Social Engineering and Social Media Offence and Defence

This post aims to teach effective strategies to counter social attacks, including identity theft, phishing, spam, con artists, social engineering, hacking, and nation-state surveillance. Identity theft focuses on safeguarding personal information from misuse, while phishing involves identifying deceptive messages that attempt to steal sensitive data.

Managing spam is crucial to avoid potential risks associated with malicious links. Additionally, understanding how to recognize con artists helps prevent exploitation. The strategies behind social engineering remind us to be cautious of tactics that may lead us to reveal confidential information. In terms of hacking, reinforcing defenses is necessary to protect against vulnerabilities being exploited.

Furthermore, awareness of nation-state surveillance enhances our understanding of how to protect personal data and communication privacy. Mastering these defensive measures not only aids in maintaining personal safety but also helps safeguard the overall integrity of organizations.

Information Disclosure and Identity Strategies for Social Media

We’re now going to talk about how much personal information you might be revealing on the social sites that you use, in forums, and when you fill out forms, and really, any time where you’re providing information, and we’re going to look at using identity strategies to limit your exposure to your adversaries when revealing personal information. Increasingly it’s getting harder and harder to not provide information if you want to function in the modern world.

Our children simply won’t understand the concept of privacy in the same way that we do, but the clear facts are that the less information about you that is out there, the more security, privacy and anonymity you can grasp, attempting to attain. The less information out there about you, the better protected against identity theft, phishing attacks, spam, conman, social engineering, hackers, nation state surveillance, local law enforcement, basically everything. But you have to balance your personal information disclosure with your need for an identity or identities online.

Here is a scrolling list of information you should consider before revealing online or consider before giving to companies.

Personal

• Full Name
• Email address
• Home Address
• Date of Birth
• Ethnicity / Race
• Gender
• National ID numbers/
• Social Security number
• Passport number
• Visa permits number
• Driver’s license number
• Disability information
• Location information
• What you are doing when / status
• Events attended
• Status
• Sexual orientation
• Educations and employment history
• Grades
• Salary
• Job position / title
• Photos
• Anything commercially sensitive
• Political and religious leanings and affiliations
• Views on controversial issues
• History / background
• Mother maiden name
• Place of birth
• Genetic information
• Insurance details
• Medical information
• Criminal record
• Credit score / record
• Sites registered on

Interconnections

• Work details (Company name, address, colleagues)
• Family members
• Dependants
• Spouses / Partners
• Friends
• Associates

Banking / Financial

• Credit card numbers – PAN (including hashed and truncated versions)
• Sort code
• Expiration date
• Verification number
• Card security code
• Account number

Authentication Details

• Usernames / Screen names / aliases
• Email address
• Passwords (Including hashes)
• Digital identity
• Biometric data – retina, face, fingerprints, handwriting
• Security tokens
• Encryption keys
• Cookies
• Session information and tokens e.g. JSESSIONID

Mobile / Phones / Laptop

• MSISDN
• IMSI
• Mobile number
• Home phone number
• Browser
• GUID
• Operating systems
• IP address
• MAC address
• Hardware serials

The more of this personal information that is out there about you, the more of a complete picture an adversary can have of you.

Questions to consider when putting this information online or providing it to companies.

• Who can ultimately access the information? You might think it’s just your friends, or just the company, but they can forward the information on. If it’s a social site, the social site will have access to it, if it’s a company, the company will have access to it. Your adversary then may also have access to it.
• Who controls and owns the information that you are disclosing? You might find that some of the sites you use own the content you publish. Did you know that?
• Can the information ever be taken back or taken down that you’ve disclosed? The answer is probably no, because other sites and services archive the internet, so ultimately, even if it is taken down, it may be archived somewhere else. And as we know, nation states are archiving data as well.
• Will your associates mind if you share information about them with other people? What information about you are your associates passing on to other people? Do you trust the people in organizations you’re connected to? They can forward on information you have posted. Even if you post on a private forum, you should consider the information still public because you no longer have control over that information anymore.
• Are you relying on a social site or other site as a primary host for your content or information? What happens if that site disappears, if it goes down, will you lose those precious pictures?
• Are there photos of you online? Do people tag you in photos even if you don’t post pictures yourself?
• Consider the risk associated with the information you post online. Could an unfortunate post on social media affect your career, or posting your opinions get you fired?
• What are the consequences of posting, viewing or creating this sort of content online that you wish to do freely? Just re-tweeting or forwarding a message indicates your views on a topic.
• Are you comfortable that your social media presence creates a profile of you online that can be used by employees and your adversary?
• Do you want to mix colleagues with friends and family? Are you doing that now?
• Do you have distinctly private activities that you don’t want associated with your real identity?
• Do you perform activities that law enforcement agencies or nation states have laws against?
• Will the information you disclose lead to the targeting of your friends and family members by your adversaries?
• Will your children appreciate you posting photos and information about them when they get older? Does this make them more vulnerable?

I recommend this site here who do a great breakdown of the terms of use and privacy policies of companies that you use. They also have a browser plugin, so if you are interested in the social sites that you’re using, so let’s for example look in Facebook, and here we get a breakdown of what this particular social site has to say in their policies.

Decentralized Social Networks: Consider alternatives like

Diaspora

Friendica

So the breakdown here:

• Very broad copyright license on your content,
• This service tracks you on other websites,
• Facebook automatically shares your data with many other services,
• Facebook uses your data for many purposes,
• The Android app can record sound and video from your phone at anytime without your consent.

So what I do, what I suggest is that if you are using social media websites and you want to know what they’re doing with your information, this is a good site to go, check out the detail for the social sites that you.

Identity, Verification and Registration

Many online services require you to register and provide personal information, such as email addresses, home addresses, and phone numbers. It’s important to minimize the information you share and the number of places where you register. This practice helps protect you from identity theft, privacy invasion, spam, phishing, and other threats. Whenever possible, avoid creating accounts or registering altogether.

Using BugMeNot

One helpful service to consider is BugMeNot. For instance, if you want to access services on IMDB.com, you can search BugMeNot for shared accounts that allow you to use the functionalities you need without registering. There’s also a plugin available for BugMeNot that works on a variety of sites, as long as your usage is generic and not tied to any private information.

Using Fake Information When Registration is Necessary

If you must register, for example, to create an account on a forum, use fake information whenever possible—this includes name, address, age, and location, as these details are generally not verifiable. Often, email addresses are required for registration to send verification emails. In this case, you can use disposable or throwaway email accounts.

Throwaway Email Services

One well-known throwaway email service is Guerrilla Mail, which generates an email address for you. You can register with this email, and you’ll see emails here, allowing you to respond for your registration. Other similar services include:

• Guerrilla Mail
• Trash-Mail

When using these services, keep in mind that anyone who knows the unique email address can read the emails, and the hosting company can also access them. Thus, this method offers anonymity rather than security.

Creating a Separate Email Account

To maintain better security, consider setting up an email account specifically for registrations. This should be separate from the email associated with your real identity, such as using a name like register998@gmail.com for low-priority services.

Phone Verification Options

Some services require phone verification via voice or SMS. You can use websites that allow you to receive SMS messages anonymously. For example, Receive SMS Online provides public phone numbers that can receive text messages. You can choose a number to register, and you’ll see the messages that come through.

Using Burner Phones for Anonymity

If you need serious anonymity, consider purchasing a burner phone and SIM card with cash. Use this phone solely for registration, and switch it on in a public place to receive the SMS confirmation, then turn it off. Be aware that nation-states may monitor burner phones, as they are activated occasionally for brief periods.

Purchasing Verified Accounts

If you’re looking for verified email accounts or other verified accounts, you can find them on hacker forums and dark web forums. These accounts are often pre-verified and can be purchased anonymously with Bitcoin. Be sure to explore various forums for such services.

Behavioral Security Controls Against Social Threats (Phishing, Spam) Part 1

Many of the social threats we face can be mitigated with the same type of security controls. So the threats I’m referring to you here are things like identity theft, social engineering like phishing, vishing, smishing, scams and cons, as well as things like doxing and spam. In this video I’m going to talk through the security controls that protect you from these social threats. And these security controls can be split into two categories. The first we’ll cover is behavioral changes.

• urlvoid

This is changing what you do to doing something safer instead, such as not downloading and running an executable from your email. The problem with behavioral changes though is it relies on us humans and we are fallible and often forget to do the right things. The second type of control is technical security controls, such as using sandboxing on your email client or browser, and of course, we use defense in depth so that we have layers of both types of security controls to protect us.

So we will implement behavioral and technical security controls to protect us against these social threats. So let’s start with behavioral changes in order to protect ourselves from these threats.

1. If you didn’t request it – don’t click on it! The number one defense against social attacks is if you didn’t request it do not click on it. Do not respond to it and be immediately suspicious. This includes your emails, SMS’s, telephone calls, messages, things that pop up on the screen, messages within messaging apps. If you didn’t request anything, always be suspicious of it. Some of the messages you can get can be very enticing and seem legitimate, but if you didn’t request it, or you weren’t expecting it, then it should always be considered suspicious. If you have subscribed to an emailing list, then you are expecting the emails and those are fine, but if you suddenly get an email you never requested, then it should be immediately considered suspicious. So remember, if you didn’t request it, do not click on it.
2. Never download and run any file you don’t 100% trust! Next is never download and run any file you don’t 100% trust, especially not if you’ve been sent it via a link or via an attachment from an email that you did not expect. All email attachments should be considered suspicious and should be put through some technical security controls that we’ll detail later, so don’t run attachments and files that you don’t 100% trust.
3. Never enter sensitive information after following a link or popup. Never enter things like usernames and passwords or personal information after following a link or a pop up. Always, always go to the site by typing in the URL yourself into the browser. In fact, these days, companies should not be sending out links in emails asking you to log in and enter personal information. You will find that companies that understand security don’t do this anymore, they ask you to go to the site, and login without providing a link. They tell their users that they never send out links because they want to train their users not to click on links sent in emails to their site, because they know that that very same tactic is used in phishing attacks, so they want to train their users out of receiving links in emails and clicking on them to their site. So never enter usernames, passwords, or personal information after following a link. Go to the site itself, enter the URL yourself within the browser.
4. Validate the link You can attempt to validate the link. In the section on know your enemy, we talked through how links are manipulated, so you can check to see whether it conforms to any of the known attack types and link manipulation techniques. So are there any subdomains? Like we can see here, so we have a subdomain here, so we know that’s dodgy looking, and that’s the real domain. Are there any subdirectories? Here we can see some subdirectories, so we know that’s a dodgy URL. That’s the real domain. Are there any misspellings? And here we go, misspellings, that’s a dodgy domain. So it may be tricky to understand, as I’ve gone through this, which are the real domains depending on your experience. So the real domain is the one that is to the left of the high level domain, that’s the high level domain and it has no slash to the left of it. High level domains are things like dot com, dot net, dot org, and when we say that there is no slash to the left of it, this does not include the slash in the http://.
5. Minimise personal information disclosure This has already been discussed, but in reference to these particular attacks, a valid defense is minimizing your personal information disclosure. I’ve stated this in many parts of the course. You need to limit the amount of information you give out. Simply by doing this, you reduce your risk. You are less likely to be a target of these social attacks and naturally remain more private. We’ve just covered minimizing your registration and alternatives to providing information on registration. This, again, makes you more secure and less likely to be a target of these attacks. If they don’t know you exist, if your email, your phone numbers, your messenger ids aren’t available, they can’t know it in order to send attacks to you. Especially, do not post your email address, your phone number, your messenger id’s online, like say in forums, on your blog, and those sorts of things, because they will be picked up by automated scanners, and then you’ll become an automatic target of phishing attacks, scams, cons, spam, and whatever else the latest social attack is.

Behavioral Security Controls Against Social Threats (Phishing, Spam) Part 2

Whois Lookup, Domain Availability & IP Search – DomainTools

Home | ParseMail

1. Validate the sender. If it’s a friend or colleague that has sent you something with a link or attachment that you didn’t request, then use a different medium to contact them and validate that they sent it. If it’s sent from a company, like your bank or a social site, you should contact them too if it’s possible to confirm the legitimacy. If it’s from a company or a person you have no relationship with, then be immediately suspicious. Check the domain name of the email address that it has been set from. If it’s not the domain of the company, and it’s something like Hotmail or Gmail, then it’s definitely fake. Companies can afford their own domain names, they don’t need to use Yahoo, or Gmail, or Hotmail. Copy the email contents and paste it into your favorite search engine. But be careful not to click on any link. If it’s a known attack, it will be found by your search engine, if it’s an attack that’s been out for a few days. If it’s a brand new attack, it may not come up in the search engine results, but here we can see phishing scam straight away, and you will get that for many of the phishing emails that you get, because they are identified by the security companies fairly quickly. There’s often an option to view the raw email and email headers that you’ve received depending on the email client that you’ve got, so this is an option that isn’t always available within webmail, but if you do have it, say it’s in Thunderbird, or mail for OS X, then you can look at this, you can examine the content and see whether it matches what it’s claiming to be.

How to Get Email Headers

1. Validate the attachment. What you see here is a non-exhaustive list of executable file types. You should absolutely never ever run any of these, unless you are 100% sure that you trust the source. These are all programs, so have the power to do anything on your computer if you run them.
   • Executable file extensions (Very dangerous – Likely contains malware)
     • .EXE
     • .COM
     • .VB
     • .VBS
     • .VBE
     • .CMD
     • .BAT
     • .WS
     • .WSF
     • .SCR
     • .SHS
     • .PIF
     • .HTA
     • .JS
     • .JSE
     • .LNK
     • .DEB
     • .RPM
   • Document file extensions (Dangerous – Can contain macro viruses)
     • .XLS
     • .DOC
     • .PDF
   • Compression and file archives (Dangerous – Can contain executable malware files)
     • .ZIP
     • .RAR
     • .7z
     • .DMG
   • Other (Probably safe)
     • .txt
     • .gif
     • .jpg
   Finally, this type of file extension may have vulnerabilities, but it’s unlikely.
2. Avoid the obvious threats! Finally, we’ll finish off with some of the obvious stuff. It is obvious, but I’ve got to say it anyway just to cover it. If the requester asks for bank account information, credit card numbers, your mother’s maiden name, or other personal information, then obviously that is fake. They’re not going to be sending you that in an email or a message. If they send something to you saying you’ve won a prize, you have won the Nigerian lottery, or a Prince has contacted you and he wants to desperately send you money, obviously these are all fakes. Ignore. If it contains a lot of hype and exaggerations, but few facts and details about costs, our obligations, and how it actually works, that’s a sign of a scam too. If you are asked for a fee for administration processing, taxes to be paid in advance, never provide money in advance of receiving anything. This is the advanced fee scam. Technical support will never ask you for your username and password. That’s a scam. Don’t put USBs or CDs into your computer you don’t trust, especially if you’ve found them on the floor. Be suspicious of anything that seems to be too good to be true; it probably is. If you discover a scam email or link, or phishing email, or spam, forward the spam emails onto this email address here to help stop spam: spam@uce.gov. If you received a bad email that’s reportedly from a company, you can send a copy of that email to the company in order to help them prevent the attack. If you have a phishing email, you can send it to this email here, this is the anti-phishing work group, this will help fight phishing attacks: reportphishing@antiphishing.org.
3. Vishing & SMShing With vishing and phone calls, always have the caller validate their identity. Ask for their name, company name, title, and phone number to call them back. More advanced attackers will have a legitimate number to call back, so verify the company by searching the internet and doing the various checks that we’ve already gone through. Validate that their company and everything associated with it is legitimate; search online for everything that they’ve said to validate who they are and what they are claiming. When it comes to offline, to reduce the risk of being a target, buy and use a paper shredder. Anything with personal information should be shredded, don’t carry a social security card with you, and make sure you report lost or stolen checks and credit cards immediately. So these are the behavioral changes, or perhaps these are not changes for those of you who are already doing these things, that can help mitigate against social attacks like phishing, vishing, smishing, spam, scams, and cons.

Technical Security Controls Against Social Threats (Phishing, Spam, Scam & Cons)

We’ve just talked about behavioral security controls, now we’re going to move onto technical security controls, and again, many of the social threats we face can be mitigated by the same type of technical security controls. And again, the threats we’re referring to here that we can mitigate are things like identity theft, social engineering, like phishing, vishing, smishing, scams, cons, doxing, spam, those sorts of threats. In order to mitigate these sorts of threats, consider using these sorts of technical security controls.

1. Use an email provider with security controls

When you’re selecting an email provider, consider how well they protect you from spam, phishing, malware, and those sorts of things. Almost all email providers scan the email content for these types of attacks. This is a privacy concern, but is also a security control. Sometimes security and privacy aren’t compatible, and you have to choose how to deal with that. What is more important for you? Privacy or security? You have to make the risk based decision. But you can choose to have separate accounts for separate purposes. So for example, for a more private conversation, you could have a dedicated email where you use GPG which will give you the privacy that you need, which we discuss later in full detail, and for general emails, where you have less of a need for privacy, you could go for a provider that offers security by scanning the email contents. The big email providers are good with spam, phishing and malware protection, as they have lots of resources to throw at the problem, Apple, Google, Microsoft, Yahoo, etc. They are good for protecting you from phishing and malware, but they are not good for privacy. So you need to choose your provider by weighing up these options between privacy and security.

2. Use a credit monitoring service

Another control to protect you against these social threats is to use a credit monitoring service that notifies you of credit searches and applications that will help you particularly against identity theft. In the US and other locations, you can freeze credit checks. This stops anyone from being able to take out loans or credit cards in your name. This is useful if you know you don’t need any loans or credit, so you can freeze your credit. You want to monitor the accounts you care about where they provide this monitoring and alerting functionality. Enable the security notifications on your accounts where they are available. For example, when someone logs into your account, and where, and on what device, when money transfers are made, when passwords are changed and so on. You want alerts for those sorts of things. As an example, Gmail provides information like that on your devices that you log in, many banks will send you notifications when there are money transfers, or where your account reaches a certain level. You should enable those.

3. Summary of Technical Security Controls

Now the rest of the technical security controls, we’re going to discuss throughout the course in detail. You will learn more about them in their own sections. But a quick summary here of what will protect you against these social attacks:

• View as text
• Use Google Safe Browsing (For Security – turn off for privacy)
• Use Ublock origin filters list (+other browser extensions)
• Isolation and compartmentalisation
• Use a virtual machine
• Application white listing
• Application and execution controls
• Sandboxes
• Opening attachments online (Google Docs and Etherpad)
• Use Live operating system
• Using OpenPGP signatures to validate the sender
• Host files and provide links instead of attaching to email
• Use Anti-virus and endpoint protection (More on these later…)

So first is changing the email viewer to be text instead of html. Using the built-in Google Safe Browsing used in Mozilla Firefox, Apple Safari, and Google Chrome, Ublock origin for filtering, using isolation and compartmentalization, using a virtual machine to open attachments and click links. Using application and execution control, sandboxes, opening attachments online using tools like Google Docs and Etherpad, using Live operating systems to open attachments and click links, using OpenPGP signatures to validate the sender is genuine, and if you frequently send and receive files via email, changing that to hosting these files and sending links to these files instead of attachments. And you can use services like SpiderOak, Owncloud or Seafile, enabling antivirus and endpoint protection. But all of those things, we go through on the course, but they particularly do protect you against these social attacks.

For useful information on protecting you against phishing, vishing, smishing, spam, scams and cons, then have a look at this website here, this is quite good, ActionFraud. And also Scambusters.org is quite good as well.

• ActionFraud
• Scambusters

Conclusion

The post provides a comprehensive guide on strategies to counter various social attacks, such as identity theft, phishing, spam, social engineering, and nation-state surveillance. It emphasizes the importance of safeguarding personal information and being cautious about what is shared online to prevent exploitation from these threats. Effective methods include minimizing personal data disclosure, using fake information for non-essential registrations, and employing technical controls like using secure email providers and credit monitoring services. Behavioral changes, such as not clicking on unsolicited links and validating senders and attachments, are also crucial. Additionally, the text highlights the use of decentralized social networks, disposable email services, and burner phones to enhance online privacy and security. Ultimately, these strategies aim to protect personal safety and maintain the integrity of organizations by addressing both behavioral and technical aspects of social threats.