Volume 01 Issue 04

 

In this issue

· Social Engineering and Marketing Secrets Revealed

· Twinkle – Online Enticement

· SE Tool Review

· The Monthly Tip

· Next month...

 

SE-review

This month we were given the Mini Cam Recorder to review.  This little device is a fully functional, high-quality video recorder with a built-in DVR.  It uses an 8 GB mini-SD card and records either at the press of a button or, when set to do so, whenever it detects sound.

We did a few tests with this device and found it to be a very nice little utility to have in our arsenal.  Although it is not super covert, it is worth checking out, and if you need something inexpensive that can be hidden easily, this is the device for you.

It records in full color and does a great job at capturing even in low light.

 http://www.spyassociates.com/images/403_04.jpg

 


The Monthly SE Tip...

 

This is not really a social engineering practice tip... but we have had a lot of interest from people about the insecurity of social networks, and some have written in to ask: what is the solution, just never go on such a site?

Before you run out and delete all your social network accounts, we have a couple of tips for you that are so easy, yet so often not thought of, that they can keep you somewhat secure.  Here are 3 tips for your consideration:

1)  Use complex passwords.  Too often we choose passwords that are easily guessed or, even worse, just plain dumb.  A password made of your name and month of birth is NOT a secure password.  A password that is a sentence, or an acronym of a sentence, can be much harder to guess; e.g. MyFavoriteMonthi$M@y would be harder for a hacker to guess than May1973 (PS: that is not when I was born).

2)  If it looks too good to be true, it is.  If some ultra-hot girl is hitting on you on Facebook... go look in the mirror and remind yourself that this probably doesn't happen in real life.  Sorry, but the truth hurts.  If it is too good to be true, it probably is.

3)  Never, ever, under any circumstances, accept an attachment or a file from an unknown source and just double-click it.  If you must, do it in a VM or on a machine with no network connection that you care less about.  Do not do it on a machine that houses your whole life.

These three tips can go a long way toward protecting you from social engineers and hackers.  Of course, the only true way to be 100% secure is to move to the Amazon and not use a computer, cell phone or any other piece of technology, but for those of us who don't want to do that... this may help just a little.
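Tip 1 contrasts a name-plus-year password with a sentence-style one. The following checker is an added example, not code from the newsletter or from social-engineer.org; it estimates how large a search space a brute-force attacker faces for a given password (length times the log of the character pool) and flags a few constructed "guessable shapes" such as a word followed by a year. The pool sizes, regular expressions and verdict thresholds are this example's own assumptions, meant to show why the two passwords from the tip land so far apart, not a production strength meter (a real one would also consult breached-password and dictionary lists).

```python
import math
import re
import string

# Character pools an attacker must search once they know which classes
# appear in the password (assumption: printable ASCII only).
CHAR_CLASSES = [
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation), len(string.punctuation)),  # 32 symbols
]

# Constructed, illustrative list of easily guessed shapes.
WEAK_SHAPES = [
    (re.compile(r"^[A-Za-z]+(19|20)\d{2}$"), "word followed by a year"),
    (re.compile(r"^[A-Za-z]+\d{1,4}$"), "word followed by a short number"),
    (re.compile(r"^(.)\1*$"), "single repeated character"),
    (re.compile(r"^\d+$"), "digits only"),
]


def pool_size(password: str) -> int:
    """Sum of the pool sizes of every character class the password uses."""
    return sum(size for chars, size in CHAR_CLASSES if any(c in chars for c in password))


def brute_force_bits(password: str) -> float:
    """Upper bound on guessing effort in bits: log2(pool ** length)."""
    pool = pool_size(password)
    if not password or pool == 0:
        return 0.0
    return len(password) * math.log2(pool)


def weak_shapes(password: str) -> list:
    """Names of the guessable shapes the password matches, in list order."""
    return [label for rx, label in WEAK_SHAPES if rx.match(password)]


def assess(password: str) -> dict:
    """Combine both checks; the 40/80-bit thresholds are this example's assumptions."""
    bits = brute_force_bits(password)
    shapes = weak_shapes(password)
    if shapes or bits < 40:
        verdict = "weak"
    elif bits < 80:
        verdict = "fair"
    else:
        verdict = "strong"
    return {"bits": round(bits, 1), "shapes": shapes, "verdict": verdict}


if __name__ == "__main__":
    # The two passwords from tip 1, plus a constructed digits-only birth date.
    for candidate in ("May1973", "MyFavoriteMonthi$M@y", "05121973"):
        print(candidate, assess(candidate))
```

May1973 scores roughly 42 bits and is flagged for the word-plus-year shape, while the 20-character sentence scores roughly 128 bits and matches no shape; the shape check matters because an attacker who guesses names and years directly never pays the full brute-force cost.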

Till next month.

______________________

 

 

What's coming next month...

 

The Podcast will be released in another week.  This month has a new format: instead of an interview, we had a round table discussion.  Make sure you get this one, as Dave, Jim, Chris and Brad discuss NLP and SE and how they are used to make YOU spend, spend, spend.  We know you will love this episode.

 

If you want to listen to our past podcasts, visit our Podcasts Page and download the past episodes.

 

 

__________

 

Want to get involved?

We are asking you to keep sending in your submissions and ideas for social-engineer.org.  We appreciate all the feedback and ideas.

To contribute your ideas or writing, send an email to [email protected]

 

Feature

Revealing the top secrets of social engineering in marketing

The world of sales and marketing is chock-full of social engineering, NLP and manipulation techniques.  There is no better time to see all of these techniques in full force than during the holiday season.  We can learn a lot by examining and dissecting the SE and NLP techniques that are used.  Let's analyze a few...

The first, and one of the most effective, methods is redirection.  The same way a magician or street hustler will "redirect" your attention to your right forearm as he slips the watch off your left wrist is the way marketers will try to redirect your attention from the cost of items, especially in economic downturns.  What is redirection?  Simply redefining the problem so it doesn’t look like a problem.  Marketers use it to move you away from the real problem and into a more controllable area.  Here’s a simple pattern to redefine someone’s thoughts: “It’s not about X, it’s about Y”.  “It’s not about how much this gift costs, it’s about how happy your children will be when they get the toy everybody wants!”  By redefining the problem (how expensive it is), the emphasis is moved off the price and onto how happy your children will be.  This is a powerful technique to get the buyer (YOU) to forget how little is in your bank account and how much this will cost, and to focus only on how HAPPY your children will be with you.

“It’s not about the price, it’s about the treats your girlfriend will give you when she sees this treasure she’ll keep forever.”  Same story - different buyer.  Notice how the ending is followed by thoughts of future benefits.  Now that you have redefined the problem, the sale is yours.

Our next method, which is used often, is agreement framing.  Holidays always give people time to agree with each other.  Many people want to seem agreeable this season but really want their own way.  Here’s the pattern to do it: “I agree and would add…”  “I agree the gift is expensive and would add that’s why it’s the best gift they will receive this holiday, and you’ll see them smile for years to come.”  You’ll see the most amazing changes from this simple statement.  When you practice this Agreement Frame and then start noticing how much it is used in marketing, you will be amazed.  You will also quickly see how beneficial it is at work when you can agree with everybody and still get what you want.

You can combine these two patterns into a larger pattern.  “I agree it’s an outrageously ugly gift and would add, it’s not about how perfect it isn’t, it’s about how much attention you’ll get this holiday season.”  Now you see how simple it is to make powerful turns in the conversation, turns you want the conversation to make.

Our next method to look at is a form of redirection using the words BUT and YET.  Using this method, marketers add to or delete from our thoughts.  Here’s one method of doing this.  The technique is simply a modified "redefine" that we've already discussed, using the same “it’s not about X (BUT or YET) it’s about Y.”  How do you feel when each is used?

“I really like you BUT….”  BUT acts as a delete key, because most people don’t really hear anything after the BUT.  When people hear the BUT in a sentence they assume that bad news is coming next.  This method works by turning the sentence around, giving the bad news first and then the good news.  The BUT negates the first part of the sentence, leaving you with the good part at the end.  “You really have lots of flaws but I know you’ll improve yourself and become a great person” or “I understand this is really an expensive gift but think about how happy they will be when they get the present.”

When you use YET in a sentence, it creates movement to the next thought.  Using this pattern, you can connect two dissimilar thoughts into one coherent thought.  “I understand this is a really expensive gift yet it’s a joy that will last for many years.”  Notice how the expense implies that it will last for years, yet there is no proof it will last 20 minutes.

Our next method is a power-house.  This method is used to change someone’s whole frame of reference.  Wouldn’t you like to change someone’s point of view?  Changing people’s frame of reference to see things in a new way is a powerful tool.  One technique is to use words like “notice”, “see”, “aware” or “realize”, as they imply presupposed truths.  This implication can be subject to challenges, so be aware and practice the patterns that you’ve learned since you started reading this article.

“Are you aware that we have the most complete collection of plastic things in the city?” or, at a holiday feast, “It’s been great meeting you.  Have you noticed how much rapport we have together?  I look forward to the next time we’re together, it means we’ll get on even better!”  Using “notice” calls attention to the rapport.  This starts the listener thinking about rapport or plastic things and keeps these at the top of mind.

Want to start some family fun?  Do you have a family member that just grates on you?  Well, for that family member you don’t really like: “Have you noticed how much people are talking about you behind your back?  No?  Sorry I brought it up.  Have some more turkey?”

This is just a rough overview of several popular and easily learned techniques used by marketers especially during the heavy buying season.  As social engineers we can learn a lot by reviewing and practicing these techniques.

Here are some other, more subtle holiday SE things to be aware of:

• Watches usually have their hands set at 10:00 and 2:00 to give the appearance of a smile.
• Women’s ads usually have more words, especially those involving family, love and the future.
• Children’s ads have lots of color and pictures.

You probably won't look at shopping the same way again.  Social engineering, or manipulating people to do what you want, has been used in sales and marketing... well, since sales and marketing have been around.  It isn't necessarily negative all the time, but it is important that we are aware of the tactics they will try to use to make us part with our hard-earned cash.

We know there are many more methods used and these just scratch the surface, but feel free to practice these and let us know how you do.  We want to hear your progress, ideas and input.

By Brad "TheNurse" Smith & Chris "loganWHD" Hadnagy

Twinkle - The Future of Online Enticement?

I have recently started using an iPhone for a variety of different functions related to my work. All in all, I have to say it is not my favorite phone, but it is serving a purpose in allowing me to become familiar with a variety of different options that this mainstream device offers. In working with the device and looking for a new Twitter client, I came across an application named Twinkle. I wanted to share with the community some of my observations from using the application.

Twinkle is a social networking application created by Tapulous for the iPhone or iPod Touch.  It is similar to Twitter, with a few key differences.  When a user first installs and runs Twinkle, the application requests an e-mail address to generate a Tapulous account.  The e-mail address is used to confirm the account, and a profile is created.

From this point on, the profile is accessed and managed on the iPhone with no password required.  This process makes it extremely easy to start up and use the application.  The ease of use combined with the large number of iPhone owners creates a sizable potential user base.

Users also have the option of associating the application with a Twitter account.  If this step is not taken, the profile and all generated content live only within the Twinkle network and are only accessible through the iPhone or iPod Touch.

The key feature of Twinkle, and its main difference from Twitter, is its location awareness.  Within Twitter, users have to "follow" other users to see what they have posted to the network.  Twinkle, on the other hand, has the ability to build a dynamic network based on proximity to other users.  Users are able to quickly pull up all posts from other users within a defined proximity of their current location (the default is 50 miles).  The user’s location is automatically identified by Twinkle.

In most circumstances, this is a powerful feature. This allows users to quickly identify others in their local area and discuss popular events, places to eat, weather, traffic problems, and so on. If desired, users have the ability to define friends in the same manner as Twitter. Private messages are supported as well as attaching images to both public and private posts.

I find great utility in this application as it gives users a way to find out what is going on in their area from a “word on the street” level without relying on other news sources. When traveling, it is a great way to get a feel for the local area.

However, there is huge potential for abuse on the network.  For instance, below is the content that was displayed today when launching the application.  This was the default list of recent posts from users close by.

http://www.social-engineer.org/resources/newsletters/issu04/IMG_0011.PNG

If you look more closely at the posts from one of the profiles on the list, you find:

http://www.social-engineer.org/resources/newsletters/issu04/IMG_0012.PNG

This sort of behavior, while regrettable, is almost expected of any service such as this.

One of the surprising aspects of this is some of the actions of the female profiles.  For instance, here is a public profile from a young female within my local area:

http://www.social-engineer.org/resources/newsletters/issu04/IMG_0015.PNG

Notice the repeated requests for direct communication ("let's talk!").  This is interesting because a young female is actively soliciting private communications.  It’s possible that this isn’t a legitimate account and is someone posing as a female just to attract conversation (not law-enforcement-related activity).  You can tell by the picture icon on some of those posts that pictures are attached to them.  An example of the pictures which are posted:

http://www.social-engineer.org/resources/newsletters/issu04/IMG_0013.PNG

http://www.social-engineer.org/resources/newsletters/issu04/IMG_0014.PNG

At this point it’s impossible to tell if this is a valid account with activity by a young female, or someone else using pictures of a young female to add “legitimacy” to the posts.

Within the application, you can also view a list of a user’s friends.  This female profile had a number of friends, one of which stood out due to the graphic nature of the posts.

http://www.social-engineer.org/resources/newsletters/issu04/IMG_0016.PNG

http://www.social-engineer.org/resources/newsletters/issu04/IMG_0017.PNG

This was the only picture in this male’s profile that was safe to post.  The other images were entirely too graphic.  It is interesting that this account was tied to the previously mentioned female profile as a friend, since they are not in the same geographic area.  The intentions of these users are unknown, but it could be said that much of the activity is inappropriate.

When I first came across Twinkle, I noticed some of this content and initially dismissed it. However, after some weeks of using the application I have found this sort of content to be very common in my local area (and this may not be representative of other areas).

I do want to state that I am not trying to discredit Tapulous, the publisher of Twinkle.  I appreciate that they are trying to publish a quality iPhone app for free.  The negative aspects that I described are the fault of the users, not of the software publisher.  From reading the Tapulous support forums, it appears that the publisher takes abuse seriously and removes accounts that engage in inappropriate behavior.

I wrote this post simply to bring attention to Twinkle and the potential for its use in online enticement. This application is uniquely positioned for this purpose due to the reckless behavior by the user base, the fact that users are able to identify the proximity of other profiles, the relative anonymity of accounts (sign up under a false e-mail address), and the lack of attention paid to the content of the network.

The Twinkle network is largely unknown, and I hope that this post will provide a resource to anyone involved in enticement investigations.  By making parents and law enforcement aware of the negative possibilities, it is hoped that they can help educate their children and stop potential offenders before anything bad can occur.

Update:

I wrote this post over the weekend to post here on Monday. Sunday night, I took another look at what was happening in my local area, when I saw this:

http://www.social-engineer.org/resources/newsletters/issu04/photo.jpg

Here we have a user from my local geographic area soliciting 13 to 14 year old girls.

This one screen shot makes my case.


Written by Jim "Elwood" O'Gorman

 
