February 11, 2013

THE SOCIAL MEDIA DECEPTION PROJECT : How We Created Emily Williams To Compromise Our Target

Disclaimer: This post has been modified to exclude specific subjects not approved for public viewing


emily1 new THE SOCIAL MEDIA DECEPTION PROJECT : How We Created Emily Williams To Compromise Our Target

Emily Williams and Robin Sage

Emily Williams and Robin Sage don’t exist in the real world. They are fake social network accounts designed to obtain sensitive information. Robin Sage was created in late 2009 to obtain information from intelligence on US military personnel. Her story was presented at the Black Hat hacker conference upsetting many people by exposing the type of sensitive data provided over social networks. Joey Muniz and Aamir Lakhani decided to go one-step further and ask the hard question: “what else can happen outside of data being leaked over social networks”. We decided to find out using Emily Williams.

NOTE: The research presented is real. Many people reading this are friends with Emily and probably mad at us. We have informed anybody attacked so if you haven’t heard from us, you are just social network friends with Emily.

 

emily2 new THE SOCIAL MEDIA DECEPTION PROJECT : How We Created Emily Williams To Compromise Our Target

Emily’s Real Employer 

Emily Williams was created in November 2011 for Facebook and LinkedIn. Our goal was to pick a specific target and see how far we could penetrate the target using social networks as the entry point for infiltration. The plan was to build up a social network with key personal and launch attacks from Facebook and LinkedIn that compromised systems using social networks. From there, we could gain entry into the network and more or less capture the flag. The research was made public with the goal of educating employees about security around social networks as well as the current potential threats that could target people like you. We had executive approval before conducting the experiment.

Social Network Findings

The first step was creating the Facebook and LinkedIn accounts. We found a non technical female employee from the restaurant industry (that happened to be a few blocks from our target) to volunteer pictures for Emily’s appearance. We developed a fake social security number, residence and other areas that may be searched to make Emily seem real. We gave Emily an IT background from the University of Texas and updated her profile with a matching employment background.

 

emily3 new THE SOCIAL MEDIA DECEPTION PROJECT : How We Created Emily Williams To Compromise Our Target

 Social Engineer Using Facebook Profile Info

 

conversation3 THE SOCIAL MEDIA DECEPTION PROJECT : How We Created Emily Williams To Compromise Our Target

User Flags Emily

Step two was building up friends prior to networking with our target audience. We decided to pick on Joey Muniz’s friends figuring if they flagged her as fake, they wouldn’t inform anybody from our target audience. Within hours we had over 100 friends using manual adding methods. We found very little resistance to accepting her as a friend however one individual not only denied her friend request but also posted to his friends a warning about Emily without actually calling her out. Another funny story was a friend ask “Do I know you?” and by simply replying with information from his social profile, we had him say he remember her. The lesson learned is think about what you post because it could be used against you!

job2 THE SOCIAL MEDIA DECEPTION PROJECT : How We Created Emily Williams To Compromise Our Target

Job Offer Based On Profile Info

Once we had a decent number of friends, we updated her status as a new employee to our target with a technical engineering title. From there, we start adding potential targets starting with sales and mid level technical staff as well as our partners with the target. We not only grew our friends from the organizations, we also started receiving job offers, meeting requests and congratulations on the new job with our target. As our target audience friend number grew, we started moving up the rank eventually capturing people from Human Resources and Engineering who would be responsible for hiring Emily if she existed. We moved all the way up to executive leadership and happy to say our President denied her friend request based on looking for her name is the corporate directory. We have a lot of respect for his diligence.

endorse THE SOCIAL MEDIA DECEPTION PROJECT : How We Created Emily Williams To Compromise Our Target

Can You Trust LinkedIn Endorsing?

At this point we have networked with our target audience and have enough key members linked to perform attacks. Part 2 of this story will feature how we leveraged the social network to obtain access to the network. Consider part 2 the answer to WHY Robin Sage and Emily Williams are a risk for organizations. Stay tuned for part two and again for those involved, don’t worry we didn’t do anything bad to you unless we told you. Oh and thanks for helping us prove our point about the dangers of social networks!

Article written and research conducted by:

Joey Muniz

Blog: www.thesecurityblogger.com

Aamir Lakhani

Blog: www.cloudcentrics.com

VN:F [1.9.22_1171]
Rating: 5.0/5 (1 vote cast)

1 Comment

Filed under Penetration / Hacking, Scams and Social Engineering

Tagged as , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

February 5, 2013

My Awesome Portable Lab – Apple Mac mini Running ESXI 5.0 5.1 hosting Cisco ISE, NCS, Backtrack, Lancope and More

applemacmini My Awesome Portable Lab – Apple Mac mini Running ESXI 5.0 5.1 hosting Cisco ISE, NCS, Backtrack, Lancope and MorePart of my job is being an expert on various technologies. This means having hands on experience with the latest products as well as the ability to demonstrate how specific solutions work. Many vendors are virtualizing their solutions making it easier to build a home lab that is portable and light on power usage. My team has researched the best method for a mobile home lab based on price, size, power consumption and noise. After comparing various servers and laptops, we found the Apple Mac mini to be the best choice. It’s small enough to fit in a backpack, low on power consumption, silent and around $1,400 fully loaded.

The Mac mini is 7.7 by 7.7 and comes with standard apple OS and a hdmi display adaptor.  Some monitors may need a VGA adapter, which a adapter can be purchased for $10-25 dollars. You will need a Apple super drive to load the ESXI ISO and possibly some drivers that are lost during the install depending on your Mac mini model and method of install. I’ve heard people doing it with other media methods such as USB storage however I’ve personally only used the super drive for two different Mac minis. Make sure to have a USB mouse and keyboard as well.

This website covers how to install ESXI 5.X on an older Mac mini (2011 or older) HERE. The steps are very straight forward however one lesson learned is you HAVE TO burn the driver disk that will be mounted from a windows computer. I wasted a dozen CDs burning the drivers with my MAC using various tools yet the CD never mounted. You can use any type of device to burn the ESXI software.

My Awesome Portable Lab – Apple Mac mini Running ESXI 5.0 5.1 hosting Cisco ISE, NCS, Backtrack, Lancope and More Continue reading

VN:F [1.9.22_1171]
Rating: 5.0/5 (1 vote cast)

6 Comments

Filed under Datacenter, General Security

Tagged as , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

January 31, 2013

Invention Market Scam – Don’t Waste Your Money With Davison.

Screen Shot 2013 01 18 at 4.02.28 PM Invention Market Scam – Don’t Waste Your Money With Davison.I discovered a scam while researching methods to develop new ideas. Like many people, I have ideas but unsure how to make them real products. I found firms offering research, prototype development and marketing services for inventions. I decided to run a few ideas through the top advertised firm on Google known as Davison Design & Development.

Experience with Davison

Davison presents itself as a successful invention firm. Their website has customer quotes, products they brought to market (see HERE) and videos from popular TV shows like Lifetime’s The Balancing Act (see HERE). If you search Google for Davison customer feedback, you will find endless complaints and lawsuits. I question Davison about the negative feedback and was provided rebuttal videos targeting the Better Business Bureau as a means to defuse the bad press (see HERE). 

I submitted two ideas under different aliases to put Davison to the test. The first idea is something I believe is great while the other is ridiculous and should be discarded. I filled out an online form for both ideas and eventually spoke with a sales rep. One interesting part of the process is Davison requires users to accept that they have reviewed Davison’s success rate.  As you can see, they are open about how unlikely they can bring your idea to market. My gut tells me this protects Davison from future lawsuits.

Screen Shot 2013 01 11 at 4.33.01 PM Invention Market Scam – Don’t Waste Your Money With Davison.

Users Must Agree Before Submitting Ideas (click to enlarge)

Continue reading

VN:F [1.9.22_1171]
Rating: 0.0/5 (0 votes cast)

1 Comment

Filed under Scams and Social Engineering

Tagged as , , , , , , , , , , , , , , , , , , , , , , ,

January 15, 2013

How To Educate Your Employees About Social Engineering

How To Educate Your Employees About Social EngineeringA common saying is ” Amateurs Hack Systems, Professionals Hack People”.  Social engineering is the art of manipulating people into performing actions or divulging confidential information. People fall for social engineering tricks based on their instinct to be helpful and trusting. The typical attacker never comes face-to-face with a victim using deception through email, social networks or over the phone.

Consultants list end-user training as a top prevention to defend against social engineering. How should you provide training for your user community? Here are some tips for educating your staff about common social engineering attacks.

Explain Why Policies Exist

How To Educate Your Employees About Social Engineering

It is common to see organizations send out policy reminders without explaining why they exist. The average user will delete a policy email once they realize its standard legal language.

Try explaining why users should care. For example, start off with a scenario about an email account being violated and or company data compromised. Include details about what social engineer tactic was used, investment by IT to clean up the issue and ways to avoid the threat. Close with the policy being enforced.

Provide Examples Beyond The Intranet

How To Educate Your Employees About Social Engineering

Organizations typically send warning emails to employees when they discover threats to internal sources. It is rare to see companies extend warnings about phishing or other external attacks. Try periodically sending out examples of different social engineering attacks highlighting what to look for and where they are common. Examples should include social networks, fake URLs, craiglist scams and threats using shareware. Your end-users can be targeted anywhere so educate on all forms of social engineering attacks. Continue reading

VN:F [1.9.22_1171]
Rating: 0.0/5 (0 votes cast)

2 Comments

Filed under Scams and Social Engineering

Tagged as , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

January 8, 2013

The Business Value Of NetFlow : Why Invest In NetFlow Technology?

The Business Value Of NetFlow : Why Invest In NetFlow Technology?There has been a rapid increase in demand for security solutions that can defend against Advanced Persistent Threats (APTs). Why? Because today, cyber criminals don’t use a specific attack to compromise targeted networks.

Successful attacks are typically made up of a number of chained exploits. A hacker may start with social engineering, deliver malware through phishing and gain internal access through compromised machines. Once the hacker has established a foothold into the internal network, he may spread rootkits through a hidden torrent like environment to communicate under the radar and steal information.

Defending against attacks like this is difficult to detect and to remediate. Point productions may catch a piece of the puzzle however you will need the complete picture to deal with sophisticated attacks. Solutions must have network wide visibility, which typically can be accomplished through logging, packet capture or network analysis. Logging requires security tools such as firewalls and IPS appliances spread across the network sending logs to a centralized system for event correlation and reporting. Analyzing packets usually requires collectors analyzing a tremendous amount of data obtained from key network segments. Network security and performance analytics can be obtained directly from network devices capable of providing NetFlow such as routers and firewalls.

Of the three methods, network analysis is becoming an extremely attractive method to defend against advanced threats since NetFlow can be harvested from existing devices.

What are the key reasons to invest in NetFlow when an organization has already invested in firewalls, anti-virus, IPS systems, and other security tools? Continue reading

VN:F [1.9.22_1171]
Rating: 5.0/5 (1 vote cast)

1 Comment

Filed under Security Management & Analysis

Tagged as , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

January 7, 2013

Does Your Alarm Have a Default Duress Code?

Brian Kerbs on his website Kerbs on Security writes a great article on how alarm systems can have a distress code

Sometimes it takes a security scare to help improve your overall security posture. Case in point: Over the holidays, I learned that our alarm system — one of the most widely used home security systems in America — contains a default code that disables the alarm. Although entering this code simultaneously alerts the police that an intruder is in the house, it also could give thieves just enough time to get away with your valuables without alerting the neighbors.

IMG 5008 285x293 Does Your Alarm Have a Default Duress Code?

Over the holidays, I lost my keychain. On said chain was a very expensive key fob for unlocking and starting our car, the keys to our front door, and a remote control that arms and disarms the alarm system. For several days, the wife and I searched frantically and repeatedly for the keys. Needless to say, I didn’t leave the house the whole time. In the hopes of perhaps disabling the alarm keyfob myself, I downloaded the user manual for my alarm system (a Safewatch Pro 3000), but I could not figure out a way to complete the process.

After of the fourth day of failing to locate the missing keys, we decided it was time to call a locksmith and ADT, our alarm company. The ADT technician arrived promptly and was extremely fast, courteous and helpful. But he said he couldn’t remove the fob without plugging in an external keyboard that he had on hand.

As he worked, I asked him about a feature of the alarm system that I’d read about in the manual: A duress code. Simply put, a duress code is a secondary, covert signal designed to be entered on the alarm keypad in the event that an attacker or robber ambushes you at home and forces you to disarm the system. A duress code will appear to disarm the system, but it will also send a silent panic alert to the ADT monitoring station that a potentially hostile intruder has entered the home.

I asked the technician how difficult it would be to set up a duress code for my system. He informed me that there was already one programmed into my unit, and that ADT technicians routinely set all systems like mine with the same default duress code: 2-5-8-0, the four digits that run straight down the middle of the keypad.

My temporary shock was interrupted by a phone call, and before I knew it the technician was done and heading to his next appointment. Later that evening, several Internet searches confirmed the technician’s statement. Thankfully, ADT helped me change the code to one of my choosing, but it took some trial and error via ADT’s phone support staff. The ADT support lady told me that my alarm panel indeed was supposed to be configured by the technician with a duress code of 2-5-8-0. Continue reading

VN:F [1.9.22_1171]
Rating: 0.0/5 (0 votes cast)

1 Comment

Filed under Penetration / Hacking, Physical Security

Tagged as , , , , , , , , , , , , , , , , , , , , ,

January 2, 2013

Two Cool Gadgets To Help Be Healthy This Year: Zombies, Run! Jawbone UP

This blog is typically dedicated to security topics however I thought I would share about two cool gadgets I’ve been using to a live healthier lifestyle. Check them out and make 2013 a healthier year for you.

Zombies, Run!zombies1 Two Cool Gadgets To Help Be Healthy This Year: Zombies, Run! Jawbone UP

I love playing soccer but HATE running as a form of exercise. The problem I have is my mind concentrates on how uncomfortable I feel. I can run for miles on the soccer field but not around the neighborhood.

Zombies, Run! makes running fun. It’s an iPhone / Android app that puts you in the middle of a Zombie apocalypse. There are too many Zombies to shoot so “runners” like you have to go out and gather supplies without weapons. You start a mission and run like your normally would wearing headphones and listening to music. The app plays music off your mobile device playlist and periodically interrupts with radio transmissions from an operator updating you on your mission status. You also pick up virtual supplies while running to bring back to base. Your actual running route doesn’t matter however the distance and pace determines how you do. You can also use this app on a treadmill.

That’s all cool however the real fun is randomly Zombies will chase you. Zombies, Run! uses your GPS to track your speed and warns you to run faster as zombies approach. You start hearing Zombies moaning over your music as they get close which really makes you push yourself. The app will start beeping when Zombies are nearby and prompt you every mile about your pace. 

photo Two Cool Gadgets To Help Be Healthy This Year: Zombies, Run! Jawbone UP

Run Log shows when Zombies attacked, virtual things I picked up and radio transmissions

photo 5 Two Cool Gadgets To Help Be Healthy This Year: Zombies, Run! Jawbone UP

List of missions I’ve completed and not unlocked Continue reading

VN:F [1.9.22_1171]
Rating: 0.0/5 (0 votes cast)

1 Comment

Filed under General Security

Tagged as , , , , , , , , , , , , , , , , , , ,

December 28, 2012

Protect Your Communication Using Free Tools: Secure E-mail and Hiding Messages with Steganography

es66715 coversecret Protect Your Communication Using Free Tools: Secure E mail and Hiding Messages with Steganography

Is There More To This Image?

How we communicate has become extremely easy in today’s digital society.  Most mobile devices offer software that integrates with social networks, business applications and e-mail. People share anything from where they are eating to what they are about to eat in near real-time (personally I find it annoying). This convenience makes securing communication more difficult since most digital messages leave a digital fingerprint as well as usually transmitted over nonsecure sources. My team has demonstrated how hackers can steal data in transit using man-in-the-middle attacks with tools like the Pine Apple (more HERE), BeEF (more HERE), and compromising mobile devices to pull up old text messages and e-mails.

How can you protect your communication? Best practice is investing in multifactor authentication to trusted systems, VPN technology for communication outside of a secure network, data loss prevention monitoring what data is permitted to leave a secure network, internal network security products and host based security to stop key loggers and other threats. Communication solutions should offer a mix of confidentiality (protecting the information), integrity (can’t modify the message), availability, authenticity (message is genuine) and non-repudiation (guarantee sent and received).

Meeting best practice typically requires investments in multiple technologies however what about the average user looking to send a sensitive message? There are methods to send messages securely using free tools. One option is using a secure e-mail solution. Hushmail offers free PGP-encrypted e-mail and file storage. If you look at the image below, you will see the checkbox for encrypting the outgoing message as well as how Hushmail enforces a strong passphrase promoting secure e-mail standards. The downside of Hushmail is it doesn’t offer some of the flashy features other e-mail services include such as chat or customizable backgrounds.

Screen Shot 2012 12 26 at 7.46.40 PM Protect Your Communication Using Free Tools: Secure E mail and Hiding Messages with Steganography

Setting up a Hushmail account

Screen Shot 2012 12 26 at 7.47.54 PM1 Protect Your Communication Using Free Tools: Secure E mail and Hiding Messages with Steganography

 Sending Encrypted E-mails Continue reading

VN:F [1.9.22_1171]
Rating: 0.0/5 (0 votes cast)

7 Comments

Filed under Data Loss Prevention, General Security

Tagged as , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

December 18, 2012

Beating Signature Based Security – Dynamic Software That Obfuscates Malware

Most Security solutions leverage a combination of signature and behavior based technology (more HERE). This worked in the past however today these solutions are not good enough regardless if you layer multiple products that are built upon similar scanning methods. There are many ways to bypass point Security products such as throttling behavior and masking the known fingerprint of the attack code. A example of a technique used to hide malware from popular Anti-Virus packages is leveraging Dynamic Obfuscation software. Screen Shot 2012 12 10 at 9.53.38 AM Beating Signature Based Security – Dynamic Software That Obfuscates Malware

Obfuscation software was designed to protect source code from piracy by making the original code more complicated to read while retaining functionality. There are commercial obfuscation software packages available for programmers looking to hide their source code which is also obtainable for malware developers. This is bad for anti-virus vendors responsible for developing methods to fingerprint malicious code.

Malware producers can make things even more difficult for Anti-Virus vendors by adding dynamic elements that randomizes malicious code and encryption keys on the fly. For example, a victim accessing a malicious website could see a different variation of the same exploit each session. Dynamic obfuscation provides an endless number of variants making it almost impossible for signature based Security to identify the threat.

There are dozens of examples for commercial Java obfuscator packages. Some common packages are Zelix KlassMaster, Dash-O, ProGuard, Smokescreen, Thicket and Allitori. Popular penetration toolsets such as Metasploit also include malware obfuscating modules such as the VoMM module. Research on VoMM from a few years ago can be found HERE .

Screen Shot 2012 12 10 at 1.16.37 PM Beating Signature Based Security – Dynamic Software That Obfuscates MalwareScreen Shot 2012 12 10 at 1.26.46 PM Beating Signature Based Security – Dynamic Software That Obfuscates Malware

Examples of Java Obfuscation Software Continue reading

VN:F [1.9.22_1171]
Rating: 0.0/5 (0 votes cast)

Leave a Comment

Filed under General Security, Internet Defense, Penetration / Hacking, Security Management & Analysis

Tagged as , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

December 14, 2012

Cool Tool: BeEF – Browser Exploitation Framework On BackTrack 5

BeEF5 Cool Tool: BeEF Browser Exploitation Framework On BackTrack 5

There are many cool penetration applications that should be included in your hacking arsenal such as one of our favorites known as BeEF. BeEF (short for The Browser Exploitation Framework) is a browser based exploit package that “hooks” one or more browsers as beachheads for launching attacks. A user can be hooked by accessing a url and continue to see typical web usage while the attacker has access to the user’s session. BeEF bypasses network security appliances and host based anti-virus applications by targeting vulnerabilities found in common browsers such as Internet Explorer and Firefox. BeEF is included with the latest BackTrack 5 r3 and can be found at beefproject.com

BeEF12 Cool Tool: BeEF Browser Exploitation Framework On BackTrack 5

Backtrack Prep

Before you setup BeEF, we need to do a few house keeping items on Backtrack. First you may want to disable the firewall to prevent blocking the BeEF services. We are doing this for our lab however this step is optional.

Open up a terminal window and type the following commands:

IPTABLES -F
IPTABLES -X
IPTABLES -t nat -F
IPTABLES -t nat -X
IPTABLES -t mangle -F
IPTABLES -t mangle -X
IPTABLES -P INPUT ACCEPT
IPTABLES -P FORWARD ACCEPT
IPTABLES -P OUTPUT ACCEPT

To setup BeEF in BackTrack 5, you can run a script found HERE. One you run the script and updates, run BeEF from the backtrack 5 application list to see the management GUI IP and hook URL. When you access the management interface via a web browser, you log in with the default “beef” credentials to see the main dashboard.

BeEF 1 Cool Tool: BeEF Browser Exploitation Framework On BackTrack 5Launching After Updates

BeEF 2 Cool Tool: BeEF Browser Exploitation Framework On BackTrack 5The Main Dashboard

BeEF3 3 Cool Tool: BeEF Browser Exploitation Framework On BackTrack 5Dashboard and Hook IP Addresses. Shows BeEF server is running Continue reading

VN:F [1.9.22_1171]
Rating: 5.0/5 (1 vote cast)

1 Comment

Filed under General Security, Penetration / Hacking