Archive for the ‘Interesting SE Articles’ Category

$99 HP Tablets – Social Engineering, Scams or a Real Deal?

Tuesday, August 23rd, 2011

When HP made its announcement last week, followed by the announcement of a massive price cut on its tablets, every tablet junkie on earth was hammering the refresh button. And while the tablet junkies got excited, so did the social engineers.

Where there is need and desire there are scammers, and this is no different.

Let me start off by saying that HP really is offering its tablets at $99 USD. That is not a scam. But look at this URL, which seems innocuous enough, on the http://www.hewlett-packard.org.uk site. The brand name appearing in a hostname says nothing about who registered the domain; what matters is the registrable domain, and here that is hewlett-packard.org.uk, not HP's own hp.com.
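
Here is an added example, not code from the original post, that checks a URL the way a wary reader should: it extracts the registrable domain and compares it against an allowlist of the brand's real domains, and flags hosts that merely contain the brand name somewhere in the authority part of the URL. The allowlist (only hp.com), the brand tokens, and the tiny stand-in for the Public Suffix List are assumptions constructed for the example; the sample URLs are constructed too, apart from the one quoted above.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist for this example: domains the brand actually owns.
# hp.com is HP's real domain; a production check would load the brand's
# full published list rather than a single entry.
LEGIT_DOMAINS = {"hp.com"}

# Tokens that signal the URL is trading on the brand name (assumption).
BRAND_TOKENS = {"hp", "hewlett", "packard"}

# Deliberately tiny stand-in for the Public Suffix List (an assumption for
# the example). Real code should use the full list, e.g. via the
# `publicsuffix2` or `tldextract` packages.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au", "co.jp"}


def registrable_domain(host: str) -> str:
    """Return the registrable domain (eTLD+1) of a hostname.

    www.hewlett-packard.org.uk -> hewlett-packard.org.uk
    www.hp.com                 -> hp.com
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host.lower()
    if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES and len(labels) >= 3:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_url(url: str) -> str:
    """Classify a URL as 'legit', 'lookalike' or 'unrelated'.

    'lookalike' means a brand token appears somewhere in the authority part
    of the URL (including userinfo tricks such as hp.com@evil.example)
    while the registrable domain is not on the allowlist.
    """
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = parts.hostname or ""
    if registrable_domain(host) in LEGIT_DOMAINS:
        return "legit"
    # Tokenize the whole netloc, not just the hostname, so that
    # "www.hp.com@evil.example" is still caught.
    tokens = set(re.split(r"[.\-@:]", parts.netloc.lower()))
    if tokens & BRAND_TOKENS:
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample URLs (the .org.uk one is the host quoted in the post).
    for u in ("http://www.hp.com/tablets",
              "http://www.hewlett-packard.org.uk/tablets",
              "http://www.hp.com@evil.example/",
              "www.hp.com.evil.org",
              "https://example.org/"):
        print(f"{classify_url(u):10} {u}")
```

The order of the two checks matters: the allowlist comparison runs on the registrable domain first, so a legitimate host is never demoted to "lookalike" because it happens to contain a brand token, while any brand token outside the allowlisted registrable domain is treated as suspicious rather than reassuring.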


Defcon Hackers Steal Data from Oracle – REALLY?

Tuesday, August 9th, 2011

We love reporters, we really do. We have a great relationship with many reporters from all over the globe. We understand that sensational titles and stories are what sell. With that in mind, we wanted to take a minute to address some of the false conclusions being drawn from the data coming out of this year's Social Engineering Capture the Flag contest.

As part of the contest, we make a point of never embarrassing a company because of its results. A number of quotes being attributed to Chris are inaccurate: we would never name one company or another as doing the "worst" in the competition. During our press conferences at Defcon we were asked about this, and we declined to answer for this very reason.

Additionally, we caution anyone against declaring that one company is more or less secure than another based only on the calls. The structure of the contest is such that one contestant calls one company for a limited period of time. There are far too many variables in that arrangement (the skill of the caller, the person they get on the phone, the pretext used, etc.) to say that any single company did worse than another.

At this point, the only conclusion that we can confidently draw is that the state of defense against social engineering attacks in corporate America is very poor. All companies contacted did poorly, even against amateur social engineers. Our goal is to educate and help companies, as we have said numerous times on our podcast, in our newsletters and on the new site we launched, www.social-engineer.com. We do not do that by embarrassing or humiliating the same companies we want to help.

If a member of the press or any company has questions at all please contact us at logan@social-engineer.org

Microexpressions – A Key to Studying Human Behavior

Tuesday, March 29th, 2011

Since the launch of my book, Social Engineering: The Art of Human Hacking, a lot of people have been talking to me about chapter 5, which is all about microexpressions and non-verbal communication.

It is true that non-verbal communication is fascinating to understand, and for us as social engineers I feel it is essential. Being able to decipher human emotions can change the way you communicate. Understanding what someone is saying, or even NOT saying, can make communication so much easier. Knowing how to control your own microexpressions is also vital to portraying the proper message to those you are communicating with, or to your targets in a social engineering audit.

With that being said, I enjoy watching news clips looking for times where the non-verbals do not match what is being said. I feel this helps me better understand people and also is great practice in reading these non-verbal signals.


Social Engineering being used by Child Predators

Monday, June 7th, 2010

I can remember as a child the PSAs (see below for an example) about keeping your kids safe from predators. Times surely have changed in recent years. There are plenty of laws that are supposed to keep our kids safe. Yet it seems that those who desire to hurt our children are coming up with more and more malicious ways of using social engineering to lure children into the dark corners of their depravity.

[Image: the abuse cycle. Caption: Malicious Social Engineers May Use This]

When the stories never cease to amaze you and you think you have seen it all, along comes a story that seems to defy all logic. Enter our present story.

Prosecutors in New Jersey, USA, say that Jonathan Prime, a 20-year-old man, convinced a 13-year-old and a 14-year-old boy to send him pictures of their genitals. How?

The two boys were frequent players of the game Call of Duty: World at War on MS Live. It seems that Jonathan was able to convince them that it was a condition of joining the clan he was starting.

This wasn't a lone incident; he tried this on many children. Many rejected him, but he was able to convince at least four of them by grooming them, getting them to comply, and even getting one to call him and have phone sex.

Setting aside the inherent WTH factor here: how could these kids fall for this? How could they believe that this really was a condition of membership?

Those questions are beyond the scope of our site. What we will cover is what parents can do to keep their kids safe. How is it possible to keep your children safe without having to unplug the television and disconnect the Internet?

There are certain things that can be done. The reason many parents fall short is that these steps don't involve a plug-in or a device to keep you safe, but they can keep your family safe all the same.

  1. Communication: Nothing beats just sitting your kids down and talking with them. Tell them what is going on in the world and how malicious people think. Tell them what signs to look for, and be involved in their lives. This can keep them safe.
  2. Limit who they talk to: If kids are going to play online, consider muting all the other players. It is normally possible to talk only to people who are known friends instead of random strangers. Gaming can be a social event, but it is best to keep it social with those you know. Parents can also use gaming as a chance to do something with their kids. If parents sit down and play games with the kids, they will better understand the potential issues that could be encountered, which puts them in a better position to provide guidance that is truly helpful.
  3. Education: Right along with communication, teach your kids about the world and what is going on in it. If they are aware of the malicious attacks and how these people think, they can recognize their tactics. This doesn't mean you need to tell them all the gory details, but keeping them aware can go a long way in a good protection plan.

We always strive to learn something from the attacks we analyze, but truly this one has no redeeming qualities. All we can say is that it is one of those attacks that is pure evil and malicious, and there is not much to learn from it except: keep your kids safe.

[Embedded video: the 1980s PSA "It's 10 pm. Do you know where your children are?", from before social engineers were using the Internet to trap children]

Social Engineering and Facebooks Privacy Rules

Thursday, May 20th, 2010

Social engineers have a field day whenever a social media site is in the news over security. If you read the news at all, you have heard about Facebook's recent barrage of security announcements and what many think of their "security". Social engineering attacks are on the increase in the social media world, and this is a serious problem.

Many have claimed that Facebook is cavalier about security and simply does not view it as important. Then some major news organizations published a private IM exchange between Facebook CEO Mark Zuckerberg and a friend.

Zuckerberg: Yeah so if you ever need info about anyone at Harvard
Zuckerberg: Just ask.
Zuckerberg: I have over 4,000 emails, pictures, addresses, SNS
[Friend's Name]: What? How’d you manage that one?
Zuckerberg: People just submitted it.
Zuckerberg: I don’t know why.
Zuckerberg: They “trust me”

We have all joked with our friends online and said things we would not want repeated. If all the "ammo" against Facebook stopped at this IM, I would actually feel sorry for him. But the facts are that Facebook's security policies continually get worse and worse, and eventually this will lead to many more compromises.

How do we know?

Just a few hours ago a story was released that contains some very damaging information regarding Facebook's security policies.

We can boil the story down in one word: Simplify.

Too many users said their increased security was too complicated, so the answer? Make the security rules simpler. Dumb them down. Make them not so hard to comply with.

Why not? It's only users' personal data.

And this is only 3 days after Alert Logic found a massive flaw in Facebook's security protocols.

The purpose of this blog post is not simply to blast Facebook for its lack of security, but to talk about what we can learn from this.

There are 3 lessons I think we can glean from this story:
1) Any time you put your personal information in someone else's hands, you had better trust them. Before you handed your wallet to someone, you would probably want some level of trust with them. Why? Even if there were no cash or cards in it, your license or ID would be. You don't want a stranger getting your DOB, address and full name, yet when you trust someone online you don't really know with this same data, you are asking for trouble.

2) Simpler is not always better. We are not saying that for security to work it must be complicated, but there has to be some level of rigor in the security rules. If your password rules and user education programs are so simplistic that anyone can guess their way past them, they are obviously not going to be effective.

3) If you must use social media sites, do your research. Even with Facebook there are third-party apps that can help you lock down your account. Do not just assume that everything is secure because they "said so".

Social media has its place and it can be useful, but as you have hopefully discerned from our other articles, it is a danger too. It allows social engineers to gather information on people, sometimes information that we don't even tell our closest friends.

It allows the social engineer to plan a pretext that will work based on that knowledge, and then launch an attack that will have the maximum effect on us.

These things are a reality, and until users demand more serious security protocols, these companies are not going to provide them.
