Wednesday, February 4, 2009

Menlo Technical Blog II


As the computer security industry grows and more people have sophisticated computers in the most remote places on Earth, street scams and gimmicks commonplace in other cities and countries are brought inside the average computer user's home and inside the corporate network.

Sophisticated programs can jump onto a home or corporate laptop and report back to their makers the user names and passwords people use on websites such as banking and brokerage accounts. More than simply logging these user names and passwords, the programs can monitor and track what is displayed by bank websites. The means they use to trigger computer users into giving access to this information are not so sophisticated: something as simple as an email designed to make a person THINK they have to log in to a common website - like Facebook or Chase Bank - when the link is a fake that is almost indistinguishable from the official website.

Corporate (aka Enterprise) computer users need to readjust their thinking and treat potentially everyone as a suspicious character, not just those outside of their 'circle of friends'.

Human interaction has many security features that are used each and every day and taken for granted. Features such as:
-the exact tone of a person's voice, 
-the precise image of a person, 
-their movements and body language, 
-the language phrasing, 
-smell of another person. 

All of these are kinds of authentication reminders that are taken for granted when interacting with people day to day.

While socializing online we are blind to these physical-world security features built into our daily interactions. We use something like a "friend authentication" but accommodate the restrictions of the online world. We allow for a certain flexibility when we don't have physical visual cues, such as tolerating slightly strange behavior in what is written by people we know. To complicate this matter, instead of a familiar and live one-on-one interaction, the interaction is many times one-to-many, missing many of the common cues we use to socialize with a person - like personal jokes, movements and gesticulations. Many times, an email is written to more than one person, a blog post is written for many to read, a Facebook wall posting addresses an audience, as does a Tumblr link or Twitter post. The familiar tone in which people speak to relatives and in-laws may be alarmingly strange to a friend. Everyone has a slightly different level of humor and communication with each of their various friends, especially in social media.

When a hacker designs a program, it usually tries to 'play' in that socialization realm of unfamiliar behaviors. Presenting a plea or request while pretending to be a person they are not, hackers use a kind of 'hook' to snag people emotionally into their scam.

Each aspect of online life and technology is leveraged differently by different hackers. Mostly, hackers use social engineering to gain access to an important piece of your identity that gives them access to all of your personal information and your family's financial institutions.

Hackers socially engineer through such means as:
-fake email notifications of a purchase with a confirmation link
-a fake UPS or US Post Office email that installs a virus that claims to be an anti-virus program
-notifications of a Facebook account update
-a free fun video game for a child, or a gambling site for a bored person, that requires a small installation of a program with hidden components that capture your keyboard use
-a link in an email or webpage to update information that injects a program into the computer to track keyboard use
-a .pdf file attached to an email from a friend or contact whose email or address book was accessed by a rogue program

These are ONLY SOME examples of the mechanics of a scam: make people feel secure in a relationship, then use this trusted relationship in a context that makes them vulnerable. These scams mostly try to hook people by relating to issues based around love, pain, politics or money - and use this hook as a distraction while hiding their real intent.

As an information technology security firm, our goal is to secure corporate networks, help enterprises design reliable backup plans, and make everyone more aware of the types of Internet and computer attacks that threaten enterprise intellectual property.

This blog - as well as our other Menlo Technical WordPress Blog - will be used by Menlo Technology Consulting to announce products, services and current trends in Information Technology Security.