PI Newswire

Content aggregation for the investigative professional


Search Results: social-engineering

There are few better opportunities to put your social engineering skills to the test than trying to convince someone you work at their establishment. Whether you just want to serve yourself a drink refill at a restaurant or you want to surprise your significant other with a birthday bouquet, here’s how to get in unnoticed.

Project Confidence

If you walk around looking nervous and glancing from side to side, people will be able to tell that you don’t belong. Worse, they may approach you and ask questions. It may be unavoidable, but the most important thing to do if you’re trying to blend into any environment is to look like you belong there. That is, stand up straight, walk confidently like you know where you’re headed (even if you have no idea where this hallway will lead you), and acknowledge people as they acknowledge you, the way you would in your own office or workplace.

This makes the other people around you subconsciously believe that you’re there for a reason. An old friend of mine who used to do penetration testing and physical security evaluations at large companies found that all too often she could find her way to the CEO’s office to hand-deliver her report just by walking around the building looking like she belonged there.

Take Advantage of Human Nature

The best way to get into a building or office that you want access to is to go in behind someone else. Most people call it “tailgating,” and it’s a serious security issue for offices, apartment complexes, college dorms, anywhere with restricted access, but it’s your best friend here.

Read more…

A former Anonymous hacker says that all the security tools in the world can’t patch the biggest security hole: people.

Cisco interviewed the hacker known as @SparkyBlaze, who quit the group a couple weeks ago because he thought some members were spending too much time targeting innocent people.

He confirms what a lot of security experts know but won’t say, because they’re often trying to sell a technological solution: the most effective form of hacking is social engineering — getting people to disclose their passwords and other information.

As he puts it:

In my mind social engineering is the biggest issue today. We have the software/hardware to defend buffer overflows, malware, DDoS and code execution. But what good is that if you can get someone to give you their password or turn off the firewall because you say you are Greg from computer maintenance just doing testing. It all comes down to lies, everyone does it and some people get good at it.

Read more…

The gig: Andrew Bosworth, 29, is the director of engineering at Facebook Inc. and inventor of the social networking site’s News Feed, a feature that broadcasts what your friends are doing on Facebook. He created the Palo Alto company’s engineering boot camp, which helps new recruits get up to speed on Facebook’s computer code and culture. A photographer who takes snapshots of company events, he’s also something of an unofficial Facebook historian.

Lucky encounter: Bosworth met his future boss at Harvard University in 2004. A senior, he was a teaching assistant in an artificial intelligence class. Mark Zuckerberg, a sophomore, was assigned to him. “He didn’t attend my lessons as often as most of my students, but to be fair he was quite literally building Facebook at the time,” Bosworth recalled. “It has worked out well for all of us.” Two years later, Bosworth, who was working at Microsoft Corp. in Seattle, got a call from a recruiter hunting for someone with a background in artificial intelligence. He flew down to Facebook to interview. “I loved using Facebook, but it seemed like it had fulfilled its destiny,” he said. “But when I talked to the team at Facebook, they described a vision of the social Web that had incredible ambition.”

California kid: Bosworth, who goes by the nickname Boz, grew up on a horse ranch and vineyard in the rolling hills of Saratoga in Santa Clara County, where his family has lived since 1891. Bosworth has such a strong attachment to his home state that he has a tattoo of California on his right forearm along with a grizzly bear and golden poppies.

Straight shooter: Bosworth’s other tattoo spells out “veritas,” the Latin word for truth. “I have always just believed in transparency and honesty. That’s a big part of who I am as a person. I wear my heart on my sleeve,” he said.

Read more…

There always has been an interesting relationship between physical and electronic security. Card readers and cameras are electronic devices, of course, but the doors they open and the pictures they create are used in the purely physical world, to bar or allow entry to a data center or to keep a record of who has entered and departed.

The world of video surveillance, a huge element of the world of electronic surveillance, is undergoing changes as significant as those impacting the rest of the IT and telecommunications worlds. The key, as it is elsewhere, is the transition from analog to digital and the use of private and public IP networks to transport those digital signals.

The bottom line is that the overall growth of video has upset the surveillance side of the marketplace. “A number of years ago — but not too many — video was in the backwash of the security industry,” said Joe Freeman, the CEO of security consulting firm J.P. Freeman LLC. “That’s reversed. Video is now in the forefront.”

The growth of IP-based video surveillance is part and parcel of the overall explosion of video and, more specifically, user-generated content, said Patrik Pettersson, the business development manager for Axis Communications, a vendor of IP-based cameras and equipment that IP-enables analog equipment. “I think what is driving the adoption of IP video surveillance is a growing understanding of video in general in a networking environment,” he said. “You have switch, server and storage manufacturers addressing video not only from a content delivery perspective — like VOD — but also on the creation side.”

Read more…

Within days of Facebook rolling out new security features designed to block spam, several new social-engineering attacks were spreading that somehow managed to get by the company’s antispam defenses.

The spammers have modified their handiwork so it will get past Facebook’s scam detection system, company spokesman Fred Wolens told CNET today.

“There are new methods they’ve picked up after we put out the protections on Thursday,” he said. “It’s an arms race. We put out new protections and they come up with new campaigns… When we announced the new security features, they were calibrated for all the self-XSS attacks we’d seen at the time.”

The company began turning on a feature last week that displays warnings when it detects that users are about to be duped by cross-site scripting (XSS) and clickjacking attacks. In such attacks, people are tricked into clicking something (clickjacking) or pasting some code into their browser Web address bar (XSS).

Yet there were several XSS attacks this weekend and today and warnings were not displayed. In one of them, users were tempted with a post that said “Facebook now has a dislike button! Click ‘Enable Dislike Button’ to turn on the new feature!” (On a side note, Wolens artfully dodged the question of whether Facebook would ever add a “dislike” button.)

Read more…

Top 5 Business Security Risks

Posted on May 7, 2011

1. Data Breaches: Businesses suffer most often from data breaches, making up 35% of total breaches. Medical and healthcare services are also frequent targets, accounting for 29.1% of breaches. Government and military make up 16.2%, banking, credit, and financial services account for 10.5%, and 9.2% of breaches occur in educational institutes.

Even if you protect your PC and keep your critical security patches and antivirus definitions updated, there is always the possibility that your bank or credit card company may be hacked, and your sensitive data sold for the purposes of identity theft.

2. Social Engineering: This is the act of manipulating people into taking certain actions or disclosing sensitive information. It’s essentially a fancier, more technical form of lying.

At 2010’s Defcon, a game was played in which contestants used the telephone to convince company employees to voluntarily cough up information they probably shouldn’t have. Of 135 “targets” of the social engineering “game,” 130 blurted out sensitive information. All five holdouts were women who gave up zero data to the social engineers.

3. Failure to Log Out: Web-based email services, social networking sites, and other websites that require login credentials generally provide an option to “Remember me,” “Keep me logged in,” or “Save password,” and, once selected, will do so indefinitely. This feature often works with cookies, or codes stored in temp files. Some operating systems also include an “auto-complete” feature, which remembers usernames and passwords.

Read more…

One of the most sensitive science labs in the US has shut down all internet access after attackers exploited a vulnerability in Microsoft’s Internet Explorer browser to steal data from some of its servers, according to published news reports.

The security breach at the Oak Ridge National Laboratory is at least the second time since 2007 that computers have been hacked when employees were duped by phishing emails. The most recent compromise was initiated by messages that were manipulated so that they appeared to come from the lab’s Human Resource Department, The Knoxville News Sentinel reported.

According to a follow-up post, a link included in the fraudulent email, which first entered the lab’s systems on April 7, exploited a critical vulnerability in IE that Microsoft fixed last Tuesday. It was the same bug that fetched a security researcher a $15,000 prize in the recent Pwn2Own hacking contest.

A lab spokesman told Security News Daily that security personnel “saw substantial activity” that resulted in “very limited data in the megabytes, not the gigabytes” being stolen.

The publication also said that of the 530 or so employees who received the email, 57 of them clicked on the booby-trapped link. It’s a startling admission, given that the previous security breach was also touched off when workers clicked on malicious attachments embedded in emails that informed the recipients of an upcoming scientific conference or pretended to give information about a complaint filed on behalf of the Federal Trade Commission.

Read more…

The recent security events at RSA and Epsilon have raised once again the question of social engineering attacks against enterprises. RSA employees were targeted by an email titled “2011 Recruitment Plan.” The subject seemed relevant and interesting enough for the targeted employees to open it. This email included an attachment that exploited a Flash vulnerability in order to install malware on the employee’s computer. This is the entire essence of social engineering – how do cyber criminals trick users into voluntarily doing something they really shouldn’t?

The recent massive data leak from email service provider Epsilon will result in more employees being exposed to such attacks. At Trusteer, we have been monitoring social engineering attacks for some time and consider this method one of the most effective tools available to criminals. In a recent blog we discussed how cyber criminals can use Google Alerts to place malware on a user’s computer. Today, I’d like to share with you the results of a new research project we conducted into social engineering attacks and whether user education would defend against them.

While many experts believe that social engineering attacks can be defeated using proper user education, our research has shown otherwise. We have found that a carefully crafted attack will fool most educated users.

As a security best practice, users are told that if something looks too good to be true, uncommon, unlikely, or calls for immediate action then it’s most likely an attack. For example, phishing emails that encourage a user to click on a link in order to unblock their bank account meet most of these criteria – it’s unlikely for a bank to contact customers this way, and it calls for immediate action. Similarly an email from the tax authorities about a pending refund is probably too good to be true and unlikely to happen over email. These types of attacks can be explained to users and most likely avoided. Of course, in large populations some users will still fall for these attacks regardless of how much effort is put into education. The tools that organizations have to train their customers are not effective enough to reach all customers and convey the message in a way that all customers understand.

Read more…

A controversial program initiated by the U.S. military creates online “puppet identities” to manipulate conversations on social networks and blogs.

A California-based company, Ntrepid, was awarded a contract that would put U.S. service men and women in charge of secret online identities, according to the Guardian. Each service person is tasked with creating undercover identities, counterfeit avatars, who would participate in digital social-espionage, partaking in forum threads, blog conversations, and social media posts. Ntrepid’s software is capable of putting each individual in charge of 10 fake online-identities that appear to be located in various spots around the globe. They would use the personas to pose as members in the terrorist organizations, collect data, divert potential attacks, and covertly inject pro-U.S. propaganda into the online social spheres of terrorist groups like Al Qaeda.

The initiative is part of a $200 million program called Operation Earnest Voice (OEV), which charges US Central Command (Centcom) with countering terrorist planning, dialogue, and recruitment through online interventionist tactics. Centcom’s Ntrepid contract oversees up to 50 controllers who in turn oversee their own fake identities. Each one will have a believable background to dupe fact checkers.

Read more…

Social media is the fifth form of mainstream media. At this point, most people know how to use social media, and how to navigate the various websites. But what most users don’t yet realize is how social media can be used against them.

Social media identity theft occurs for a number of reasons.

1. An online impersonator may attempt to steal your clients or potential clients.

2. Impersonators may squat on your name or brand, hoping to profit by selling it back to you or preventing you from using it.

3. Impersonators who pose as legitimate individuals or businesses can post infected links that will infect the victim’s PC or network with a virus that gives hackers backdoor access.

Read more…

A report by Social-Engineer.Org reveals some alarming information regarding a DEFCON CTF contest which included targets such as BP, Shell, Apple, Google, Microsoft, Cisco Systems, Procter & Gamble, Pepsi, Coca-Cola, Symantec, Philip Morris, Walmart, McAfee and Ford.

One of the most worrying findings was that it doesn’t take a seasoned expert in social engineering to successfully penetrate a company.

Inexperienced attackers have easy access to free resources including Facebook, LinkedIn, Twitter, Google Search, and Google Street. These resources, coupled with call centers and customer service departments that are focused on customer satisfaction, were enough to gather valuable information from most targeted companies.

For the more resistant targets, there were plenty of believable pretexts to choose from (e.g., employee satisfaction survey, helpless customer, recruitment agency interviewing a former employee who just posted a resume on a job-seeking website, etc.). As a last resort, any resistance encountered was easily overcome by simply hanging up and calling again until a more cooperative employee could be reached.

Sensitive information (e.g., financial, strategic, etc.) was off limits for the CTF, but fair game ‘flags’ included employee schedules, browser versions, and anti-virus software used. Contestants were also encouraged to fool targets into opening a fake URL as a way of demonstrating a very common attack technique.

Read more…

Among the unsettling results in the final report, released today, from the Social Engineering Capture The Flag contest held in August at Defcon: Security companies were just as susceptible to social engineering as nontechnology firms, Internet Explorer 6 was still in use at 65 percent of the Fortune 500 companies targeted in the contest, and nearly 90 percent of the targets willingly opened a URL that the contestants gave them.

The contest, in which the art of social engineering was demonstrated on a rare public stage using real-world targets, was aimed at gauging the vulnerability of major corporations to social engineering. And the 17 contestants, who had to compile a dossier of as much information as they could gather passively on their assigned target company beforehand (no phone calls, email, or direct contact), had little trouble scoring information in the 25 minutes they had to social-engineer someone on the other end of the telephone line during the contest. The event was open to Defcon attendees to watch as the contestants made their calls from a soundproof booth.

Google, BP, McAfee, Symantec, Shell, Microsoft, Oracle, Cisco, Apple, and Walmart were on the list of targeted companies. The contest organizers aren’t saying which company’s employees gave up what information, but they admit the contestants were able to get plenty out of their targets.

“With every company called, if we had been hired to do an audit, they would have failed,” says Chris Hadnagy, founder of social-engineer.org, which organized the Social Engineering Capture The Flag contest.

Retailers were the savviest about not giving away too much information to a stranger over the phone, and women were more likely to stop the caller dead in his tracks, too. “We thought the AV companies would be the ones to shut us down, or the technology companies, like Cisco, Microsoft, or Apple, because they were all aware of this contest,” Hadnagy says. “And they all have some semblance of a security awareness program.”

Read more…