FEATURE: A special Social-Engineer.org REPORT at the end. Make sure
to download now!
How Much is Too Much – Social Media
We are a connected
generation. From our social websites to our cell phones we can
literally let the world know what we are doing, where we are, what we are
eating, when we leave home and what our thoughts are on the purchase we
just made. All at a moment’s notice.
When is it enough? What is too much? This blog post will
analyze two newer sites and if you haven’t seen these already, you will
Contestant #1 Step Up Please
How would you feel if I snuck up to your mailbox and took out your credit
card bills and started itemizing your purchases? Or, if I went into
your accounting system and started to make lists of everything you bought
online in the last 6 months? Are you calling the cops yet?
Well, I don’t have to sneak to anyone’s mailboxes; thanks to a new social
media site called Blippy.
Believe or not, ladies and gentlemen,
Blippy posts a “tweet” every time a user purchases anything.
Take a look at the front page:
Now, that doesn’t tell you too much,
but let’s say we are auditing a company and we find out some of the staff
have twitter accounts. Maybe we take that user name and search for
it on Blippy. What information is found?
Our target has bought 3 airline
tickets, $750 in Ads and a couple grand at Google. The ability to
profile a person based on their likes and dislikes is amazing.
What happens if we delve deeper? What else can we learn?
As see in the figure above, our target
owns an online game company, he is located in Silicon Valley and he has
ties with venture capitalists. A lot was learned in a
just a few minutes and we can continue to follow the target and see what
he purchases and more.
The CEO of Blippy takes it even a step further:
Not only does he tell us how much he
spent, not only does he tell us where he spent it, but he tells us WHAT
he spent it on. Exactly, from the meal, the amount of fuel, to the
type of clothes he bought.
What makes this even more dangerous are posts like these:
Here, users are helping each other link
their bank account information to the site… Yes, simply “click
here” and then enter your login information for your bank and….
Anyone else seeing a potential for redirection? How dangerous can it get?
Obviously our medical records are protected from the prying eyes of would
be malicious social engineers? Not if you post them to Blippy!
Wait, come on… this can’t be…
Poor Patrick has to see the doctor
often, but at least he seems to have a low co-pay.
Not only that, but a little more research and we can learn a lot about
our buddy Patrick…
He has an account at Bank Of America
and what is this, Blippy is linked to his checking account too? It
lists his checks as you can see above from check # 0722?
Believe it or not, with this overwhelming evidence, there are still
people who have said to me, “What’s wrong with sharing data if I want to
share it? What’s the harm?”
Excellent question, one that I think can be best answered by showing and
not telling. The space for this newsletter column is running out so
what I have done is create a downloadable document that will help to
answer that question in one of many Social-Engineer.org Special Reports.
By Chris loganWHD Hadnagy
Bandwidth, and Icons
One of the best parts
of going to a con is being able to meet people from all walks of life.
Even with that in mind, out of everyone you meet, how many do you
remember? And of those you remember, why did you remember them?
This is a particular issue for me, as I am horrible with remembering
names. And with the “new person” overload you can experience, to actually
remember someone a week later, there has to be a reason for it. Some impression
needs to be made.
There are a lot of ways to make that impression, such as, give a talk
that is memorable. Another effective way is to perhaps punch me in the
face. I won’t have a kind memory of you, but I will remember.
Really; however, these methods are not (thankfully) for everyone. One
method that I see a lot is one that it is many people don’t even realize
they are doing.
Before I get into that; however, I want to talk about comic books.
(Image is from Understanding Comics)
are interesting when you look at their history. Many of the most
memorable characters were created years ago when printing technology was
nowhere near as high quality as they are now. Color was limited to four
simple colors with no real blend (look closely at old books and you can
see every separate dot), and details within the art were horrible. When
the comics were printed, telling the difference from one character to
another was very difficult due to the poor printing.
of this time had to work around the limitations of the technology. They
needed to make their new heroes memorable; easy to pick out on the page.
For the most part, this was accomplished through the use of props, unique
costumes, unique physical traits, and icons. Let’s look at some examples.
An obvious example of this is the classic Superman.
is an example of the unique (for its time) costume, complete with the
icon on the chest. The icon on the chest became such an obvious and
effective method, that it was utilized across the whole industry. There
are so many examples of this that to list them all would be silly, but I
am sure you can think of at least a dozen off the top of your head,
demonstrating the effectiveness of the technique.
props and unique physical traits, let’s take a look at Dick Tracy. Look
at the poor artwork reproduction of the time, but how each character
still has a very unique image.
for props, check out this picture of the famous detective.
Here you have props in the watch,
the hat and the coat, which also serves as much of the same function as
the costumes mentioned before.
With all that said, let’s get back to what I was discussing previously
about some people at the cons having ways of being remembered.
Now, I am in a bit of a delicate position here as I don’t want to call
anyone out by name and have him or her feel like I am picking on them. I
am going to just describe some of the ways that I see people being
remembered at the con. If you think I am getting at one person or
another, you may or may not be right.
Let’s take the categories and we can start with props. How many times
have you been at a hacker con where someone pulls out a cell phone
jammer? When this happens, it will often become a quick object of
conversation and an instant connection can be made. What about unique
hats? I can think of some individuals that have been at many of the
conventions I have been too and they always have the same unique hat.
Unique costumes, well I saw no one running around in spandex, but I am
pretty boring and don’t normally travel in those circles; however, it is
very common to see more modern uniforms. For instance, I was wearing a
Social-Engineer.org shirt at Shmoocon. Another common example is orange
cammo pants, an example of which not only is unique and memorable, but
can instantly link all those wearing them so they are all associated with
a common group.
Unique physical traits jump out as well. With everything from truly epic beards
(which some wield with pride) to various body mods, piecing and tattoos.
While common, some people sport unique ones that make one stand out from
the crowd. And finally, icons. See many icons in this day and age?
These are everywhere in the form of corporate logos printed on everything
from clothing to stickers on laptops.
These might all seem minor, but consider a situation where you meet
twelve people, all with good personalities and very friendly. But one of
them has a beard unlike anyone else that you have seen in quite a while.
Which one are you most likely to remember?
Now, you might be thinking “Jim, you have been rambling for a while now
and while this is interesting what in the world does this have to do with
Without really thinking things through, what most people do when they go
out in the world is put them self together (together in the form of what
clothes they have on, their hair, and just general self image). They are
framing themselves and how they want the world to see them and treat
This has the side effect of making some people more easy to remember;
more likely to stand out in a crowd. In some cases, this might be
intentional and in others, it is just a side effect.
This same sort of question comes up in professional life all the time.
When you go someplace, do you wear a suit? Business casual? T-Shirt and
jeans? I saw this question posed recently on twitter when someone was
starting their first day at a new job. They were putting thought into how
they want to be perceived when they enter a new environment, and what the
ramifications of this perception should be.
And while it may not be right to judge a book by its cover, it’s a fact
that people do it all the time. In the absence of other information,
people will use what little they do have access to and make assumptions
for the rest. When meeting someone new for the first time, this initial
physical appearance may be all they have to go on.
So how can we as social engineers put this to use?
The most important thing, and something that many people forget on a
regular basis when creating pretexts is, we live in a world of constant
inputs. When we first start to interact with a target, we are not the
only series of inputs they have at the time. And, unlike the comic book
artists of years past that were dealing with issues of how to make images
easier to comprehend in the proper context while fighting low resolution
image reproduction, our targets are flooded with high fidelity input.
We have to keep this in mind when we simplify what we are doing so
it can be comprehended with the minimal amount of thought by the target.
In this situation, the target does not have the depth of information
necessary to make a comprehensible decision; we present them with only
the information needed to come to the conclusions we want them to.
These simplified methods remind us of the tools the old comic artists had
to utilize. Icons, props, costumes and physical traits should not be
complex or subtle. They should be simple and easy to understand. This
will lead to a much higher success rate for you in your various
While examining the solutions that comic book artists utilized in the
past to solve their problems may seem odd when dealing with modern social
engineering problems, as you can see, there are lessons to be applied.
This is what I love about this field. If you keep an open mind and pay
attention to the world around you; you never know when you might come
across something helpful and relevant. Don’t be afraid to try something
unorthodox once in a while, just because a solution was created to solve
one set of problems does not mean it won’t apply to yours.
Written by Jim "Elwood" O'Gorman