Of the $11.7 million companies lose to cyber attacks each year, an estimated 90% begin with a phone call or a chat with support, showing that the human factor is clearly an important facet of security and that security training is seriously lacking in most companies. Between open-source intelligence (OSINT) — the data that leaks out to public sources just waiting to be collected — and social engineering — manipulating people into telling you what you want to know — there’s much about information security that has nothing to do with strong login credentials or VPNs.
There’s great training available if you know where to look. The first time I heard about WISP (Women in Security and Privacy) was last June on Twitter when they announced their first-ever DEFCON Scholarship. As one of 57 lucky participants, I had the chance to attend my first DEFCON and Black Hat, and learn about their organization.
Apart from awarding scholarships to security conferences, WISP also runs regional workshops in lockpicking, security research, cryptography, and other security-related topics. They recently hosted an OSINT and Social Engineering talk in San Francisco, where Rachel Tobac (three-time DEFCON Social Engineering CTF winner and WISP Board Member) spoke about Robert Cialdini’s principles of persuasion and their relevance in social engineering.
Cialdini is a psychologist known for his writings on how persuasion works — one of the core skills of social engineering. It is important to note that while Cialdini’s principles are being applied in the context of social engineering, they are also useful for other means of persuasion, such as bartering for a better price at an open market or convincing a child to finish their vegetables. It is recommended that they are used for legal purposes and that they result in positive consequences for targets. Let’s work through the major points from Tobac’s talk and see if we can learn a little bit about this craft.
Continue reading “Airport Runways And Hashtags — How To Become A Social Engineer”
Here’s a puzzler for you: If you’re phreaking something that’s not exactly a phone, are you still a phreak?
That question probably never crossed the minds of New Yorkers who were acoustically assaulted on the normally peaceful sidewalks of Manhattan over the summer by creepy sounds emanating from streetside WiFi kiosks. The auditory attacks caused quite a stir locally, leading to wild theories that Russian hackers were behind it all. Luckily, the mystery has been solved, and it turns out to have been part prank, part protest, and part performance art piece.
To understand the exploit, realize that New York City has removed thousands of traditional pay phones from city sidewalks recently and replaced them with LinkNYC kiosks, which are basically WiFi hotspots with giant HDTV displays built into them. For the price of being blitzed with advertisements while strolling by, anyone can make a free phone call using the built-in VOIP app. That was the key that allowed [Mark Thomas], an old-school phreak and die-hard fan of the pay telephones that these platforms supplanted, to launch his attack. It’s not exactly rocket surgery; [Mark] dials one of the dozens of conference call numbers he has set up with pre-recorded audio snippets. A one-minute delay lets him crank the speakerphone volume up to 11 and abscond. The recordings vary, but everyone seemed most creeped out by the familiar jingle of the [Mr. Softee] ice cream truck franchise, slowed down and distorted to make it sound like something from a fever dream.
Yes, it’s a minimal hack, and normally we don’t condone the misuse of public facilities, even ones as obnoxious as LinkNYC appears to be. But it does make a statement about the commercialization of the public square, and honestly, we’re glad to see something that at least approaches phreaking again. It’s a little less childish than blasting porn audio from a Target PA system, and far less dangerous than activating a public safety siren remotely.
Continue reading “Manhattan Mystery Of Creepy Jingles And Random Noises Solved”
Google is pulling the plug on their social network, Google+. Users still have the better part of a year to say their goodbyes, but if the fledgling social network was a ghost town before, news of its imminent shutdown isn’t likely to liven the place up. A quick check of the site as of this writing reveals many users are already posting their farewell messages, and while there’s some rallying behind petitions to keep the lights on, the majority realize that once Google has fallen out of love with a project there’s little chance of a reprieve.
To say that this is a surprise would be disingenuous. We’d wager a lot of you already thought it was gone, honestly. It’s no secret that Google’s attempt at a “Facebook Killer” was anything but, and while there was a group of dedicated users to be sure, it never attained anywhere near the success of its competition.
According to a blog post from Google, the network’s anemic user base isn’t the only reason they’ve decided to wind down the service. A previously undisclosed security vulnerability also hastened its demise, a revelation which will particularly sting those who joined for the privacy-first design Google touted. While this fairly transparent postmortem allows us to answer what ended Google’s grand experiment in social networking, there’s still one question left unanswered. Where are the soon-to-be-orphaned Google+ users supposed to go?
Continue reading “Google Discovers Google+ Servers Are Still Running”
I’ve been aware of the Social Engineering panels, talks, and villages at many conferences over the past few years. For some reason, be it the line to get in or conflicting schedules, I haven’t made it to one. Today was my day and I had a blast. The Social Engineering Panel at HOPE XIII is a great introduction to the dark(ish) art and a stroll through memory lane with some notables in the field.
Social Engineering (SE) is the pseudo-science of getting what you want by convincing people to share information, usually without them even knowing they’re doing so. This particular panel focused on over-the-phone SE, and the four panel members began with a simple illustration. SE has changed over the years in large part because it is increasingly difficult to get a human on the phone. For about ten minutes an attempt was made to reach a person at Verizon, AT&T, and Spectrum Cable. With a two-minute limit per phone number, every attempt failed.
But this didn’t derail the talk, which featured story time from Emmanuel Goldstein, Alexander J. Urbelis, Flyko, and Cheshire Catalyst. As phreakers back in the day, and tele-social engineers still, the stories were very entertaining. The panel was live streamed, but it doesn’t look like the video is available on demand yet, so I’ll give you a quick and entertaining overview.
Continue reading “HOPE XIII: Oh The Fun You’ll Have With A Bit Of Social Engineering”
Where do you travel every day? Are there any subtle ploys to manipulate your behavior? Would you recognize them or are they just part of the location? Social engineering sometimes gets a bad rap (or is it rep?) in the mainstream, but the public-facing edge of that sword can keep order as it does in Japanese train stations. They employ a whirlwind of psychological methods to make the stations run like clockwork.
The scope of strategies ranges from the diabolical placement of speakers emitting high-frequency tones to discourage youthful loitering to the considerate installation of blue lights to deter suicides. Not every tactic is as weighty as suicide prevention; sometimes just changing the grating departure buzzer to a unique tune for each station goes a long way toward relieving anxiety. Who wants to stand next to an anxious traveler who is just getting more and more sweaty? Listen below the break to hear what Tokyo subway tunes sound like.
Maybe you can spot some of these tricks where you live or something similar can ease your own commute. Perhaps the nearest subway has a piano for stairs or a 3D printing cyborg.
Continue reading “Social Engineering By Railways”
In 1978, Tim Jenkin was a man living on borrowed time, and he knew it. A white South African in his late 20s, he had been born into the apartheid system of brutally enforced racial segregation. By his own admission, he didn’t even realize in his youth that apartheid existed — it was just a part of his world. But while traveling abroad in the early 1970s he began to see the injustice of the South African political system, and spurred on by what he learned, he became an activist in the anti-apartheid underground.
Intent on righting the wrongs he saw in his homeland, he embarked on a year of training in London. He returned to South Africa as a propaganda agent with the mission to spread anti-apartheid news and information to black South Africans. His group’s distribution method of choice was a leaflet bomb, which used a small explosive charge to disperse African National Congress propaganda in public places. Given that the ANC was a banned organization, and that they were setting off explosives in a public place, even though they only had a few grams of gunpowder, it was inevitable that Jenkin would be caught. He and cohort Steven Lee were arrested, tried and convicted; Jenkin was sentenced to 12 years in prison, while Lee got eight.
Continue reading “Hacking When It Counts: Prison Locksmithing”
As Internet security has evolved it has gotten easier to lock your systems down. Many products come out of the box pre-configured to include decent security practices, and most of the popular online services have wised up about encryption and password storage. That’s not to say that things are perfect, but as the computer systems get tougher to crack, the bad guys will focus more on the unpatchable system in the mix — the human element.
History Repeats Itself
Ever since the days of the ancient Greeks, and probably before that, social engineering has been one option to get around your enemy’s defences. We all know the old tale of Ulysses using a giant wooden horse to trick the Trojans into allowing a small army into the city of Troy. They left the horse outside the city walls after a failed five-year siege, and the Trojans brought it in. Once inside the city walls a small army climbed out in the dead of night and captured the city.
How different is it to leave a USB flash drive loaded with malware around a large company’s car park, waiting for human curiosity to take over and an employee to plug the device into a computer hooked up to the corporate network? Both the wooden horse and the USB drive trick have one thing in common: humans are not perfect and make decisions which can be irrational.
Continue reading “Social Engineering Is On The Rise: Protect Yourself Now”