Archive for the ‘Social Engineering’ Category


There has been a large amount of security information and recent attacks posted in the media.  We have Mandiant’s report on China as well as several issues concerning Java.  The pure volume of information over the past year has made it difficult to keep up without a combination of sources.  As a result InfoSecAlways has made a few modifications to the site.  Please check out the new “Security Feeds” in the right column (4th Block Down).  This is a combination of about 20 different security RSS feeds piping into the blog now.  You can check the site daily to get the latest news and updates in the industry.

Also, check out the links page as there are several new Threat and Vulnerability links added.  These are great if you are looking for specific attacks, breaches, or threats.


In my last post I was trying to see if someone had examples mapped to the book “The Psychology of Persuasion”.  It appears I jumped in too quickly with my first article, because after a few hours of research on the topic I came across the social engineering framework.

http://www.social-engineer.org/framework/Social_Engineering_Framework

This site does not really have a lot of examples but there are several sections like the “Influence Others” that directly map to the book framework.  There is still a good deal of expansion that can be done on this subject so I’m glad the community has a solid foundation they are using for a framework.


What is it that allows someone to be manipulated into giving you something?

At the Brain Tank conference the other weekend I watched a presentation called “Evolutionary Bias in Social Engineering: An Anthropologist’s Perspective”.  Unfortunately this wasn’t what I was expecting.  Randy, the presenter, spent a large amount of time explaining that ultimately humans all strive for one thing, sex.  Interesting enough, but after 20 minutes I got the point and hadn’t heard anything yet about social engineering anyone into having sex.  Near the end he started to get into more interesting content.  He put 5 words on the table about persuasion, which is basically why social engineering works.  Unfortunately it was just a perspective talk and didn’t really go into social engineering detail.  In any event those 5 words were very similar to some I read in a book previously.

The Book

In management you tend to read many books.  One I read several years ago was called “Influence: The Psychology of Persuasion”.   A great read on why people say yes and how to defend yourself against a persuasive person.

Those 5 words in Randy’s presentation almost mapped directly to the fundamental principles in this book.


From the book!

  1. Consistency
  2. Reciprocation
  3. Social Proof
  4. Authority
  5. Liking
  6. Scarcity

Unfortunately he didn’t give social engineering examples, which would have been great for each of the 5 topics.  I mean, that would really be a good presentation.

We all know “Liking” works great.  If you just make friends with someone during smoke breaks or say hi to the security guard, that person will always let you do or get more than you should.

Reciprocation also works great for phone calls as a phased social engineering tactic.  Call up someone acting as a vendor or part of IT and offer to fix their computer.  If they have a problem, try to figure it out and fix it.  Call back a few days later and they will help you and provide information.

In any case I would love to hear if anyone has done any further analysis related to influence and social engineering as explained above.


The first annual Brain Tank conference – Small but effective!

There are good and bad things about small hacker cons.  The good is that you have time to talk and figure things out with other people much more effectively than at some of the larger conferences.  The bad is that larger conferences tend to have many items for purchase to help you improve your skills.  These items were not available at the Brain Tank con.  Overall the mix between Hacker/Maker proved interesting and informative for the presentations that I watched.  It was also good for those of us looking to get more experience in the Lockpick Village hosted by Toool.  However, if you were looking for additional picks or tension wrenches, this was not the place.

http://toool.us/

Overall the event had about 150 people and was a good time helping gain more experience.  This event surely will grow over time and eventually have to relocate to a bigger space than that provided by A220.org.


It’s about time!  Foundstone Professional Services has been added to the Avert Labs research blog.  So now the makers of all the free hacking tools are accessible online.  Check it out; there are already some great posts.

http://www.avertlabs.com/research/blog/index.php/category/foundstone/

I’ve also added it as a Blogroll.


The PhishMe blog on building employee awareness to social engineering tactics was inspiring so I finally decided to put up a paper on this site regarding similar subject matter.

Extreme Social Engineering

Combating the Insider Security Threat – A Security Awareness Exercise

This paper has been developed to address the human factor of security and the apparent weaknesses within organizations due to employees’ lack of security awareness.  The purpose is to provide organizations a simple solution for increasing security awareness and combating other malicious insider security threats through a series of social engineering exercises.  The document is available by clicking the name above or by accessing the “Papers” section of the site.

PhishMe Blog Entry:

http://blog.phishme.com/2007/09/time-to-phish-your-customers/