Volume 01 Issue 02

 

 

In this issue

·         Human Buffer Overflows

·         What's in your taskbar?

·         SE Tool Review

·         The Monthly Tip

·         Next month...

 

SE-review

This month we were given a special little device to test.

The Spy Hawk SuperTrak GPS Worldwide Data Logger from Spy Associates.

This amazing little device attaches to many covert places on a car and then logs location, speed, time stopped, date/time, and more.  You can view the data in the easy-to-understand interface or, even better, view it in Google Maps with one click.

You also can export it to a Google Earth Fly Through. 

For the Full Review see our page on the Framework for GPS Trackers.

 http://www.social-engineer.org/resources/newsletters/isu02/Pic4.jpg

 

UNSUBSCRIBE

by sending an email to [email protected] with the subject of UNSUBSCRIBE from the email address you used to sign up.

The Monthly SE Tip...

 

Another key aspect to becoming a social engineer is being able to make people like you.  We are more open and easygoing with people we like.

The steps that we need to master are:

1.    Project a useful attitude.

2.    Establish rapport.

3.    Synchronize.

4.    Effectively communicate.

 

For a more detailed review of this very extensive topic see our section on "Liking" in the Social Engineer Framework.

For more information on "How To Become a Social Engineer" see our blog series starting on our site.

______________________

 

 

What's coming next month….

 

The podcast will be released next Monday.  An AMAZING interview with radio icon Tom Mischke, in which the topic of pretexting is dissected.

To listen to last month's podcast, go to our Episode One Podcast page.


Check back at the website www.social-engineer.org for the most up-to-date information.

Have an idea or a question you want answered? Email us at:

[email protected]

 

 

__________

 

Want to get involved?

We are asking our readers to help us gather a database of different emotions on people's faces from different cultures.

We are asking for the emotions to be real or as close to real as you can get.

If you would like to be a part of this project send your pictures to [email protected]

 

 

Feature

The Human Buffer Overflow - Code Execution in the HumanOS

As security professionals we all love the idea of writing a good buffer overflow.  By definition, a buffer overflow occurs when data written past the end of a buffer overwrites adjacent memory that may contain other data, including variables, instructions and program flow control.  This can result in erratic behavior that causes the program to terminate or give errors... or, in security terms, cause a breach resulting in code execution on the remote server.
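The article uses the buffer overflow only as a metaphor, so the software definition above is worth seeing in working code. The following C program is an added illustration, not code from the newsletter or from social-engineer.org, and every name in it (sim_memory, copy_unchecked, copy_checked, run_scenario) is an assumption of this example. It models an 8-byte input buffer sitting directly in front of a 4-byte control value, shows an unchecked copy of a constructed 12-byte input overwriting that value, and shows a bounds-checked copy rejecting the same input and leaving the value intact.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not code from the newsletter: a simulated memory
 * region in which an 8-byte input buffer sits directly before a 4-byte
 * control value, the way a local array can sit next to other variables or
 * a saved return address on a real stack. All writes stay inside the
 * simulated region, so the program itself is well defined; it models the
 * overwrite rather than performing a real one. */

#define BUF_SIZE    8               /* bytes the input is supposed to fit in */
#define CTRL_OFFSET BUF_SIZE        /* control value starts right after the buffer */
#define MEM_SIZE    (BUF_SIZE + 4)  /* buffer followed by a 4-byte control value */
#define CTRL_MARKER 0xCAFEBABEu     /* known value so an overwrite is visible */

typedef struct {
    unsigned char mem[MEM_SIZE];
} sim_memory;

/* Zero the buffer and stamp the control value with a known marker. */
static void sim_init(sim_memory *m, uint32_t ctrl)
{
    memset(m->mem, 0, sizeof m->mem);
    memcpy(m->mem + CTRL_OFFSET, &ctrl, sizeof ctrl);
}

/* Read back the control value (memcpy avoids alignment issues). */
static uint32_t sim_ctrl(const sim_memory *m)
{
    uint32_t v;
    memcpy(&v, m->mem + CTRL_OFFSET, sizeof v);
    return v;
}

/* Unchecked copy: trusts the input length, so anything past BUF_SIZE spills
 * into the control value. Returns the number of bytes written. The clamp to
 * MEM_SIZE only keeps the simulation itself in bounds. */
static size_t copy_unchecked(sim_memory *m, const unsigned char *src, size_t len)
{
    if (len > MEM_SIZE)
        len = MEM_SIZE;
    for (size_t i = 0; i < len; i++)
        m->mem[i] = src[i];
    return len;
}

/* Checked copy: rejects input that does not fit and writes nothing.
 * Returns 0 on success, -1 if the input was too long. */
static int copy_checked(sim_memory *m, const unsigned char *src, size_t len)
{
    if (len > BUF_SIZE)
        return -1;
    memcpy(m->mem, src, len);
    return 0;
}

/* Run one scenario with a constructed 12-byte input: 8 filler bytes that
 * fit the buffer followed by 4 bytes of 0x42 that do not. Returns the copy
 * routine's status and stores the control value observed afterwards. */
static int run_scenario(int use_checked, uint32_t *ctrl_out)
{
    unsigned char input[BUF_SIZE + 4];
    sim_memory m;
    int status;

    memset(input, 'A', BUF_SIZE);
    memset(input + BUF_SIZE, 0x42, 4);
    sim_init(&m, CTRL_MARKER);

    if (use_checked)
        status = copy_checked(&m, input, sizeof input);
    else
        status = (int)copy_unchecked(&m, input, sizeof input);

    *ctrl_out = sim_ctrl(&m);
    return status;
}

/* Convenience wrapper: the control value left behind by a scenario. */
static uint32_t ctrl_after(int use_checked)
{
    uint32_t ctrl;
    run_scenario(use_checked, &ctrl);
    return ctrl;
}

int main(void)
{
    uint32_t ctrl;
    int status;

    status = run_scenario(0, &ctrl);
    printf("unchecked copy wrote %d bytes, control value now 0x%08x\n",
           status, (unsigned)ctrl);
    status = run_scenario(1, &ctrl);
    printf("checked copy returned %d, control value still 0x%08x\n",
           status, (unsigned)ctrl);
    return 0;
}
```

The unchecked path leaves the control value as 0x42424242, the attacker-chosen bytes, which is exactly the situation the definition describes; the checked path returns -1 and the marker survives. The same length check is the whole difference between a crash-or-worse and a rejected input.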

 

Now how can this be possible in the human brain?  Can we get the human mind to "buffer overflow" and execute code we want it to?

 

A Simple Test:

Let's establish a simplistic baseline for this discussion.  Try to read the COLOR of each word, not what the word spells.  Do it as fast as possible, without stopping to think.  It is not terribly hard, but it will illustrate how easy it is to inject a thought... if you succeed, do it faster and faster if you can.

 

Why is this so hard?  It is the way the human mind is wired.  Our brain sees the color but it reacts to the word being spelled first.  Therefore the thought in our minds is the WORD not the color.  This exercise shows it is possible to have "code" execute in the human brain that might be the opposite of what the person is thinking or seeing.

 

Setting the ground rules:

It has been proven that we speak at 150 words per minute but think at 500-600 words per minute.  This means that most people we talk to can jump around our conversations in their heads.  So overflowing the brain through fast speech seems almost impossible.

 

We must also understand how people make decisions in life.  Most of the decisions we make are made subconsciously.  We decide how to drive to work, whether to get coffee, to brush our teeth, what clothes to wear, without really thinking about it.

 

Have you ever driven all the way to work and, when you get there, you can't remember what billboards you passed, what route you took or that traffic accident on the news?  You were in a state of mind where your subconscious took over and did what you always do without consciously thinking about every turn.

Most decisions we make are like this.  Some scientists even believe we make decisions in our subconscious up to 7 seconds before we make them in the real world.  When we finally do make a decision consciously we do it from more than just what we hear... we get our sight, our feelings, yes, our emotions involved in the decision.

Understanding how humans work and think can be the quickest way to creating our buffer overflow.

Fuzzing the HumanOS....

Just like fuzzing a program, where we throw different lengths and pieces of data at the program till it crashes, we have to understand how the human mind reacts to certain types of data.  There are certain laws in the human mind that seem to be inherent, and we all follow them.  If you approach a building with two sets of doors and you hold the first set open for a complete stranger, what do you think they will do next?  Either hold the next set for you or make sure that set stays open till you get inside.  Or if you are in a line of merging traffic and you let a complete stranger merge in front of you... most likely if you needed to merge later on he would let you in without even thinking.  Why?

The Law of Expectations -  The law of expectations basically states that a person will usually comply with an expectation.  Decisions are usually made based on what that person feels the requestor expects them to do. This is one way we can start sending our malicious "data" to the brain program...  Presupposition.

Presupposition can be described best by giving an example:

"My next door neighbor Ralph always drives a green Ford Escort."

In this sentence we presuppose:

·         I know my neighbor

·         His name is Ralph

·         He has a license

·         He drives a green car

 

To use presupposition effectively you ask a question using words, body language and facial expression that indicate what you are asking is already accepted.  The basic gist of this is to bypass the "firewall" (the conscious mind) and gain access directly to the root of the system (the subconscious).  The quickest way to inject your own code is through embedded commands.

The rules of embedded commands

There are some basic principles to embedded commands to make them work:

·         Usually they are short - 3 to 4 words

·         Slight emphasis is needed to make them effective

·         Hiding them in normal sentences is the most effective use

·         Our facial and body language must support the commands

 

Embedded commands are popular in marketing; "Buy Now", "Act Now" and "Follow me" are common ones.  Like any good shellcode we need some padding to help the commands find their way.  We can utilize phrases that will help the target become padded to our code.  Phrases like "When you...", "How do you feel when you...", "A person can...", "As you..." - all of these statements create an emotion or a thought that allows you to inject code into the subconscious.

Let's give an example... if you were on a sales call and wanted to use an embedded command you might say something like:

"When you purchase a product like this from someone like me what features are most important to you?"

The bold letters are where emphasis is placed, but the sentence causes the person to use their memory to think about a time they bought this product and what is really important to them; as that thought is occurring, you are injecting your code: "When you purchase from me..."

What's important is not to mess up our tones... if we are OVER-emphasizing the words then we will sound odd and scare the person off instead of embedding commands.  Just like a normal buffer overflow, the information must match the command we are trying to overflow.

Putting it all together

As you probably have already imagined, this is a vast field with a lot of room for messing up.  Practice will be needed to be very successful at it.  Although we do not promote using this information for seduction, there are some decent videos that show how embedded commands can work.

We do not want to paint the picture that this becomes some Jedi mind trick.  That is not the case.  Just because you tell the person "You will purchase from me"  does not mean they always will.  So why use these commands?

It creates a platform to make social engineering easier.  It is also a good lesson for the companies you work with, to educate them on what to look for and how to spot someone who may be trying to use this information against them.

So let's write out the equation more simply:

shellcode += Law_of_Expectations

shellcode += Mental_Padding

shellcode += Embedded_Codes

 

Start off with phrases, body language and speech that is assumptive.  Presume the things you ask for are already as good as accomplished.

 

Next pad the human mind with some statements that make it easier to embed code, at the same time embedding code.  In essence this is the recipe for the human buffer overflow.  Use it sparingly, but practice A LOT before you attempt it.  Try it at work or home.  Use simple exercises like trying to see if you can get a fellow employee to serve you coffee.  "Tom, I see you are heading to the kitchen, will you get me a cup of coffee with 2 creams please?" 

 

Escalate it to larger tasks to see how far you can get.  Try to use this to get commitment from people. Eventually use this to see how much information you can get, how many commands you can inject.

 

Let us know how it works for you.

 

By Chris loganWHD Hadnagy

What's in your taskbar?

 

When the Internet bubble was still rolling, vendors used to come by a lot. Almost daily. It got old pretty quick, and if you were sitting through the multitude of sales presentations, you would have to come up with something to keep your mind active. My friends and I made a game out of the situation, and would try to see how much we could learn about the salesperson by studying their desktop. It was amazing what we could put together by just paying attention to the taskbar and desktop icons.

 

You can get a very complete idea of what sort of person you are dealing with by the simple things like their desktop environment. For instance, what brand of computer are they using and do they have the default crapware still installed? What sort of antivirus are they running? Instant message client? Mail client? VPN? Perhaps they are running a remote administration client.

 

Let's look at an example: http://webdev.ccac.edu/talkin/desktop.bmp

 

 

Here we see they are using a Palm Pilot, and have an old version of Netscape and Acrobat icons on their desktop, leading us to believe they have this software installed. The Outlook icon appears to be the mail client on the system, and based on the icon it appears to be Office 2000. Based on just that limited amount of information we know quite a bit we could use to craft an attack.

 

To look at something a little bit more complex, let's look at an archive of shared desktops: http://www.flickr.com/groups/lifehacker-desktop-showandtell/pool/

 

This is going to be a bit more challenging, as we have to expect that the people sharing their desktops here have highly customized them. There are a number of screenshots here, however, so feel free to try it on your own.

 

The picture at: http://www.flickr.com/photos/islanddog/3992811883/sizes/l/in/pool-87689304@N00/ is a good example of another one for us to analyze.

 

We can see based on the UI that it appears to be Windows 7. This is primarily based on the taskbar changes, but we can't say with 100% certainty, as there are some applications that will change Vista to look like Windows 7. We can assume that the user is going to be running a lot of "new" software as they are an early adopter. That is driven home by the fact that we see Office 2010 in the recent applications list. Microsoft Live Messenger is in use, and we are able to see the username in place for this system. Firefox is installed but not running; IE appears to be the default browser. A Pirates game is installed, and FileZilla, an FTP client, is installed.

 

With just this information, it is simple to start building a profile of the user as a tech-savvy early adopter. We have the user's IM screen name, and the fact that they play a game. Perhaps a social engineering attack could be conducted with this information, delivered through IM.

 

What brought this back to mind for me was preparing for a presentation I had to give. I found myself looking at my desktop and thinking "If there is time that my slides are not on screen, what does my desktop tell that audience about me?". There are a couple of ways a social engineer can work this situation.

 

Option one is to try to prevent information leakage. Perhaps set up a new profile used only for presentations. Then the audience might be able to gain some information about your system, but very little about you directly.

 

Option two would be to try to manipulate the audience's view of you as the presenter. What sort of image do you want to portray, and what should your desktop look like to support that image? How should you set your desktop background, a solid color or an image? What applications should you have on your desktop? For instance, if the goal is to appear very professional and trustworthy, having a P2P client as a frequently used application may not be a good idea. On the other hand, a corporate desktop pattern might be great support.

 

This sort of casual information leakage happens all the time. Desktop images are just an example, and I am sure you can come up with many more. As social engineers, we have to be aware of where we might find information leakage and how we can put it to use. Plus, taking advantage of our own information leakage to support various pretexts we are using is an asset that is too good not to put to use.

 

Written by Jim "Elwood" O'Gorman

 
