack writer
1960—MIT students say they remember it used to refer to pranks
1976—Someone who enjoys programming for its own sake
1984—One who gains unauthorized access to computer records
Let’s consider everyone’s favorite keyword to hate, “cyber.”
We need keywords to be consistent if they are to work for communication
Funny enough, cyber is pretty stable, if perhaps overused and a bit too flexible in its meaning
Hack and cyber are words that mean something different to different groups
The InfoSec community embraces hacker as a word that has flavour and history
It’s positive
We refer to the riff raff as "hackers," but we say it knowing they aren’t “one of us.” They’re miscreants, criminals, or unskilled skiddies.
The community rejects cyber, more or less
With the media, it’s all flipped the other way.
The media uses hack as an all-purpose word for "attack that used a network and a PC"
It’s usually used negatively, and the hackers are bad guys who assisted with the attack
The media LOVES cyber
[Reference the slide]
We’ve thought like this for a long time
Consider these excerpts from the Cuckoo’s Egg by Clifford Stoll, circa 1989
So what is a hack today?
What we would call an "attack" is reported as a "hack" by the media
Hack has become a scary word that encompasses everything from…
DDoS, website defacement, and Twitter vandalism to large scale security breaches involving exfil
These are all events that are being reported as if they are on the same level as the big security breaches
WE know CENTCOM was NOT hacked; Twitter was, and even that’s a stretch.
Is knowing or guessing a password for a Twitter account really something we want to see reported as “hack”?
Attacks and vandalism are conflated with security breaches
When Sony Pictures Entertainment was compromised, that was a truly damaging security breach/failure
When Sony Online Entertainment and Microsoft were DDoSed, that was a service outage
Taking advantage of a problem in the internet's architecture vs. bypassing security measures
Ridiculous headlines are nothing new, but it’s killing our gains in user education
Look at these headlines: the first is a story about Sony Motion Pictures being hacked by Korea, or whatever, but the rest use the same language and refer to the DDoS
What I want to stress is it’s one thing for an editor to generate a click-bait headline, it’s another for the article to be full of bad information
Still, FUD articles aren’t new, but not many of them affect the reader on a personal level like bad info about security does.
But the journalists aren’t even educated well enough to see that. They’re end users, too.
Recently, a journalist I respect moved to writing for a website known for headlines like this. When asked if he was being forced to write outrageous headlines, he defended it, saying they strive to reveal the “emotional truth” of the article. That was profoundly disappointing to me because, in my mind, we want to avoid presenting emotional gut-reactions as the first thing a reader sees
Reference screenshot
The problem isn’t just sensationalist headlines. In fact, it’s kind of bad the articles exist AT ALL.
The media attention paid to groups like Lizard Squad worsens the confusion around the “hacks” and makes the groups appear legitimate
WaPo and BBC interviews with LS were the worst
This WaPo journalist was fooled and then presented this terrible interview
Statements like "[Sony] made a deal with a large DDoS protection company, Prolexic, after apparently deciding they stood no chance against us.”
Meanwhile, they aren't taken seriously by those who understand what they really did (e.g. Skiddie Squad, Loser Squad, etc.)
This doesn't matter while the average person is seeing them taken seriously by established institutions they understand and recognize
Lawmakers and politicians are under pressure to defend against "hacks"
This leads to things like politicians proposing harsher and broader anti-hacking laws, changes to the CFAA, etc.
Media representation of young adults as a scourge of corporations (and the winners in the fight) makes the situation seem dire
This scares/angers people
They want to see "the hackers" pay for their vandalism and mischief, but...
These hackers seem so elusive and numerous
It's unnerving to think kids with laptops are "beating" corporations and security professionals
Users are in danger at home, too. People still expect viruses from the 90’s—massive pop-ups and crazy problems. They don’t realize they might become part of a botnet, RATs might be used to spy on them, PII might be stolen
They think AV is a silver bullet… “Impossible, Norton is on here, so I’m good.”
Malware has evolved
Users assume they’re safe if they avoid porn and think their AV will protect them
They'll know if anything gets past it because their PC will be slow and they’ll see odd behavior, like pop-ups.
Now we have CryptoLocker 1, 2, and others
Users don’t even have to do anything unusual to get infected.
One competitor, CryptoWall, was recently discovered to be using an online ad network to infect via drive-by downloads and a Flash vulnerability. Users were infected just by being unlucky enough to visit The Huffington Post while the malicious ad was in rotation and before Adobe released an update.
Now TeslaCrypt and others are innovating.
This is the future
Designed with a working barcode, logo, and a color scheme. It offers one free file to prove you’re screwed.
TeslaCrypt is branching out. It’s a business that wants better ROI.
Targeting gamers by encrypting WoW, Steam, saves, etc. and seeking Dropbox folders, connected devices, shares, and other media
This is less of a technology issue than it is a public health issue
The users don’t get that malware has changed and can spread like a disease.
Black Box Services
Another hazard is users not understanding the internet and the services they use. Users aren’t wired to think like us. They’ll trust an appealing idea if it addresses a problem for them, like Snapchat.
Unfortunately, this lack of understanding allowed the Snappening to happen: the release of roughly 90,000 photos and 9,000 videos belonging to users of the third-party service SNAPSAVED.com, which stored the "disappearing" snaps its users sent through it.
Snapchat’s response was pretty cold. The blame was on the users.
The Demos
I mention Snapchat because this graphic is part of Snapchat’s pitch to advertisers, and relevant to the next example
Snapchat is used overwhelmingly by kids: 50% of users are 13-17 years old, and another 31% are just 18-24.
Regardless of what's being sent, what Snapchat promises, a self-destructing picture message, can't really be delivered. Once the bytes reach the recipient's device, that device decides what is kept: a screenshot, a modified client, or a third-party service like Snapsaved keeps a copy no matter what the app says. So the media isn't safe.
What these kids are sending using Snapchat is not safe, regardless of what they choose to send, and many of them don’t know any better
Close Encounters with Self-Production
I said Snapchat was relevant, and this is why.
The facts…
An Instagram account was found by accident
It showcased pictures featuring over 100 teenagers between the ages of 15 and 17. The police described them as ranging from inappropriate to crazy, “they really got us.”
Student interviews suggested a couple of boys created the accounts to stash and collect all of the nude pictures they were receiving from girls at the school.
The account was to be shared, so it was left public with some special hashtags
If you submitted a photo, you got the hashtag. The kids completely underestimated the internet and had no comprehension of what they were really doing: distributing child pornography.
This was Virginia's encounter with "self-production": children created child pornography featuring themselves and then distributed it online.
When asked, the kids said 60-80% of the school participated. A recent study of multiple high schools in East Texas found 28% of sophomores and juniors. If we assume some kids lied, we might be able to call that a third.
There were consequences, bullying and trauma, but fortunately no one was charged
That’s both good and bad. NO ONE was charged for anything.
But it could have been bad. In 2008, an Ohio girl committed suicide when her nude photo was circulated, and the photo was only passed around between a small group.
These teenagers are our most vulnerable group. It's very easy for them to make a terrible mistake online.
F is for Felony
Another case of the law colliding with a new fad
Idaho teen DDoSes school and now faces felony charges
But he’s just one of the many teens being caught after this sort of behavior
Others are SWATting and engaging in more reckless behavior
The best thing we can do is share what we know. We have a wealth of knowledge that has been documented in personal blog posts and conference recordings. Bookmark your favorites and share them when you see an opportunity.
Many great minds are out there trying to educate, but...
It's tough to explain the details in an article or news segment, so we see very specific warnings
News orgs have an agenda and a message they want to spread
Avoid generalizing and try to educate, when you can.
That’s where sending videos and articles can be invaluable
That’s the first step of this next part: releasing what we know from the echo-chamber.
While we often complain about developers and their lack of concern for security, that’s a terrible generalization.
Talk to a developer about their company's security group
The people you see at cons are not the people that represent security to most. There are whole dev conferences of really smart people we may never work with.
We can talk to them at their conferences and teach them about security from our side
I hear those talks are packed
Finally, pay attention to word choice and decide when it makes sense to change your language for the audience.
We can use “cyber” for good, when it might help get a point across