So You’re Connecting your Car to the Internet…

Friendly reminder that connecting your car to the internet comes with responsibility.

Make installing updates a priority, even though it’ll be a pain and require going to the dealership to pick up a USB.

Also:

  • never connect your car to public WiFi
  • only use WPA2 security
  • if plugging a USB key into the car, make sure it’s clean and virus-free
  • and you’re legally responsible for Hotspot users

 

 

Which Industry is Best at Fixing Vulnerabilities

That’s scary that Healthcare is only 43%, now that many medical machines and devices are internet-enabled. I was surprised Technology was just 50%, and last place’s 27% will surprise no one.

Speaking is Chris Wysopal, co-founder and CTO of Veracode – a premier application security company. As in, good source.

From SecTor 2015.

 

 

Switched to the Search Engine DuckDuckGo

Because unlike Google, it doesn’t track me.

Your search history tells a lot about you.
And can be traced directly back to you.

From their site:

Other search engines save your search history. Usually your searches are saved along with the date and time of the search, some information about your computer (e.g. your IP address, User agent and often a unique identifier stored in a browser cookie), and if you are logged in, your account information (e.g. name and email address).

With only the timestamp and computer information, your searches can often be traced directly to you. With the additional account information, they are associated directly with you.

Results come from about 50 different sources such as Yahoo!, Wikipedia, Bing, and its own web crawler DuckDuckBot.

It also deletes results from content farms – low quality sites that turn out 4,000+ articles per day, designed specifically to rank well in Google.

Above is a typical results page.


Image results.

You can set it to be the default search engine in both Safari and Firefox. And also iOS: Settings > Safari > Search Engine > DuckDuckGo

Try it out – DuckDuckGo.com

 

 

Watch Out for On-site Impersonation Attacks

When a stranger shows up at your place of business, don’t take it at face value that they are who they claim to be.

The Attack

By exploiting people’s trust, manners, and our social nature to be helpful, impersonation is an effective way to gain physical access to somewhere otherwise off-limits.

The attacker will seem genuine, probably because they’ve prepared by collecting information about your organization.

They will look the part, and what they are asking for will make sense.

Example: “Oh you’re wearing a tool belt and construction vest, it seems logical you’d like access to our mechanical room, okay I’ll take you there.”

Like when Michele posed as a singing telegram.

She donned a set of medical scrubs, got some grocery store chocolates and balloons and showed up at the target’s business.

“No, I’m not on today’s appointment list, I’m a singing telegram sent by a secret admirer of Mr. Jones.”

Then better yet, “No I don’t have my ID on me, but look, my name is written on my stethoscope.”

Michele says the security guards did the right thing by escorting her up to see Mr. Jones. In she went and sang her heart out. Everyone loved it, so they forgot about her, and she was then left alone to roam the building.

Which Impersonations Work Best, Michele?

– pest control, because no one wants to deal with bugs

– play to stereotypes and expectations – she’s a woman so must be the underling, and her male counterpart the boss

– a woman lowers people’s guard; take advantage of gender bias

– exploit the automatic response to authority. Example: wear a safety vest and hard hat to direct traffic, without having to offer an explanation

The Defence

– ask lots of questions

– ask to see ID

– stop the stranger and ask a non-yes/no question like, “what can I help you find?”

– never leave a guest unattended

– don’t feel shy to be a stickler

This has been Part 2/3 in a series with Michele Fincher, Chief Influencing Agent at Social Engineer, Inc., a premier consulting and training company which specializes in the art and science of social engineering (SE).

Meet Michele here.
