A long time coming…5 years!
Yay for OpSec.
Existing users, it’s time to review yours.
To see what the world sees (subject to change):
- Look for ‘View as public’ or
- Click on the padlock button near the notifications
- ‘What do other people see on my timeline?’/View As
Ok, not quite the end…
I’d like to dedicate this post to one very intelligent, charismatic young lady who is/was hurt by this experience. If you’re reading, all I ask is that you understand my crusade, please don’t lose trust in people resulting from my actions, I/this came from a good place 😦
Foreword: This subject sprawls across lots of different areas, so we’ll stick to the key points. The reader may have ethical or moral questions about this post. My request is that you read this with an open mind before forming a discussion/conclusion.
One reason why these exercises only last for a short time (e.g. one week) is to ensure that the attacker does not form any emotional attachments to the target that could jeopardize the exercise. Brutal but true. Bad guys pillage and run. SocEngers act/think the same to be ahead of the game.
There are associated risks from SocEng to both parties. Taken in a military context, lives would be at stake. We’re all human.
To categorize the failures as mistakes would be a misconception; the mistakes are emotions, which make us human. This is why SocEng works so many times.
In my history as a security professional, I faced a massive moral and professional dilemma. I broke a key rule and had to deal with the consequences:
Do I open up and blow the exercise, or do I continue and shatter another person’s trust?
I wanted to open up and dispel misconceptions raised by the target, but I was in too deep. I chose the latter with a heavy heart, and even to this day I’m not certain if I made the right decision.
NOTE: Respecting everyone’s privacy, specific details have been omitted.
After being matched, it started off as just another interaction, and banter we did. The one week mark came by and the rules state that I had to abort and go for full disclosure.
This was undoubtedly my biggest mistake, I did not stick to the rules: I played offense and attempted to move the conversation off Tinder.
The next day, my gut knew what was going to happen next: she followed.
What ensued was innocent fun. For most of the interaction, I stuck to the rules for as long as I possibly could.
The one rule broken was exchanging photos; I held my ground without raising suspicion as long as I could without being socially awkward.
The situation got comfortable, there was some level of trust until…
A few weeks in, small warning signs appeared: I was called out for being cagey, namely my reluctance to reveal my physical details, open up, etc. It’s natural, this was bound to happen. I was still in exercise mode, especially after a month of continuously engaging in OpSec; disengaging did not cross my mind.
Further to this, I was conscious of time spent online. With one month coming up after continuous contact, I had a decision to make and it was one not to be taken lightly.
My options were:
- full disclosure: at the expense of prematurely ending the exercise and losing my anonymity (the latter is not necessarily a bad thing but goes against the rules)
- completing the exercise: demonstrate the risk at the expense of losing trust
Just after the one month anniversary, I dropped a ‘seed’ before closing. The outcome was that I completed the exercise at the expense of losing trust. The end was a deliberate change in persona from what was displayed over the month; it was ruthless and I still feel bad about it.
Usually, the exercise would be done in a controlled environment such as an organizational drill, etc., but it wasn’t; the situation got out of hand and blew things out of the water. In short, things should have ended differently.
There are a few points that remain:
- What was her account of the exercise?
- Did she know that she was a target?
- When did her suspicions arise?
By writing this, I hope that anyone planning a SocEng exercise takes into account the ramifications for the target. Depending on the target, the outcome could be more than just the loss of trust.
In retrospect, I shouldn’t have broken the first rule, but then again, things are always easy to say in retrospect.
To everyone out there, if you ever find yourself with a lady with exceptional conversational skills, make sure you treat her well with the utmost respect and tell her that I’m sorry.
One week was the target, here is a summary of other observations and closing.
- Been chatting for a week? Time to make a call, meet them to see if they are real or dump them.
Side note: from a socially accepted point of view, if you have been online continuously for more than a week, the person is probably privy to the idea of meeting up. Give them the number to your burn phone and meet them.
Above and beyond the call of duty
Interestingly enough, there have been instances where people have disclosed way too much information and as a result the interaction came to a premature halt. Really, people, please, don’t do this.
I have seen security badges, graduation certificates with people’s full names, one person actually told me exactly where they worked!
Mixing and matching, a recipe for disaster
There have been instances where people have offered Instagram accounts to see more photos of themselves. There are two problems here:
- Too much information…have you verified who I am?
- Some people’s Instagram account name is in fact their full name; you no longer have the protection of anonymity!
Phone numbers are no better, unless it’s a burn phone that is not tied to anything but Tinder, dating, etc.
The importance of asking questions
If you suspect something is off, ask questions, apply pressure. Better you find out the truth now rather than after you meet. The Enemy will crack and give in, yes, disaster averted.
There have been a few instances where people are shy, don’t be.
One week was the termination point for each target and most of the exercise was completed in a month.
Martin Gladwell suggests that to become a master you must spend 10000 hours on a particular task. After this experience, I’m ready to lay off SocEng for a while and stick to meeting people one on one in real life.
Here are a few pointers:
- Top tip: if you are concerned about your personal security, get a ‘burn’ phone/email address. SIM cards/phones are cheap and email accounts are even cheaper; give these out to strangers or people you’ve just met for the first time.
- Review the photos before you put them online. Ask yourself, can they identify me in any way (name, home, work, etc.)? If they can, choose another photo (also, as Tinder is tied to Facebook, they shouldn’t be on Facebook either).
- Please don’t mix social media sites. If anyone wants to know more about you, let them get your permission first.
- Never ever move off the site where you first met. *Usually* online dating sites are quite good at sanitising your information. By moving communications off the site, you will be disclosing information which may help the attacker.
- Lots of time spent online without meeting the person face to face is never a good idea (unless you’re trained for it). Always keep it short and try to meet up as soon as possible (this way you can use your 6th sense to see if they are the real deal).
- Always be asking questions, be the annoying kid at school. If they are there for an ulterior motive, they will get uncomfortable and bail.
As time went on, it was difficult for me to juggle multiple conversations and maintain good OpSec.
The cracks are:
- The target wanted me to reveal myself. Not a surprise; how long can one sustain this for?
- The target became suspicious about me or my motives. The fact that I was not requesting anything or pushing for anything raised alarm bells, asking what I was doing on Tinder in the first place.
- After revealing all at the end, the respondents said that they didn’t feel threatened in any way, which was good.
This quote serves as a timely reminder:
Be careful whose toes you step on today, they might be attached to the ass you have to kiss tomorrow.
This is the second part of the Tinder hacking experiment, see part 1 here.
We left off the last blog by being selected and engaging in conversation. Next, we do what all friendly people do: put on our best suit, get to know each other, and so on…
Humans are bad at being random. Conversations follow a predictable format, so it was easy to go with the conversation, ‘seed’ and listen to the ground for clues. This is why SocEng is so successful, as long as you don’t do anything stupid, you can get just about anywhere.
The Enemy will SocEng in order to break down the other person’s OpSec to get the crown jewels in the shortest period of time. My goal is different: to see what information the target will voluntarily/passively disclose.
- Avoid answering any questions with specific detail, hard to do but after time conditioning will kick in.
- Don’t drag out the conversation on Tinder longer than it should, if you express interest in each other, the guy should have the balls to arrange a meeting (in a public place, don’t forget your burn phone).
The scary stuff:
In utopia, you can say/do anything about anything and not feel the repercussions. Unfortunately, this is not the case; otherwise, this blog would not exist and I’d be a landscape gardener. There have been instances where I have had to deal with some really nasty stuff resulting from something that started so innocently. Again, if someone has the motive and inclination to carry something out, they will do it (irrational minds do some really stupid things). Don’t make life easy for them. Yes, the truth sucks.
SocEng on Tinder:
When under the guise of relationships, it’s socially accepted to ask questions about one another. The usual, where are you from, what do you do, how big is your pay packet, etc…which are all fine to ask/answer but there are some definite things you shouldn’t do.
Ever watched TV and seen the subliminal advertising censored out? You *know* it’s an ad but you don’t know which company. That is how you should treat the interaction: tell them enough to answer the question but not enough to reveal exactly what it is. Some time is required for conditioning, but unless you meet face to face in a mutually agreed setting, it’s best to keep the personal details until then.
The exercise was done in two separate ‘areas’, one ‘area’ known to be a bit more open and relaxed and the other a bit more closed. Think of it as the big city vs small city mentality.
In the ‘small’ city scenario, people were more open to meeting others, more open to share information including personal information about themselves, generally more trusting towards strangers. In the ‘big’ city, people were the exact opposite, unwilling to share information and less trusting towards others.
There are different theories as to why this is so, in the limited numbers questioned, it was due to the fact that some people have heard/known/experienced uncomfortable situations which leads them to shut down.
This resonates well with the thought of the ‘global’ community, technology bridging people and associated problems being part of the package. Unfortunately, the once ‘safe’ and trusting places will in the future be targets for information based crimes unless education and awareness is put into place.
Side note on trust:
The problem with trust is, once tainted, you can never go back. It’s hard to regain/earn trust. A quick example would be one of the Irish Travellers: they set off to quiet communities targeting their trust and, for want of a better word, innocence. When they are there, they pull off a con and leave. The legacy they leave is the target losing money, a cleanup bill and damaged trust. This distrust follows for a while, is exhibited to strangers and brings out the worst in people (as mentioned in the previous <blog>); without trust, society as a whole becomes closed and any action by strangers is met with resistance.
It is why moms and dads struggle with online security = lack of information and awareness = easy targets = level of trust has changed / increased paranoia.
Trust is the key, you have to have some. It is what bonds people together.
Too much information:
As mentioned, targets that live in the big city tend not to share out information as freely as those from the small cities. Probably due to the level of trust and heightened paranoia.
During the interactions, I was absolutely amazed at the quality of the information disclosed; some was found in pictures/text and the rest came from conversation:
- Area of where they live (narrowed down searches)
- What they did (narrowed down searches)
- Where they went to school/work (company names!)
- Phone numbers (hummm…)
- Photos (identifying locations!)
- How to get in touch on other social media sites…ummm…really bad idea!
- etc, etc…
With this information, one could quite easily conduct some profiling on the subject (remember: this is out of scope). The frightening thing is the ease with which this is done. Hell yeah, I’d be concerned if I were a parent!
It’s human nature to be open especially when looking for love, however it’s equally important to be alert and not compromise one’s safety.
- Get to know each other, have fun, but save the detail for when you both meet up
- Adopt the ‘big city’ mentality, it’s not a bad thing.
OpSec specific notes:
- If the target asked questions about me, I would answer truthfully to avoid any awkwardness/suspicion; however, not to the point where they could identify me as an individual.
Importance of seeding:
As mentioned, the conversations I had were ‘seeded’. Examples of ‘seeding’ include telling the target that:
- ‘we’re comfortable with the conversation’ = we’ve reached a point where we trust each other, time to confide
- ‘I’ll come and visit one day’ = you’ve given me too much information about your location
- ‘it’s amazing but you haven’t pissed me off yet’ = we’re going to end this soon, full disclosure time
This proved to be very important when convincing the target that the interaction was staged: refer back to where the issues appeared, and that it was done for research and nothing else (read: no manipulation, etc.).
This blog series is dedicated to those that have been affected by some crazy people out there. I hope that this can help others avoid being targets in the future.
This is an account of my Tinder hacking experiment as discussed in my previous blogs.
First of a multi-part blog, an introduction to what was done. Remember: educational purposes only. Don’t use this for bad, and this is not a pickup blog; be good to others. Karma’s a bitch.
- Everyone online is a stranger unless you have met them in person.
- SocEng is an amazingly effective tool. Always verify the entity you’re communicating with, share information only with trusted sources and don’t get ‘conned’.
Definitions: see the other terms in the first post here
Social Engineer: me (in a friendly, ethical way of course). Other social engineers may not be so friendly and ethical.
Target: the person at the other end of the line.
- This is not a comprehensive research experiment, quick observations only
- No one was hurt during this exercise.
- Blind testing, duh…if I had told everyone up front, my cover was blown and would have skewed the exercise.
- Minimal phishing will be done. Like Aikido, we use the offensive force to generate momentum. This is done to maintain neutrality: I didn’t phish it out, you told me.
- Keep it truthful/real, I am using my *real* identity as my cover BUT will maintain a very strict level of OpSec. I didn’t have a cover, no time to create one! Therefore, no lies, smoke and mirrors, etc were necessary.
- Keep it clean, above the belt. I never initiated any sexual topics, scare tactics, etc. I prefer lawyers as friends and not for them to represent me.
- Photos, videos, etc. were out of the exercise unless the target initiates. It was all about ‘the game’; no interest in photos, but I would exchange photos just to avoid any suspicion. Not to mention, blow my OpSec.
- Extra intel about the person is not permitted. No Googling, recon, etc… It’s a self imposed rule and it’s creepy.
- ‘Seeding’: This is very important; this is where I drop a hint of what is next to come. The idea is twofold: mark that a ‘stage’ has been reached and provide the target evidence that this was staged/learn from the experience. The target is able to go back and examine what events just unfolded.
- Apart from banter, plans to make physical contact would abort the interaction (there is an important note regarding this, more later).
- Time limit max a week and full disclosure at the end to the victim (where possible). This also avoids deep emotional attachments, I’m here to research and not to break people’s hearts. The longest was a month and that was an exception rather than the rule. Maintaining OpSec is important.
- There are quite a few external factors involved to get to the discussion stage, again, we’re aiming to see where we can go with a very sparse, untrusted profile. Sorry guys, again, this is not a pickup blog, there are other places on the Interweb for that.
- Examine what kind/quality of information will people willingly expose that will affect their OpSec
- Do cultural/social differences have an impact on the information shared
- Gentle education for the target about OpSec
- About a month or until such time I lose my sanity, which ever comes first.
Why Tinder hacking?
It was a period where there was little opportunity to do any major research, life was busy and I had limited my physical/social contact with people. To keep my sanity, I needed a new hobby that would still allow me to have some sort of human engagement, was fun and didn’t stretch my available time.
Tinder fit the bill nicely. It was also chosen because there is a known exchange component (romance..), it is easy to get started, and it perfectly illustrates the absence of a trust model and how to build trust.
Let’s summarise what Tinder is all about:
- Online place to meet people for relationships, etc, etc (OpSec context: there is a common interest which involves an exchange reason for a ‘motive’ ie: love…well, insert appropriate definition here)
- A person will flick through photos and can like or dislike a person (OpSec context: you have NO idea if you can trust the person, remember the SocEng countermeasures)
- If there is a match, you can start chatting (OpSec context: you’re looking for something, what will you do to get it? This is where you have to be on the lookout)
The profile chosen was very ‘mysterious’ designed to invoke curiosity, with a bit of text. The point is to rule out any form of attachment through appearance, maintain anonymity and using Brad Pitt’s photo would be just plain wrong (that is identity theft!). From an OpSec point of view, being different is NOT what you want to do, arousing suspicion will prematurely end your mission.
First observation was my amazement at the number of people that selected my profile. Note: in context, it leaves the target at a larger disadvantage: I know a bit more about them than they do about me.
Once matched, out came the SocEng, wit and charm, the first step of any SocEng exercise is to establish context, a story. The timeframe available gave sufficient time to gain trust.
Let the games begin…
- Unless you’re well acquainted with SocEng, it’s best to avoid social media or apply caution when using it