Tag Archives: SocialEngineering

GCIH Gold Paper Accepted

As I alluded to in a past post, I have been working on my GCIH Gold paper for the past 6 months.  Well, I submitted it last month, and just found out that it has been accepted/passed!  This means that I now have my GCIH Gold certification.  I will be working on my GSEC Gold certification next.

As for the paper itself, I decided to do original research on social engineering on social networks–specifically, on the amount of information that people give up on the “harmless” quizzes they take on social networks like Facebook.

Below is the abstract:  (You can find the paper online here)

Social engineering for identity theft has always been around. But now, with the advent of
social networking sites such as Facebook, MySpace, and a host of others, it has become
easier than ever to harvest personal information from unsuspecting targets. This paper
looks into just how much personal information can be gathered by the seeminglyharmless
“What type of personality are you?” quizzes that are so prevalent on social
networking sites. The paper will then look at what the information could be used for, and
how to protect against this particular vector of social engineering.

-Josh

Tagged , , ,

Hurry! Only (random_num) Spots Left!

I have no idea who Greg, developer of the Penny Stock Secret is, or whether or not he really is a millionaire, but I do know one thing for sure:  They really need to obfuscate their javascript better.

So the idea of PennyStockSecret.com is that after ‘Greg”, “studied all the investment theories, consulted financial advisors and spent extraordinary amounts of time at his computer,” he found the “keys that bring stock market success.

And for only a one time fee of $97, you can be in on his success!  How?

Well, “More than just identifying the best stocks to buy, we tell you exactly when to sell them too.” They do this through subscribing you to a newsletter that will alert you when you should buy and sell.

But wait, there is a catch!  There are only Insert Random Number Here spots on the newsletter list available!

Wait, what?

Yes, if you view the source, you can see that all the Javascript does is generate a random number for how many spots are available.

What is sad is that I’m sure they are bilking quite a few people out of their cash.  Why?

Wizard’s First Rule.

-Josh

Tagged ,

Social Engineering & Neuro-Lingustic Programming (NLP) Profiling

As I mentioned in my previous post, I am currently working on some original research dealing with Social Engineering.  For background, I have been reading some of the few books on social engineering.  One of them, Hacking the Human, by Ian Mann, has been fantastic.  One of the areas of research he goes into is some basic principles on using Neuro-Lingustic Programming to profile a target.

Neuro-Lingustic Programming (NLP) was first developed by Richard Bandler and John Grinder, as a form of psychological therapy.  They felt there was a  “…theoretical connection between neurological processes (‘neuro’), language (‘linguistic’), and behavioral patterns that have been learned through experience (‘programming’), and that can be organised to achieve specific goals in life.” (Wikipedia)

One aspect of NLP that Mann brought out was the idea of observing eye movements to indicate current thought processes.  For example, the idea that as one talks to themselves, their eyes drift bottom-right.

The following is a diagram of the different possible locations:

I found a great video that showcases this.

(Used with Permission)

I found this to be a very interesting concept–So I decided to test it out for myself.  I asked the same questions as the above video to a friend, while videoing him answering.  Interestingly, I got the same results, though not quite as pronounced as the above video.

To bring this back to Social Engineering: Mann saw this as a powerful tool to add to his repertoire for face to face social engineering attacks–being able to get clues to the current thought process of the target–even being able to tell, with a high percentage of accuracy, if the target is lying! (Mann, Hacking the Human)

Just another exploitable vulnerability in the being that is the called the Human.

-Josh

Tagged , ,

Josh Brower’s GCIH Gold Project

Just wanted to give you a brief update on what I have been working on lately.

I am currently working on my GCIH Gold paper–My abstract was accepted by SANS, and I have been working on it for a little over a month now.

I would rather not share the abstract for now, as it is an area of original research, and I would rather not tip my hand.

But to give you a clue of the general direction, here is a pic of some of my source material for the background research.

Current Reading

Josh

Tagged ,