Be Interesting or Be Ignored

No matter what sort of spin you want to put on it, Social Engineering is old and has been around and used as a tool in social interaction as far back as any of us can remember. It’s a skill that we are born with, as we discussed in the very first newsletter. It’s omnipresent and used in everything from marketing to politics, scams to retail store displays. Social Engineering is commonplace, old news, and well, just plain ol' boring.

Because Social Engineering is so common, it's easy for people to dismiss it and say it's no big deal at all. This is the most common criticism we catch here at Social-Engineer.org: the idea that social engineering is really no big deal and we are just making a bunch of noise. While obviously I disagree with this point of view, I understand completely where people are coming from. Familiarity breeds contempt, and the concept of SE is so common in our lives that it feels mundane.

Most of us at Social-Engineer.org come from the information security field, and it's easy for us to see the impact of SE attacks. As a penetration tester, I am not ashamed to tell whoever asks that if I want to get into a company, the easiest way in is going to be a blended attack using social engineering techniques combined with some form of technical facilitation. In the penetration testing space, this sort of attack is not as common, as many compliance frameworks (the primary driver for much of the penetration testing that is conducted in the marketplace) don't require it. But if my objective is to get into a company and demonstrate the true impact that an external attack can pose against an organization, there is no doubt that some form of social engineering is going to be a part of that attack.

My methods are not unique. Most people that I know who work as professional penetration testers use the same tactics. It's common because it works. Individuals without permission use this as well. If you look at most large scale attacks that have occurred in the last few years, SE was a part of the attack. For example, the Google breach included SE within the targeted attacks that were directed at specific employees, and the HB Gary hack included SE in getting a trusted party to reset a password to a known value. Additionally, I can attest to a number of breach investigations I have been involved in that were directly mapped back to social engineering tricks used in faking UPS messages to employees within small businesses.

But does that matter to people that are not in security? Or was it only interesting to them the first time they heard about it, so that now that they hear the same story over and over again, they don't really want to pay any attention to it? The problem may be that as a community, we do not report these problems in an interesting way, one that will make people pay attention. That's not exactly easy to do, and in fact it is the same issue that news media has had for a long time: How do you get someone to spend their limited free time paying attention to an issue that is important, but not interesting?

There is no way that I claim to have all the answers to this, but I do have some ideas. The most obvious one is that while organizational breach stories are interesting to those of us in the security field, because we can relate to them, these are not the ones we need to keep waving around all the time. It's so easy to find SE around us. We should be able to find some examples that people will find more relatable and interesting.

For instance, on the topic of micro-expressions, these can often seem like meaningless details, but consider the new video game L.A. Noire. In L.A. Noire, the point of the game is that you are a cop who needs to go around and investigate crimes. This includes the typical gathering of evidence, but also includes a new twist: a key part of the game is that you have to question witnesses and suspects, and pay attention to when they are not being forthcoming or even flat out lying. Then, you must call them out on it. The game creators used the FACS system, partly developed by Paul Ekman, to create realistic facial expressions and non-verbals so the characters can be read properly. Reading body language and micro-expressions becomes the difference between success and failure in the game.

There was also a recent news story out of Philadelphia about a weatherman who took a trip to Miami Beach where he wound up drugged and with $43,000 charged to his American Express. What happened was the weatherman was approached by two attractive women who slipped him a roofie, then took him to a "private club", run by their accomplices, where they were able to get him to charge up a large amount on his credit card. They must have enjoyed his "company", as they were able to trick him again the second night. Pretty amazing when you consider the con was good enough to trick the man twice in a row, but going back to the idea that this is not new, you can look at the old movie Odd Man Out from 1947, where a similar scam was a key plot point.

On the topic of identity theft, there was the situation where a 24-year-old Russian used the Forbes 400 list to identify people with money who were worth targeting. Using public information sources, such as property registers, he would gather enough information about his targets that he was able to go to financial sites and utilize the "I Forgot my Password" feature to reset the password to a value he knew. He then would change the account's address to one he controlled. At that point, he would have new checkbooks issued out to him and go on a shopping spree.
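The identity theft story above follows a recognizable sequence on the victim's account: a self-service password reset, followed shortly by a mailing address change, followed by a request for new checkbooks. From the defender's side, that ordering is exactly what a fraud or SOC team can look for. The following Python is an added example written for this newsletter, not code from the original article or from any financial institution; the log format, event names, account ids and the 24-hour window are all assumptions, and the sample log lines are constructed.

```python
"""Flag account-takeover chains (password reset -> address change ->
checkbook order) in a constructed account event log.

Added example for this newsletter. The log format, event names and
the 24-hour window are assumptions, not any real institution's schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <account> <event type> <detail>".
# acct-2002 shows the full chain within a day; acct-3003 changes its address
# three days after the reset (outside the window); acct-1001 never resets.
SAMPLE_LOG = """\
2011-06-01T09:12:00 acct-1001 LOGIN ip=198.51.100.7
2011-06-01T09:40:00 acct-2002 PASSWORD_RESET channel=forgot_password
2011-06-01T09:43:00 acct-2002 ADDRESS_CHANGE old_zip=10022 new_zip=94102
2011-06-01T10:05:00 acct-2002 CHECKBOOK_ORDER qty=2
2011-06-02T14:00:00 acct-3003 PASSWORD_RESET channel=forgot_password
2011-06-05T08:00:00 acct-3003 ADDRESS_CHANGE old_zip=30301 new_zip=30302
2011-06-03T11:00:00 acct-1001 ADDRESS_CHANGE old_zip=60601 new_zip=60602
"""

# The chain described in the article, in the order it has to occur.
SEQUENCE = ("PASSWORD_RESET", "ADDRESS_CHANGE", "CHECKBOOK_ORDER")
WINDOW = timedelta(hours=24)  # assumed: how long after the reset we keep watching


def parse_log(text):
    """Parse the log into (timestamp, account, event, detail) tuples,
    sorted by account and then by time so each account reads chronologically."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, acct, kind, *rest = line.split()
        events.append((datetime.fromisoformat(ts), acct, kind, " ".join(rest)))
    events.sort(key=lambda e: (e[1], e[0]))
    return events


def find_takeover_chains(events, window=WINDOW, sequence=SEQUENCE):
    """Return {account: [matched event kinds]} for every account where a
    password reset is followed, within `window`, by the later steps of
    `sequence` in order. A reset alone is normal and is not reported;
    a reset plus at least one sensitive change is."""
    by_acct = defaultdict(list)
    for ts, acct, kind, _ in events:
        by_acct[acct].append((ts, kind))

    flagged = {}
    for acct, evs in by_acct.items():
        for i, (t0, kind0) in enumerate(evs):
            if kind0 != sequence[0]:
                continue
            matched = [kind0]
            step = 1
            for ts, kind in evs[i + 1:]:
                if ts - t0 > window:
                    break  # later events are outside the watch window
                if step < len(sequence) and kind == sequence[step]:
                    matched.append(kind)
                    step += 1
            if len(matched) >= 2:
                # Keep the longest chain seen for the account.
                if len(matched) > len(flagged.get(acct, [])):
                    flagged[acct] = matched
    return flagged


if __name__ == "__main__":
    for acct, chain in find_takeover_chains(parse_log(SAMPLE_LOG)).items():
        print(f"{acct}: {' -> '.join(chain)}")
```

Only acct-2002 is reported, with the full three-step chain; acct-3003's address change falls outside the window and acct-1001 never reset its password. In practice the reset event would carry the channel it came through (the "I Forgot my Password" flow versus an authenticated change), and a chain that starts from the self-service flow deserves a hold on the checkbook order and a call to the customer at a previously known number rather than the new one.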

These are three SE related issues that I think are good examples that are not related to organizational breaches. I would love to hear the ones that you think are good as well. Please send them to [email protected]. It's important that we share these sorts of examples with each other, as these are the ones that are more likely to resonate with non-security geeks. When putting together user education material, advocating security within your organization, or talking to friends and family, try to make use of these sorts of examples and see if they resonate on a more personal level. If we really want to effect change, if we really want to make people safer, we have to shoulder through the indifference that people hold, and examples that are relatable (or understandable) are an important part of that.

Written by James O'Gorman

Jim O'Gorman is a founding member of Social-Engineer.org, assists with the training of Advanced Windows Exploits for Offensive Security, and conducts penetration tests for CSC's StrikeForce.

Looking for Professional Social Engineering Services?

Social-Engineer is branching out with our new website Social-Engineer.Com.

We are providing some of the following services:

  • Social Engineering Pentests
  • Social Engineering Risk Assessments
  • Professional Information Gathering Services

For more information on any of the above, or on how we might be able to help you protect your company from malicious social engineers, contact us at:

[email protected]


This year's Social-Engineer.Org CTF at Defcon 19 is sponsored by:

  • Offsec
  • Core
  • Qualys