Tag Archives: social engineering

Defensive Security Podcast Episode 108

Defensive Security Podcast Episode 106

Defensive Security Podcast Episode 41

New trojan looking for SAP installations, possibly a harbinger of things to come; Turns out Adobe used symmetric encryption to store the 130M passwords that were stolen; A dicey list of suggestions on how not to be the guy that gets your company owned; The results of the 2013 social engineering capture the flag are not pretty; Some security researchers completely compromise a government agency with a fake Facebook profile of an attractive lady; and all sorts of craziness about #badbios.

Subscribe in iTunes | Podcast RSS Feed | Twitter Email

http://www.infoworld.com/d/security/new-malware-variant-suggests-cybercriminals-targeting-sap-users-230014
http://arstechnica.com/security/2013/11/how-an-epic-blunder-by-adobe-could-strengthen-hand-of-password-crackers/
http://qz.com/120946/the-complete-guide-to-not-being-that-idiot-who-got-the-company-hacked/
http://www.darkreading.com/vulnerability/social-engineers-pwn-the-human-network-i/240163379
http://www.zdnet.com/government-agency-compromised-by-fake-facebook-hottie-7000022700/
BadBIOS intro: http://blog.erratasec.com/2013/10/badbios-features-explained.html
BadBIOS rebuttal: http://www.rootwyrm.com/2013/11/the-badbios-analysis-is-wrong/

Abusing JavaScript for Social Engineering Fun!

There is a really interesting blog post by @ossij called “Hacking the a tag in 100 characters“.

I suspect the nefarious utility of this is going to be pretty extensive. We often tell our constituents in security awareness training to look at the address of a link before clicking on it. This strategy certainly has the ability to undermine that guidance, particularly if this JavaScript works in HTML emails. And I expect that it will work in HTML emails. One more reason that viewing email in plain text is a good idea.

I can envision some new crafty targeted watering hole attacks with this method. Rather than including a noisy iframe that gets presented to everyone, links on the page are redirected to a malicious site after clicking, but only for the intended victim – the page looks and works normally for everyone else.

Stay safe,

Jerry