Volume 02 Issue 08
In this issue
• The Trust Hormone
• SE Tool Review
This month the device we have is so amazing we aren't allowed to put pictures of it. It is a Professional Grade RF Audio Bug with approx: 900 -1000 Feet Wireless Transmission.
This device is the best on the market and has amazing clarity and range. Truly it is remarkable. I am working now on getting some videos made to demo the usage of this device.
Spy Associates says this is a very secretive device and they can't have it adverstised so if you think you are interested in this amazing device you need to contact Jeff directly and tell him you heard about it on our podcast and newsletter.
You have to check out the link above and see what else Spy Associates has to offer. They have been an amazing sponsor and really have some of best social engineering/spy gear on the market. This can be a great addition to the tool set of professional SE's.
There is more to come, but till then make sure to check out Spy Associates for the latest and greatest Social Engineering Tools out there.
I am taking a different approach this month to the SE Tip. Instead it is an offer... We have had a lot of people in the last month ask to submit blog posts, articles and more.
So we are calling all social engineers. Do you want to have your article published? Do you want to have your skills highlighted? Do you want to show off your talents?
Here is your chance. Submit your article or research and if you can handle some editing and proof reading we will use it in our blog posts or newsletter.
Want to seem extra special? Submit a video showing off some social engineering talent and we will showcase you on the Resources and Videos page under a new section called DEMO's.
Each month, if we get a submission, we will showcase one special social engineer and their talents.
Here is all we ask - no articles or videos that are of an illegal nature. Of course if you are going to show us how the bad guys do their deeds, make sure you have the permission of the participants.
Each person who has an article used or a video showcased will land on the TEAM page for social-engineer.org and if your article is superb you will be featured in the newsletter.
In addition, any video we use will be discussed in the podcast and the newsletter.
Are you good enough? Prove it!
Keep those submissions coming.
A special thanks to Nicholas aka aricon this month for his excellent research into the trust hormone. A great article with some dynamic and NEW information for us as social engineers.
Great work and thanks aricon.
To contribute your ideas or writing send an email to firstname.lastname@example.org
This month is just as amazing. One of the leading professionals on earth in the subject of human influence is our guest. You will not want to miss this amazing podcast.
If you want to listen to our past podcasts hit up our Podcasts Page and download the past epidsodes.
What else? We are being featured along with Offensive Security in the Securabit Podcast this month. Shout out to those awesome guys. Be sure to check us out.
Social Engineering for the Rest of Us: Protection for Humans
Social Engineering attacks can be devastating. They are so
effective, that they make up the basis of many modern attacks, and
to McAfee, 46% of browser attacks were directed toward PDFs. This is
of course a combination of weak security in Adobe’s Code, as demonstrated by Logan’s
video, but it also carries with it the implicit notion that the
target has to open the pdf. This means SE tactics will be required.
Phishing attacks are another example of widespread social
engineering attacks that we have seen for years yet are still hitting hard
and heavy. The fact they are still happening so much just means that people
still fall for them regardless of numerous warnings.
Take these traditional attack vectors and combine them with the
widespread adoption of “social media” sites by the mainstream public, and
times are great for attackers. More and more the general public is entering
into areas that increase their exposure to social engineering attacks, and
they are just not ready for it. Traditional advice for these users, while
well intentioned, is just not resonating with them. This has been explained
quite well in the paper “So
Long, And No Thanks for the Externalities: The Rational Rejection of Security
Advice by Users” from Microsoft Research. The question becomes: What
advice can we give non-technical people that will help protect them from
Social Engineering based attacks?
Last week I was given the opportunity to speak with a community
group about this topic. This was a great chance for me to interact with a
segment of this user base and see what problems they are facing, what
concerns they have. By no means do I think that they are representative of
users everywhere, but it was a start.
After working with them, I walked away with a few concepts I tried to boil down to ten of the most basic, foundational, items that everyone needs to know The following list is written to help non-technical people, but really all in the community can benefit from the information it contains.
1. Common sense you use in day-to-day life applies online
2. The Internet is not evil.
More than anything else, the Internet is a tool that provides
amplification. The same actions, interactions, and content can be found
online or offline. However in all cases these actions, interactions and
content become louder if it is online. There are a multitude of reasons for
this that include the one to many contacts which can be made to the
permanence of any action taken online. The reasons don’t matter; just know
that something that happens on the Internet is going to be “louder”.
3. You can’t buy your way to safety.
In fact there is a strong argument some make that states too
much reliance on software such as anti-virus encourages people to engage in
unsafe behavior. When people think that they are protected from malicious
code by a quality
anti-virus product they are more likely to download and run unknown
software. We all know how effective that is. This aspect of human behavior
where a consistent risk level is maintained in the face of imposed safeguards
is the basis of risk compensation
4. Don’t be scared.
This fear drives much decision-making, putting many in
situations where they “spend” on the wrong problems. Everyone has a limited
amount of time and energy to put into online safety issues, so it is
important that what effort that will be put out gets put where it matters
most. Deciding where it matters most is not something that can be done
without being familiar with the problem set. Give up the fear, and jump in.
Where possible, deal with root causes of issues and not symptoms. Spend
energy on the highest impact locations, and accept the fact you will never be
5. Be aware of behavior modeling.
It’s important to also ask yourself, who models their behavior
off of you? If you are a parent with kids using Twitter or Facebook, are they
modeling their behavior on those networks off of you? Or is that not possible
because you are not using those services? If they don’t model their behavior
off of you, then whom are they modeling it off of? And are you comfortable
with that selection?
6. Assume everything you do on a social network is public.
7. If you don’t respect your privacy, no one else will
Much emphasis in recent years has been put on credit ratings.
Your online reputation is just as important. Personally, I have Googled
everyone that I have ever interviewed before the interview. For right and for
wrong, what I have found has either made me more excited to speak to the
applicant or decide not to bring them in at all. You have to understand that
this is happening all the time, for many different reasons. If you have no
respect for your privacy and online reputation, it will affect you. This is
one reason why some behaviors such as sexting can be so devastating. Content
that is placed online can not be removed, so any sort of embarrassing content
will stay around for far longer then was ever intended
8. You can lie.
On the flip side, you can lie as well. If a site is asking for
information from you, and there is no reason for them to have it, either
leave it blank or make something up. Does a site really need your
birthday? Do they really need to know your relationship status? Your annual
income? Your address? Take a moment to think critically about what sites are
requesting of you and if there is any good reason to provide it. If there is
not and they insist on some value being entered, make
9. There is no such thing as free.
10. Expect problems.
You will be harassed online at some point, and just like in real life there are appropriate ways to deal with the situations when it occurs. Never think you are the first and only person to encounter an issue. If you look around, you will find resources that specifically address your problem.
In recommending protective measures, we have to be respectful of
people’s time and knowledge. We can’t expect them to become experts in order
to be safe online, that’s just not reasonable. This list is a starting point
in trying to answer the questions of: What rules does everyone need to know
when he or she goes online? What defenses do we need to ensure that everyone
has? We would love your input on this, so we can continue to improve and
validate this list.
Feel free to put this in front of those you think might need it. In your business, at your school, or perhaps even in your family. If you have anything of value, someone is going to want to take it from you. Everyone could use some additional defense.
Jim O'Gorman - A chief contributor for social-engineer.org and consultant for Continuum Worldwide
Oxytocin the "Trust" Hormone
Most modern social-engineering (SE) techniques are used to analyze observable facets of human behavior and social interactions, but when it comes to bio-chemistry the field is wide open. While various crude pharmaceutical means can be used to provide a leg up in applied social-engineering efforts few if any appear to offer the promise of a simple hormone naturally produced by the human body.
First synthesized in 1953 by Nobel Prize winner Vincent
du Vigneaud, Oxytocin was initially developed and later marketed as a
medication to treat postpartum hemorrhages and to reduce the occurrence of
premature birth in human and veterinary subjects. The drugs that
contain the hormone are typically delivered via injection or by use of a
nasal spray rather than via ingestion as they are broken down without
significant absorption into the blood stream by the digestive system.
Other direct applications include studies for the treatments of social
bonding in autistic children and treatments of postpartum depression.
The neuropeptide is theorized to be produced by neurons for uptake into
receptors. It is released in large doses by cert illicit drugs
oxymethamphetamine (ecstasy) which is believed to be the cause of the
drug's feelings of empathy and closeness to others. In addition to uses
in maternity studies concerning its efficacy in the formation of trust
relationships between peers has also been raised.
Beginning with studies in rats in the late 1980s and leading
ultimately to a study in 2005 concerning the effects of Oxytocin on new trust
relationships and reduction of apprehension towards peers provides evidence
that it has a profound influence in this arena. The primary human study
on this subject utilized an "investor dilemma" trust experiment in
a double-blind study with 128 participants as well as a risk experiment
consisting of 66 participants used as a control group. The study showed
that in the group given a dose via nasal spray of Oxytocin in the trust
experiment had a mean average of 15.6% greater chance of investing in a trust
relationship where those without potential gain in the risk group showed no
statistically significant increase in their willingness to grant trust to
another. What this study indicates is that when an opportunity for
monetary gain was presented to a person under the influe! nce of the hormone
as opposed to the placebo they had a greater chance of investing that trust
in the other party, but in the cases where no gain could be garnered from
giving away their money they did not wish to do so. An additional study
designed to measure the duration of oxyticin levels in the bloodstream after
being administered showed that the drug has a relatively short
half-life of 1-6 minutes, which as the 2005 study on trust also noted
points to the fact the effect of the synthetic drug is very short-lived.
Knowing the results of these studies may not on the surface
provide for any significant effect on the social-engineering techniques that
you employ, but there is but more to this hormone other than simple trust
experiments using nasal sprays and illicit drugs. The naturally
occurring formation of Oxycontin varies in the adult human brain due to established
factors that are related to the levels of regular sleep a person
experiences and the duration of sustained stress levels that they
experience. In a 2009 study it was shown that individuals that were
under raised psychological stress levels for periods of several days or more
had reduced levels of of Oxytocin in their systems and showed signs of
increased distrust and hopelessness as compared to those that had not been
under these circumstances. Additionally the study showed that people
that had been in reduced stress situations that involved increase! d levels
of natural sleep had increased levels from the median average. When
this information is taken into account some interesting attack vectors become
relevant if some additional research is performed.
Using some basic information gathering techniques, such as
including checking social media updates for activity times when sleep would
otherwise be occurring, notices of vacation or extended work-hours or
personal relationship conflicts can all be indicators as to which parties
might be more apt for forming the kind of trust relationship a
social-engineer is looking for. Otherwise it could point out parties
that you may want to avoid or that you might otherwise approach as an attack
vector when other opportunities present themselves. These guidelines
may give a social engineer the edge they need to succeed where they
might otherwise fail in an engagement or at least give them greater
confidence that their target is susceptible to trust based manipulation.
There are certain websites that offer the sales of "Liquid Trust", which is a spray on version of Oxytocin. The claim is that by using this as a perfume you can instantly build trust with those around you. Whether this works or not, we are unsure, but for $50 it might be worth checking out the claims.
Until a better delivery mechanism arrives for artificially
produced oxytocin it is likely not a reliable tool for use in SE attacks, but
knowing how it is produced naturally and using the queues about its
production may be just as important to a talented social-engineer. In
order to best apply this knowledge towards this end a social engineer must
work hard to build a trust relationship using techniques that could
allow for disclosure of sensitive information. Additionally the person
could have a greater willingness to preform minor tasks for the social
engineer including plugging in a usb key to retrieve some information from it
or to allow them access to sensitive areas when posing as service personnel
requiring such access to complete a task. Trust relationships in these
situations prove crucial to an effective compromise to the human barriers
that would otherwise complicate an engagement.
Written by Nicholas "aricon" Berthaume & Chris "logan" Hadnagy