Fireball - Spicey, Hot Cinnamon eLiquid

VapeSafe Fireball eLiquid.

Fireball eLiquid creates a new definition for cinnamon eJuice. Imagine the simmering, hot goodness of a cinnamon asteroid burning through space only to be captured by lab techs at VapeSafe and distilled into a bottle of Fireball eLiquid. If you like the flavor of spicey hot cinnamon candy and you enjoy the sensation of heavy vapor pouring out of your electronic cigarette, then you are in luck. We created Fireball just for you.

Fireball eLiquid by VapeSafe brings the spice back into spicey. As with all of the VapeSafe eLiquids, our mixtures are designed to produce nice, heavy vapors and the most succulent flavors.

Try Fireball eLiquid today!

Technology Information:

Social Engineering

By: James Banicar

The goal of my paper will be to explore the topic of Social Engineering in all its facets.  But what really is social engineering?  Is it a term that can be applied in any field other than Information Technology?  Your Dictionary references Webster’s Dictionary, which defines social engineering as thus (Your Dictionary, 2006):

A deceptive process in which crackers “engineer” or design a social situation to trick others into allowing them access to an otherwise closed network, or into believing a reality that does not exist.

However, in a much broader sense, social engineering can indeed take place outside of a technical field or applied to describe a non-I.T. related situation, because in reality, the act essentially involves deceiving another individual into divulging information that should be kept secret.  The following definition better describes social engineering in this light (Social engineering (security), 2009):

Social engineering is the act of manipulating people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud or computer system access; in most cases the attacker never comes face-to-face with the victim.

The goal of this paper aims to explore these many situations that others might not classify as an social engineering act to steal information, and in addition to that goal, explore similar objectives throughout: to create a conversation about social engineering by generating awareness, discuss the many different kinds of social engineering methods, cite examples of real world social engineering events & the people responsible, and finally, cover a list of best practices to avoid social engineering attacks.

So now that we have established a “working definition” by which to base the foundation of this discussion on social engineering, the next logical step would be to mention a few of the well-known techniques employed in social engineering acts (Granger, 2001). 

A very widely recognized form of social engineering occurs over the phone, which gives all the anonymity in the world a person with malicious intent could ask for.  Those that are particularly vulnerable to this type of threat are help desks, customer service reps, and of course, the common victim: the innocent individual minding their own business at home, on the comfort of their couch.  But just because most of these attacks are known to occur over the phone, does not mean that you are safe when actually using the phone yourself.  What do I mean by this?  IT’s known as shoulder surfing (Dwyer, 2008), or when someone else gleans your PIN number or ATM number by simply stand ing over your shoulder at either a large airport or phone booth. 

Another great example of why social engineering isn’t just something to worry about at the workplace is how often thieves thrive on another technique known as Dumpster Diving, which involves hackers or anyone with malicious intent attaining information such as: calendars showing when employees might be out of town, policy manuals detailing how internal systems are protected, or even hard drives that can be restored & vital information discovered (Berg, 1995).

But my favorite form of social engineering has to be the form described as Quid Pro Quo.  (Wikipedia, 2009) Imagine, if you will, that the “attacker” attempts to randomly ring up someone claiming to be returning their technical support call; eventually, said attacker will find someone who is grateful to have been called back, who will have no problem following whatever instructions the attack doles out… which will most likely be either a series of malicious commands or the giving up of valuable information (such as a credit card number or name and password).

While there are certainly many more techniques that could be discussed, I would like to focus the next section on elaborating on the techniques described above with specific, real world scenarios of social engineering taking place.  A very fascinating example of an attacker making the victim believe that he is of a higher authority is described by McAfee Avert Labs and SANS analyst Lennny Zeltser (Kumar, 2009):

Apparently, yellow fliers were placed on vehicles in a parking lot, and the fliers claimed that the vehicles were in violation of parking regulations. The fliers further stated that the owner could visit a certain website to get more information and pictures about the offense.

Now you can imagine the result of this very clever form of social engineering: said victim sees the fliers and once they reach home, attempt to visit the designated website – only to be told to download a toolbar or some other form of disguised malware, which in turn infects their PC with even more malware. 

Kevin Mitnick, who was once one of the most wanted hackers in the U.S. in the late twentieth century, wrote a book entitled The Art of Deception (Mitnick, Amazon, 2009).  In his book, he describes several examples of social engineering, and in one he describes how someone could wait for a snow storm to occur, and then calling the network center posing as a… you guessed it, snowed-in employee.  In other similar examples, Mitnick gives a smaller example of how someone could get a police officer to divulge when he might be out of town, and by scheduling a court date at that specific time; get out of the speeding ticket (Mitnick, Social Engineering Books, 2006).   

A few of these examples of social engineering are really quite startling.  How can one hope to avoid falling into these tricks when many of them are so clever?  There are a few “best practices” that can be taught which will help falling into the social engineering traps.  Some may be ideal for teaching fellow employees and others might just be applicable to the individual, helping him or her to live a more secure life in regards to their important information’s safety. 

Some of the best techniques to teach employees, as identified by US-CERT (United States Computer Emergency Readiness Team), are as follows (McDowell, 2004): 

• Be suspicious of any phone calls, visits, or email messages from individuals asking about employee or internal information.  Always ask any individual claiming to be of a legitimate organization to verify their claims; this is especially true if they could use your position as a gateway to attain privileged information (for example, you work at a help desk). 
• Almost never reveal sensitive information over the internet.  Never.  Before doing anything with any amount of sensitive information, consult a higher authority or person with full knowledge of your company’s security policy.
• Always shred any company documents before discarding them.  Even the slightest bit of information can give an attacker inside knowledge as to who works at the company, their operating hours, or phone numbers.

Richard Steinnon of the website CIO Update decries what is often touted as the “best defense against social engineering:” training.  He stipulates that if you determine a mandatory training in order to sharpen peoples’ awareness is needed in order to avoid social engineering attacks… then you already have a hole in your defenses.  Ultimately, the very best defense against a good social engineering attack is: enforce policy (Stiennon, 2009).

In conclusion, I have covered a wide ranging of topics all of which involve a discussion centered on Social Engineering.  What began as an initial exploration into the definition of Social Engineering, the discussion then progressed into examples of the varying types of social techniques that attackers employ to trick others into divulging sensitive information. 

Many common examples of real world attacks were also covered and how devastating their implications can be to the victims; corporations or individuals are not safe against any sort of Social Engineering attack.  Chief among those who used to be considered the most dangerous of all, Kevin Mitnick, wrote a book describing in detail how wide-ranging Social Engineering attacks can be. 

And finally, I briefly covered some “best practices” to avoid such social attacks from occurring to you or future employees.  While it may seem obviously to a technically inclined individual, everyone can be a victim of these kinds of attacks when not following the most basic of policies.  Being intelligence with information essentially keeping it to yourself.  But rest assured that there are those out there who are constantly inventing new and dangerous ways in which to trick innocent people into giving away important information.  And it’s only with constant diligence and a re-affirmation to confidentiality can we hope to avoid the trap known as Social Engineering.

About the Author

 

Works Cited:

Berg, A. (1995, November 11). Social Engineering. Retrieved April 19, 2009, from Packet Storm Security : http://www.packetstormsecurity.org/docs/social-engineering/soc_eng2.html

Dwyer, J. (2008, January 12). Picking Pockets? Nah, Surfing Shoulders. Retrieved April 19, 2009, from New York Times: http://www.nytimes.com/2008/01/12/nyregion/12about.html

*Granger, S. (2001, December 18). A True Story. Retrieved April 19, 2009, from Security Focus: http://www.securityfocus.com/infocus/1527*

Kumar, L. (2009, February 4). Real World Social Engineering. Retrieved April 19, 2009, from McAfee Avert Labs Blog: http://www.avertlabs.com/research/blog/index.php/2009/02/04/real-world-social-engineering-to-spread-malware-online/

*Major, S. D. (2009). Social Engineering: Hacking the Wetware! Information Security Journal: A Global Perspective , 40-46. *

McDowell, M. (2004). Tips. Retrieved April 19, 2009, from US-CERT.GOV: http://www.us-cert.gov/cas/tips/ST04-014.html

Mitnick, K. (2009). Amazon. Retrieved April 19, 2009, from Amazon: http://www.amazon.com/Art-Deception-Controlling-Element-Security/dp/0471237124

Mitnick, K. (2006). Social Engineering Books. Retrieved April 19, 2009, from Social Engineering: http://www.social-engineering.eu/books/artofdeception/

Social engineering (security). (2009, April 16). Retrieved April 19, 2009, from Wikipedia: http://en.wikipedia.org/wiki/Social_engineering_(security)

Stiennon, R. (2009, October 19). The Best Defense Against Social Engineering. Retrieved April 19, 2009, from CIO Update: http://www.cioupdate.com/trends/article.php/3638951/The-Best-Defense-Against-Social-Engineering

Wikipedia. (2009, April 16). Retrieved April 19, 2009, from http://en.wikipedia.org/wiki/Social_engineering_(security)

Your Dictionary. (2006). Retrieved April 19, 2009, from http://www.yourdictionary.com/hacker/social-engineering

Social Technology

 

Suggested Products

• Avatar (Two-Disc Blu-ray/DVD Combo) [Blu-ray]
• Up (Single Disc Widescreen)
• The Blind Side
• Harry Potter and the Half-Blood Prince (Widescreen Edition)
• Avatar
• Iron Man 2 (Three-Disc Blu-ray/DVD Combo + Digital Copy)
• The Hangover (R-Rated Single-Disc Edition)
• The Proposal (Single Disc Widescreen)
• Up (Mandarin Chinese Edition)
• Wall-E (Single-Disc Edition)