Sunday, November 24, 2019

Social Engineering is a Trick



What in the World is Social Engineering?

In the way a magician uses timing and diversion to fool an audience, a cyber attacker can apply social engineering tactics to trick you into sharing sensitive data. Within the cyber security world, it is regarded as the art of human manipulation.

The objective of these criminals is to fool you into doing the following:


  • opening an infected email attachment
  • sharing passwords
  • allowing a stranger into a physically secure area
  • sending sensitive information

Technology alone can't stop these computer criminals from using methods such as phone calls, text messages, emails, social media access, and physical presence to get their hands on information they should not have access to.

Examples of Techniques


Suppose you get an important message from your bank. You are informed that your bank account has expired and will be locked. You are given a unique phone number to call to update your account.

You call and have to endure an automated system's series of personal questions to prove your identity.

In reality, this is not your bank. There is no genuine interest in verifying that you are who you say you are.

This is an automated attack by cyber criminals seeking to record and steal information such as:
  • Birth date
  • Credit Card or Banking information
  • Home Address
  • Phone Number

As I mentioned before, their goal is to steal your identity and financial information.

Such attacks can also be more complex for the gullible...

Advanced Social Engineering Attacks

How would you react if you received an email apparently from your boss? It is short and urgent. It informs you that law enforcement is conducting a secret investigation of the workplace and some people may have to go to prison.

This email further states you will receive a phone call from your employer's legal team in a short time and you must answer any questions they ask. 

Then you get a call from a cyber attacker pretending to be a lawyer!

In such instances the caller's objective is to trick you into giving up as much information about yourself as possible. They will create a sense of urgency, often through fear, intimidation, a crisis, or a crucial deadline. They may use confusing or technical terms to trick you into providing sensitive information.

What You Can Do

Spot these attacks before they happen. 

In the above scenario, if an email message from your employer or manager appears odd, call and contact them directly about the message. It's possible that his or her account was hacked.

There are other things to look out for that can be suspicious.
  1. The content of the email contains irregular grammar and spelling errors.
  2. The tone of the message is questionable.
  3. Hover the cursor over any questionable link to display the link's real origin.
  4. If you are on the phone with a highly questionable person, just hang up.
  5. Direct these matters to the help desk or computer informational team.

Many years ago, when I was a Court Security Officer, I was having lunch with my superiors when I received a call from a Cyber Attacker warning me of an impending arrest warrant for me for failure to make my car payments (the caller didn't know I worked for the Sheriff Office). 

At the time, I knew I had no existing car payments and the County Sheriff and other deputies were sitting nearby eating, laughing, and talking sports.

I had fun with this caller as I pleaded for him to spare my life. I asked him if he could loan me the money to pay it and I would have my contractual killer friend deliver the money to him personally. My laughing frustrated this man to the point he hung up on me (I know I could've been more professional).

Make no mistake, your identity can be shared with a cyber attacker without you playing any role in it. Take a look at this scenario that will blow your mind. It involves a customer service representative sharing information about an account, and it could happen to anyone.

This takes no more than 30 seconds so brace yourself.



Quite diabolical, isn't it?

As I studied this scene, the representative missed some cues:

  1. Where was the husband and why didn't she request to talk to him directly?
  2. Mom has an infant and an older daughter whom she is attempting to add to the account to make changes if needed? Talk about a disparity in age. How old is the older daughter, mom? You trust her with what?? lol
  3. How is it possible mom and dad don't remember the email they used to sign up for the account? 
  4. Initially, dad did not have mom on the account in the first place. What's up with that? Sorry, how do I know you two are not legally separated or something?
  5. Mom claims she can't receive the text because she is talking on the phone with the operator. Really???

By fooling this customer representative, the fake mom was able to do the following:

  • Add herself to the account with a fake name and fake social security number
  • Set up her own personal access to the victim's account
  • Convince the support person to change the password, thus locking the real account holder out of his own account.

Social engineering is a diabolical trick, and we must spot these attacks before they happen. We can check our account activity on a regular basis while, at the same time, taking the initiative not to disclose any personal data to those who should not have access to it.

Technology alone cannot keep us safe and secure. We all have a responsibility in ensuring we are taking extra caution in our daily lives. We are the top defense against cyber attackers. 

If you found this information helpful and useful, please subscribe to my blog at the top. Every week I will be sharing the latest tips, news, and/or events in our cyber world.

Be safe and secure my friends!

Scattering the Seeds of Knowledge,

Ken Harris

Sunday, November 17, 2019

Internal Tools for Cyber Security Defenses


OUR BUILT-IN MECHANISM

We must equip ourselves with the internal tools we already have to enhance our defense. Cyber attackers know the importance of utilizing social media to increase their chances of deceiving the unsuspecting.

Like a contractor hired by a business to study the market for potential buyers, computer criminals spend a great deal of time phishing for those who are gullible.

What we say or post about ourselves on social media is, for them, like stumbling upon a treasure chest.

Don't assume for a second this applies to just the elderly. It can happen to any group, especially college students. Their targets vary just as much as their methods.

For example, just over 2 years ago in Chicopee, police uncovered 30 fictitious Instagram, Twitter, and Facebook accounts created by someone or some group posing as local lottery winner Mavis Wanczyk. The story is here: https://www.masslive.com/news/2017/08/chicopee_police_30_fake_scam_a.html

At this time, Wanczyk was the winner of the $758 million Powerball pot.

Fake postings in Wanczyk's name went up on social media platforms promising people money if they opted to follow him and/or respond to private messages. Some tactics also included liking and sharing posts for a monetary prize.

But in order to receive it, they request your banking information...

Sadly, victims fall for this social engineering all the time. As I said in the previous post, cyber attackers are determined to trick you into giving them information they should not have access to.

The fact of the matter is, if it's too good to be true, then it's the farthest thing from the truth.

In attacks such as the one in which college students were targeted by scammers with promises to offset book and tuition expenses, imagine a fisherman on a boat at sea. The fisherman is hoping the fish fall for his bait. He is trying to catch as many fish as he possibly can.

We must keep this in mind and not fall for it. The human mind naturally has wants and needs. Cyber criminals are using our instinctive passions against us.

Don't share your banking information with anyone on social media or even by email! It's not worth the risk.


INTRODUCING AN UPCOMING ADULT PUPPET SHOW




Coming in January 2020!

I find using puppets along with my blogging to share useful news and tips regarding cyber security awareness a fun and constructive way to connect with an audience (I certainly hope so).

Having worked as a stage actor in many productions, along with creative writing, and membership with Puppeteers of America, it was inevitable that I would blend all my passions into a short web series to cater to a mature audience (yes, adults).

Frankly, who wants to be bored with scribblings on how to be safe and secure from the never-ending threats by cyber attackers? I really think combining elements of education and entertainment is an appealing idea.

Surely, there's room for improvement with the way I shoot video and next time, not only will I have the puppets better positioned, but also I will always use wide screen footage. Also, thanks to my wife's suggestion, I am removing the dining portrait in the background. It doesn't fit with the audio video show theme.

"Cyber Brats" is a show that will be no longer than 5 or 6 minutes in length. It takes place inside a fictionalized radio station.

Here is the cast of degenerate characters:

Host Cyber Sly

Cyber Sly is an ex-con who served 5 years in prison for breaching the security operating system of a bank, stealing customers' account data, and single-handedly causing the institution to crumble to the ground. His cooperation with the District Attorney and Feds in exchange for a lighter prison sentence resulted in the convictions of over 20 cyber attackers across the country. Many of his former friends would love to see him dead and there are existing contracts out on his life. One failed hit in prison almost cost him his life when his tongue was mistakenly severed instead of his throat (more on that later). Sly has turned his life around and strives to do the right thing.

Co-host Monkey Midas

Monkey Midas is a former business owner who saw his regional ice cream chain collapse. This episode caused him to be a bitter man. This man hates all cyber attackers and he vents at Cyber Sly regularly. Midas is ignorant of cyber security precautions and this leads to his bickering with Sly.

Mr. Seal Deal

Mr. Seal Deal is the wealthy owner of Shadow World Radio Station and the creator of "Cyber Brats". He likes when Cyber Sly and Monkey Midas debate openly and feels this makes for good ratings. This guy is all about money and he is cheap.


Last known picture of fugitive Rocco the Raccoon

This SOB is the most wanted cyber thief in America. He has defrauded banks, retailers, celebrities, massive corporations, and is believed to be involved in many other scams. Rocco, Sly's former friend, likes to taunt authorities and sometimes likes to contact the radio station to boast of his latest scam.

The structure of this blog will be set up with serious tips, videos, and latest news and events covering cyber security awareness. Afterwards the short video will follow. As a member of Puppeteers of America and with an interest in helping others, I am thrilled!

We can have all the best and latest antivirus kits for our devices and computers. But that alone can't safeguard our information. We must use the internal tools we already have to build our cyber security defenses.

If you find this blog interesting or helpful, please subscribe and share with your friends and family!

Scattering the Seeds of Knowledge,

Ken Harris
http://shadowedu.blogspot.com
https://www.amazon.com/Kenneth-Harris/e/B071ZZK56K?ref_=dbs_p_ebk_r00_abau_000000





Sunday, November 10, 2019

"Cyber Attackers Impact" by Ken Harris

Can the average person fathom the magnitude of daily tactics by a cyber attacker? Do you know? Are you prepared in the event a scammer tricks you into giving up personal or private information they should not have access to?

After some encouragement from friends, along with my natural desire to help others, each week, I will be sharing what I know about cyber security fraud from my experience in law enforcement, ongoing trainings, latest news happenings around the world, and interviews with experts and readers with a desire to share their feedback or suggestions.

With all that's been happening in the world, I hope this platform will be a source to help you safeguard sensitive data.

It's important to know that these cyber criminals are plotting on a regular basis to deceive unsuspecting victims in a variety of ways. They typically rush you into making regrettable errors such as:


  • Opening an infected email attachment
  • Sharing passwords
  • Providing them restricted information they SHOULD NOT have access to

Being proactive against these types of attacks is not difficult. You have to understand, the best antivirus software won't stop all cyber security attacks. All of us have the responsibility to be mindful of the basic tools to protect ourselves, our families, and the organizations that employ us.

Beware of this type of Courier

This past October in Massachusetts, the North Brookfield Police Department issued a warning to residents of a new type of scam involving delivery of wine and flowers. The article is right below. https://www.masslive.com/news/2019/10/police-warning-people-of-new-clever-scam-that-ensnared-multiple-people-and-could-have-fooled-officers.html

To sum it up, a floral delivery person arrived at a couple's North Brookfield home with a package containing flowers and wine. The couple was not expecting this gift and had no idea who sent it.

The driver claimed not to know the identity of the sender and indicated a greeting card was sent separately but appeared to be in transit. The baffled husband and wife paid a $3.50 delivery fee by credit card to ensure the items were delivered to a person over 21 years of age. Supposedly, this was for the courier company's record keeping along with a signature.

So, the couple entered the requested financial information on a mobile card machine and the driver provided them a delivery receipt.

Within the next few days, this couple discovered $4,000 withdrawn from their bank account. Withdrawals of this money occurred from different ATM machines.

While law enforcement in this case described this as a new type of swindle, apparently it has been happening for years. For example, check out this similar story from 2014-



So, evidently this new type of scam has been happening for a number of years. However, I am sure cyber thieves are constantly brainstorming new methods of deceit against unsuspecting victims.

Nevertheless, this is just one of many fraudulent schemes exercised by cyber attackers all over the world. Their impact is obvious in the daily news and in victims who are brave enough to share their experiences on social media.

We as individuals must be the steel barrier against these types of scams.

If you like what I'm trying to do, please subscribe to this blog and share it with your friends.

As a former Special Police Officer, Court Security Officer, and Corrections Officer, I got a few nuggets of wisdom to pass on to all who want to keep themselves safe and secure from cyber predators. We're all in this together. 

Ken Harris
Contributing Writer

Article highlighting conference

  My latest article in the Point of View Community Magazine highlights my experience performing and speaking at the 13th Annual Florida Pros...