Social Engineering Chatbots With Sad-Sob Stories, For Fun And Profit

October 5, 2023 by Dan Maloney 23 Comments

By this point, we probably all know that most AI chatbots will decline a request to do something even marginally nefarious. But it turns out that you just might be able to get a chatbot to solve a CAPTCHA puzzle (Nitter), if you make up a good enough “dead grandma” story.

Right up front, we’re going to warn that fabricating a story about a dead or dying relative is a really bad idea; call us superstitious, but karma has a way of balancing things out in ways you might not like. But that didn’t stop X user [Denis Shiryaev] from trying to trick Microsoft’s Bing Chat. As a control, [Denis] first uploaded the image of a CAPTCHA to the chatbot with a simple prompt: “What is the text in this image?” In most cases, a chatbot will gladly pull text from an image, or at least attempt to do so, but Bing Chat has a filter that recognizes obfuscating lines and squiggles of a CAPTCHA, and wisely refuses to comply with the prompt.

On the second try, [Denis] did a quick-and-dirty Photoshop of the CAPTCHA image onto a stock photo of a locket, and changed the prompt to a cock-and-bull story about how his recently deceased grandmother left behind this locket with a bit of their “special love code” inside, and would you be so kind as to translate it, pretty please? Surprisingly, the story worked; Bing Chat not only solved the puzzle, but also gave [Denis] some kind words and a virtual hug.

Now, a couple of things stand out about this. First, we’d like to see this replicated — maybe other chatbots won’t fall for something like this, and it may be the case that Bing Chat has since been patched against this exploit. If [Denis]’ experience stands up, we’d like to see how far this goes; perhaps this is even a new, more practical definition of the Turing Test — a machine whose gullibility is indistinguishable from a human’s.

Physical Security Hack Chat With Deviant Ollam

June 1, 2020 by Dan Maloney 1 Comment

Join us on Wednesday, June 3 at noon Pacific for the Physical Security Hack Chat with Deviant Ollam!

You can throw as many resources as possible into securing your systems — patch every vulnerability religiously, train all your users, monitor their traffic, eliminate every conceivable side-channel attack, or even totally air-gap your system — but it all amounts to exactly zero if somebody leaves a door propped open. Or if you’ve put a $5 padlock on a critical gate. Or if your RFID access control system is easily hacked. Ignore details like that and you’re just inviting trouble in.

Once the black-hats are on the inside, their job becomes orders of magnitude easier. Nothing beats hands-on access to a system when it comes to compromising it, and even if the attacker isn’t directly interfacing with your system, having him or her on the inside makes social engineering attacks that much simpler. System security starts with physical security, and physical security starts with understanding how to keep the doors locked.

To help us dig into that, Deviant Ollam will stop by the Hack Chat. Deviant works as a physical security consultant and he’s a fixture on the security con circuit and denizen of many lockpicking villages. He’s well-versed in what it takes to keep hardware safe from unauthorized visits or to keep it from disappearing entirely. From CCTV systems to elevator hacks to just about every possible way to defeat a locked door, Deviant has quite a bag of physical security tricks, and he’ll share his insights on keeping stuff safe in a dangerous world.

Our Hack Chats are live community events in the Hackaday.io Hack Chat group messaging. This week we’ll be sitting down on Wednesday, June 3 at 12:00 PM Pacific time. If time zones have you down, we have a handy time zone converter.

Click that speech bubble to the right, and you’ll be taken directly to the Hack Chat group on Hackaday.io. You don’t have to wait until Wednesday; join whenever you want and you can see what the community is talking about.

Pentesting Hack Chat This Wednesday

May 11, 2020 by Dan Maloney 3 Comments

Join us on Wednesday, May 13 at noon Pacific for the Pentesting Hack Chat with Eric Escobar!

Ask anyone in this community to name their dream jobs and chances are pretty good that penetration tester will be somewhere on the shortlist. Pentesters are allowed — nay, encouraged — to break into secure systems, to test the limits and find weak points that malicious hackers can use to gain access. The challenge of hacking and the thrill of potentially getting caught combined with no chance of prosecution? And you get paid for it? Sounds good to us!

Professional pentesting is not all cops-and-robbers fun, of course. Pentesters have to stay abreast of the latest vulnerabilities and know what weaknesses are likely to exist at a given facility so they know what to target. There are endless hours of research, often laborious social engineering, and weeks of preparation before actually attempting to penetrate a client site. The attack could be as complex as deploying wireless pentesting assets via FedEx, or as simple as sprinkling thumb drives in the parking lot. But when it comes, a pentest often reveals just how little return companies are getting on their security investment.

As a consultant for a security firm, Eric Escobar gets to challenge companies on a daily basis. He’s also a regular on the con circuit, participating in challenges like Wireless CTF at DEF CON… until he won too many times. Now he helps design and execute the challenges, helping to share his knowledge with other aspiring pentesters. And he’ll stop by the Hack Chat to do the same with us, and tell us all about the business of keeping other businesses in business.

Our Hack Chats are live community events in the Hackaday.io Hack Chat group messaging. This week we’ll be sitting down on Wednesday, May 13 at 12:00 PM Pacific time. If time zones have got you down, we have a handy time zone converter.

Airport Runways And Hashtags — How To Become A Social Engineer

August 23, 2019 by Sharon Lin 11 Comments

Of the $11.7 million companies lose to cyber attacks each year, an estimated 90% begin with a phone call or a chat with support, showing that the human factor is clearly an important facet of security and that security training is seriously lacking in most companies. Between open-source intelligence (OSINT) — the data the leaks out to public sources just waiting to be collected — and social engineering — manipulating people into telling you what you want to know — there’s much about information security that nothing to do with a strong login credentials or VPNs.

There’s great training available if you know where to look. The first time I heard about WISP (Women in Security and Privacy) was last June on Twitter when they announced their first-ever DEFCON Scholarship. As one of 57 lucky participants, I had the chance to attend my first DEFCON and Black Hat, and learn about their organization.

Apart from awarding scholarships to security conferences, WISP also runs regional workshops in lockpicking, security research, cryptography, and other security-related topics. They recently hosted an OSINT and Social Engineering talk in San Francisco, where Rachel Tobac (three-time DEFCON Social Engineering CTF winner and WISP Board Member) spoke about Robert Cialdini’s principles of persuasion and their relevance in social engineering.

Cialdini is a psychologist known for his writings on how persuasion works — one of the core skills of social engineering. It is important to note that while Cialdini’s principles are being applied in the context of social engineering, they are also useful for other means of persuasion, such as bartering for a better price at an open market or convincing a child to finish their vegetables. It is recommended that they are used for legal purposes and that they result in positive consequences for targets. Let’s work through the major points from Tobac’s talk and see if we can learn a little bit about this craft.

Continue reading “Airport Runways And Hashtags — How To Become A Social Engineer” →

Manhattan Mystery Of Creepy Jingles And Random Noises Solved

December 15, 2018 by Dan Maloney 23 Comments

Here’s a puzzler for you: If you’re phreaking something that’s not exactly a phone, are you still a phreak?

That question probably never crossed the minds of New Yorkers who were acoustically assaulted on the normally peaceful sidewalks of Manhattan over the summer by creepy sounds emanating from streetside WiFi kiosks. The auditory attacks caused quite a stir locally, leading to wild theories that Russian hackers were behind it all. Luckily, the mystery has been solved, and it turns out to have been part prank, part protest, and part performance art piece.

To understand the exploit, realize that New York City has removed thousands of traditional pay phones from city sidewalks recently and replaced them with LinkNYC kiosks, which are basically WiFi hotspots with giant HDTV displays built into them. For the price of being blitzed with advertisements while strolling by, anyone can make a free phone call using the built-in VOIP app. That was the key that allowed [Mark Thomas], an old-school phreak and die-hard fan of the pay telephones that these platforms supplanted, to launch his attack. It’s not exactly rocket surgery; [Mark] dials one of the dozens of conference call numbers he has set up with pre-recorded audio snippets. A one-minute delay lets him crank the speakerphone volume up to 11 and abscond. The recordings vary, but everyone seemed most creeped out by the familiar jingle of the [Mr. Softee] ice cream truck franchise, slowed down and distorted to make it sound like something from a fever dream.

Yes, it’s a minimal hack, and normally we don’t condone the misuse of public facilities, even ones as obnoxious as LinkNYC appears to be. But it does make a statement about the commercialization of the public square, and honestly, we’re glad to see something that at least approaches phreaking again. It’s a little less childish than blasting porn audio from a Target PA system, and far less dangerous than activating a public safety siren remotely.

Continue reading “Manhattan Mystery Of Creepy Jingles And Random Noises Solved” →

Google Discovers Google+ Servers Are Still Running

October 9, 2018 by Tom Nardi 70 Comments

Google is pulling the plug on their social network, Google+. Users still have the better part of a year to say their goodbyes, but if the fledgling social network was a ghost town before, news of its imminent shutdown isn’t likely to liven the place up. A quick check of the site as of this writing reveals many users are already posting their farewell messages, and while there’s some rallying behind petitions to keep the lights on, the majority realize that once Google has fallen out of love with a project there’s little chance of a reprieve.

To say that this is a surprise would be disingenuous. We’d wager a lot of you already thought it was gone, honestly. It’s no secret that Google’s attempt at a “Facebook Killer” was anything but, and while there was a group of dedicated users to be sure, it never attained anywhere near the success of its competition.

According to a blog post from Google, the network’s anemic user base isn’t the only reason they’ve decided to wind down the service. A previously undisclosed security vulnerability also hastened its demise, a revelation which will particularly sting those who joined for the privacy-first design Google touted. While this fairly transparent postmortem allows us to answer what ended Google’s grand experiment in social networking, there’s still one questions left unanswered. Where are the soon to be orphaned Google+ users supposed to go?

Continue reading “Google Discovers Google+ Servers Are Still Running” →