What if I told you that there was a way to create a profile on you that could reveal
• Where you live
• Who else lives there
• Your commuting patterns
• Where you go for lunch each day
• Who you go to lunch with

And all I need you to do is use a social media site or two and post a picture or two here or there?

Most phones when used for taking pictures will embed certain data in the meta-tag. Meta data is often used by software to help process the picture and open it correctly. Yet there is so much space this is also often used to store the photographer’s name, date and other juicy bits of info about the picture.

One of the juiciest bits is geo-location. Yes the age of the smart phone has opened up this flaw and allows a person to see the exact location of an individual when that picture was taking. Smart phones actual embed the longitude and latitude of the location in the meta data of the picture.

Then when the user (you) posts it to twitter, facebook, and the world begins to awe at your photographic prowess malicious social engineers are finding out the location seeing if you are near home, near a good spot to be abducted, profiling you for id theft or home invasion… pick your poison and although I sound sarcastic, this is very serious.

This is a stalkers dream, enter the age of digital stalking. And a brand new website http://icanstalku.com/

The folks at http://icanstalku.com/ scrap the Twitter feeds for people posting pictures, locate if it has metadata, scrap out the location and data and post it there for all to see. YIKES.

What Can You Do?
Well for one, stop sharing photos of your kids, your wife, yourself, your sandwiches, your clothing, your car, your new tattoo, your whatever with the whole universe. Stop showing the world every time something funny, dumb or weird happens.

But if you are one of those people that must do this, then disable geolocation information in your smart phone. For example in your iPhones it is under Settings > General > Location Services from there you can tell it what apps can access location data.

In your BlackBerry – Go into picture-taking mode (via HomeScreen, click icon “Camera”), press the Menu button and choose “Options”. Set the “Geotagging” setting to be “Disabled”. Finally, save the updated settings.

In Android go to the camera > Settings > GPS and make sure the check box is off.

That’s all you need to do, stop showing everyone where you are in the world. This is not a light matter, when a criminal knows where you are they can more easily plan an attack. Security Through Education. Understand how the bad guys think and what methods they use and you can combat against it.

Till next time, stay safe.

Offensive Security and Social-Engineer.Org have joined forces to launch a new era in security awareness programs.  This course is different than everything on the market today. It is a one day, managerial security awareness training program, geared to expose the threats of modern day attackers.

This course is very unique in the as it is highly informative and entertaining, leaving attendees both engaged and committed to their personal and corporate security. Our goal is to change the way people think, making them own a personal security policy that carries over from their personal life to their professional life.  Join us as we launch the New Era of Security Awareness Training.

For more information about the course, as well as free Security Awareness posters, visit our new Information Security Awareness website.

The Social-Engineer.Org CTF took off with a bang that I think was heard around the world. We have counted just a tad under 100 articles that have been printed about the CTF in magazines, newspapers and media journals around the globe. Companies, people and governments are very curious about the results of the contest and the report that is soon coming.

To recap some of the highlights:

• We had about 15-17 contestants that stuck with it, out of the 45 that signed up.  Many had to quit the competition due to pressure from their companies, some even being threatened with being fired if they competed.
• Every company that was called and had a real human answer besides ONE failed.  The only reason the one did not fail is because at the time the call was placed there was no one on staff to help.
• The pretexts used ranged from being a very technical person who needed help to a user that had zero technical skill at all.  All where successful.
• The data collected will be very useful as companies see that the risk is real and the information was easily obtained.
• In the end, we learned a lot and had a great time.

We held two press conferences while at Defcon as there were some 30 news reporters that wanted coverage on the event.  We worked hard to make sure that none of the target companies or their employees where named next to flags they fell for.  This was to keep the targets and their employees from feeling victimized.

Many of the reports where excellent truly representing what the CTF was all about.  All the press, all the attention and all the good information obtained surely made for an exciting weekend at Defcon.

The end results will be put into the Social-Engineer.Org report that will be posted hopefully in 3-4 weeks.  The Defcon weekend really blew us away.

From the first day we didn’t know what to expect when it came to the contestants as well as the room and the audience.  We were given a smaller room, but as we set it up it looked huge to us.  Just a short time after starting, we were amazed to see the room filling up.  By mid-day there was standing room only.  Not only where we shocked, but humbled to see how many stuck out through out the day.

Then on Saturday it was even fuller. The room was packed all day long, even a line forming outside before we arrived. On Sunday, the same thing but the podcast went great.  We will be editing that and getting it online soon.

After a short break we went to the closing ceremonies.  Never before have we seen so many people packed into a room. They had such overflow they had to set up an auxiliary room.

In the end, the Defcon staff told us they wanted to do something that hasn’t been done in 18 years of Defcon history – Give a first year contest a coveted black badge.  The black badge which gives the holder free access to Defcon for life, as well as the honor and prestige of winning one of the few that are given away, is usually only given to popular contests once they are around for 2 or 3 or more years.  Defcon does this to ensure the contest will have longevity and not give it away to contests that will disappear quickly.

There was a catch though; Defcon didn’t want to break the rules without seeing what the audience thought.  The end result was that they were going to ask the audience if they thought social-engineer.org and the CTF deserved one to be given away to its winner.  After our introductions, Pyr0 asked the audience what they thought.  The response was truly an amazing and humbling experience.  Horns where blown, people clapped, screamed, hooted, hollered, stomped their feet and yelled in support.  After about 20-30 seconds of that from both rooms, the Defcon staff said, “You have your answer” and for Defcon, as well as Social-Engineer.Org history was made.

Handing the black badge to the winner was a joyful experience because he was as shocked as we were.  Our top two winners where amazing in skill and really showed what can be accomplished through social engineering.  Congrats to Scott and Wayne and thanks to Defcon, Offensive Security and CWC for their support. Thank you again to the EFF for the constant advisement, and thank you to the FBI for not judging without all the facts and treating social-engineer.org and the CTF event with such respect.

This is not the end however, but rather just the beginning. With the live recording of the one-year anniversary of the social-engineer.org podcast, the ever growing framework, a much talked about newsletter, and the forthcoming report detailing the analysis of the CTF, we have our hands full.

Thank you everyone for playing a part, supporting us, and the constant words of encouragement.  There will be plenty more news as we get closer to releasing the report.

Thank you for standing with us. And just keep thinking, “Security Through Education.”

While it is true that social engineering will involve some deception as well as obtaining information about these companies, the information the contestants are trying to obtain is innocuous, NON-FINANCIAL and NON-PERSONAL.  At no time will we allow a contestant to make a call that will compromise a company or person’s financial, banking information or identity.

Despite all of our efforts to notify the public that we are not out for malicious gain it seems like this message is not getting through to many in the security industry.  For example, we have come across an email sent out by a large security firm to all their nationwide customers warning them about the CTF.

This email is posted below:

——–

Subject: Warning Regarding DEF CON 18 Social Engineering Contest

As you may know, DEF CON is the world’s longest running and largest underground hacking conference with the 2010 event scheduled in Las Vegas from July 30 – August 1. The 2010 conference may include a nationwide Social Engineering contest sponsored by a group called social-engineer.org.  This contest that could possibly affect your organization anytime between now and the end of the conference; although due to recent publicity and subsequent security concerns directed to the contest sponsor, it is unclear whether or not the contest will actually occur. The official rules are posted at http://www.social-engineer.org/blog/defcon-social-engineering-contest/

The contest targets an unknown list of “victim” organizations submitted by contest participants and while there are associated “rules” posted for this contest, we can assume some participants may not heed the direction.  Therefore, we suggest DDI clients plan for any attack possible.

With that in mind, DDI suggest you consider the following:

• All personnel associated with your organization should be aware of anyone attempting to solicit ANY personal information at all.  This could include, userID’s, passwords, account information, name, address, social security number, information on your organizational IT systems or networks, or anything that is not freely available on the Internet.  For example, many organizations provide executive names on the external web site.  So an attacker could say, “Mr. CEO_Name is expecting my call; he asked me to call and ask for him”.  In another example, the attacker will ask the victim to logoff their computer to perform some maintenance, and then ask for the victim’s userID and password to “test” the fix.

• Be aware of anyone calling and asking for help with a virus, malware, or a network issue.  This is a great way to develop rapport with the victim (asking someone for help appeals to the innate desire to help others).

• Beware that the caller will appear confident and friendly. They will provide as little information as possible (This is Phil from IT Security, as an example). They will smile and laugh on the phone, they may be a bit forceful, but most of the time they will attempt to appeal to the desire to help or ask for help/assistance.

• They may use veiled phrases such “we do not want to miss payroll”, “we cannot afford another outage”, “the auditors are waiting for the information”, or something along those lines, which would cause an employee to offer assistance.

• Callers can imitate anyone they think might solicit information. Examples are an auditor, law enforcement, IT Security, a contractor or vendor, or anyone who might have a valid reason to be associated with your organization.

Please remember that you are dealing with skilled manipulators.  They will be friendly, professional and polished.  We strongly suggest you remind your staff NEVER to give any personal or proprietary information to anyone via the telephone. EVER!

Regards,

Digital Defense

——

We would once again like to reiterate that the CTF will not breach the lines of legality.  We have a professional team of ethical security specialists who are vigilant about maintaining a professional and legal environment during the CTF.  Our goal has been and always will be “Security Through Eduction.”

We are extremely excited about the Social-Engineer.org CTF at Defcon 18. However, in the excitement some have expressed concern that contestants might act improperly or that government, companies or individuals might be adversely impacted. We want to put these concerns to rest. Our jobs at Social-Engineer.Org are to ensure the security of our clients, and our reputation is built on that promise.

The purpose of the contest is to (1) raise awareness on the threat of social engineering, and (2) challenge contestants to come up with creative, legal ways of obtaining information from companies. The contest is structured to be good, clean fun. Our goal is to show how much information companies may inadvertently divulge to individuals making regular, legal inquiries using normal channels of communication. The type of information we will be asking for will be things like the number of restrooms in the building, and the sort of candy that sells out from the vending machines first.

We have been working with attorneys at the Electronic Frontier Foundation to ensure that the rules make clear to contestants that their game play must be lawful:

• Contestants may not ask for or obtain financial data, passwords, or personal identifying information such as social security numbers or bank account numbers;
• Contestants may not attempt to falsify or falsify employment records;
• The list of target organizations will not include any financial, government, educational, or health care organizations;
• Contestants must keep it clean, for example, use of any pornography is banned.

These are just a subset of the rules that we have reviewed with the EFF to ensure participants keep this contest above board. Contestants that do not follow the rules will be disqualified.

We hope our CTF will raise awareness and provide information that shows companies what they need to educate their workers about malicious social engineering attacks. Malicious social engineers never hold contests, never do press releases and never warn the world they will be calling, and they also never have rules. To some extent, we feel that our goal has been advanced already by this discussion, and we hope that with the information we will gather during the CTF we will be able to assist many companies to becoming more secure. Since the beginning, www.social-engineer.org has been all about “Security Through Education” and this CTF is an extension of that.

If there are any questions or concerns please feel free to contact us directly. We would be happy to discuss this specific social engineering contest, or social engineering threats in general with you and your organization. We are here to help the community, please let us know how we can help you.

If you would like to discuss this please contact Chris Hadnagy at defcon@social-engineer.org

The How Strong Is Your Schmooze contest is on it’s way.  The targets have been chosen, the dossier’s have been sent and the social engineering talent has bloomed.  The team at social-engineer.org wanted to give a few updates to the CTF.

1)   There has been a lot of “fear” in the market about our contest.  In one way this is great as it is raising awareness about social engineering.  We have been sent anonymous reports about banks, credit agencies and other organization pasting posters warning of the threats of malicious social engineers.  One report we received told us that many of these organizations even mention social-engineer.org by name and warn of attempts.

2)  Defcon was kind enough to give us a room for the CTF event.  Things worked out to get us into a great spot to host the CTF.  We have the room for Friday, Saturday and Sunday.

On Friday and Saturday we will be listening in as the contestants make their calls.  We are all excited to see what they come up with.

Then on Sunday we have a special event scheduled.  At 10:00am we will be hosting a live podcast.  Well, what we are calling a “Zombie” podcast.  It will be live with community support and all of you there, but not broadcasted live.

The topic for this podcast will be all about Social Engineering, Neuro-Linguistic Hacking, Microexpressions and Body Language usage in social engineering.  What we want is for the community to submit questions or other items you want to discuss.  Submit your questions to defcon@social-engineer.org.

During the podcast mING will be fielding the questions and getting people lined up for the mic.  Make sure you get there early.

After the podcast we will be hosting a public peer review.  We will discuss some of the things we learned from the CTF as well as some of the great attacks used.

3)   The room we have been given is awesome, but it is not huge.  We are limited to about 80 people, and that will be tight.  If you want to get in for the CTF, if you want in for the Podcast and if you want if for the peer review – GET THERE EARLY.  We will be packed solid, so make sure you get there to get your spot.

We will not be able to record any of the days (except the podcast) or broadcast any of the days over icecast or anything.  If you want to hear what is going to be going on, get there early.

If you can’t get in, make sure to tell Defcon about it so next year we get a bigger room.

The contestants have been hard at work now for a week and we are looking forward to seeing the results.  till the next update, we will talk soon.

    Free Pizza - Real or Myth?

Most of us have probably done this:

You are hungry, so you call your local pizza place, realize you have no cash, so you tell the guy on the phone you need to pay with your credit card.

You read off the numbers tell him to put a few dollars on there for tip then chill a couple beers and wait.

This is what Brent did too.  He called his local Dominoes and ordered a pizza… here is his story:

“The other day I had a pizza delivered to my home using my Visa. When the pizza arrived, however, the driver refused to give it to me unless I either gave him my social security number or let him write down my driver’s license number. I refused because of identity-theft and general privacy concerns. I offered to show him my driver’s license and the Visa card I’d used to order the pizza, but he said he had to write down one or the other number.

When I called the local Domino’s about this, I was told that drivers are now required to get the information because, she said, people have been ordering pizzas with stolen credit cards. Why showing that my license and Visa matched wasn’t sufficient, she couldn’t say.”

Fortunately, this guy knew well enough to forgo the hunger pangs and not give out his social security number.  There is a good lesson there, I am not personally sure if Dominoes Corporate says this is their policy or not, but what I do know is that this is definitely a dangerous policy.

Anytime someone asks for our social security number to complete a purchase we should be leery.  At most a company may require a drivers license or some other ID to prove you are who you say you are, but considering you can go online and buy almost anything with any credit card it seems odd that a pizza guy would want a social security number.

The lesson:  Stay Educated, be cautious, think ahead and never give out person details too easily.

The awareness that has been raised is just amazing. There has been many stories written and podcasts discussing the contest and what the rules are. People are wondering and very curious about what it will entail. There has been numerous alerts issued from various agencies about the contest. I will post one of them below.

We are very happy with all the awareness this is raising for social engineering threats. At the end of the contest we are going to release a detailed report that will help all who are interested see what attacks worked.

Our Contest registration is full 100% and there is even a small overflow list. We are excited to see how the contest progresses and we wish all the contestants good luck. We are giving points for this things that you probably never even thought of gathering during normal social engineering gigs.

Stay tuned for more information.

As promised here is one of those warnings below:

Advisory ID: 2010-06-016
Date/Time Reported (GMT): 6/7/2010 8:14 PM
Title: DEFCON Social Engineering Capture The Flag Contest

Risk: 2
Audience: Analysts
Core Members
Premier Members
Standard Members

Type of Threat: Social Engineering

Summary: Hacker Conference DEFCON is hosting a Capture The Flag (CTF) contest that aims to test participants’ social engineering skills. The contest’s specific ground rules state that participants must legally socially engineer their way into a target company, and they are not allowed to get credit card numbers, social security numbers, passwords, involve porn, or
make the target feel “at risk.” Participants cannot use government agencies, law enforcement, or legal entities as a ruse to get inside, nor can they contact relatives of the targeted firm’s employees.
DEFCON 18 will take place July 30th – August 1, 2010 at the Riviera Hotel & Casino in Las Vegas, Nevada. Financial institutions should be aware of this upcoming contest, and should brief their personnel, especially call centers and legal departments regarding this event.

Business Impact: Social Engineering

Severity: 1 – Informational (Normal)

Urgency: 1 – Information Only

Credibility: 3 – Single Source

Description:
The CTF Rules
<our rules where posted here>

Recommendations: Financial Institutions are recommended to proactively brief their personnel, especially call centers and legal departments regarding this event.

Legal reminders for Financial Institutions: Any attempt to solicit information about an FI customer/client is considered an attempt at unauthorized access to customer information under

GLBA and Bank Secrecy Act provisions and may require submission of a Suspicious Activity Report.

Regulatory guidance: http://www.ffiec.gov/ffiecinfobase/resources/retail/frb-sr-01-11-identity_theft_pretext_calling.pdf
http://www.fdic.gov/news/news/financial/1998/fil9898.html

In New York State criminal impersonation is a misdemeanor: S 190.25 Criminal impersonation in the second degree: A person is guilty of criminal impersonation in the second degree when he:
1. Impersonates another and does an act in such assumed character with intent to obtain a benefit or to injure or defraud another; or
2. Pretends to be a representative of some person or organization and does an act in such pretended capacity with intent to obtain a benefit or to injure or defraud another; or
3. (a) Pretends to be a public servant, or wears or displays without authority any uniform, badge, insignia or facsimile thereof by which such public servant is lawfully distinguished, or falsely expresses by his words or actions that he is a public servant or is acting with approval or authority of a public agency or department; and (b) so acts with intent to induce another to submit to such pretended official authority, to solicit funds or to otherwise cause another to act in reliance upon that pretense.

Criminal impersonation in the second degree is a class A misdemeanor.

Source(s): http://www.social-engineer.org/blog/DEFCON-social-engineering-contest/
http://www.darkreading.com/insiderthreat/security/client/showArticle.jhtml?articleID=225400253

Malicious Social Engineers May Use This

When the stories never cease to amaze you and you think you have seen it all, there comes a story that just seems to defy all logic.  Enters our present story.

Prosecutors in New Jersey USA says that Jonathan Prime, a 20-year old man convinced a 13 and 14 year old boy to send him pictures of their genitals.  How?

The two young men where frequent players of the game Call of Duty: World at War on MS Live.  It seems that Jonathan was able to convince the two young boys that it was a condition of the clan he was starting.

This wasn’t a lone incident, he did this to many children.  Many who rejected him but he was able to convince at least four of them by grooming them, getting them to comply and even getting one to call him and have phone sex.

Despite the inherent WTH factor here.  How could these kids fall for this?  How could they believe that this really was a term of the contract?

Those questions are above our scope of our site.  What we will cover is what could parents do to keep safe?  How is it possible to keep your children safe without having to unplug the television and disconnect the Internet?

There are certain things that can be done, but the reason many fall short is these steps don’t involve a plug in or device to keep you safe, but there are two steps that can keep your family safe.

1. Communication:  Nothing can beat just sitting your kids down and talking with them.  Telling them what is going on in the world and how malicious people think.  Telling them what signs to look for and being involved in their lives.  This can keep them safe.
2. If kids are going to play online, consider muting all the other players. It is normally possible to only talk to people that are known friends, instead of random strangers. Gaming can be a social event, but best to keep it social to those you know. Parents can use gaming as a chance to do something with their kids. If parents sit down and play games with the kids, they will better understand the potential issues that could be encountered. This will put them in a better situation to provide guidance to the kids in a manner that is truly helpful.
3. Education:  Right along with communication, teach your kids about the world and what is going on.  If they are aware of the malicious attacks and how these people think they can be aware of their tactics.  This doesn’t mean you need to tell them all the gory details but keeping them aware can go a long way in a good protection plan.

We always strive to learn something from the attacks we analyze, but truly in this one there are no redeeming qualities.  All we can say, it is one of those attacks that is pure evil and malicious and there is not much to learn except, keep your kids safe.

Its 10:pm Do you know where your children are?

In the 1980′s before Social Engineers were using the Internet to Trap Children

Join Social-Engineer.Org and Offensive Security in the Official Social Engineering CTF hosted at Defcon 18.

We are inviting those of you who think you can use ethical social engineering skills to stretch your limits as a social engineer. A unique blend of information gathering, planning and attack vector execution will challenge the very core of every participant. This will be a different SE challenge as our focus is not on who can “get” the target the worst, but a true display of SE talents. Each participant will be given a target company and there will be point system. Full rules coming on the registration page.

– Your choice between an Offensive Security Wifu Course or a 16GB iPad, Winners Plaque and a spot on the Social-Engineer.org Podcast

- Offensive Security Wifu Course and 2nd Place Winners Plaque

Registration will begin on June 3rd so stay tuned and be the first in line to sign up for this exciting new contest.