"There is no charge for awesomeness" -Po, Kung-Fu Panda

Cyber Stalking and Smart Phones – Making Social Engineering Easier

It seems that every month we are tweeting, blogging or writing in our newsletter something about the amazing world of social media. Something just came across our desks that will really blow your mind: how smart phones are a cyber stalking dream tool.

What if I told you that there was a way to create a profile on you that could reveal:
• Where you live
• Who else lives there
• Your commuting patterns
• Where you go for lunch each day
• Who you go to lunch with

And all I need you to do is use a social media site or two and post a picture or two here or there?

Most phones, when used for taking pictures, will embed certain data in the picture's metadata. Metadata is often used by software to help process the picture and open it correctly. Yet there is so much space that it is also often used to store the photographer's name, the date and other juicy bits of info about the picture.

One of the juiciest bits is geo-location. Yes, the age of the smart phone has opened up this flaw, which allows a person to see the exact location of an individual when that picture was taken. Smart phones actually embed the longitude and latitude of the location in the metadata of the picture.

Then, when the user (you) posts it to Twitter or Facebook and the world begins to awe at your photographic prowess, malicious social engineers are finding out the location, seeing if you are near home or near a good spot to be abducted, and profiling you for ID theft or home invasion… pick your poison. Although I sound sarcastic, this is very serious.


A New Era of Security Awareness Training

Each year companies lose millions in security breaches. As these breaches wreak havoc on companies and people, we feel that high quality Information Security Awareness is probably one of the most important remedies. The whole social-engineer framework is geared toward our thought that the human element is the weakest link in the chain, and the Social Engineering CTF at Defcon 18 really drove that point home.

Offensive Security and Social-Engineer.Org have joined forces to launch a new era in security awareness programs. This course is different from everything on the market today. It is a one-day, managerial security awareness training program, geared to expose the threats of modern day attackers.

Social-Engineer Breaks a Defcon Record

Defcon is over, and after the long treks home we take some time to review the past few days. There is so much to say that it seems like I have to write a book to get it all out. Most of it can be summed up by saying, “Security Through Education.”

The Social-Engineer.Org CTF took off with a bang that I think was heard around the world. We have counted just a tad under 100 articles that have been printed about the CTF in magazines, newspapers and media journals around the globe. Companies, people and governments are very curious about the results of the contest and the report that is soon coming.

Social Engineering – Fact versus Fiction

Social-Engineer.Org started the idea for this year's CTF without really knowing how much fear it would build into people and organizations. From the beginning we have published our goals, rules and ideas to help squelch the fears of those who think our intent is malicious.

While it is true that social engineering will involve some deception as well as obtaining information about these companies, the information the contestants are trying to obtain is innocuous, NON-FINANCIAL and NON-PERSONAL.  At no time will we allow a contestant to make a call that will compromise a company or person’s financial, banking information or identity.

Despite all of our efforts to notify the public that we are not out for malicious gain, it seems like this message is not getting through to many in the security industry. For example, we have come across an email sent out by a large security firm to all their nationwide customers warning them about the CTF.

This email is posted below:

Social-Engineer.Org CTF Update – Awareness Abounds

This is supposed to be fun

We are extremely excited about the Social-Engineer.org CTF at Defcon 18. However, in the excitement some have expressed concern that contestants might act improperly or that government, companies or individuals might be adversely impacted. We want to put these concerns to rest. Our jobs at Social-Engineer.Org are to ensure the security of our clients, and our reputation is built on that promise.

The purpose of the contest is to (1) raise awareness on the threat of social engineering, and (2) challenge contestants to come up with creative, legal ways of obtaining information from companies. The contest is structured to be good, clean fun. Our goal is to show how much information companies may inadvertently divulge to individuals making regular, legal inquiries using normal channels of communication. The type of information we will be asking for will be things like the number of restrooms in the building, and the sort of candy that sells out from the vending machines first.


