Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Tag Archives: social engineering

DeepSEC: The Future of Social Engineering

The Future of Social Engineering (Sharon Conheady)

Being this short is really helpful for social engineering. When a security guard comes I can hide anywhere… I’ve spent hours hiding under desks!

Origins of social engineering

The term sociale ingenieurs was introduced by the Dutch industrialist J.C. Van Marken in 1894

A hundred years ago was the age of the con artists.

Con artists like Victor Lustig managed to sell the Eiffel Tower on multiple occasions. Selling it for scrap!

This kind of con still works… in the last year a man in the UK was jailed for trying to sell the Ritz hotel

Frank W. Abagnale

  • Conveyed authority
  • Did his research
  • Acted and looked the part

He liked to play the part of an airline pilot, or airline crew….

That would never happen now though right….

“Fake pilot arrested after 13 years” –> http://news.bbc.co.uk/2/hi/europe/8549954.stm

10 years ago

  • Love bug virus
  • AOL Account takeovers

Now

  • Attacks against Google using social networking
  • Facebook charge scam
  • Robin Sage (Provide Security)

5 Thoughts on the future of SE

  • Same tricks, new technology
    • Advance fee fraud (Started in the 16th Century)
    • So many instances through history
    • Now present in modern email scam / 419 scams
    • Old attacks reworked for social engineering
    • People taking advantage of current events –> Volcanic Eruption in Iceland in 2010
  • More sophisticated and more targeted
    • We still see wide-spread blanket emails, but more and more things are tailored for the victim
    • Avoidance of attaching malicious executables to bypass technical protections
    • Attacks starting in the real world (parking ticket scam)
    • The more creative the attack, the more likely it is to succeed
  • Use of social networks
    • Great information source
    • No need for highly technical skills
    • Everybody can use it!
    • Less dumpster diving
    • Impersonation online is easier than in real life
  • Using technology to improve your SE
    • Photoshop ID cards
    • Maltego / Pipl / recon tools
    • SET (Social Engineering Toolkit)
    • Caller ID spoofing
  • Outsourcing
    • For €7-15 per call you can get somebody to make an SE call for you!
      • Buying credit cards online is easy now – But do you sound like a 77-year-old Italian lady!
      • Pay somebody to make the call for you
    • Cold calls to UK internet users

Social engineering has changed, but the tricks stay the same.

The future…. SE has become so popular that the need for SE testing will only increase

Links:

  • Frank Abagnale –> HERE
  • Malware delivered in parking ticket scam –> HERE
  • Warning over anti-virus cold-calls to UK internet users –> HERE

[BruCON] Head Hacking – The Magic of Suggestion and Perception

Head Hacking – The Magic of Suggestion and Perception (Dale Pearson)

Language is a strange thing, by listening to this presentation your brain is processing things in a way you may not understand. If we can learn more about this process, then we can use it to improve our social engineering.

How can you get the Jedi powers talked about so much by professional social engineers?

5 different types of social engineer:

  • Type 1: Opportunist
    • Uses physical skills (attractiveness)
    • Some skills, but doesn’t do this everyday
    • Possible first timer
  • Type 2: Natural Confidence
    • Talks the talk
    • Doesn’t always walk the walk
    • Good communicator
    • Comfortable interacting (loves themselves)
    • Lacks experience
  • Type 3: Professional
    • The geek
    • Skilled in InfoSec
    • Regimented processes
    • Knowledgeable
    • More Art, Less Science (Not sure why things work)
  • Type 4: Seasoned Pro (i.e. the Ninja)
    • Repeatable process
    • Experience
    • Handles confrontation
    • Passionate
    • Think they know everything
  • Type 5: Master manipulator
    • Understands how things work and why
    • Has a game plan
    • Multiple outs
    • Passion and Dedication
    • Tried and tested
    • Constant evolution (new vectors)
    • Creative
    • Cocky

The result of 24 months’ research is how to work towards becoming a master manipulator.

Best tool for the job: Be mindful, use your mind to think on your feet and understand how to change how people think.

  • Limbic System – Animalistic responses (Fight or Flight)
  • Subconscious – Power House (11,000,000 pieces of information a second)
  • Conscious – Our Reality (16 to 40 pieces of information, based on what we perceive to be a priority)

Get committed

  • Focused
  • Planned Path
  • Persuasion
  • Agreement
  • Choosing the right ear
  • “We stay true to what we say”

Make the leap for the subject, believe what you’re trying to convey. Give off the correct signals. This increases your success rate.

<demo> using language to subtly affect the subconscious decision processing of a subject (in this case the audience).

Neuro-Linguistic Programming

  • Study of Therapy
  • NOT science
  • Art / Process

One of the most important things found is the Rapport. We like others that like us. When two people have good rapport, they often mirror each other.

Frames

  • We all have a frame of our existence
  • Changing your frame of reality through ReFraming

What would it take to make it happen… Ask! What would it take to get what I want!

NLP Pattern Examples

  • Redefinition – Change the focus and question
    • It’s not about why you don’t have a badge, it’s about the problems if you don’t get your task done. Who’s going to explain that to the manager!
  • Agreement – Agree on the negative, focus to positive, your idea/requirement
    • Agree that you don’t agree
  • Awareness – Bring attention to something, key words
    • “I don’t have my badge but I need to get _in_”
  • Interruption – Confusion, overflow, derailment
    • Change their process before they start
    • 1-3 second gap to “inject your code” before they get back on track

NLP.. good, but disappointing. NLP practitioners as a group aren’t interested in discussing social engineering.

So what about hypnosis? What if you simply ask for the password?

We always answer at some level, Maybe not verbal, but physical reactions

Hypnosis

  • Been around since the 1840’s
  • Based on neuro-hypnotism
  • James Braid (Scottish Surgeon)
  • Focused state of attention
  • Subconscious Communication
  • Art of vagueness and assumptions
  • Rapid induction techniques
    • Can’t get a subject to lay on a bed and be talked to for an hour after all!
  • Stateful inspection
  • Keep it simple

Many different techniques and strategies

Anthony Jacquin – Reality is plastic –> Book about Rapid Induction Techniques

Negative = Positive

Brains don’t do negative too well

“Don’t think about a pink elephant” makes you think of a pink elephant

So try “you don’t have to let me in”

Guardian of the mind

Protects the mind. Can be bypassed by saying a series of true sentences until the brain takes for granted that the things are true.

Buffer Overflows

Inserting unfinished stories until the subject has so many unfinished loops that confusion is caused

Create a YES set by only talking the truth until it’s taken for granted that you’re telling the truth about everything.

Reinforcement

  • Pacing and Leading
  • Direct and Indirect
  • Share the experience
  • Perspective of the subject

Alternate Reality

Through hypnosis, you can’t make a person do something they don’t want to do. You can however alter their reality.

  • Alter the scenario
  • Modify the game
  • Truth and Lies
    • Ask a person to lie about everything
    • Repeat asking them to be truthful (slip in your question)

What can you do with hypnosis then?

  • Make people forget
  • Catalepsy (go stiff)
  • Anesthesia
  • Hallucinations
  • Regression / Progression
  • Time distortion
  • Post-hypnotic suggestion

Mentalism

Because if hypnosis doesn’t work, you look like an idiot. Backup plan, an out!

  • Magic
  • Illusion
  • Cold Reading
  • Mind Control
  • Psychological subtleties
  • Telepathy
  • Hypnosis

Baseline

These things won’t work the same for everybody

  • Visual people
  • Auditory people

Confidence doesn’t really exist, it’s all about controlling fear.

To fail is to learn, because difficult isn’t impossible!

Protection

  • Educate
  • Empower
  • Test
  • Communicate
  • Make it personal
  • Don’t be a target
  • Be mindful


[BruCON] Red Team Testing

Chris Nickerson –  Red Team Testing

The reality of security – Don’t just say what could be done, show what can be done. Prove the sky is falling

Humans have known how to protect themselves for thousands of years, so why do we suck at it now? Just because it’s a computer?

Defending against a dynamic threat is complex.

How do you know your controls work if they’ve never been tested? How do you know you can put up a fight if you’ve never taken a punch? If an attacker has no rules, why should the defenders? Hackers don’t have scopes, why should testers? Simulate real-world attacks.

Compliance isn’t the end of the line, it’s the first step. Testing 1% of your company assets doesn’t make your whole company secure.

It’s possible to have a process that is inconstant (without scope or limits) and yet have consistent results.

You never know the value of what you have until it’s gone.

Why traditional testing is dead?

  • It doesn’t focus risk on business, but on exposure of vulnerability
  • Testing that replicates an attacker (sparring partner) has its hands tied
  • The perimeter is DEAD

Attackers are moving to the client side (8 of the 20 entries in the SANS Top 20 report are client attacks). Most attacks are not something that a perimeter can protect against. Direct and focused attacks are the new style.

  • External Direct – Server / App Attack
  • External Indirect – Client-side / Phishing / Phone calls
  • Internal Indirect – Key/CD drops / Propaganda
  • Internal Direct – Social engineering / Physical
  • Exotic Attacks – Flash mob / Thinking out of the box

Figure out what’s important to the company and steal it (physically take it). You can prove ROI if you can prove what you can steal (how much was that router I stole?)

Best method of attack — Take the EASY way in. If you don’t get in, then you didn’t do enough information gathering.

Social networks are the best way to find out how to act like your target and find information.

Breaking into a company when people are out is the best plan. Pick your timing. You can ignore people when they’re asking a question you don’t want to answer.

What you should have in your kit:

  • Costumes
  • ID Cards
  • Paperwork
  • Lock Picks
  • Laptop
  • Bag
  • Phones (to leave behind)
  • Leave-behinds
  • Biz Cards
  • Candy
  • Smokes
  • A lighter
  • A camera or video recorder
  • Mylar Balloons
  • String
  • Helium
  • Blowup doll (not just for fun!!!)
  • Call jammer
  • Appropriate cables
  • Lineman’s set
  • Grappling hook and rope
  • Audio recorder

Get costumes from different companies and locations so you can easily assume an identity. Speaking a foreign language, faking misunderstanding.

Remote observation with things like GSM bugs, spy camera pens, power strips (with WLAN, video, audio), wireless robots, fake alarm sensors…

Remote key copying by taking a picture and reproducing it offsite. Dress like a janitor and go in like you’re meant to be there.

iPWN – Running iPhones as a remote connection to the network.

Cell phone bugging – Flexispy – Alter settings on the phone to proxy things through a central location.
Cell phone tracking – http://www.instamapper.com, http://www.opengpstracker.com – Use mobiles for GPS trackers

If you hack a person, they are harder to reboot!

Get ready, Get set

  • Time and date
  • Character
  • Costume
  • Methods
  • Memorizing Data
  • Entrance Strategy
  • Exit Strategy
  • Plan B (C,D,E,F,G,…)

Last defense should be a fake get out of jail free letter – do they really check that?

Always check out local business service companies (like printers etc.); lots of sensitive data gets left at these locations. Go and say your company left a copy of something last time they were in. Copy centers are like the Disneyland of social engineering.

Badge Forgery – Make it look real, spend all the time you can to make it look perfect (RFID, Digital Camera picture, etc…)

Spoof calls with tools like SpoofApp.com – Various tools for the different platforms

In Person

  • NLP
  • Breathing techniques
  • Touch
  • Psychosomatic Presence
  • Magic
  • Hypnotism
  • Ekman Coding
  • Facial Feedback
  • Temperature Reading
  • Communication Stances
  • Satir comm. Models
  • Classic Cons

Social engineering isn’t about lying, it’s a complex and scientific process. Find a process that works and use it.

Lock Picking – If a door stands in the way, pick it. Find a way to trigger the door (blow up doll to trigger a motion sensor)

Finally, Go for GOLD – Use what you’ve learned about people and the systems to get the information and access you need to prove the point. Get things that the business are interested in. Hackers don’t run the business, so why focus on things they think are important.

Automated tools to find things:

  • Spyder
  • Vericept
  • Any other DLP solution
  • Powershell searches
  • Nessus
  • GREP (regex for what you want)
  • dbDataFinder
  • FileHunter
  • PowerGREP
  • WindowsGREP

Don’t spend hours searching for the crown jewels, use automated scans and attach from outside to download the good stuff.

Bluetooth fun

Well I’m finally getting a chance to update my blog after a few weeks of Semi holiday. Saw some interesting things in London, just a pity I was too slow with the camera. I saw an error message on an advert screen that would have made Johnny Long proud. IP address and all….

As some people who read this blog are probably aware, I like to play about with Bluetooth when I’m on a trip. After all, when you’re on a train or a bus, there’s not much else to do. I’ve been using the Bloover app from the trifinite group for a while now, just for scanning the local area and looking at what devices are pumping out information. The application is a simple Java install and even works on my ancient Nokia phone from before the dawn of Metasploit (or dawn of time if you prefer). All you need is support for J2ME on your phone and you’re laughing. After a couple of long(ish) train journeys to and from London, I had amassed quite a list of Bluetooth names (some of which are shown below). Knowing what a battery hog Bluetooth can be, I really wonder about some people’s phone use. After all, nobody in my cabin on the train was using a Bluetooth headset; in fact most were just shouting into their headsets doing the usual thing where they think everybody needs to know about their life. Anyway, let’s ignore that fact before people start to draw up analogies to people blogging 😉

Amongst the usual names like Nokia, SDH-900 and various other brand/model names, there was a distinct pattern emerging. A good percentage of people simply give their name as the Bluetooth broadcast ID, the rest say something about their character (I’m looking at you, Thrustmeister). It’s all very entertaining, at least it gave my girlfriend and me endless fun. However, on the more serious side, the uses for this in a social engineering situation could be amusing. Sitting in a coffee shop snooping on Bluetooth IDs until you can pinpoint whose phone belongs to whom. If you can find a Bluetooth broadcast ID displaying a name, or a company name, then the follow-up conversation becomes so much easier. After all, nobody wants to admit that they’ve totally forgotten their first boyfriend/girlfriend back at high school or the boss from the Canadian office.

Tip of the day… turn off your Bluetooth when you’re not using it. End of story…
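
A defender-side check for the naming pattern described above, added here as an example and not part of the original post: it audits an asset inventory for Bluetooth friendly names that reveal the owner's name or the employer. The inventory records, field names and "Example Corp" are constructed assumptions, standing in for something like an MDM export.

```python
import re
import unicodedata

# Constructed sample inventory (assumed MDM-style export, not real data).
INVENTORY = [
    {"bt_name": "Nokia 6230i", "owner": "Anna Berg", "company": "Example Corp"},
    {"bt_name": "Anna's phone", "owner": "Anna Berg", "company": "Example Corp"},
    {"bt_name": "EXAMPLECORP-LT-0042", "owner": "Tom Reyes", "company": "Example Corp"},
    {"bt_name": "J. Müller E71", "owner": "Jürgen Müller", "company": "Example Corp"},
    {"bt_name": "SDH-900", "owner": "Sam Hart", "company": "Example Corp"},
]

def _fold(text):
    """Lower-case, strip accents, and turn punctuation into spaces."""
    decomposed = unicodedata.normalize("NFKD", text)
    no_marks = "".join(c for c in decomposed if not unicodedata.combining(c))
    return re.sub(r"[^a-z0-9]+", " ", no_marks.lower()).strip()

def audit_name(bt_name, owner, company):
    """Return the reasons a broadcast name identifies its owner or employer."""
    findings = []
    folded = _fold(bt_name)
    words = set(folded.split())
    for part in _fold(owner).split():
        # Whole-word match (plus possessive "annas") avoids hits like "tom" in "atom".
        if len(part) >= 3 and (part in words or part + "s" in words):
            findings.append("owner-name:" + part)
    company_key = _fold(company).replace(" ", "")
    if company_key and company_key in folded.replace(" ", ""):
        findings.append("company-name")
    return findings

def audit_inventory(records):
    """Return (bt_name, findings) for every device whose name leaks identity."""
    report = []
    for rec in records:
        findings = audit_name(rec["bt_name"], rec["owner"], rec["company"])
        if findings:
            report.append((rec["bt_name"], findings))
    return report

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY):
        print(f"{name!r}: {', '.join(findings)}")
```

Devices left on a default model name pass the audit; flagged devices are candidates for renaming to a neutral identifier and for having discoverable mode switched off.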