What struck me as interesting about this story that made me rush over here to type this up at the worst time to release a blog post on earth was the way that these attacks are being “made new”.

Heck, most intelligent IT Admins won’t click on the link to “See Britney Naked” or “Adjust your Bank of America Account” because they know it is phishing.

But comes in the “new and improved shiny phishing”. These social engineers have done their homework. They have the names of IT Admins, they have the names and details of current projects and other information that makes the emails very believable. But it doesn’t stop there, this is the part that will make you stand up and pay attention. They are not asking for a link to be clicked or a file to be run or a website to be visited…. they are merely asking for the admin to change some configurations to their servers. These changes would allow their mail servers to be used for spamming, or open up some other vulnerability in their servers.

Take a look at one such email:
———————————
Dear Valued Customer,

We are pleased to announce the go-live date for a new Data Center, scheduled to go live on April 19, 2010.
Please update your firewall rules to allow SMTP traffic on port 25 from the following IP address ranges:xxx.xxx.xxx.xxx/xx (xxx.xxx.xxx.xxx – xxx.xxx.xxx.xxx)xx.xxx.xxx.xx/xx (xx.xxx.xxx.xx – xx.xxx.xxx.xxx)

If you have settings on your e-mail server which control the IPs which are allowed to connect for e-mail relay please confirm that those settings are updated as well.

We will be able to test and verify connections one week prior to April 19, 2010. Additionally, we will be proactively running connection tests prior to the launch on behalf of all customers, and contacting you directly if we are unable to connect to any of your domains from ALL specified IP addresses for that domain.

Prior to the launch of the new IP addresses, we recommend that you set up and configure the Deferral Notification alerting feature for your domains using the Deferral Notification option on the Domain properties page in the Admin Center. The Deferral Notification alert feature sends a message to you when a customized threshold has been met or exceeded for deferred e-mail in your domain. After the new IP addresses are launched, this feature will help to ensure that e-mail sent to your domains is not deferred because of unsuccessful connection attempts to your network, and that you alerted in the event that e-mail is being deferred beyond your acceptable limits. For more information on how to set up the Deferral Notification alert feature, see the Admin Center Guide in the Resource Center.

Please refer to the Configuration subtab of the Administration Center for a complete list of IPs which should be allowed to connect to your environment at any time.
———————

An unsuspecting admin would and they ARE falling for this wreaking havoc on networks all over.

Until next time….

A few notable articles that popped up:

First there was an article about details on how it was done, what software was used and even proof that they knew a lot more than they admitting to know.  You can see that article on the Stryde Hax Blog.  It is long but worth the read.

Don’t stop there folks, another school in the Bronx NY, USA the admin was bragging how he “monitors” the children and even demonstrated it on PBS television.

I guess from a security standpoint sure I would love to be able to flip a switch and watch what my target is doing. It would make my job easier as a social engineer.  Yet when I read these stories I wonder how difficult it must be to be a kid in this day and age.  The pressure by society, peers, schools, etc but then to top it off people can just spy on you and you have no rights?

Then we see that it is not just us sec guys that have a problem with this.  I guess the FBI has opened an investigation into the event.  I just may have to pick up one of those t-shirts

Till next time

Hey I got kids and if this happened I just might have to put on the boxing gloves.

Basically the gist of the story is that a school in Philadelphia USA issues laptops to their students.  One day Little Blake Robbins goes to school and is slapped with a “improper behavior in his home” disciplinary action.

Of course the first question is, WTH?  After some questioning what is found is that these laptops have web-cams on them and those web-cams where set so the admins can turn them on remotely at will.

Allegations are being launched against the school that they used these cameras to spy on students and their families, a massive breach in privacy.

If you are like me, we do a lot of things with the laptop in the room.  From personal conversations, arguments, dinner, getting dressed, heck I have even heard some stories about people taking the laptop into the bathroom with them (JUST HEARD STORIES PEOPLE).

So how far is too far?  I can understand the schools having monitoring software on the computers, I can understand filtering sites, heck I can even grasp having very strict rules on usage (although I might help my kids get around some of those silly blocks) but this, this is just too far.

I can only imagine those pervs sitting in their admin office and spying on the 16 year old teenage girls while sitting in their bedrooms at night.  This story just screamed out to me. As a social engineer I would love to be able to do this to my clients and get all their passwords and just walk in and say, “All your base are belong to us“, that is where the smile came from.

Yet on children?  our children?

Another question is who is responsible for our children’s behavior?  Is it the schools?  When they leave the school grounds, do the teachers still have a say in what is said or done?  Do we want to take the parents out of the equation?

From a social engineering point of view, how much information is too much information?  From a SE angle there is no such thing as TOO much information.  As a person, if you want to protect from this you need to seriously consider what it is that you release to the public.  Pictures of our family, kids, names, addresses and such personal information can lead to a serious hack on you and your family.  Take that to the next step, use this information from a business perspective now and what you have is a path to own your business too.  This is a scary story as it makes us reflect on the way information is released and the amount of it we allow out into the world.

This opens up a whole another topic.  Keep tuned because we will be posting some serious stories in the near future.

For a full story online check out:  http://www.boingboing.net/2010/02/17/school-used-student.html or

http://newsolio.com/students-spied-on-via-laptop-computers-by-lower-merion-school-district-in-philadelphia-claim,5537

While we were there, Shawn Moyer and Tom Eston were kind enough to drop by the podcast where we spoke to them about putting information that has been gathered on targets to use. It was a great podcast and we really appreciate Shawn and Tom’s expertise on the topic. Be sure to check it out, we think you will find it is one of our best.

Also wanted to make sure everyone was aware the newest newsletter has been posted online, so if you did not see it yet be sure to take a look. And consider signing up if you have not already done so.

Thanks again and we look forward to seeing you all soon at Defcon.

Take a look at a special leaked video we found. It is not too clear but you’ll get the picture.

Maltego 3 Leaked

Enjoy

I got into work one Saturday morning and was immediately called out to a home invasion. It was summer and I really didn’t want to be working as it was very nice out, but duty calls. It was 8:30 in the morning when I arrived at the victim’s house. The house was a multi-level home – not very big, but not very small. It was a fairly nice, quiet neighborhood and the house sat near the top end of a cul-de-sac.

When I got there, two male deputies and a female sergeant had spoken with the victim already. They relayed his story and I had a look around. The house wasn’t torn apart, but a few items were in disarray. There was a good amount of blood on the wall of the stairs leading up to a bathroom and the bedrooms. Only a few items were missing: a TV, the computer including monitor, keyboard, and mouse, and the victim’s wallet. There were other valuable items that weren’t taken.

After looking around, I started asking the victim a few questions. He was about 45 years old and had a pretty good black eye and some other bumps and bruises. Normally, when I would ask someone to tell me their story, I would ask them to start at the beginning. I don’t want to determine the beginning for them. Here is his story, starting from his beginning.

“I dropped my wife off at the airport on Thursday afternoon since she went to visit some family. I came home and hung out for a while. I went to bed that night, but didn’t go to work on Friday. I’ve had horrible back problems and I’m on muscle relaxants and pain killers. And yeah, I like to drink a little bit, so I had a couple of drinks too. Somewhere between 8 and 8:30pm last night, a guy and a girl I’ve never seen before open my front door and walk in. I start to yell at them and the man hits me in the face. They made me go upstairs in the bathroom and he tied me up. They kept yelling at me and the guy hit me a few more times. They took some stuff and then they left. I didn’t see what they were driving and the whole incident is a little hazy. I don’t really remember too much of it.”

So there is his story. Looking at the entirety of the situation, things didn’t make sense to me. There were seven red flags that popped up in my mind…

Red flag 1: The victim didn’t report the crime until 12 hours later. If someone had broken into your house and beat you up, wouldn’t you call the police right away?

Red Flag 2: Wife just left to go out of town. Interesting…nothing happens when she’s around, but she leaves and all hell breaks loose? This was also important as it was the beginning of his story. Normally an event like this would begin with the intruders entering the house.

Red Flag 3: Time and Location. The house was on a cul-de-sac. It was at the top of a circle and had other houses facing it. It was 8pm on a summer day which meant that it was still pretty light out. If anyone arrived at the house and went in, surely there was a chance they would be seen. The house was not randomly chosen.

Red Flag 4: Items stolen. I had never seen anyone steal a keyboard and mouse along with the computer tower. The fact that other valuable items were not taken was also an issue.

Red Flag 5: Intoxication. The victim had been taking pills and was drinking.

Red Flag 6: Front Door was unlocked. This may not be a red flag to everyone, but the victim didn’t go to work and had a car in the garage. Suspects generally aren’t that lucky to find unlocked doors.

Red Flag 7: The presence of the female sergeant was distracting for him. Whenever she walked into view, he would turn his head away and begin to mumble. He didn’t want her to hear his story.

Any one of these items aren’t a huge issue on their own, but put them together and you have the perfect storm of BS. Several things pointed to the story being incomplete, so to get to the truth I had to ask questions and draw out more information. I couldn’t just call him a liar (since he was a victim after all) and I used leading questions to get to him to finally admit. I decided to focus on the computer being taken and asked him questions about it. It turned out that the key question was asking him what types of things he does on the computer. He slowly admitted he looked at online porn which led to him admitting he had “ordered” prostitutes in the past. Getting the rest of the story was easy.

Here’s what really happened: The victim thought he would have a little fun since his wife was gone. He went online, found an adult website, and contacted an escort. She showed up, they had their fun, and she left. Half an hour later the two suspects showed up and beat and robbed the victim. He was scared, embarrassed, and didn’t want to get into trouble with either the police or his wife. The escort called her associates and told them about an easy “mark” who was too drunk to stop them. They took the computer since this was how the victim originally found the escort.

Now, is this the complete truth? I doubt it, but it makes a lot more sense than the original story.

There were a lot of little things that went into making a determination on the truth. I made a few assumptions and inferences before the victim ever opened his mouth. The questioning wasn’t as important as the initial information that lead to the right questions to ask. The surrounding environment and location were almost more important than what the victim actually said. Without the initial information, his story wouldn’t have seemed quite so out of place.
—-

Thanks Matt and we look forward to the next story.

It brings to light some very interesting facts…. malicious social engineers are looking at what is “bothering” people and then offering information and/or solutions if “you just click here.”  Everything from money help for the economic woes people are experiencing right down to cures for the H1N1 Virus.  It makes a further valid point, that the users are the ones who are to blame.  We take a less strict stance here at social-engineer.org.  We feel that too many people are in fear and having life problems they WANT a solution.  Due to that, they click… they browse… they download.  Why?  Because maybe, just maybe, there is a solution at the other end of that link.

This brings us to our main story for today.  Even though this is an older story is an “oldie but goodie…” It was archived on our site from www.wired.com.

AOL, yes AOL again.  A social engineer called AOL’s tech support and some how convinced the support rep to accept an EXECUTABLE file then… wait for it… wait for it… YES, execute the file.  When the file was executed it connected the support users computer to an IRC Channel and allowed the hacker to issue commands.

Those commands allowed the hacker to gain access to Merlin, AOL’s internal Database, as well as over 35 million accounts.

Another attacker called in pretending to be a user who just had mouth surgery and only had the screen name.  When he mumbled the user info over and over, the rep finally got frustrated and gave him the information he needed.  After a few calls he was able to obtain a full user account with password change.

This article truly shows major weaknesses in the way call centers operate and reveals weaknesses that will and DID bring major companies to their knees.

We are scouring the Internet for more stories.  Keep sending in your links and we hope you enjoy reading.

On another note… did you see this great little thing Google has done?  Go to www.google.com and just hit “I’m feeling lucky” with nothing in the search box and see what happens.

Its a countdown.. we will let you figure out what it is for.

Till next time.

The truth is… it doesn’t have much to do with social engineering at all, but it is so darn interesting we had to write about.  Plus we have a special surprise for all our readers.

So here is the basic gist…  Iraqi hackers with a cheap satellite dish and a $26 piece of software called SkyGrabber were able to intercept the US Governments video feeds of the Predator Drones.  This allowed them to know the location evading being detected as well as knowing the whereabouts of the drones.

How did they do this?

Enter the SkyGrabber

SkyGrabber is a very interesting piece of technology.  Much like a BitTorrent Client it allows you to connect your computer directly to your satellite dish then it “grabs” the data in the area being beamed to and from satellite dishes in your range.  It grabs the pictures, movies, files… video feeds and recompiles them on yoru local machine giving you not just access, but a fully usable copy of those files, locally.

The creator of SkyGrabber says:

SkyGrabber works by grabbing all the responses to the requests that comes from the satellite. The satellite transmits data to all users in one stream. The data packets are accepted by all who are in the satellite coverage area. In fact, you can set up your satellite dish on this satellite and we’ll receive the data, which is produced by other users.

But how do we get the files that other users are downloading? The program intercepts data of other users, assemble in files and saves files in your hard drive.

Here is a video showing SkyGrabber working.

Probably due to the massive press the SkyGrabber site is flaky and up and down.  We were able to obtain a trial of the software which you can download to see it work.  It is an amazing piece of software.

Again, we know this doesn’t have much to do with social engineering… but it DOES have a lot to do with security.  How is it that $10’s of millions or billions of dollars in technology can be thwarted by $26 pieces of software?  A nations secrets being streamed over a signal that can be recompiled and then used in a matter of minutes?

I don’t pretend to have the answers.  I am just fascinated by the story… fascinated that this technology and this industry never ceases to amaze me.  I am sure there will be some more news on this as time passes and if anything new pops up we will try to keep you informed.  For now… realize… there really is no spoon.

It also was printed in INSECURE Magazine as an added bonus.  The Article looks beautiful and is a nice read in either location.  Take a look on page 67 of the Nov Issue

Do you have questions you want answered from a social engineer, about social engineering or learning how to become a social engineer?  Send them in and we might just use yours for the next column.

Thanks