
Volume 02 Issue 07

In this issue:

SE Tool Review
The device they gave us this month is an amazing little tool. A serious MUST HAVE for any social engineer. Have you ever been worried your phone is tapped? Your hotel room is bugged? Stay in a hotel for a con and want to make sure the convo about the newest exploit you are developing is not being listened to? This is the tool for you! The Spy Matrix PRO SWEEP TSCM Sweep Kit is an amazing kit. Look at some of these features: It can track

You have to check out the link above and see this device and what it can do. I will be bringing one to the next con in Vegas; if you want to see how it works, hit me up there, or hang tight and I will be testing it and taking video soon. This can be a great addition to the tool set of professional SEs. There is more to come, but till then make sure to check out Spy Associates for the latest and greatest social engineering tools out there.
Social Proof

Social proof is a psychological phenomenon that occurs in social situations when people are unable to determine the appropriate mode of behavior. If you see others acting or talking a certain way, it is easy to assume that is appropriate. Social influence in general can lead to conformity of large groups of individuals in either correct or mistaken choices. This is common when people enter into unfamiliar situations and don't have a frame of reference on how to deal with the situation, so they mirror their behavior off of others that they assume are more familiar and therefore better informed.

This is an amazing concept and can be used in some pretty powerful ways. We have been doing some research on this and will be posting some pretty cool facts to help support how social proof can affect all of us. For now, check out the framework page on Social Proof for more info.

Using it as a Social Engineer: Social proof basically states you will be able to control what action others take by either getting others to take a similar action or giving the target the perception that the action is acceptable and normal. A simple example of this was demonstrated once when I saw a guy standing on a street corner just staring up into the sky. A few minutes later another person stopped on the other side of the street and was looking up; only a few minutes into it there were 10 people looking up trying to see what he was seeing. There was nothing, he was just looking. This can be used by SEs to control the path a target will take by getting others to take the same path or making them think it is already being done by many others and is acceptable. Stay tuned for more on this exciting topic.
If you want to listen to our past podcasts, hit up our Podcasts Page and download the past episodes.

To contribute your ideas or writing, send an email to contribute@social-engineer.org
What Motivates a Social Media Junkie?

Social media has been a theme that keeps jumping out at me with no reprise. Again this month I am revisiting it with another newsletter article. I wanted to address the question: Why do people put so much information out there? This question comes up again and again whenever I talk to someone that is not familiar with the social media space. They look at what is being done, and are just mystified as to how people place themselves in these situations. To those that have grown up without social media, and only share information with a few trusted individuals, engaging in this sort of mass orgy of information sharing seems like a foreign language.

I think part of the issue is that those of us in the infosec world don't see things the same way a lot of early adopters do. Early adopters flock to new services. Then a day later attackers load in and go after this fresh meat. The day after that is when we show up and start trying to make sense of what is going on. Lately this new territory has been social media, which has provided those of us that engage in any aspect of social engineering a treasure trove of information to utilize for whatever our goals may be. Efforts like last month's profile, which started from some information discovered on Blippy and grew into an entire profile, happen all the time. It could be an employer looking at potential new hires, scammers looking for new sheep, an insurance company deciding if a claim is valid or not, or simply a spouse wanting to know what their mate is doing when not at home. Social media provides the raw information used to feed the information gathering beast.

As a neat little exercise, go to YouTube and search for the word "Haul". Watch some of those videos and consider what you see. When I first came across this, I was really surprised. It seems like such a stupid topic for YouTube videos, but there are so many of them. And not only that, look at how often they have been viewed. At the time of this writing, the top one has over 600,000 views and almost 12,000 ratings. All for what some girl bought at a store? And that's not really an exception; a number of these videos are over 100,000 views. So the question enters my mind: Why are these videos showing up? This is along the same topic as what we covered last month with Blippy: the need for affirmation. The plea of being judged based off of not who we are, but what we have. That if we are going to be stereotyped, wanting to control what stereotype we fall into. And perhaps a fair degree of people wanting to be told what is cool so they can mimic it and feel better about themselves.

Understanding
this motivation is key. Why would someone use Blippy? Why would someone make videos of what they bought at the store? How can we take advantage of this as social engineers? Most times when social engineers look at social media we use it as raw pools of facts waiting to be dredged. Then we use this information to build wonderful profiles chock full of information. From there, a social engineer can launch various attacks such as phishing e-mail attacks that are targeted on interests we know they have. And this all proves quite effective.

But what if instead of stopping at that surface layer you went deeper? What if you looked at why this target is engaging in this activity? What is missing from their life that this is an attempt to fill? And is there a way I can prey upon this need? If this sounds disturbing then good, it should be. Unfortunately this is much the same approach that predators of all sorts use when trying to gain the trust of their prey, online or off.

Let's look at an example. Not long ago I attended a local event for those that are fans and supporters of social media. I found it very interesting to see what these people wanted to get from social media, and why they were there. I saw some interesting items that I was not expecting.

Whenever the economy gets shaky, people start to get uneasy. This unease can sometimes lead to people seeking out alternative income streams; perhaps they will start selling Tupperware or jewelry. Or perhaps they will become increasingly concerned with their career, and how competitive the job market has become. In this concern they start looking for something to set them apart from everyone else. Enter social media.

At the event I attended there was much talk about how everyone's "personal billboard" was working. About their personal brand, and what it says about them. How you can monetize a Twitter feed, and when is that not ethical. It was all about how they can ensure that their career will be solid.

However, the interesting thing about this is, at this event there were very few that were already established in their careers. Most were not looking to protect what they already had, but instead were wanting to obtain what they desired. In a way, they were all engaging in an SE of their own: trying to mimic the image of success before actually obtaining it. Everyone was complicit in their attempts to validate others in hopes that the favor would be returned upon them. Social media was being used as a mirage directed toward their targets, potential employment or promotions at their current job. It was as if social media was the fertilizer they intended to use to grow their careers beyond what they currently had.

With all that need in the room, how quick and easy do you think it becomes to infiltrate the various cliques? A fake profile, a good picture, some compliments, along with a few questions to make them feel like you view them as an expert, and you are in. They will open any file you care to send, any link you email, or even sign up on the new Ning community you have created. Once you become the one that is fulfilling that need in their life, they are compromised. The trick is identifying that need.

Now, granted, I am only speaking about a subset of those that utilize social media. Not everyone out there is operating with the same motivation, or even the same level of desperate need. But from a social engineer's perspective, this user base is a dream come true and is very much worth talking about. It's like finding a remote island where the animals have not yet grown to fear humans. An avid hunter could take his prey with a butter knife as opposed to camouflage and a rifle. A bit disturbing? Yes, but it is happening every day.

In many ways, this is why the information security community is two days behind and the attackers are one. InfoSec has always done a poor job in understanding the motivation of the user base they are tasked to protect. In a concern over making sure that best practices are being followed and compliance is in line, information security often never stops and considers motivation the same way an attacker does. The attackers are just after prey they can bring down with a minimal amount of effort. They don't really care about anything else.

Next time you are utilizing social media in any capacity, stop and consider the motivation of those that you are interacting with or targeting. See if you can isolate what that motivation is, and see if you can use that knowledge to your advantage. This is a very effective way of both gaining trust and endearing yourself with your targeted community.

By Jim O'Gorman - A chief contributor for social-engineer.org and consultant for Continuum
Worldwide

Social Engineering Assessments for the Business

Social engineering assessments within penetration tests are still not as prevalent as we would have expected in the security industry and businesses. With the ever-changing threat landscape companies face and the desire of criminals, black hats, and state sponsored efforts to gain unauthorized access to confidential information, still one of the easiest methods into an organization is through humans. We continuously hear about the problems with poor programming practices in web applications, or the fact that the latest and greatest exploit just came out; however, the large brunt of attacks occurring as of late have been direct attacks against employees.

Never before have we seen such dedication towards businesses in an effort to steal and compromise information in the manner as it is today. With the growing knowledge around ensuring quality secure code, firewalls, intrusion prevention systems, and the same old cat and mouse game, users are one of the biggest risks, period. Understanding this, there has to be a clear way of tackling the issue of social engineering and personnel attacks, so that a business can adopt and incorporate tests for these into their overall security program.

In 2008, Dave & Buster's, a popular game and restaurant business in the United States, fell victim to a social engineering attack where hackers impersonated a point of sale (PoS) provider and gained invaluable information about the Dave & Buster's network to steal credit card data. In that same year, MTV reportedly was hit by a social engineering attack that compromised over 5,000 employees. In the case of Google, hackers targeted multiple people within the organization by compromising friends of the employees and utilizing a zero-day vulnerability. These advanced attacks are focused on key information about the organization that can be used for a variety of purposes or to further aid in another attack. Overall, after the dust settled, Adobe, Juniper, Symantec, Northrop Grumman, and Dow Chemical were also targeted in the same attack.

Most organizations see social engineering as a hypothetical scenario that doesn't necessarily apply to them; the above stories show that from fun and games to serious defense, companies can fall victim to these attacks. We always hear of breaches occurring from the web application layer, or that our data is leaving the company, but most companies truly have a hard time understanding how effective social engineering is.

Penetration tests are nothing new; the main goal of a penetration test is to show real world proof of concept scenarios that emulate what a hacker could possibly do. They aren't a magic bullet to find every vulnerability and exploit in a network, but a facilitator to help identify how effectively a security program is working. It is also a checkmark for the majority of compliance and regulatory requirements out there.
Penetration tests should absolutely be unrestricted and allow the full mechanisms an attacker would use; this has to include social engineering. Without testing the controls around how a user awareness program works, or how well your security controls work against this type of attack, a company can be left wide open to this massive vulnerability. This can absolutely be one large risk that you aren't accounting for. Lastly, the ability to present how a hack occurred to management can provide additional funding or business drivers in accomplishing certain initiatives that you want to deploy through the organization with little fight.

In stating this, a penetration test only goes so far; it's a good test to see where you are at and where you need to go. Really diving down into protecting yourself… from yourself is a whole different aspect and challenge within an organization. You will never reach 100 percent of your populace unless you're a small organization. We are advocates of coupling a user awareness program that educates the users on the attacks, however we realize that we can't educate everyone in the company.

You have to incorporate technological solutions that also prevent the users from hurting themselves. Strict controls around local administrative rights will essentially knock out large exposures to the business by at least 60%. Combine that with heavily monitored and restricted egress (outbound) points and this can easily reduce the threat landscape by another 20%. Add decent content filtering, HIPS, AV, and patched solutions and this can cut back another 15%. That leaves you with a 5% gap on protecting your user base, which hopefully user awareness can cover.

This is where social engineering pentests come into play. It is becoming more and more prevalent that companies are beginning to ask for social engineering in their pentest quotes. When discussing this with your management, show them how effective it is by utilizing real world examples of these types of attacks and how the threat landscape is constantly changing. Use resources like the videos on www.social-engineer.org to show simple, yet real and effective attacks that happen in the wild. Get approval to test and show how effective it can be with just one person. Most companies are moving or have moved (for a long time) to the risk based approach of information security. Looking at the sheer volume of numbers coming out towards advanced attacks around social engineering should be a large risk factor alone and proof that this method isn't going away anytime soon.

As the statistics for identity theft, corporate espionage and social engineering attacks increase, so must user awareness. Education, penetration testing and a vigilant policy on how to handle these attacks can help secure your company. There is nothing that can make you 100% secure against a dedicated attacker, but these principles can make it very difficult for them to gain access to your data.

Written by David Kennedy
