SPECIAL FEATURE: A special Social-Engineer.org REPORT at the end. Make sure to download now!
How Much is Too Much – Social Media Gone Wild
We are a connected
generation. From our social websites to our cell phones we can
literally let the world know what we are doing, where we are, what we are
eating, when we leave home and what our thoughts are on the purchase we
just made. All at a moment’s notice.
When is it enough? What is too much? This blog post will
analyze two newer sites and if you haven’t seen these already, you will
be dumbfounded.
Contestant #1 Step Up Please
How would you feel if I snuck up to your mailbox and took out your credit
card bills and started itemizing your purchases? Or, if I went into
your accounting system and started to make lists of everything you bought
online in the last 6 months? Are you calling the cops yet?
Well, I don’t have to sneak up to anyone’s mailbox, thanks to a new social
media site called Blippy.
Believe it or not, ladies and gentlemen,
Blippy posts a “tweet” every time a user purchases anything.
Take a look at the front page:

Now, that doesn’t tell you too much,
but let’s say we are auditing a company and we find out some of the staff
have Twitter accounts. Maybe we take one of those usernames and search for
it on Blippy. What information is found?

Our target has bought 3 airline
tickets, $750 in Ads and a couple grand at Google. The ability to
profile a person based on their likes and dislikes is amazing.
What happens if we delve deeper? What else can we learn?

As seen in the figure above, our target
owns an online game company, he is located in Silicon Valley and he has
ties with venture capitalists. A lot was learned in
just a few minutes, and we can continue to follow the target and see what
he purchases next, and more.
The CEO of Blippy takes it even a step further:

Not only does he tell us how much he
spent, not only does he tell us where he spent it, but he tells us WHAT
he spent it on. Exactly what: the meal, the amount of fuel, the
type of clothes he bought.
What makes this even more dangerous are posts like these:

Here, users are helping each other link
their bank account information to the site… Yes, simply “click
here” and then enter your login information for your bank and….
Anyone else seeing the potential for redirection to a phishing page? A user who is
in the habit of following a link and typing in bank credentials is exactly the user
a phishing email is written for. How dangerous can it get?
Obviously our medical records are protected from the prying eyes of would-be
malicious social engineers, right? Not if you post them to Blippy!

Wait, come on… this can’t be…

Poor Patrick has to see the doctor
often, but at least he seems to have a low co-pay.
Not only that, but with a little more research we can learn a lot about
our buddy Patrick…

He has an account at Bank of America,
and what is this? Blippy is linked to his checking account too. It
lists his checks, as you can see above from check #0722.
Believe it or not, despite this overwhelming evidence, there are still
people who have said to me, “What’s wrong with sharing data if I want to
share it? What’s the harm?”
Excellent question, one that I think can be best answered by showing and
not telling. The space for this newsletter column is running out, so
what I have done is create a downloadable document that will help to
answer that question in one of many Social-Engineer.org Special Reports.
By Chris "loganWHD" Hadnagy

Fidelity, Mental Bandwidth, and Icons
One of the best parts
of going to a con is being able to meet people from all walks of life.
Even with that in mind, out of everyone you meet, how many do you
remember? And of those you remember, why did you remember them?
This is a particular issue for me, as I am horrible at remembering
names. And with the “new person” overload you can experience, to actually
remember someone a week later, there has to be a reason for it. Some impression
needs to be made.
There are a lot of ways to make that impression, such as giving a talk
that is memorable. Another effective way is to punch me in the
face. I won’t have a kind memory of you, but I will remember you.
Really. However, these methods are (thankfully) not for everyone. One
method that I see a lot is one that many people don’t even realize
they are using.
Before I get into that, however, I want to talk about comic books.

(Image is from Understanding Comics)
Comics are interesting when you look at their history. Many of the most
memorable characters were created years ago, when printing technology was
nowhere near as high quality as it is now. Color was limited to four
flat inks with no real blending (look closely at old books and you can
see every separate dot), and fine detail in the art was lost. When
the comics were printed, telling one character from
another was very difficult due to the poor reproduction.
Artists of this time had to work around the limitations of the technology. They
needed to make their new heroes memorable: easy to pick out on the page.
For the most part, this was accomplished through the use of props, unique
costumes, unique physical traits, and icons. Let’s look at some examples.
An obvious example of this is the classic Superman.

This is an example of the unique (for its time) costume, complete with the
icon on the chest. The icon on the chest became such an obvious and
effective method that it was utilized across the whole industry. There
are so many examples of this that to list them all would be silly, but I
am sure you can think of at least a dozen off the top of your head,
demonstrating the effectiveness of the technique.
For props and unique physical traits, let’s take a look at Dick Tracy. Note
the poor artwork reproduction of the time, yet how each character
still has a very distinct look.

As for props, check out this picture of the famous detective.

Here you have props in the watch,
the hat and the coat, which also serve much the same function as
the costumes mentioned before.
With all that said, let’s get back to what I was discussing previously
about some people at the cons having ways of being remembered.
Now, I am in a bit of a delicate position here as I don’t want to call
anyone out by name and have him or her feel like I am picking on them. I
am going to just describe some of the ways that I see people being
remembered at the con. If you think I am getting at one person or
another, you may or may not be right.
Let’s take the categories in turn, starting with props. How many times
have you been at a hacker con where someone pulls out a cell phone
jammer? When this happens, it will often become a quick object of
conversation and an instant connection can be made. What about unique
hats? I can think of some individuals who have been at many of the
conventions I have been to, and they always have the same unique hat.
Unique costumes: well, I saw no one running around in spandex, but I am
pretty boring and don’t normally travel in those circles; however, it is
very common to see more modern uniforms. For instance, I was wearing a
Social-Engineer.org shirt at Shmoocon. Another common example is orange
camo pants, which are not only unique and memorable but
instantly link all those wearing them, so they are all associated with
a common group.
Unique physical traits jump out as well, with everything from truly epic beards
(which some wield with pride) to various body mods, piercings and tattoos.
While these are common, some people sport unique ones that make them stand out from
the crowd. And finally, icons. See many icons in this day and age?
These are everywhere in the form of corporate logos printed on everything
from clothing to stickers on laptops.
These might all seem minor, but consider a situation where you meet
twelve people, all with good personalities and very friendly. But one of
them has a beard unlike anyone else that you have seen in quite a while.
Which one are you most likely to remember?
Now, you might be thinking “Jim, you have been rambling for a while now
and while this is interesting what in the world does this have to do with
Social Engineering?”.
Everything.
Without really thinking things through, what most people do when they go
out in the world is put themselves together (in the form of the
clothes they wear, their hair, and their general self-image). They are
framing themselves and how they want the world to see them and treat
them.
This has the side effect of making some people easier to remember,
more likely to stand out in a crowd. In some cases this might be
intentional, and in others it is just a side effect.
This same sort of question comes up in professional life all the time.
When you go someplace, do you wear a suit? Business casual? T-shirt and
jeans? I saw this question posed recently on Twitter when someone was
starting their first day at a new job. They were putting thought into how
they wanted to be perceived when entering a new environment, and what the
ramifications of that perception would be.
And while it may not be right to judge a book by its cover, it’s a fact
that people do it all the time. In the absence of other information,
people will use what little they do have access to and make assumptions
for the rest. When meeting someone new for the first time, this initial
physical appearance may be all they have to go on.
So how can we as social engineers put this to use?
The most important thing, and something that many people forget on a
regular basis when creating pretexts, is that we live in a world of constant
inputs. When we first start to interact with a target, we are not the
only stream of input they are receiving at the time. And, unlike the comic book
artists of years past, who were working out how to make images
easy to comprehend in the proper context while fighting low-resolution
image reproduction, our targets are flooded with high-fidelity input.
We have to keep this in mind and simplify what we are doing so
it can be comprehended by the target with the minimum amount of thought.
In this situation, the target does not have the depth of information
necessary to reason the decision through; we present them with only
the information needed to reach the conclusions we want them to reach.
These simplified methods remind us of the tools the old comic artists had
to utilize. Icons, props, costumes and physical traits should not be
complex or subtle. They should be simple and easy to understand. This
will lead to a much higher success rate for you in your various
endeavors.
While examining the solutions that comic book artists utilized in the
past to solve their problems may seem odd when dealing with modern social
engineering problems, as you can see, there are lessons to be applied.
This is what I love about this field. If you keep an open mind and pay
attention to the world around you; you never know when you might come
across something helpful and relevant. Don’t be afraid to try something
unorthodox once in a while, just because a solution was created to solve
one set of problems does not mean it won’t apply to yours.
Written by Jim "Elwood" O'Gorman