Well hello there – I’m your friendly neighbourhood hacker!  I can introduce myself to your information online whenever I want – probably.  I’m that cocky I’ll even show you how…

You’ve heard of a carbon footprint right?  Well my business is centred around your digital footprint.  Every time you update Facebook letting me know where you’re checking into and what you’re doing.  If your privacy settings aren’t set that really helps me out in terms accessing your information on social media.  A lot of users are kind enough to let me know where they live.  So now I know you’re not home, if I wanted to I could sell this information to those in the burglary game.  We have our own internet amongst our kind – it’s called the dark web.  You can’t Google it, but it’s there for our use to sell your data.  (Scary eh? Well for you that is, my data is all locked up – you’ll never find me.)

I only need a small amount of information to compromise a system, network or even you.  If I’m targeting you specifically I may even register something in your name or create an online alias to pose as you.  I only need a few of your friends to friend me and I’m you! (Online anyway.  Oh and I don’t actually need them to friend me – I’ll make bogus accounts for them too…) Once your information is online, you have limited control of where it goes, so I can take pretty much whatever I want from you. 

Here’s where it gets interesting.  Social Engineering is where I can use your social media activity to build up a portfolio of you and who you are.  I can then take that information to target you individually and/or the company you work for.

For example, here’s my to-do list for today:

  1. Identify the target – I’m identifying Carnival UK.  I want to get into their systems. 
  2. Find out as much as I can about my target.  Now it’s easier for me to gain entry to Carnival UK by identifying their employees, so I’m going to use the likes of LinkedIn, Facebook, Twitter etc. to find and identify you.  I can get your email address, job title, find out what you do etc.
  3. Gather information – using the information I find, I’ll design a hierarchy structure of who I have found and what they do at Carnival UK.  I’ll target the highest ranking person I find.  They have the most access to systems and that’s what I’m interested in.  
  4. Identify points of entry – next I’ll use e-mails for phishing, or if there’s some information I can’t get online then I’ll do some vishing.  (This is where I call you up and we have a great discussion in which you give me all the missing information I need.  I’m real friendly too – you won’t suspect a thing!)  Let me show you just how easy it is – check out this quick YouTube clip.
  5. Gain entry to Carnival UK systems through successful phishing emails.  This is the easy bit – all you need to do is click on my link and sign into my bogus site.  I rely on people being busy and in a hurry – so they forget to look out for simple signs like ‘is it the correct web address?’ and ‘does this look like the log-in page?’  Most of the time people even forget all the key messages they’ve been told about protecting themselves online.  (Criminal, isn’t it?)
  6. Pay day!  I’ll hold Carnival UK to ransom over malware installed on their systems by the phishing emails you and your contacts clicked on.  Guest data – I’ll have it.  Your data – I’ll have it.  Carnival UK’s reputation severely damaged – you can’t put a price on that, you know.  In fact it’s a shame you guys don’t employ your own hacker to keep you better protected.

Well – that’s quite enough out of him!  My name’s Jay and I’m Ian.  We’re your Carnival UK network defenders – hackers don’t like us.  We keep them out of our systems and you can too – here’s how…

We are security professionals, meaning we focus on bolstering the cyber security of the business.  To do that we need to know how cyber criminals think, so we know what to defend against.

Social engineering is a form of attack – it’s the modern-day confidence trick – and we can all limit the damage.  Hackers first identify the target (you) and will scour the internet, both actively and passively, to find information on you.  Don’t let them!  Prevention is better than cure: by limiting the information we share, and who can access it, we clip the wings of a hacker’s ability to target us and take away the tools they use to trick us into thinking they are someone they are not.

Be careful what you post, limit your audience and be careful who you accept as a friend.  When using social media, take time to explore the security and privacy options available to help secure your information.

Now let’s talk about how you get into your accounts – it can be your Achilles heel.  Most of us use passwords to get into accounts, but these are normally short and very easy to guess – there are plenty of tools in a hacker’s toolbox to break them!  We can make our accounts much more secure by using a ‘pass phrase’.  For example, “Password123” is very easy to guess, but throw a few words together, with a number and a special character for good measure, and “HorseBatteryStaple123%” is suddenly longer and more secure.

The options to help protect your accounts from unauthorised access don’t stop there… If you use two-factor authentication (known as 2FA), then even if a scammer has your password they still won’t be able to get into your account without the extra verification from you (such as a code sent to your mobile).  Most modern social network sites (like Facebook) offer 2FA; it’s worth taking a few minutes to look it up and learn how it works (email us to find out more information – we’ll be happy to help).

And what if you’re contacted at work (on the phone or by email)?  How do you know people are who they claim to be – do you need to be suspicious of everybody?  Well, you needn’t be continually suspicious, but being mindful of who is contacting you, and why, is not a bad thing!  Whether it is via email or on the phone, the questions you should be asking yourself are often the same: was I expecting to be contacted by this person, are they asking me to do something, and does it feel right?  Don’t be afraid to challenge someone to prove their identity, and confirm what they are asking is legitimate with a trusted source (like your manager) before taking action.
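The “is it the correct web address?” sign from the hacker’s step 5 is one of the checks you can apply to an email before you click.  The following is an added example (not code from the post or from Carnival UK) of what a mail filter or a careful reader is looking for: the link text says one site, the real destination is another; the destination is not HTTPS; the domain is not one you actually sign in to; or the hostname contains look-alike non-ASCII characters.  The trusted-domain list and the sample links are constructed for the example, and the two-label “registered domain” rule is a simplification that does not handle suffixes such as `.co.uk`.

```python
"""Flag phishing-style links: visible text vs. real destination, scheme, domain, look-alikes.
Added illustration; TRUSTED_DOMAINS and the sample links are constructed, not real policy."""
from urllib.parse import urlparse

# Constructed allow-list: the domains this reader legitimately signs in to.
TRUSTED_DOMAINS = {"carnivalukgroup.com"}


def registered_domain(host: str) -> str:
    """Naive eTLD+1: keep the last two labels (assumption: fine for .com-style suffixes,
    wrong for .co.uk without a public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def link_warnings(display_text: str, href: str) -> list:
    """Return human-readable warnings for one link; an empty list means nothing looked off."""
    warnings = []
    target = urlparse(href)
    host = target.hostname or ""

    if target.scheme != "https":
        warnings.append("link is not https (%s)" % (target.scheme or "no scheme"))

    # If the visible text itself looks like a web address, it must lead where it says.
    shown = urlparse(display_text if "://" in display_text else "//" + display_text)
    shown_host = shown.hostname or ""
    if "." in shown_host and registered_domain(shown_host) != registered_domain(host):
        warnings.append("text shows %s but link goes to %s" % (shown_host, host))

    if registered_domain(host) not in TRUSTED_DOMAINS:
        warnings.append("%s is not a trusted sign-in domain" % host)

    try:
        host.encode("ascii")
    except UnicodeEncodeError:
        warnings.append("%s contains non-ASCII characters (possible look-alike domain)" % host)

    return warnings


if __name__ == "__main__":
    # Constructed sample: the visible text is the real site, the link is not.
    sample = ("https://www.carnivalukgroup.com/login",
              "http://carnivalukgroup.com.login-check.test/signin")
    for w in link_warnings(*sample):
        print("WARNING:", w)
```

Hovering over a link in your mail client shows you the same `href` the function receives, so the first two checks are ones you can do by eye; the domain check is the one worth automating, because “carnivalukgroup.com.login-check.test” reads as the right site to a busy person but its registered domain is something else entirely.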

Security Operations top tips:

  • Keep your device up to date with the latest software patches
  • Create secure passwords
  • Use two factor authentication
  • Install security software if possible
  • Limit the amount of information you make available online
  • Always remain vigilant – if in doubt, call it out!

Who can I contact for help?

If you have a security issue or concern please contact: IT.security@carnivalukgroup.com

For more information on how to protect you and your family see:  www.ncsc.gov.uk
