SE

Dumpster Diving in Georgia


Acting on an anonymous tip, WSBTV’s Ross Cavitt discovered a dumpster full of sensitive medical documents outside an office complex in Hiram, Georgia. Hiram, a city in Paulding County northwest of Atlanta, is home to 2,332 people. Cavitt’s anonymous source said the documents had sat in the dumpster all weekend and had not been shredded, incinerated, or obfuscated in any way.

Sitting in the dumpster, freely available for anyone to pick up, were the sensitive medical documents of untold numbers of people. These documents included Social Security numbers, addresses, dates of birth, bank account information, and personal health information: essentially everything a criminal would need to impersonate an individual, steal an identity, launch a spear-phishing attack, steal money, or even do physical harm.

The Beat of Social Media Engineering


Secarma recently discovered an article about an API tool called “The Beat” from Rutgers University, which seemed to be one of the more interesting uses of social media information. The Beat links the geolocation information embedded within Instagram images to Google Streetview, and the result is made searchable using Instagram tags. APIs and information gathering were covered in Social Engineer Podcast 039.

On the surface, it seems to be a fantastic tool. A user can search tags for a concert they attended, find other people who were also there, and take a look at their pictures. And since the Social Engineer Podcast doesn’t really focus on “how to find girls for free,” that could be one further use of “The Beat!”

However, as we discussed the security implications of this tool here in the office, we decided to search for more unusual items. It was when we searched more generic terms that we uncovered the darker side of the API.

A Good Lesson on Reading Nonverbals with David Kennedy

David Kennedy from Trusted Sec had the privilege of going on CNN today to discuss China’s hacking attacks against the US Government and corporations. He did a superb job and came across as intelligent and well spoken.

But we can’t pass up the opportunity to use a piece like this to look deeply into human nature and see whether the face tells us something else.

Real Life and the Application of Social Engineering Part IV


First off, after the last portion, I can hear the cries of “B.S.” from my desk all the way down here in San Antonio. Never fear, doubters: I kept everything. Check stubs, awards, bank statements, and even customer character statements for a situation that you will hear more about in this part of the series. Enjoy this second-to-last installment of the story.

As I worked on being everyone’s trusted bartender, people would have long conversations with me on various topics, mostly what was on the news at the time. These initial conversations always led to ‘off topic’ conversations, which led to other ‘off topic’ conversations, and so on. I remember one conversation, specifically, where I was commenting about a better way to keep track of undercover officers/spies that wouldn’t get them ‘popped’ as would be the case if they were caught wearing a wire. I was told that the military/spy agencies had the ability to turn your phone on and then turn on your phone’s built-in microphone/camera. The phones could record all this audio and video without your knowledge. At the time, it was illegal to conduct this activity Stateside, although, according to what I have read on “Stellar Wind”, it seems these spy agencies are still doing this anyway.

It is a well-known fact that this type of ‘hack’ is possible currently, but when I first heard about it, it was seven or eight years ago. I was horrified and I will admit that my paranoia was really kicking in about this time. (Hell, when I first found out about the N.S.A. coming into my bar, I almost quit and was even more scared.) “I wasn’t Stateside; I was fair game. These a-holes had put me at risk just by coming into the bar,” so my paranoia screamed, but then nothing happened. I wasn’t busted, and again, I became used to the pressure. In the back of my mind, though, I was always keeping my eyes and ears open for anything that would tip off my status or help me keep a step ahead of the law. I was also in shock that I was able to find out such sensitive information while the guys were just blowing off steam while waiting for traffic to die down. This example is just one of many I was able to ferret out without even trying, and nowhere near the most sensitive information I gathered either.

Social Engineering Fun During The Holidays


Ahhh, the Holidays are here. For most of us, this means gathering with family and friends: endless hours of conversing together, eating together, and playing games together. Don’t look at these occasions as simply maintaining the status quo, or doing your requisite duty; look at them as a social engineer’s playground. You’re stuck there, so you might as well make the best of it, right? Like we did last year, we wanted to give you some ideas for fun little games you can play while surrounded by the ones you love, or maybe just like.

Reciprocation Games

These games make use of one of the principles of influence, reciprocation. The ‘foot-in-the-door’ technique involves getting your target to comply, or to say “yes,” to small, mundane tasks with the explicit intent of getting them to say “yes” to larger requests. The psychology behind this is that getting them to say “yes” to something increases the chances they’ll say “yes” to future requests, so start out small and work your way up.
