Social Engineering Blogs
http://www.socialengineeringblogs.com
An Aggregator for Blogs About Social Engineering and Related Fields
Feed last built: Tue, 07 Nov 2017 02:06:19 +0000

Is combosquatting a new trick hackers use to lure users into visiting malicious websites?
Wed, 01 Nov 2017 11:30:11 +0000
https://blog.knowbe4.com/is-combosquatting-a-new-trick-hackers-us-to-lure-users-into-visiting-malicious-websites?pk_campaign=rss_feed&pk_kwd=combosquatting-new-trick-hackers-use-lure-users-visiting-malicious-websites

Georgia Tech researchers reported that hackers are using a technique identified with a newly coined term, "combosquatting", to trick users into visiting malicious websites.

Sorry to break it to you guys, but this type of social engineering has been done for at least a decade. Perhaps the actual news is the scale at which, and the fully automated way in which, it happens today.

The post Is combosquatting a new trick hackers use to lure users into visiting malicious websites? appeared first on Social Engineering Blogs.

Putin Uses Psychiatrists For Social Engineering Attacks Against Individual Targets
Mon, 30 Oct 2017 11:20:36 +0000
https://blog.knowbe4.com/putin-uses-psychiatrists-for-social-engineering-attacks-against-individual-targets?pk_campaign=rss_feed&pk_kwd=putin-uses-psychiatrists-social-engineering-attacks-individual-targets

Newsweek cross-posted an article that first appeared on The Daily Signal, and this is extremely relevant to what we are battling here today.

Kiev, Ukraine—Since 2014, Russia has used Ukraine as a testing ground for its hybrid warfare doctrine, underscoring what some security experts say is a case study for the new kinds of security threats the U.S. and its Western allies can anticipate from Moscow.

“The threats Ukraine faces are harbingers of things to come for the U.S. and its other allies,” said Junaid Islam, chief technology officer and president of Vidder, a California-based cybersecurity firm that does work in Ukraine.

“It is in the national strategic interests of both the United States and Ukraine to cooperate deeply in cybersecurity, because Ukraine is a canary in the cyberspace coal mine,” Islam told The Daily Signal.

The post Putin Uses Psychiatrists For Social Engineering Attacks Against Individual Targets appeared first on Social Engineering Blogs.

The Ben Franklin effect: How to turn haters into friends
Wed, 01 Feb 2017 14:36:00 +0000
http://www.socialengineeringblogs.com/the-ben-franklin-effect-how-to-turn-haters-into-friends/?pk_campaign=rss_feed&pk_kwd=the-ben-franklin-effect-how-to-turn-haters-into-friends
Source: http://www.socialengineering101.org/blogs/?guid=6fc50449099a0aac253c0661ec667ba3

“He that has once done you a favor will be more ready to do you another than he whom you have yourself obliged.”
- Benjamin Franklin

Benjamin Franklin was an 18th-century American statesman, scientist, inventor, musician and author. You probably got introduced to him at a very young age when you read that nursery rhyme, "Early to bed".

Once, a person lambasted him publicly with a long speech. This angered him, but instead of taking some kind of outright revenge, he decided to try something different.

He realized that his goal was to turn his hater into a friend because, according to his estimation, this man who'd berated him could one day become very influential.

So Ben wrote him a letter asking if he could lend him a ‘scarce and curious book’. Ben worked at and maintained a library at that time and was widely known for having good literary tastes.

Needless to say, the hater was flattered and sent the book eagerly. The next time he met Ben in person he talked to him and ‘ever after manifested a readiness to serve him on all occasions.’

The Ben Franklin effect

What you just witnessed has come to be known as ‘The Ben Franklin effect’.

It states that when we do a person a favor, we tend to like them more as a result, even if we didn’t like the person or hated them initially. In other words, you can effect a favorable change in a person's attitude toward you just by asking them to do a favor for you.

At first, it almost seems like magic, but there is a good psychological explanation as to why this happens...

Consider how you behave when you’re indecisive. If I offer you a chocolate cake you probably won’t show any indecision and will gladly take and eat it. It just tastes so good.

However, if you’re watching your weight and I offer you a chocolate cake, indecision can kick in, since the potential cost of eating the cake could be weight gain.

In order for you to eat the cake, the perceived potential benefit of eating it has to outweigh the potential cost of eating it. (See Why we do what we do and not what we don’t do.)

While you’re still unable to decide whether to eat the cake or not, let's say I insist that you eat it and you cave in.

At this point, your mind will likely slip into a state of cognitive dissonance, because you just did an action that didn’t match your psychological state. You weren’t psychologically prepared to eat the cake.

In order to restore stability, your mind now has to invent excuses and rationalizations to justify what you did so that your cognitive dissonance is resolved.

So you might say something like, “One piece of cake isn’t going to do any harm” or “I’ll do extra cardio tomorrow morning.”

The human mind is designed in such a way that it tries its best to do those actions which carry more benefits than costs.

If it fails and ends up doing something that carries more costs than benefits, it has to somehow convince itself that it didn't really fail, because the knowledge that we incurred more costs than benefits is difficult to handle.

When you ask someone for help and they do help you out, even if they had no good reason to do so, they’ll need to invent one. Since we usually help those whom we like, the person’s mind goes like, “I helped him, therefore I must like him.”

"Did you just say you don't like me? Would you mind passing me that bread, please?"

In the incident of Ben Franklin, some other factors were at play too that shouldn't be overlooked. We like it when someone likes our favorite book, movie or TV show because it helps us boost our ego. (See Why we want others to like what we like.)

In many cases, hatred is just a way to make yourself look better than your competitor. Often, when someone says “I hate you” what they’re really saying is “I hate how you’re better than me.”

Ben Franklin’s hater probably hated him because he knew at a deep level that Ben was better than him, hence the need to lambast him publicly.

When Ben fed his depleted ego by asking for help (the helper is in a superior position to the helped), he was pleased and ‘ever after manifested a readiness to serve him on all occasions’.

He could now think of Ben as his equal or even as his inferior. But we all know who's really the clever and superior one over here.

The post The Ben Franklin effect: How to turn haters into friends appeared first on Social Engineering Blogs.

Different Types of Penetration Tests for Your Business Needs
Wed, 18 Jan 2017 00:25:00 +0000
http://www.socialengineeringblogs.com/different-types-of-penetration-tests-for-your-business-needs/?pk_campaign=rss_feed&pk_kwd=different-types-of-penetration-tests-for-your-business-needs

What area of your business would benefit the most from a penetration test? 

By: Chad Horton, Penetration Testing Manager, CISSP, QSA

Penetration testing is a form of ethical hacking that simulates attacks on a network and its systems. It goes beyond running an automated vulnerability scanner; the tests are performed by experts who dive deeper into your environment.

In a previous blog post, Types of Penetration Testing: The What, The Why, and The How, we discussed the different ways a penetration test can be performed: black-box, white-box, and gray-box. We also told you why it’s a good idea for a business to have penetration tests performed regularly.

So, what type of penetration test should you get for your business?

What areas should you focus on? There are several tests or activities that penetration tests include. Here are a few you may want to consider.

Network penetration test

The objective of a network penetration test is to identify security issues with the design, implementation, and maintenance of servers, workstations, and network services.

Commonly identified security issues include:

  • Misconfigured software, firewalls, and operating systems
  • Outdated software and operating systems
  • Insecure protocols

Remediation of these commonly identified issues includes:

  • Reconfigure software, firewalls, and operating systems
  • Install updates
  • Enable encryption or choose a more secure protocol

SEE ALSO: Configuring and Maintaining Your Firewall with SecurityMetrics Managed Firewall

Segmentation check

The objective of a segmentation check is to identify whether there is access into a secure network because of a misconfigured firewall.

Commonly identified security issues include:

  • TCP access is allowed where it should not be
  • ICMP (ping) access is allowed where it should not be

The remediation for both of these commonly identified issues is the same:

  • Reconfigure the segmentation control (firewall rules) to properly restrict access

SEE ALSO: New 3.2 Requirements for Penetration Testing and Segmentation: What You Don’t Know

Application penetration test

The objective of an application penetration test is to identify security issues resulting from insecure development practices in the design, coding, and publishing of the software.

Commonly identified security issues include:

  • Injection vulnerabilities (SQL injection, Cross-site scripting, remote code execution, etc.)
  • Broken authentication (The log-in panel can be bypassed.)
  • Broken authorization (Low-level accounts can access high-level functionality.)
  • Improper error handling

Remediation of these commonly identified issues includes:

  • Re-design the authentication and authorization model
  • Recode the software
  • Disable remote viewing of errors meant for developers

Wireless penetration test

The objective of a wireless penetration test is to identify misconfigurations of authorized wireless infrastructure and the presence of unauthorized access points.

Commonly identified security issues include:

  • Insecure wireless encryption standards
  • Weak encryption passphrase
  • Unsupported wireless technology
  • Rogue/open access points

Remediation of these commonly identified issues includes:

  • Update the wireless protocol to an industry-accepted protocol (WPA2)
  • Replace the insecure passphrase with a longer, more complicated one
  • Identify the open access point and disable it

SEE ALSO: Wireless Access Point Protection: Finding Rogue Wi-Fi Networks

Social engineering

The objective of a social engineering assessment is to identify employees who do not properly authenticate individuals, follow processes, or validate potentially dangerous technologies. Any of these gaps could allow an attacker to take advantage of the employee and trick them into doing something they shouldn’t.

Commonly identified issues include:

  • Employee(s) clicked on malicious emails
  • Employee(s) allowed unauthorized individuals onto the premises
  • Employee(s) connected a randomly discarded USB to their workstation

The remediation is always the same: training.

Because the intent of this assessment is to take advantage of the trusting nature of employees, this type of assessment should only be done after employees have completed a training course on defending against social engineering attacks.

SEE ALSO: Social Engineering Training: What Your Employees Should Know

Which type of penetration test is right for you?

For starters, choose the type of penetration test that focuses on the controls you are most concerned about:

  • Web application or API = application penetration test
  • Infrastructure = network penetration test (and possibly a wireless penetration test)
  • People = social engineering

If your objective is to obtain PCI compliance, at the very least, you’ll want to consider getting a network and an application penetration test.

Once you have an idea of the type of test you would like, and how comprehensive you would like the results to be, you need to decide from which perspective you would like the testing to be performed.

By making these decisions wisely, you can choose a penetration test that matches your business's needs and budget.

Need a penetration test? Talk to us!

Chad Horton has been the Penetration Testing Manager at SecurityMetrics for over five years. His responsibility includes managing a team of eight employees who conduct manual assessments of web applications and corporate networks. In addition, Horton is QSA, CISSP, and CompTIA Security+ certified, and has written numerous web application tools to assist in exploiting vulnerabilities.

SecurityMetrics Webinar, Web Application Penetration Testing 101

The post Different Types of Penetration Tests for Your Business Needs appeared first on Social Engineering Blogs.

Project ‘Sender ID’
Sun, 01 Jan 2017 18:38:49 +0000
http://www.socialengineeringblogs.com/project-sender-id/?pk_campaign=rss_feed&pk_kwd=project-sender-id
Source: https://theantisocialengineer.com/?p=1178

Over 100 billion SMS messages are sent per year in the U.K. Whilst this figure continues to fall, due to mobile device users opting to use alternative communication mediums such as WhatsApp, Facebook Messenger and Signal, we are still a nation dependent on this older form of messaging. If you think it’s going to disappear anytime soon you should…

The post Project ‘Sender ID’ appeared first on Social Engineering Blogs.

2017 and Beyond
Tue, 27 Dec 2016 17:24:10 +0000
http://www.socialengineeringblogs.com/2017-and-beyond/?pk_campaign=rss_feed&pk_kwd=2017-and-beyond
Source: https://theantisocialengineer.com/?p=1167

It’s been 2 years to the day since The AntiSocial Engineer Limited was founded; the seasonal timing, and also the fact that we seem to be doing enough right to pay the bills, have made us sit down and question where we take it from here. It sure has been educational, and part of our future plans came from a reflection on…

The post 2017 and Beyond appeared first on Social Engineering Blogs.

Appeal to Ethos, Logos & Pathos – Rhetorical Techniques
Sat, 20 Aug 2016 12:46:02 +0000
http://www.socialengineeringblogs.com/appeal-to-ethos-logos-pathos-rhetorical-techniques/?pk_campaign=rss_feed&pk_kwd=appeal-to-ethos-logos-pathos-rhetorical-techniques
Source: http://modernmachiavelli.com/?p=1280

According to Aristotle, there are three means to persuade in a debate or speech. Every argument we make can be attributed to one of these categories, and knowing and mastering them is bound to give you the rhetorical advantage over your adversaries. The three modes of persuasion, explained in his book on Rhetoric, are the following: “Of the modes of persuasion furnished by the spoken word, there are three kinds. Persuasion is achieved by the speaker’s personal character when the speech was so spoken as to make us think him credible. Secondly, persuasion may come through the hearers, when the

The post Appeal to Ethos, Logos & Pathos – Rhetorical Techniques appeared first on Modern Machiavelli.

The post Appeal to Ethos, Logos & Pathos – Rhetorical Techniques appeared first on Social Engineering Blogs.

Everybody on the floor, this is a data breach
Wed, 03 Aug 2016 17:18:21 +0000
http://www.socialengineeringblogs.com/everybody-on-the-floor-this-is-a-data-breach/?pk_campaign=rss_feed&pk_kwd=everybody-on-the-floor-this-is-a-data-breach
Source: https://theantisocialengineer.com/?p=926

So it might not be immediately apparent, but when I am not hacking things and complaining about the lack of security in businesses, I also do mundane things. I tidy the house, I go shopping for soy milk and vegetables, I have recently adopted running, and when I’ve done all the basics of life, I even try to complete the…

The post Everybody on the floor, this is a data breach appeared first on Social Engineering Blogs.

Ethical Boundaries of Simulated Testing
Sat, 09 Jul 2016 12:48:52 +0000
http://feedproxy.google.com/~r/SubliminalHacking/~3/PCR65y7g-ns/?pk_campaign=rss_feed&pk_kwd=ethical-boundaries-of-simulated-testing
Source: http://www.subliminalhacking.net/?p=2386

Like most days social media is flowing with opinions, perspectives, ego and testosterone 🙂

The most recent discussions that have sparked my interest have been those around what is or in many cases isn’t considered to be accurate or real simulated testing.

Like others I have my opinion on what this means to me and I don’t want to go into all the details of my opinions, approaches or theories here, but I wanted to make a couple of observations that I think are primary to the boundaries that exist in the world of simulated testing. I am not focusing on any specific part of simulated testing, but obviously in the context of things here I gravitate to the human elements associated with social engineering.

So here are my two main points. Point one: no simulated testing is ever going to fully replicate the real adversary, as if it does then now you're the criminal also. Point two: a very select few outside of the real adversarial groups / gangs really know with suitable detail the TTPs used to allow full replication in a simulated scene.

No doubt some of you just spat out your drink, cursed at the screen and crossed me off your Christmas card list, but let me briefly clarify my thinking. The one thing that should separate a simulated vs real adversary should be the ethical boundaries they constrain themselves with. This should balance pushing the boundaries to their limit to replicate the real activities, but be constrained to the point that you are an employee or service provider to an organisation, and as a result there are lines that shouldn’t be crossed, as the personal damage could be substantial. A simple example could be that the real adversary sends emails and makes phone calls to the CEO of the company, making threats about family members to influence decision making. Sure, you could do this in a simulated environment, but then when it's communicated it wasn’t for real, it was to test how people handle an adversary, the damage is already done; the emotional turmoil has occurred and cannot be undone.

The second point I make is that, no matter how good an intelligence function may be, or what's read in the media, the information is typically based on what's been discovered to date, hearsay or some other theory. The reality is, aside from the adversary themselves, no one knows the full extent of their tools, tactics and procedures, so this is why I don’t believe anyone can claim to fully simulate anything. Instead it's more pragmatic to utilise the information, tools and techniques to push the boundaries to suitable levels within the ethical levels acceptable to the individuals conducting the work and those who are on the receiving end and/or approved to authorise them.

Like everyone else on the Internet, this is just my opinion. I don’t think there is a one-size-fits-all, and some approaches and appetites may deliver more value than others, but without ethics and without boundaries things become a darker shade of grey.

The post Ethical Boundaries of Simulated Testing appeared first on Social Engineering Blogs.

InfoSec Interviews – Richard De Vere
Sat, 18 Jun 2016 07:50:50 +0000
http://www.socialengineeringblogs.com/infosec-interviews-richard-de-vere/?pk_campaign=rss_feed&pk_kwd=infosec-interviews-richard-de-vere
Source: https://theantisocialengineer.com/?p=908

Original article by IT Governance: here. So a while back I was interviewed by Lewis Morgan from the IT Governance Blog and thought I’d share this on the site. It is a little tongue in cheek reading it back actually! But genuine nonetheless. First, let’s quickly cover the basics: what is social engineering? Well, a good question straight…

The post InfoSec Interviews – Richard De Vere appeared first on Social Engineering Blogs.
