Saturday, September 26, 2009

Social Engineering for Hacking

There are a lot of resources on the web that describe social engineering to gain access to computer systems for profit. This blog is focused on how it is advancing and going beyond the present electronic frontier. For resources on Social Engineering Prevention for computer networks:

Good reference sites for protecting your electronic frontier:
About.com - Antivirus Software
http://antivirus.about.com/b/2008/10/10/what-are-social-engineering-attacks.htm
Answers.com Social Engineering
www.answers.com/topic/social-engineering-political-science
McAfee's "The Origins of Social Engineering"
www.mcafee.com/us/local.../msj_origins_of_social_engineering.pdf

There are a lot more sites to google as well. Just be careful: some may be hacker sites.

Friday, September 25, 2009

An example of a social honeypot scheme?

Be aware of some of the spontaneous Internet honeypots that appeal to certain personality types, e.g., religious, mystical, fast-money themes, empowerment themes, and more.

I've personally investigated a few honeypots over the years that surround alternative energy, ufology and anomalous phenomena aspects. There is a great majority of curious, creative and adventure-seeking individuals that really love to get involved in the mysteries (it's mesmerizing and thought-provoking). These types of anomalous phenomena social groups attract a broad array of individuals that fall into the categories of curious, investigative, romantic, creative, and fantasy-prone. Most of these people are very intelligent. Important note: Not all of these types of social pots in the anomalous phenomena area are directly malicious, and not all list server groups are directly malicious, but we all need to be aware that they attract the social engineers who are on the hunt to lurk, join in, collect information on potential candidates, and more.

Some of the more directly malicious honeypots, designed to recruit candidates for profit or espionage, sometimes start with a community list server announcement; then, once a number of folks join in, the engineers will invite them to a number of face-to-face group meetings at a designated place to 'get to know each other'. There the social engineers get everyone to introduce themselves and talk about their careers and personal interests. Good social engineers empower the group of individuals. Usually there is a team of social engineers at work during these greet-and-meet gatherings. The team may consist of one individual who works the introductions and performs elicitation of information, while others quietly do analysis, take note of potential candidates, or even buddy up to a candidate to work their way into more personalized future meetings or settings. Once they have a number of good candidates that meet the desired criteria, they will stop the initial honeypot on the list server. Then the social engineering begins to work the potential candidates further, either into a compromising situation, or by focusing on ideology or ego, working the 'feeling of being special or chosen for some project they need help on', or even by appealing to the candidate's needs identified in the initial meetings (money, attention, sex, etc.).

Many social engineers look for tendencies of "MICE", which stands for "Money, Ideology, Compromise or Coercion (depending on source), and Ego", in their subjects. What some work toward is to appeal to the candidate's professional expertise and/or opinions, political opinions, national allegiances, fantasies, or cultural or religious beliefs, and then to manipulate them using the MICE attributes for coercion, with motives spanning financial gain, espionage, criminal activity, human experimentation, and more.

Thursday, September 24, 2009

Introduction to the Art of War on Social Engineering

This site is a place wherein I'd like to get some dialog and sharing started of insights and lessons learned on many advanced types of social engineering taking place in the professional world of high technology and science. In many cases social engineering encounters in these areas can become very frightening, and some may be humorous (yet still considered serious if they get out of hand).

I have come to learn over the years that there is a network of social engineers that take great time and care in research (data collection) and actual teaming to profile many individual subjects to work their way into finding the perfect candidate(s) to manipulate and control in performing actions and/or divulging sensitive information (personal, confidential, trade secrets, or even national security secrets) to profit from (there are many scenarios ranging from espionage to human experimentation). Many people in the general work force don't generally know how to recognize the initiation or the tactics these human/social engineers use. A lot of the time social engineers are personable, engaging, gift-bearing, helpful, and always available in order to position themselves close to their primary target candidates (those whom they will profit most from), using good intelligence collection in order to appeal to or trap their primary target.

Wikipedia has a good site on social engineering: http://en.wikipedia.org/wiki/Social_engineering_%28security%29

Today many people using the internet and web-based media tools have become very open to the international front, using tools such as these blog spots, MySpace, Facebook, Twitter, and many other media tools, leaving themselves a little too open. Readers be aware: the more you communicate about yourself, the more information social engineers can collect on how to appeal to you, capture your attention, etc. Many have the agenda to take advantage of your 'trust' (using whatever information they can gather to appeal to your trust).

Advice today: always be alert to how much information you are giving out on your lifestyle habits, your personal desires, your reactions to things, etc. on these open public channels. You may want to review what information you have already given out, to know what some have collected on you already and can be using. There are thousands of social engineers out there gathering the data and profiling (especially if you work in any area that they may profit from).

More tomorrow!