
Social Engineering Poll – Endearment vs Authority

Yes, it has been a long time since we had a social engineering poll.  But we are ready to release the results of one of the most successful so far, as well as start a new poll.

Endearment vs Authority

This poll was based on two different stories.  The first showed the principle of endearment and how it may be used by a malicious social engineer.

The second story involved a social engineer employing the authority principle.  By simply carrying a clipboard and acting in charge, could a social engineer manipulate people into giving up valuable data?

These two scenarios were presented with a third option that neither of them would work.  How did the results turn out?

(more…)

Social-Engineer.org is GROWING!

After returning from Defcon 19 and another successful Social Engineering Capture the Flag competition, the team at Social-Engineer.org decided it was time to add a few staff members to help grow the business and to help promote Social Engineering. We put a call out for interns and the response was overwhelming. Literally hundreds of people responded to the call with resumes and letters asking to be part of the team.

The first choice was easy. Enter Dan aka “miNG”, a long time slave, errand boy, Defcon gimp, and information gatherer for Social-Engineer.org. Dan has been helping Social-Engineer.org for over three years now. When asked what he loved about Social Engineering, Dan cited the power and flexibility of the craft along with its everyday practical uses. His help to the organization has been invaluable and to recognize that, Social-Engineer.org would like to officially welcome Dan to the team! Dan will continue his duties as a slave and will assist in information gathering, as well as keeping order on the IRC channel and various other duties to be announced.

(more…)

$99 HP Tablets – Social Engineering, Scams or a Real Deal?

When HP made their announcement last week, followed by the announcement that there would be a massive reduction in the pricing of their tablets, every tablet junkie on earth was clicking their refresh button at amazing speeds. While most tablet junkies started to get excited, so did the social engineers.

Where there is need and desire there are scammers – and this is no different.

Let me start off by saying that HP is offering their tablets at $99 USD.  That is not a scam, but check out this URL that looks innocuous enough on the http://www.hewlett-packard.org.uk site.

(more…)

Defcon 19 – Lessons Learned

As Defcon came rolling around we knew that this year would be different.  Being the second year of the SE CTF as well as the first ever Defcon Kids event with a special Social Engineering CTF for Kids, we knew this year would be special.

We wanted to take a minute to recap some of the events and lessons learned from Defcon 19 and talk about our plans for next year.

Defcon 19's new venue really was a few dozen steps above the Riv.  Our room set up and everything went ultra smooth.  Pyr0, Grifter and the crew did an amazing job with the organization as well as the layout of the events.  These guys know how to make stuff happen, and it did.  When we got to the room we had no walls, chairs or tables, and within an hour we were set up.  Really an amazing job.  The fact that our feet didn’t stick to the floor when we walked down the hallway or bathrooms was an added bonus. :)

The room that they gave us this year was easily 5-10 times bigger than last year.  Our first concern was of course keeping it interesting enough to keep the room packed.  The first day we had to announce that our premier target for the CTF couldn’t participate this year, so Kevin Mitnick and Chris, who planned on making that call, couldn’t do it.  Kevin came in and did a nice 30-40 speech on SE and answered some Q&A.  It was an excellent speech and a good way to kick off the event.

(more…)

Defcon Hackers Steal Data from Oracle – REALLY?

We love reporters, we really do.  We have a great relationship with many reporters from all over the globe.  We understand that sensational titles and stories are what sells.  With that in mind we wanted to take a minute to address some of the false conclusions that are being made based on some of the data coming out of this year’s Social Engineering Capture the Flag contest.

As part of the contest, we make a point to never embarrass a company due to the results of the contest. There are a number of quotes that are being attributed to Chris that are inaccurate, as we would never name one company or another as doing the “worst” as part of the competition.  During our press conferences at Defcon we were asked about this and we declined answering for this very reason.

Additionally, we caution anyone against declaring that one company is more or less secure than another based only on the calls. The structure of the contest is such that one contestant calls one company for a limited period of time. There are far too many variables in that arrangement to say that any single company did worse than another (e.g. the skill of the caller, the person they get on the phone, the pretext used, etc.).

At this point, the only conclusion that we can confidently make is that the state of defense against social engineering attacks in corporate America is very poor. All companies contacted did poorly, even against amateur social engineers. Our goals are to educate and help companies, as we have said numerous times on our podcast, newsletters and the new site we launched, www.social-engineer.com.  We do not do that by embarrassing or humiliating the same companies we want to help.

If a member of the press or any company has questions at all, please contact us at logan@social-engineer.org.


