Tag Archives: Social Engineering

Blended Attacks and “The Tiger Team”

The following caught my eye during a review of the Cisco 2007 Annual Security Report, on page 16:

Blended Attacks Targeting Both Physical and IT Domains
In 2007, criminals demonstrated their evolving ingenuity by employing blended attacks to obtain sensitive information and evade detection. The most significant example of this trend was a string of attacks on Stop & Shop supermarkets in Rhode Island. Attackers broke into and vandalized supermarkets, leading police to believe the events were largely petty crimes. But during the break-ins, attackers tampered with the stores’ card readers to collect credit card information.

Of course, upon reading this there was a stream of attack ideas that occurred to me such as using a break-in as a cover for things like installing WIFI access to networks, card skimmers, key loggers, etc. Shortly after reading the Cisco report, I ran into a post on Black Bag (a physical security blog) about a TV show called Tiger Team. The TV show is about a team of penetration testers who (in addition to being very impressed with themselves) test complex physical security systems. I reviewed the first two episodes (which I have to confess I enjoyed), which are available via streaming video.

Interestingly, in the first two episodes (which is all I have watched so far…) the team always used a blended attack. There is a social engineering and digital attack as a prelude to the actual ‘theft’ in both episodes.

I think few people will face attackers of this sophistication, but the series is interesting nonetheless.

Cheers, Erik

Get Rich Quick at FakeChecks.Org – N O T

While I was checking the weather via the internet last night, I saw a banner ad for FakeChecks.org (click here), which turns out to be an anti-check fraud website sponsored by the National Consumers League . Check fraud has been around almost as long as checks themselves (I am sure it took a week or two for someone to try to steal cash using the newly invented check… 😉 ), but the anonymity and long distance communications capabilities provided by the Internet are reviving old scams and creating new ones.

A key component in a lot of fraud and scams is Social Engineering of one kind or another. Social Engineering is also a a huge threat to Information Security controls of all kinds. The tool to combat it is user awareness. I applaud FakeChecks.org for their efforts.

Cheers, Erik