Information Gathering and the Social Engineer

Is the summer already over? I’m happy to report that the entire SEORG crew made it back alive from DEF CON albeit with a healthy dose of CON flu thanks to nick8ch (who from here on out will be known only as “Patient Zero”). By the way, worst text to ever get as you’re getting on a plane for home is “I had to go to the emergency room last nite, hope I didn’t get y’all sick!” But I digress. The SE Village was a smashing success and we had a really interesting and fun SECTF this year. We’ll give you the blow by blow in next month’s newsletter, but until then, I thought it might be interesting to spend a little time on a topic that many people don’t consider while watching the live calls.

I know what you’re thinking. Social engineering is sooo cool and sexy. We wear polarized sunglasses and brandish fake badges wherever we go. We wrap Chris in a latex catsuit and suspend him by wires to test corporate security. If only that were true!! The stories and examples we report are interesting and entertaining learning tools. There’s no doubt that it’s a great gig with the fun factor highlighted during our SECTF. But something to consider is the preparation that’s necessary before any interactions with people occur. Thorough research is absolutely critical to the success of a social engineering engagement. Yes, this can be the equivalent of a days-long police stake out prior to the thrilling 30-second foot chase through back alleys. But if you go in unprepared you may find yourself being shut down on a call or tazed by that sweet receptionist because you came across sounding creepy or false.

Information gathering and the social engineer
Actor recreation of Chris during our last engagement

Something a lot of people don’t realize that similar to a live social engineering engagement, we require our SECTF participants to conduct research on their target weeks before they get in our booth.  What we find year after year is that although there are some fantastic participants who think fast on their feet, the majority of people who do well did their homework well ahead of time and came prepared.

I think most of us in the security industry are painfully aware of the information on both people and organizations that is now available for anyone to find online. But something that still amazes me is the sheer amount that’s out there, and the numerous sources that can be mined.  I’m not sure that the average user is aware of the digital exhaust they create just by browsing, shopping, and engaging online. Until we find a reliable way to make our interactions more private, the Internet will continue to be a treasure trove for social engineers (and anyone else who cares to look).

I absolutely love my sister-in-law. She’s a fabulous mother to my nieces and nephew, tirelessly shuttling them back and forth to school events and friend’s houses. She’s also a rabid cell phone photographer, having documented the lives of her children, posting them to her social media accounts and texting them to eager relatives. What I was shocked to discover, however, is that she had absolutely no idea that her photos contained geolocation data, accurately pinpointing where her photos were taken. You can imagine that setting on her phone was changed post-haste. There have been a number of interesting articles highlighting this issue, and really pointing out the fact that the average user has access to increasingly powerful technology without the knowledge to operate safely. There’s a website called I Know Where Your Cat Lives which actually turned out to be a research project on the potential dangers of automatic geolocation in both photos and applications that geotag without making data private by default. There was also a very interesting story about a Russian soldier posting selfies to Instagram that at least on the surface indicated that he and his unit were operating inside the Ukraine. In the days that followed, there was a second article discussing the weaknesses in this argument, but again the implications are clear.

I wish I could say I had a simple and short answer when my sister-in-law asked what else she should be doing to keep her family safe. As a social engineer, I know that pictures are just one way of mining information about people or organizations. This article is just one in many that discusses how email can be used to provide senders with a way to track who opens their emails and where they are located. What can be used in marketing is employed by malicious phishers, as well.

Are you a social media user? Of course you are. A study conducted last year revealed that roughly 20% of tweets reveal user location, even when the option to broadcast this is turned off. This was done through analysis of other data such as time zone and language. 20% doesn’t sound like a lot, but considering the number of Twitter users worldwide, that amounts to millions of people.

Finally, if you’re really interested in how much detail on you is available, ask a retailer. With just a few pieces of information, they (and anyone else) can access huge databases that contain all the details about where you live, what you buy, and what’s going on in your life right now.

Readers, please take note. This article only scratches the surface when it comes to information gathering. There are tools, websites, and Google dorks that can and will find information for the person who is patient and thorough enough to dig. There is also information gathering done the good old-fashioned way via elicitation of unsuspecting individuals.

So what did I finally tell my sister-in-law? Be vigilant. Think about the information you give, even in casual conversation. Treat any interaction that uses a computer as broadcasting your information to the entire world for eternity (because that’s what’s happening). The security implications are simple to understand but difficult to implement. The truth is out there, and if you are a professional social engineer, you will serve your clients and organizations well if you do your research and create informed users.

Stay tuned for our next chapter from SEORG, tentatively titled: What I Did This Summer or Hackers Request Getting Handcuffed at SE Village.

Written by: Michele Fincher