Your friend could be your weakest link

Picture this:

  • you were at a location that you were not supposed to be at.
  • a friend takes a snap and posts it on a social media site
  • your friend’s security setting is quite lax
  • the world can see that you were at that location
  • The Enemy(tm) searches for you but you have good OpSec so you’re ok
  • The Enemy(tm) expands their search for affiliates, associations, etc.
  • The Enemy(tm) finds your friend
  • The Enemy(tm) finds your photo
  • sprung!

People that are connected to you form a web of trust. You trust them to be a connection whether it be friend, business associate, etc. These connections are people that you trust with a certain amount of information about you (online or otherwise).

Depending on your influence, your web of trust could be quite large, multi layered and complex.

As we’d like to keep things simple here, let’s say that your web of trust is online via a well known social networking site.

Now, if one of your connections were to be compromised, as shown by the opening example, you’ll have a lot of explaining to do.

As an attacker, our job is to find the weakest link and exploit it, even if that means finding your web of trust and using it as leverage to achieve a goal.

Naturally, if you’re a target, you may want to tighten up your web of trust or communicate this scenario to your own web. Increasing the strength of your weakest link will increase the security of others on the whole.

There is even a tool to find your web of trust:
http://www.theregister.co.uk/2014/06/03/rejected_researcher_builds_facebook_friends_harvester/

Let’s go phishing

Why do people get conned so easily? If you know their interests, you’re probably getting warm to the answer. This is what is called a ‘targeted attack’.

  • Your dog’s name is Spot
  • Pictures of Spot are found on your Facebook profile which is not locked down…hummm…

Dear Bob,

We have your dog Spot, click on the link to see the photo.

http://evilwebsitewithsomedodgynastymalicioussoftware.com

If you want him back, you’ll need to transfer one million dollars to our Nigerian account.

Regards,
The Enemy.


 

Breaking it down, targeted phishing is:

  • Addressed in a personal nature
  • Something to get you to react
  • Consequence should you fail to act

Guess what happens next…you are now owned by The Enemy. Thank you for your co-operation.
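The three traits in the breakdown above can be turned into a triage check for incoming mail. This is an added example, not code from the original post; `PUBLIC_FACTS`, the keyword patterns and the function name `triage` are assumptions chosen for illustration.

```python
import re

# The message from the post, reproduced as sample input.
SAMPLE = """Dear Bob,

We have your dog Spot, click on the link to see the photo.

http://evilwebsitewithsomedodgynastymalicioussoftware.com

If you want him back, you'll need to transfer one million dollars to our Nigerian account.

Regards,
The Enemy."""

# Constructed input (assumption): facts about you that anyone can read online.
PUBLIC_FACTS = {"first_name": "Bob", "pet_name": "Spot"}

# Illustrative keyword patterns (assumptions, not a complete ruleset).
URL_RE = re.compile(r"https?://\S+", re.I)
ACTION_RE = re.compile(r"\b(?:click|open|download|verify|confirm|reply)\b", re.I)
CONSEQUENCE_RE = re.compile(
    r"\b(?:if you (?:want|don't|do not|fail)|unless you|or else"
    r"|within \d+ (?:hours|days))\b", re.I)
DEMAND_RE = re.compile(r"\b(?:transfer|pay|send|wire)\b", re.I)


def triage(message, public_facts):
    """Report which of the three targeted-phishing traits a message shows."""
    # Trait 1: personal. The message uses facts that are publicly exposed.
    personal = sorted(k for k, v in public_facts.items()
                      if v and re.search(r"\b%s\b" % re.escape(v), message, re.I))
    # Trait 2: something to react to. A link plus a call to action.
    urls = URL_RE.findall(message)
    lure = [m.group(0).lower() for m in ACTION_RE.finditer(message)] if urls else []
    # Trait 3: consequence. Conditional pressure, plus any demand that follows.
    consequence = [m.group(0).lower() for m in CONSEQUENCE_RE.finditer(message)]
    if consequence:
        consequence += [m.group(0).lower() for m in DEMAND_RE.finditer(message)]
    result = {"personal": personal, "lure": lure, "consequence": consequence}
    result["score"] = sum(1 for trait in ("personal", "lure", "consequence")
                          if result[trait])
    result["urls"] = urls
    return result
```

The `personal` list doubles as an OpSec finding: every key it returns is a fact worth locking down on your own profile.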

SocEng: it’s about playing the game

(NOTE: Long post)
(NOTE: Educational purposes only!)

Social Engineering, or SocEng for short, is the art of communicating for some sort of gain (personal or otherwise).

From the movie ‘Usual Suspects’:

‘Who is Keyser Soze? He is supposed to be Turkish. Some say his father was German. Nobody believed he was real. Nobody ever saw him or knew anybody that ever worked directly for him, but to hear Kobayashi tell it, anybody could have worked for Soze. You never knew. That was his power. The greatest trick the Devil ever pulled was convincing the world he didn’t exist. And like that, poof. He’s gone.’

Convincing someone through communication is a very powerful device.

SocEng is not for the introverted and socially inept. You will be caught out early in the game or be unable to maintain good OpSec (a statement about hackers can be placed here but that would be a major generalisation).

How SocEng is used depends on what the intent is (yes, there are good reasons to conduct a SocEng exercise).

If you are planning to do an exercise, here is a short list of things to consider:

  • Don’t leave yourself needing to backtrack or cover up your tracks during the exercise. If you have to do this, you’re blown!
  • Have a good solid cover: you can’t disclose who you are in real life and what your intent is.
  • Think 2+ steps ahead: if you have to think in the moment, game over
  • Context: A convincing story to tell: important, right?
  • Gain trust, it can be considered to be manipulation but remember…good karma!
  • Edge closer to the intent and capture the flag. Get what you need and run.
  • Keep it constrained, the longer you engage in the exercise, the more likely you’ll slip up.
  • Knowing when to stop and bail (exit strategy), you’ll need to pull the parachute before you get caught…always have a plan B

The best SocEngs can make things up on the fly, maintain character, be convincing and achieve their goals.

SocEng is a game of words (or actions). Needless to say I like a good SocEng exercise and it still amazes me the number of times senior people, socially aware people can fall.

How to bust someone practising SocEng:

  • Ask lots of questions: this will get them riled up and may cause them to break character.
  • Keep them engaged: depends on how much free time you actually have, they will get to a point where their patience runs out and they break character (why do you think it’s really hard to be an undercover operative!)
  • Poke holes in their story: by alerting the SocEng to their flaws, they will need to cover it up on the fly, which is quite difficult to do unless they are a trained veteran.
  • Use their tools against them: Be the dominant one in the conversation and lead the charge. Unless this is a physical encounter, they can’t beat you up.
  • Smoke and mirrors: If you suspect that they want to capture the flag, keep moving the flag. Drop in false information, delay information, etc., BUT don’t do this often as they will sense that they are being played.
  • Reduce the intensity: Taking away communication will get them frustrated not knowing what to do next, this leads to a break in character.

Ethical considerations:
Please be very, very careful with SocEng: doing this the wrong way can lead to some serious consequences for the target. Always maintain ground rules before you start. Remember, good karma.

Tinder hacking will be a really exciting exercise, watch this space.

Let’s talk about Hell

Hell is the point you reach when your life has been turned upside down by The Enemy.

For example: harassment.

You are the CEO of Drugs ‘R us, the largest manufacturer of drugs in all of the countries ending with -stan.

You are *rumoured* to have done animal testing, making you public enemy #1

You start getting random calls in the middle of the night, black cars with tinted windows driving past your place, your dog goes missing.

You can’t sleep, stressed, paranoid.

The calls happen nightly, you change your number. Have to get a new dog.

You don’t function well at work, you make bad decisions

Company starts losing leadership, direction, cash

Think about who you are and what you do, who depends on you?

If you’re going through hell, others that depend on you will also suffer.

OpSec(TM) giving you peace of mind since 1280BC (ok…a very long time)

What is your risk profile?

Risk: level of comfort one can take before going crazy

Let’s look at a few case studies:

  • if you’re a model and hate guys stalking you, you’re probably ‘high risk’
  • if you’re rich and don’t want to be robbed, you’re probably ‘high risk’
  • if you have kids and want them to be safe, they may be ‘high risk’
  • if you’re going to be famous one day, you’re probably ‘medium to high risk’ (depending on how famous you are)
  • if you have no assets, not going to be rich or famous, you’re probably ‘low risk’

Decide how much risk you can take or which category you are in. This will help determine what level of OpSec you require.

What the [insert word here] is OpSec

The sooner you start practising OpSec, the less you’ll need to shovel/do in the future.

You’ve read the definition, right? Here it is again…

Information is like a car, it can get you places or it can be used to run someone over.

OpSec is a process where you:

  1. Review your information
  2. Identify what information could be used against you.
  3. Take steps to make sure that information is tucked away or will never see the light of day.
  4. Rinse/repeat

OpSec is not cheap but there are ground rules depending on your appetite for risk.
Remember: OpSec can be used for good and for evil, have good karma, use this information for good.