Archive for the ‘General Social Engineer Blog’ Category

DEFCON 18 Social-Engineer CTF Contest Findings Report Summary

Wednesday, September 15th, 2010

The full report is available for download from Social-Engineer.Org.

Social engineering is a real and dangerous threat to Corporate America. In the simplest of terms, social engineering is manipulating a target to take an action that may or may not be in their best interest. As companies devote more resources to technical security, technical attacks become more expensive. Social engineering is a popular alternative for cyber criminals interested in operating on the cheap. After all, these attackers seek the same high return on investment as business owners.

This real-world threat was clearly evidenced by a CTF contest recently held at Defcon 18 in Las Vegas. Defcon is one of the world’s largest and longest-running annual hacker conventions, focused entirely on the sharing of practical insights into defensive and offensive security. Companies targeted in this year’s CTF contest included BP, Shell, Apple, Google, Microsoft, Cisco Systems, Procter & Gamble, Pepsi, Coca-Cola, Symantec, Philip Morris, Walmart, McAfee and Ford. A report on the findings of this contest, to be published September 15th, 2010, revealed some interesting (even alarming) information.

One of the most alarming findings was that it doesn’t take a seasoned expert in social engineering to successfully penetrate a company. Inexperienced attackers have easy access to free resources including Facebook, LinkedIn, Twitter, Google Search, and Google Street View. These resources, coupled with call centers and customer service departments that are focused on customer satisfaction, were enough to gather valuable information from most targeted companies. For the more resistant targets, there were plenty of believable pretexts to choose from (e.g., an employee satisfaction survey, a helpless customer, a recruitment agency interviewing a former employee who had just posted a resume on a job-seeking website, etc.). As a last resort, any resistance encountered was easily overcome by simply hanging up and calling again until a more cooperative employee could be reached.

Sensitive information (e.g., financial, strategic, etc.) was off limits for the CTF, but fair-game ‘flags’ included employee schedules, browser versions, and the anti-virus software in use. Contestants were also encouraged to fool targets into opening a fake URL as a way of demonstrating a very common attack technique. Based on findings from this contest, the average entry-level and call center employee did not appear to have adequate security training. As a result, they typically sensed no danger in being as helpful as possible and shared information that they perceived to be trivial. With the right information, social engineers can pose as insiders, gaining the trust of key gatekeepers within any organization, which ultimately leads to the compromise of sensitive information.

Social Engineering – Fact versus Fiction

Tuesday, July 27th, 2010

Social-Engineer.Org started the idea for this year’s CTF without really knowing how much fear it would build in people and organizations. From the beginning we have published our goals, rules and ideas to help squelch the fears of those who think our intent is malicious.

While it is true that social engineering will involve some deception as well as obtaining information about these companies, the information the contestants are trying to obtain is innocuous, NON-FINANCIAL and NON-PERSONAL. At no time will we allow a contestant to make a call that would compromise a company’s or person’s financial or banking information or identity.

Despite all of our efforts to notify the public that we are not out for malicious gain, it seems this message is not getting through to many in the security industry. For example, we have come across an email sent out by a large security firm to all of its nationwide customers warning them about the CTF.

This email is posted below:

Defcon 18 Social Engineer CTF Update

Tuesday, July 13th, 2010

The How Strong Is Your Schmooze contest is on its way. The targets have been chosen, the dossiers have been sent and the social engineering talent has bloomed. The team at social-engineer.org wanted to give a few updates on the CTF.

1)   There has been a lot of “fear” in the market about our contest. In one way this is great, as it is raising awareness of social engineering. We have been sent anonymous reports about banks, credit agencies and other organizations putting up posters warning of the threat of malicious social engineers. One report we received told us that many of these organizations even mention social-engineer.org by name and warn of attempts.

Social Engineering being used by Child Predators

Monday, June 7th, 2010

I can remember as a child the PSAs (see below for an example) about keeping your kids safe from predators. Times surely have changed in recent years. There are plenty of laws that are supposed to keep our kids safe. Yet it seems that those who desire to hurt our children are coming up with more and more malicious ways of using social engineering to lure children into the dark corners of their depravity.


When the stories never cease to amaze you and you think you have seen it all, along comes a story that just seems to defy all logic. Enter our present story.

Prosecutors in New Jersey, USA, say that Jonathan Prime, a 20-year-old man, convinced a 13-year-old and a 14-year-old boy to send him pictures of their genitals. How?

The two boys were frequent players of the game Call of Duty: World at War on MS Live. It seems that Jonathan was able to convince them that it was a condition of membership in the clan he was starting.

This wasn’t an isolated incident; he tried this on many children. Many rejected him, but he was able to convince at least four of them by grooming them, getting them to comply, and even getting one to call him and have phone sex.

Despite the inherent WTH factor here, how could these kids fall for this? How could they believe that this really was a condition of joining the clan?

Those questions are beyond the scope of our site. What we will cover is what parents can do to keep their kids safe. How is it possible to keep your children safe without having to unplug the television and disconnect the Internet?

There are certain things that can be done, but the reason many fall short is that these steps don’t involve a plug-in or device to keep you safe. Still, there are a few steps that can keep your family safe:

  1. Communication: Nothing can beat just sitting your kids down and talking with them. Tell them what is going on in the world and how malicious people think. Tell them what signs to look for, and be involved in their lives. This can keep them safe.
  2. Mute strangers: If kids are going to play online, consider muting all the other players. It is normally possible to talk only to people who are known friends, instead of random strangers. Gaming can be a social event, but it is best to keep it social among those you know. Parents can also use gaming as a chance to do something with their kids. If parents sit down and play games with the kids, they will better understand the potential issues that could be encountered, which puts them in a better position to provide guidance in a manner that is truly helpful.
  3. Education: Right along with communication, teach your kids about the world and what is going on. If they are aware of the malicious attacks and how these people think, they can recognize their tactics. This doesn’t mean you need to tell them all the gory details, but keeping them aware can go a long way in a good protection plan.

We always strive to learn something from the attacks we analyze, but truly in this one there are no redeeming qualities. All we can say is that it is one of those attacks that is pure evil and malicious, and there is not much to learn except: keep your kids safe.

It’s 10 pm. Do you know where your children are?

(PSA from the 1980s, before social engineers were using the Internet to trap children)

iPads and Social Engineering – Is it “Magical”?

Monday, April 5th, 2010

Today the iPad was delivered to hundreds of thousands of expectant users. Along with that, the Internet is abuzz with iPad news, iPad apps, iPad reviews and iPad social engineering…

As soon as Apple announced that the iPad was going on sale, Apple-related spam increased by 30%. While most of these messages are plain spam, many are luring people who want an iPad to sites that “promise” to put you at the front of the list to receive one of the new magical devices. Another warning concerned the 22% increase in credit card fraud over the last year. Many spam and phishing offers tempt people to enter personal information to be “notified” of new iPad shipments. Many of these sites are designed to gather that information and then use it to commit identity theft or credit card fraud.

“In addition to being a new, hot-ticket item, the iPad is a U.S. electronic device, and in foreign countries, American electronics—especially those manufactured by Apple—fetch up to $1,200 more than they do domestically, offering thieves the opportunity to pad out, so to speak, their already fat pockets.”, so says one security researcher.

The other concerns some have about the iPad are due to some of its built-in limitations. One of the largest complaints you will hear about the iPad is that it can’t multi-task: two applications can’t run at the same time. Couple that with the iPad’s ability to run Pages, an application that allows importing Word documents and PDF files, and some are concerned that document-handling vulnerabilities could be used to exploit the iPad. Without being able to run a background process, the iPad cannot run AV software or other software to help protect itself.

I am not too sure about that concern, but I have seen a lot more emails promising help in obtaining a new iPad, and I can vouch that it presents a large threat base to unsuspecting users.

So is this an “anti-iPad” post? No, not at all. It is just another case where malicious phishers and social engineers use something that is hot to trap people into giving up way too much information. If you are looking for where to buy an iPad, stick to the Apple Store or Apple’s online shop. Remember, if a deal sounds too good to be true, it probably is. While searching for the new Apple “magical” device, don’t get caught falling for the magic tricks of malicious social engineers.
