Volume 01 Issue 01

 
header.jpg

 

In this issue

 

--SET  - New Tech for SE

--When Did You Start to Suck at Social Engineering?

--The Monthly SE tip....

 

 

 

 

SE-Review

No Tech Hacking by Johnny Long

This books offers a wide array of social engineering skills discussed in the The Social Engineering Framework.  Johnny captures many of the thoughts and ideas of what it is like to be a social engineer with excellent stories, descriptive photographs and detailed information on each topic.  He doesn't just talk the talk, but he walks it too.... and then shows you how to walk it.

A must read for all interested in social engineering, and the proceeds go to feeding kids in Africa, so you get double goodness with each purchase.

 

 

 

 

 

The Monthly SE Tip...

 

To be a social engineer you must master the art of elicitation, or asking questions and probing.

 

Practice using open ended questions in your daily conversations and then truly listening to the answers.  You will be amazed at what you learn.

 

An open ended question cannot be answered with a Yes or No response. Follow up with “Why” or “How” and try to NOT be accusatory.

For more information on "How To Become a Social Engineer" see our blog series starting on our site.

 

 

 

 

 

 

 

What's coming next month….

 

Our first podcast will be released in just a few days!  We are interviewing ex-law enforcement interrogator Matthew Churchill on the subject, "Interrogation and Social Engineering"

 ......

 

The newsletter will feature an article on Social Engineering in Advertising

…..

 

Check back at the website www.social-engineer.org for the most up-to-date information.

 

Have an idea or a question you want answered? Email us at:

newsletter@social-engineer.org

 

 

 

Want to get involved?

We are asking our readers to help us gather a database of different emotions on people's faces from different cultures.

 

We are asking for the emotions to be real or as close to real as you can get.

 

If you would like to be a part of this project send your pictures to contribute@social-engineer.org

 

Sending in a picture means you have the legal right to allow us to use it. Merely sending one in does not mean we will use the picture.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

UNSUBSCRIBE

by sending an email to newsletter@social-engineer.org with the subject of UNSUBSCRIBE from the email address you used to sign up.

 

TO:

Newsletter Archive

Volume 1 - Issue 1

Feature

Social Engineers Toolkit—a New Wave of Technology for Social Engineers

When we launched http://www.social-engineer.org we wanted to create a place that would promote awareness of the attack vectors that threaten so many companies in the world today.

When we called on the community to assist in helping us spread this message we had many responses to help with writing, research, development, web design and all other aspects of the creation of this cornerstone of the www.  One area we didn’t really know what to expect was tools.

This is where Dave “Rel1k” Kennedy comes in. Dave has been in the security community for 9 years serving in the US Military and then the private sector as a lead penetration tester in his company, Secure State. 

At times he has had to make tools to fit a particular need, one such tool is Fast-Track.  Which is now a popular tool and included in the #1 penetration testing distribution, BackTrack. Dave answered our call and offered to develop a tool that would assist a penetration test/social engineer in auditing a company's response to social engineer attacks.  It is a python based system that works in conjunction with the Metasploit Framework and has built in power tools. It closely mimics what the “bad guys” are doing and allows a security consultant to give clear answers back to the company as to their staff’s response to such attacks.

What can it do for you?

Social Engineers Toolkit or SET, as we call it for short, can help you test your company’s response to these attacks.  It will allow you to set up a malicious website, or send out an email from a spoofed address with a maliciously encoded PDF to all your employees.  Both of these vectors lead to getting shells on the victim’s machines.

What will this tell me about my company?

This is a good question, because, sure the tool is FUN.  We just sit around all day getting shells on virtual machines because it is fun and it never gets old.  So fun factor aside, what will this do for you?

SET provides you or your social engineering company you hire to audit you, an environment to automate some of the technological aspects of a good social engineering vector.  Both setting up of a malicious website, sending out emails with encoded PDF’s or other file types and then most importantly, collecting the shells for those attacks.

The future of SET

We are excited about the way the industry has responded to SET and the benefits it can provide.  Dave has been working hard on a new feature that will just take SET to a whole other level.

It is so new to even us, we don’t have a name for it yet, but basically it will allow you to wget any webpage you want and then implant your malicious payload into that page.  Using the arp spoofing feature, or redirecting your client you can point the targets to a web page that looks, feels and reacts exactly the same as any commercial site out there.  Yet with one major difference…. When they browse they get owned.

How Can You Protect

As wonderful and fun as all this is, really the end result is how can you protect against this?  If we can spoof your email address, if we can mimic any website out there, including your homepage, if we can send you a necessary java install signed from Microsoft, if we can  do all this remotely or internally… what possible way can you protect yourself?

Education, awareness and policies are the three fold cord to tie this together.  Of course policies really don’t enforce anything.  They do have their purpose though, they let your employees know what your expectations are and what you would want from them.  It lets them know the rules and the consequences for not following them.

The real fix is in awareness and education.  Many times when we demo these attacks for companies the response is jaw drop and tears.  Why?  They had no clue these things where possible and not that difficult.  They spend $500,000 on IDS, firewalls, the brand new gadget to protect their hardware… and $20 on the lock or $0 on education and root access was granted in a matter of minutes.

Having a regular, annual or even more frequently held class for your staff educating them in what the dangers are, how to spot them and what to do if they suspect a malicious social engineer attack can save your company thousands or even millions.

By Chris loganWHD Hadnagy

When did you start to suck at social engineering?

 

There is an old saying that if all you have is a hammer, everything looks like a nail. While that saying is supposed to teach us something about how we all need to have a deep toolset to pull from, I think there is another lesson we can take away from it: Imagine if that was your only tool, think of how good you would get at using it.

 

Anyone that interacts with kids much knows one thing: they know what they want and they want it NOW! From some new toy, to not having to go to bed, to having a favorite meal, they want things. However, to actually get these things they want, they have to ask someone else to get it for them. They only have one tool, and they are really good at using it.

 

So what is it that makes a child so successful and getting what they want?  What is this “tool” they posses and what can you and I learn from it?  These are the questions that will help us to see when you started to suck at social engineering.

 

Now we are not saying that children are trained social engineers, but let's take a look at a true to life scenario that happened in my life to illustrate.  When one of my children was only two and half years old he loved to spend time at his cousins house. He wanted to stay the night there for a few days and I had been telling him no since we lived over 50 miles away at the time. We did talk every few days to them on the phone, so I figured that was enough. Finally, this transpired one evening:

 

Kid: Mom, I forgot! I'm supposed to stay the night at the cousins tonight. You'd better call them.

 

Mom: You are? I don't remember anyone saying anything to me about it. I think they would have told me if they needed you to, sweetheart. I think you might have heard something else.

 

Kid: No, they forgot to tell you so they told me. You should call them. Just call them and make sure tonight is the night they need me to. What day is today?

 

Mom: Thursday

 

Kid: YEAH!! It WAS tonight!! Just call them.

 

Mom: Alright. I'm calling her, I'm calling her.

 

Kid: I wanna talk first, please?!? (puppy eyes)

 

Mom: (dials the phone)  here.

 

(Kid grabs phone and runs to his room. He slams the door and sits down behind it to block it. I can still hear him though).

 

Kid: Hi. My mom wanted me to call you and see if I could stay the night tonight. She said she has some... umm..things to do... and umm.. (Mom opens the door and start reaching for the phone) Hi mom! She said I stay tonight. Bye! (Hangs up phone, throws it across room and runs from room to try to hide while mom calls to find outfit the cousins was as clueless with all of this as I was.)

 

As odd as it might sound, this really is a true story. So let's analyze this to see what we can learn.

 

The child's goal was to spend the night, he knew if he just came out and asked there was an almost guarantee of the answer being NO.  He knew, without knowing what he was doing, that he needed tools to win this battle.  So he first develops a pretext that he was asked to spend the night due to some unspecified event.

 

The mother almost throw's a monkey wrench into the mix when she expressed interest verifying the information.  Quickly the child tries to take control of the situation by being the one to speak on the phone first. A liberal use of the "cute" kid request was thrown in, just because he knew mom always responded well to that. With this professional execution, he gets through the first step with mom.

 

Now this is only half the battle, he now needs his cousins to agree or his plans are thwarted. First he tries to remove mom from the equation by going into a different room to speak to his cousins. He now needs to create a different pretext to tell his cousins.

 

He tells his cousins that he is calling because his mother would like him to stay over there, because she has "things to do". Was this going to be successful? Who knows, because mom interrupted this brilliant execution, forcing him to quickly try to wrap things up by making it so the two adults can't speak to each other to verify the situation.

 

The amazing thing about this is, it comes natural. So when did it happen that you started to suck as social engineering?  I am sure you have your own stories that are as good or better than this one.

 

As we get older some changes occur such as we begin to care what others think about us.  We become conscious that there are others in the world, and the universe doesn't revolve around our needs.  We begin to understand consequences for bad actions, or actions that we are told are bad.  As these changes occur we test our boundaries less and cease expanding our horizon's.  Fear of disappointment, fear of getting caught, fear of angering those we love becomes more serious to us.  All of this causes us to start sucking at social engineering.

 

Now this is not to say that to be a social engineer you must not care about people, your surroundings our your conscience, we are merely stating that these things put into us by society and our upbringing contribute to us being less manipulative of people. 

 

So if you choose a profession that involved your need to be skilled at social engineering what can you do?  Start at the basics and watch a kid to learn. But please, not in a creepy "Let me watch your children play" sort of way. That's bad juju.

 

Just watch a kid asking for something, and see how they do it. Try to categorize the way they interact, what they are playing off of. Go through the framework and see what items you can apply to the child's behavior. Some will be obvious, some will be subtle. Invest the time and while you may not learn anything new, but you are guaranteed to remember something you have forgotten.

 

Written by Jim "Elwood" O'Gorman

 

footer.jpg