
Archive for December, 2009

Social Engineering in the news

Monday, December 21st, 2009

Lately there have been a lot of news reports about the increase in social engineering attacks against companies. Just take a look at this article we archived from ThreatPost.com entitled, “Attackers and Phishers Still Winning the War.”

It brings to light some very interesting facts… malicious social engineers are looking at what is “bothering” people and then offering information and/or solutions if “you just click here.” Everything from money help for the economic woes people are experiencing right down to cures for the H1N1 virus. It makes a further valid point: that the users are the ones who are to blame. We take a less strict stance here at social-engineer.org. We feel that too many people are in fear and having life problems, and they WANT a solution. Due to that, they click… they browse… they download. Why? Because maybe, just maybe, there is a solution at the other end of that link.

This brings us to our main story for today. Even though this is an older story, it is an “oldie but goodie…” It was archived on our site from www.wired.com.

AOL, yes AOL again. A social engineer called AOL’s tech support and somehow convinced the support rep to accept an EXECUTABLE file then… wait for it… wait for it… YES, execute the file. When the file was executed it connected the support rep’s computer to an IRC channel and allowed the hacker to issue commands.

Those commands allowed the hacker to gain access to Merlin, AOL’s internal database, as well as over 35 million accounts.

Another attacker called in pretending to be a user who had just had mouth surgery and only had the screen name. When he mumbled the user info over and over, the rep finally got frustrated and gave him the information he needed. After a few calls he was able to obtain a full user account with a password change.

This article truly shows major weaknesses in the way call centers operate and reveals weaknesses that will, and DID, bring major companies to their knees.

We are scouring the Internet for more stories.  Keep sending in your links and we hope you enjoy reading.

On another note… did you see this great little thing Google has done?  Go to www.google.com and just hit “I’m feeling lucky” with nothing in the search box and see what happens.

It’s a countdown… we will let you figure out what it is for.

Till next time.

Iraqi insurgents hack US Predator drones with $26 software

Friday, December 18th, 2009

The first thing that happened when I mentioned this blog post was a few people saying, “This doesn’t have much to do with social engineering, so why the heck do you want to blog about it?”

The truth is… it doesn’t have much to do with social engineering at all, but it is so darn interesting we had to write about it. Plus we have a special surprise for all our readers.

So here is the basic gist… Iraqi hackers with a cheap satellite dish and a $26 piece of software called SkyGrabber were able to intercept the US Government’s video feeds from the Predator drones. This allowed them to know the whereabouts of the drones and to evade being detected.

How did they do this?

Enter the SkyGrabber

SkyGrabber is a very interesting piece of technology. Much like a BitTorrent client, it allows you to connect your computer directly to your satellite dish; it then “grabs” the data being beamed to and from satellite dishes in your range. It grabs the pictures, movies, files… video feeds, and recompiles them on your local machine, giving you not just access but a fully usable copy of those files, locally.

The creator of SkyGrabber says:

SkyGrabber works by grabbing all the responses to the requests that come from the satellite. The satellite transmits data to all users in one stream. The data packets are accepted by all who are in the satellite coverage area. In fact, you can set up your satellite dish on this satellite and you’ll receive the data which is produced by other users.

But how do we get the files that other users are downloading? The program intercepts the data of other users, assembles it into files and saves the files to your hard drive.

Here is a video showing SkyGrabber working.

Probably due to the massive press, the SkyGrabber site is flaky and up and down. We were able to obtain a trial of the software, which you can download to see it work. It is an amazing piece of software.

Again, we know this doesn’t have much to do with social engineering… but it DOES have a lot to do with security. How is it that tens of millions or billions of dollars in technology can be thwarted by a $26 piece of software? A nation’s secrets being streamed over a signal that can be recompiled and then used in a matter of minutes?

I don’t pretend to have the answers. I am just fascinated by the story… fascinated that this technology and this industry never cease to amaze me. I am sure there will be some more news on this as time passes, and if anything new pops up we will try to keep you informed. For now… realize… there really is no spoon.

Ask The Social Engineer

Thursday, December 3rd, 2009

Another interesting piece of news. We were asked to write a column for net-security.org. It was an “Ask the Social Engineer” type of column and we just heard it was very popular. With thousands of hits on the article, we are going to write more.

It also was printed in INSECURE Magazine as an added bonus. The article looks beautiful and is a nice read in either location. Take a look on page 67 of the November issue.

Do you have questions you want answered by a social engineer, about social engineering, or about learning how to become a social engineer? Send them in and we might just use yours for the next column.

Thanks

“Interesting Times”, Cyberpunks and the World of Social Engineering

Thursday, December 3rd, 2009

Recently we were approached by a very interesting magazine called Interesting Times to write a column for them. Since I had never heard of them, I asked for some description of what they do and how they do it…

Here is what I got:

Interesting Times is a self-help magazine for extreme people, helping you survive and thrive in the cyberpunk future of today. Headquartered in Sweden, the magazine provides a unique perspective on the current age of possibility, where every new happening holds the potential for both disaster and groundbreaking success.

The magazine aims to implement total world domination using a shock & awe toolbox of positive thinking, power armor and pornstar girlfriends, edifying the reader with an eclectic mix of interesting subjects including lifestyle design, preparations for the post-apocalypse, and the pursuit of superhuman fitness through batmanesque bodyhacking. Building better bad-asses is our main objective and we aim to please.

Interesting enough to make me do a Vulcan eyebrow raise… Well, we did it… and I gotta say the magazine looks sharp. Our article is on page 34 and then there is a nice ad on page 44.

Anyhow, check out the mag and download a copy at the Interesting Times website; we are in Issue #2, page 34. ENJOY and as always – we want your feedback!

Thanks.

If you like the magazine, sign up for our newsletter, which is being released this coming Monday.

Liar, Liar your hands are on fire….?

Tuesday, December 1st, 2009

Probably one of the hottest topics for social engineers is how to detect who is lying and how to improve your ability to fool your targets. Today we picked two articles to discuss this topic briefly.

The first is archived in the social engineer archives. It is a very interesting read on a new study that might point to a link between the way a person draws an event and the truthfulness of that event. In some amazing statistics, the “sketching the agent” result was able to identify 80% of the truth tellers and 87% of the liars – results superior to most traditional interview techniques.

How does it work? They determined that the way a person remembers events is linked to the “angle” they draw the event from. People who were there, truth tellers, will draw from a shoulder camera angle. Whereas liars leave out lots of detail and even leave themselves out of the picture.

What does this have to do with social engineering?

Well, by itself, not much. We haven’t done too many engagements where we can ask the target to draw us a picture. So how can we use this information?

Our second article… well, it’s actually a video. It is a nicely done video that outlines 9 parts to detecting a lie. What we found interesting is how closely these were linked to some of the research on drawing. Take a look:

Step 1: Watch their hands

Studies have shown that the majority of people have a “tell” when they lie. Excess face touching or nose scratching can be a good indicator of a lie.

Step 2: Follow their eyes

Blinking – another thought is that a person who blinks a lot can be lying. Now, we don’t subscribe to this thought 100%. Some people do not have great eye contact by nature, so this point isn’t always a given. Yet, mixed together with some of the others, it can point to a lie.

Step 3: Note their words

Note their words. A liar will skip contractions—saying “I did not” instead of “I didn’t”—and avoid pronouns, using someone’s full name instead of “he” or “she.”

Step 4: Check their smile

A true smile versus a fake smile. A fake smile is just with the mouth. A real smile uses the eyes, the cheeks, the whole face. A person who is smiling falsely can also be an indication of falseness elsewhere.

Step 5: Note their posture

Notice their posture. Liars tend to keep their body posture closed (by folding their arms, for example). Again, we don’t subscribe to this 100%, but it may be an indication of a lie when mixed with others.

Step 6: Pause before responding

Pause momentarily before responding; if the silence makes them uncomfortable, they may be lying. Of course, if someone is naturally slow, don’t count that. But if it looks like the person is pausing and thinking about the answers to natural questions or stories, it can be a good indication.

Step 7: Note the details

Pay attention to details. If they provide more information than necessary, that’s a bad sign. People tend to be overly specific when they’re making something up.

Step 8: Change the subject

Change the subject. Is the conversation just over, or are they trying to change it quickly? Pay attention and see if this indicates untruthfulness. Better yet, you can try and change the subject. Did they seem relieved? It might be an indication.

With all these steps there are a lot of “might be”s… well, mix this with reading facial expressions and you might be able to start detecting liars more readily.

We would say one key to starting off with this is to not view everyone as guilty before being proven innocent. Pay attention to the details, though, and you will be amazed at what you see.

Check out the video:

Stay tuned for more articles coming soon.

Thanks to rAWjAW for submitting these articles to us.
Brad Smith