Are you information promiscuous?

Picture this:
You had a big night, gave your phone number to a cute stranger, talked for a while, got on well, then it turned sour…

…how does this end?

Well, it could end nicely (which we all hope, making this blog useless) or it could end badly (…so much for happy endings).

Bad… how bad? Well, you’ve heard the stories.

What can you do now… well, you have to change your number, get a bodyguard, take out a restraining order, hide your details from the Internet, get valium, etc, etc, etc…

or

if you’ve been practising good OpSec you could have:

  • Got a ‘burn’ phone, so that you don’t have to change numbers should things go wrong
  • Used aliases on social media/posts/etc to avoid being cyber stalked
  • Not given away too much information about where you live, your full name, etc, so that physical tracking attempts would be limited

And to think that it all started by giving your number away… you can be promiscuous without being a target.

Prevention is definitely better than cure.

SocEng: it’s about playing the game

(NOTE: Long post)
(NOTE: Educational purposes only!)

Social Engineering, or SocEng for short, is the art of communicating for some sort of gain (personal or otherwise).

From the movie ‘Usual Suspects’:

‘Who is Keyser Soze? He is supposed to be Turkish. Some say his father was German. Nobody believed he was real. Nobody ever saw him or knew anybody that ever worked directly for him, but to hear Kobayashi tell it, anybody could have worked for Soze. You never knew. That was his power. The greatest trick the Devil ever pulled was convincing the world he didn’t exist. And like that, poof. He’s gone.’

Convincing someone through communication is a very powerful device.

SocEng is not for the introverted and socially inept. You will be caught out early in the game, or you won’t be able to maintain good OpSec (a statement about hackers could be placed here, but that would be a major generalisation).

How SocEng is used depends on what the intent is (yes, there are good reasons to conduct a SocEng exercise).

If you are planning to do an exercise, here is a short list of things to consider:

  • Don’t backtrack or cover up your tracks during the exercise. If you have to do this, you’re blown!
  • Have a good, solid cover: you can’t disclose who you are in real life or what your intent is.
  • Think 2+ steps ahead: if you have to think in the moment, it’s game over.
  • Context: a convincing story to tell. Important, right?
  • Gain trust. It can be considered manipulation, but remember… good karma!
  • Edge closer to the intent and capture the flag. Get what you need and run.
  • Keep it constrained: the longer you engage in the exercise, the more likely you’ll slip up.
  • Know when to stop and bail (exit strategy). You’ll need to pull the parachute before you get caught… always have a plan B.

The best SocEngs can make things up on the fly, maintain character, be convincing and achieve their goals.

SocEng is a game of words (or actions). Needless to say, I like a good SocEng exercise, and it still amazes me how often senior, socially aware people fall for it.

How to bust someone practising SocEng:

  • Ask lots of questions: this will get them riled up and may cause them to break character.
  • Keep them engaged: it depends on how much free time you actually have, but they will reach a point where their patience runs out and they break character (why do you think it’s so hard to be an undercover operative?).
  • Poke holes in their story: by alerting the SocEng to their flaws, they will need to cover them up on the fly, which is quite difficult to do unless they are a trained veteran.
  • Use their tools against them: be the dominant one in the conversation and lead the charge. Unless this is a physical encounter, they can’t beat you up.
  • Smoke and mirrors: if you suspect that they want to capture the flag, keep moving the flag. Drop in false information, delay information, etc, BUT don’t do this often, as they will sense that they are being played.
  • Reduce the intensity: taking away communication will leave them frustrated and not knowing what to do next, which leads to a break in character.

Ethical considerations:
Please be very, very careful with SocEng; doing this the wrong way can lead to serious consequences for the target. Always set ground rules before you start. Remember, good karma.

Tinder hacking will be a really exciting exercise, watch this space.

Everyone practising OpSec = Security Utopia

Your OpSec is also influenced by the people around you: your family, friends, pets, etc.

Let’s say that you are a celeb, and your friends have your private phone number.

One of your friends has their phone stolen. Your Enemy looks through the stolen phone and finds your number… it’s all over, red rover.

It only takes one hole to sink a ship. Tell your friends that good OpSec means they’ll still be invited to the next social gathering (or get them to read this blog!).

Let’s talk about Hell

Hell is the point you reach when your life has been turned upside down by The Enemy.

For example: harassment.

You are the CEO of Drugs ‘R us, the largest manufacturer of drugs in all of the countries ending with -stan.

You are *rumoured* to have done animal testing, making you public enemy #1.

You start getting random calls in the middle of the night, black cars with tinted windows driving past your place, your dog goes missing.

You can’t sleep; you’re stressed and paranoid.

The calls happen nightly, so you change your number. You have to get a new dog.

You don’t function well at work; you make bad decisions.

The company starts losing leadership, direction and cash.

Think about who you are and what you do: who depends on you?

If you’re going through hell, others that depend on you will also suffer.

OpSec(TM): giving you peace of mind since 1280BC (ok… a very long time).

What is your risk profile?

Risk: how much you can take before going crazy.

Let’s look at a few case studies:

  • If you’re a model and hate guys stalking you, you’re probably ‘high risk’
  • If you’re rich and don’t want to be robbed, you’re probably ‘high risk’
  • If you have kids and want them to be safe, they may be ‘high risk’
  • If you’re going to be famous one day, you’re probably ‘medium to high risk’ (depending on how famous you are)
  • If you have no assets and aren’t going to be rich or famous, you’re probably ‘low risk’

Decide how much risk you can take, or which category you are in. This will help determine what level of OpSec you require.