Friday, February 11, 2011

Social Engineering: 3 Examples of Human Hacking

Chris Hadnagy gets paid to fool people, and he's gotten pretty good at it over the years. A co-founder of social-engineering.org and author of Social Engineering: The Art of Human Hacking, Hadnagy has been using manipulation tactics for more than a decade to show clients how criminals get inside information.
Hadnagy outlines three memorable stories of social engineering tests that he's included in his new book, and points out what organizations can learn from these results.
The Overconfident CEO
In one case study, Hadnagy outlines how he was hired as a social engineering (SE) auditor to gain access to the servers of a printing company that had proprietary processes and vendor relationships its competitors were after. In a phone meeting with Hadnagy's business partner, the CEO informed him that "hacking him would be next to impossible" because he "guarded his secrets with his life."
"He was the guy who was never going to fall for this," said Hadnagy. "He was thinking someone would probably call and ask for his password and he was ready for an approach like that."
After some information gathering, Hadnagy found the locations of servers, IP addresses, email addresses, phone numbers, physical addresses, mail servers, employee names and titles, and much more. But the real prize came when Hadnagy learned that the CEO had a family member who had battled cancer and survived; as a result, the CEO was interested and involved in cancer fundraising and research. Through Facebook, Hadnagy was also able to get other personal details about the CEO, such as his favorite restaurant and sports team.
Armed with the information, he was ready to strike. He called the CEO and posed as a fundraiser from a cancer charity the CEO had dealt with in the past. He informed him they were offering a prize drawing in exchange for donations--and the prizes included tickets to a game played by his favorite sports team, as well as gift certificates to several restaurants, including his favorite spot.
The CEO bit, and agreed to let Hadnagy send him a PDF with more information on the fund drive. Hadnagy even got the CEO to tell him which version of Adobe Reader he was running, under the pretext "I want to make sure I'm sending you a PDF you can read"; the version number told him exactly which reader the malicious PDF had to work against. Soon after he sent the PDF, the CEO opened it, and it installed a shell that gave Hadnagy access to his machine.
When Hadnagy and his partner reported back to the company about their success with breaching the CEO's computer, the CEO was understandably angry, said Hadnagy.
"He felt it was unfair we used something like that, but this is how the world works," said Hadnagy. "A malicious hacker would not think twice about using that information against him."
Takeaway 1: No information, regardless of its personal or emotional nature, is off limits for a social engineer seeking to do harm
Takeaway 2: It is often the person who thinks he is most secure who poses the biggest vulnerability. One security consultant recently told CSO that executives are the easiest social engineering targets.
The theme-park scandal
The target in this next case study was a theme park client that was concerned about potential compromise of its ticketing system. The computers used to check-in patrons also contained links to servers, client information and financial records. The client was concerned that if a check-in computer was compromised, a serious data breach might occur.
Hadnagy started his test by calling the park, posing as a software salesperson. He was offering a new type of PDF-reading software, which he wanted the park to try through a trial offer. He asked what version they were currently using, got the information easily, and was ready for step two.
The next phase required on-site social engineering, and Hadnagy used his family to help it succeed. Walking up to a ticket window with his wife and child in tow, he asked the employee whether he could use her computer to open a file from his email. The email carried a PDF attachment, supposedly a coupon for discounted admission.
"The whole thing could have gone south if she said 'No, sorry, can't do that,'" explained Hadnagy. "But looking like a dad, with a kid anxious to get into the park, pulls at the heart strings."
The employee agreed, and the park's computer system was quickly compromised by Hadnagy's bad PDF. Within minutes, Hadnagy's partner was texting him to let him know he was 'in' and 'gathering information for their report.'
Hadnagy also points out that while the park's employee policy states that staff should not open attachments from unknown sources (even for a customer needing help), there were no controls in place to actually enforce it.
"People are willing to go to great lengths to help others out," said Hadnagy.
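Both PDFs in these two stories were opened on a workstation that would open anything it was handed. As an added example, not from the article or from Hadnagy's book, the Python below is the kind of static check a mail gateway or a help-desk tool can apply to a PDF before a person decides whether to open it. The article does not say which reader flaw either PDF exploited, so the check targets no particular vulnerability: it flags the PDF features that let a document run JavaScript, launch a program or fire an action on open, and it sees through the two cheapest ways of hiding them (#xx escapes inside names and FlateDecode-compressed objects). The two PDFs it scans are constructed for the demonstration, and the key list and quarantine policy are this example's choices, not anything from the page.

```python
"""Static triage of a PDF attachment for active content.

Flags the PDF name objects that let a document run JavaScript, launch a
program or fire an action on open.  Unescapes #xx name obfuscation and
inflates FlateDecode streams so the keys cannot simply be tucked into a
compressed object.  A hit is a triage signal, not proof of an exploit:
legitimate forms also use /AA and /AcroForm.
"""
import re
import zlib

RISKY_KEYS = {
    b"/OpenAction": "action fires when the document is opened",
    b"/AA": "additional actions (page, field or document events)",
    b"/JavaScript": "JavaScript action",
    b"/JS": "JavaScript payload",
    b"/Launch": "launches an external program",
    b"/EmbeddedFile": "carries an embedded file",
    b"/RichMedia": "Flash / rich media content",
}
# Example policy: any of these alone is reason enough to hold the file.
QUARANTINE_KEYS = {"/OpenAction", "/JavaScript", "/JS", "/Launch", "/RichMedia"}


def _unescape_names(data: bytes) -> bytes:
    """Resolve #xx escapes inside names, e.g. /Open#41ction -> /OpenAction."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def _inflated_streams(data: bytes):
    """Yield the decompressed body of every stream that inflates cleanly."""
    for m in re.finditer(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:
            yield zlib.decompress(m.group(1))
        except zlib.error:
            continue  # not Flate-encoded or corrupt; the raw body is scanned anyway


def scan_pdf(data: bytes) -> dict:
    """Return {key: count} for every risky key found in the file or its streams."""
    findings = {}
    for view in [data, *_inflated_streams(data)]:
        view = _unescape_names(view)
        for key in RISKY_KEYS:
            # Boundary check so /JS does not also match longer names like /JSDoc.
            hits = len(re.findall(re.escape(key) + rb"(?![A-Za-z0-9])", view))
            if hits:
                findings[key.decode()] = findings.get(key.decode(), 0) + hits
    return findings


def verdict(findings: dict) -> str:
    """Gateway decision for a scan result."""
    return "quarantine" if QUARANTINE_KEYS.intersection(findings) else "allow"


# Constructed samples (not the PDFs from the article).  The first hides
# /OpenAction behind a #41 escape and a /Launch action inside a compressed stream.
_launch_obj = zlib.compress(b"<< /S /Launch /F (cmd.exe) >>")
MALICIOUS_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /Open#41ction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"4 0 obj << /S /JavaScript /JS (app.alert('hi')) >> endobj\n"
    b"5 0 obj << /Length " + str(len(_launch_obj)).encode() + b" /Filter /FlateDecode >>\n"
    b"stream\n" + _launch_obj + b"\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for name, blob in (("malicious", MALICIOUS_PDF), ("benign", BENIGN_PDF)):
        found = scan_pdf(blob)
        print(f"{name}: {verdict(found)} {found}")
```

The scan is a filter, not a detector of exploitation: a PDF can also exploit a parser bug in a font or image object with none of these keys present, which is why the reader-version question in the CEO story matters, and why patching the reader, not just filtering attachments, remains the primary control.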
Takeaway 3: Security policy is only as good as its enforcement
Takeaway 4: Criminals will often play to an employee's good nature and desire to be helpful
The hacker is hacked
Hadnagy gives a third example showing how social engineering was used for defensive purposes. He profiles 'John,' a penetration tester hired to conduct a standard network pen test for a client. John ran a scan using Metasploit, which revealed an open VNC (Virtual Network Computing) server: a remote-desktop service that lets whoever connects to it control the machine it runs on.
He was documenting the find with the VNC session open when, suddenly, in the background, a mouse began to move across the screen. John knew it was a red flag: at that time of day, no user would legitimately be connected to the machine. He suspected an intruder was on the network.
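What an "open VNC server" looks like on the wire, as an added example that is not from the book or the article: the Python below speaks the client half of the RFB handshake (the protocol behind VNC) and reports whether the server offers security type 1, "None", the case in which anyone who can reach TCP port 5900 gets the desktop with no password. The two server messages it decodes offline are constructed for the demonstration; probe() runs the same exchange against a live host, and the address in its comment is a documentation placeholder, not a real target.

```python
"""Does a VNC server accept connections without authentication?

Client side of the RFB handshake (the protocol under VNC): read the
server's 12-byte version banner, echo it back to accept that version,
then read the security types the server offers.  Type 1 ("None") means
whoever can reach the port gets the desktop.  RFB 3.3 servers send one
big-endian u32 type instead of a list, so both encodings are handled.
"""
import socket
import struct

SECURITY_TYPES = {
    0: "refused",
    1: "None (no authentication)",
    2: "VNC Authentication (DES challenge, password capped at 8 chars)",
    5: "RA2",
    16: "Tight",
    18: "TLS",
    19: "VeNCrypt",
}


def parse_version(banner: bytes) -> tuple:
    """Parse b'RFB 003.008\\n' into (3, 8)."""
    if len(banner) != 12 or not banner.startswith(b"RFB ") or banner[11:] != b"\n":
        raise ValueError(f"not an RFB version banner: {banner!r}")
    major, minor = banner[4:11].split(b".")
    return int(major), int(minor)


def parse_security_types(version: tuple, payload: bytes) -> list:
    """Decode the security-type message that follows the version exchange."""
    if version <= (3, 3):
        # RFB 3.3: the server dictates a single type as a big-endian u32.
        (sec_type,) = struct.unpack(">I", payload[:4])
        return [sec_type]
    # RFB 3.7+: u8 count followed by that many u8 types.  Count 0 means the
    # server refused, and a u32 length plus a reason string follow.
    count = payload[0]
    if count == 0:
        (reason_len,) = struct.unpack(">I", payload[1:5])
        reason = payload[5:5 + reason_len].decode("latin-1", "replace")
        raise ConnectionError(f"server refused the connection: {reason}")
    return list(payload[1:1 + count])


def classify(sec_types: list) -> str:
    """Triage verdict for the offered security types."""
    if 1 in sec_types:
        return "UNAUTHENTICATED"
    if set(sec_types) == {2}:
        return "password only (VNC Authentication)"
    return "other: " + ", ".join(SECURITY_TYPES.get(t, f"type {t}") for t in sec_types)


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes or fail; recv() may return short reads."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection during the handshake")
        buf += chunk
    return buf


def probe(host: str, port: int = 5900, timeout: float = 3.0) -> tuple:
    """Run the live handshake against host:port; return (version, security types)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        banner = _recv_exact(sock, 12)
        version = parse_version(banner)
        sock.sendall(banner)  # accept the server's version
        if version <= (3, 3):
            payload = _recv_exact(sock, 4)
        else:
            payload = _recv_exact(sock, 1)
            if payload[0] == 0:
                payload += _recv_exact(sock, 4)
                payload += _recv_exact(sock, struct.unpack(">I", payload[1:5])[0])
            else:
                payload += _recv_exact(sock, payload[0])
        return version, parse_security_types(version, payload)


# Constructed server messages (not captured from the story) for offline use.
OPEN_SERVER = (b"RFB 003.008\n", b"\x02\x01\x02")          # offers None and VNC auth
PASSWORD_SERVER = (b"RFB 003.003\n", b"\x00\x00\x00\x02")  # RFB 3.3, VNC auth only

if __name__ == "__main__":
    for banner, payload in (OPEN_SERVER, PASSWORD_SERVER):
        version = parse_version(banner)
        print(version, classify(parse_security_types(version, payload)))
    # Live use against a placeholder host (documentation address, not a real target):
    # print(classify(probe("192.0.2.10")[1]))
```

A server that offers "None" alongside VNC Authentication is still open: the client picks the type, so the intruder in the story would simply have chosen type 1. "Password only" is better but still weak, since classic VNC Authentication truncates the password to eight characters and sends the desktop unencrypted afterwards; the fix for a finding like John's is to bind VNC to localhost and reach it over SSH or a VPN.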
Taking a chance, John opened Notepad and began chatting with the intruder, posing as a 'n00b' hacker, someone who is new and unskilled.
"He thought 'How can I get more information from this guy and be more valuable to my client?'" said Hadnagy. "John played to the guy's ego by trying to pretend he was a newbie who wanted to learn more from a master hacker."
John asked the hacker several questions, pretending to be a younger person who wanted to learn some tricks of the hacking trade and keep in touch with another hacker. By the time the chat was over, he had the intruder's email address, contact information, and even a picture of him. He reported the information back to his client, and the exposed VNC server was locked down as well.
Hadnagy also points out that John learned through the conversation that the hacker had not really been 'targeting' the company; he had just been looking around for something easy to compromise and found that open system with little effort.
Takeaway 5: Social engineering can be part of an organization's defense strategy
Takeaway 6: Criminals will often go for the low-hanging fruit. Anyone can be a target if security is low.

Nokia CEO: Apple, Google Beating Us in Smartphone War

In a blunt and detailed analysis of Nokia, the company's new chief executive told employees that Apple's iPhone and Google's Android phones have left his company in the dust. Nokia, still the world's largest phone manufacturer by volume, has seen its smartphone market share eroded over the past few years by rising stars such as the iPhone and the Android army.
Nokia chief executive Stephen Elop wrote in a memo leaked by Engadget that "the first iPhone [was] shipping in 2007, and we still don't have a product that is close to that experience. Android came on the scene just over two years ago, and this week they took our leadership position in smartphone volumes. Unbelievable."
Chasing The Wrong Strategy
Elop, who was named Nokia's president and CEO in September, identified in a 1,300-word memo the main problems the company is facing, "while competitors poured flames on our market share." "We fell behind, we missed big trends, and we lost time. At that time, we thought we were making the right decisions; but, with the benefit of hindsight, we now find ourselves years behind," Elop wrote.
The Nokia CEO recognized Apple's iPhone was a game changer: "Apple demonstrated that if designed well, consumers would buy a high-priced phone with a great experience and developers would build applications. They changed the game, and today, Apple owns the high-end range."
At the same time, Google is cutting deep into Nokia's former strengths, Elop notes: "Android came in at the high-end, they are now winning the mid-range, and quickly they are going downstream to phones under $135. Google has become a gravitational force, drawing much of the industry's innovation to its core."
The Wake-Up Call

The problem with Nokia is that it doesn't bring enough innovation to the market, according to Elop: "We thought MeeGo would be a platform for winning high-end smartphones. However, at this rate, by the end of 2011, we might have only one MeeGo product in the market." Symbian, the mid-range platform, "has proven to be noncompetitive in leading markets like North America" too.
In a stark warning, or just clear vision of the future, Elop wrote of Nokia that "if we continue like before, we will get further and further behind, while our competitors advance further and further ahead. [...] And the truly perplexing aspect is that we're not even fighting with the right weapons. [...] Nokia, our platform is burning," Elop warned.
Where Do We Go From Here
Elop is expected to announce a new strategy on Feb. 11, in a "huge effort to transform our company." While no official details have been yet made available, it is rumored that Elop, a former Microsoft executive, would put the new Windows Phone 7 operating system on a new breed of Nokia devices.

LG seeks to block PlayStation 3, Bravia TV imports

LG Electronics is seeking to block imports of the Sony PlayStation 3, according to a report.
Bloomberg reported Tuesday that LG has filed a complaint with the U.S. International Trade Commission to block imports of the PlayStation 3 as well as certain Sony Bravia televisions.
LG's suit can be seen as a response to one Sony filed in late December; in it, Sony claimed that several LG phones infringe Sony's patents. They include the LG Quantum, the new Windows Phone 7 device available on AT&T, as well as the Cosmos, Accolade, Encore, enV Touch, Fathom, Glance, GU295, Lotus Elite, LX370, Neon, Remarq, Rumor Touch, VL600, Vu Plus, and Xenon.
Sony said it wants the ITC or the court to stop LG from importing, selling, marketing, advertising, or demonstrating the infringing devices in the U.S., the same request that LG made of the agency.
LG had not confirmed that it had filed a complaint at press time.
LG also filed civil suits against Sony in federal court in California, making similar claims, Bloomberg reported.
Geek.com suggested that the recently hacked PlayStation 3 could be pulled off store shelves while the dispute was hammered out, and then re-shipped with new hardware that eliminated the hack.

HP TouchPad vs. Motorola Xoom vs. iPad: How They Stack Up

These three big tablets may look the same, but they have some important hardware and software differences.
By Daniel Ionescu

To look at them, there's not much difference between the HP TouchPad announced Wednesday, Motorola's Xoom (arriving later this month), and the Apple iPad. But if you look beyond the roughly 10-inch touchscreens, you'll find some significant differences.

In physical size and weight, the TouchPad is nearly identical to the iPad; its screen size (9.7 inches) and resolution (1024 by 768 pixels) match the iPad's specs, too. The Motorola Xoom has a slightly larger screen (10.1 inches) and resolution (1280 by 800 pixels), making it a bit bigger, though just as heavy. Together, the three tablets represent the top end of modern tablet computers.
The TouchPad runs on a speedy dual-core Snapdragon processor from Qualcomm. The Xoom is also dual-core, with an Nvidia Tegra 2 chip. Only the iPad runs on a single-core (Apple-customized) A4 processor. The iPad also has the least amount of RAM (256MB), while the TouchPad and Xoom run on four times more memory (1GB). The speedier processors should help the tablets open and run apps faster, while more RAM aids in multitasking (both improvements take a toll on battery life, however).
Although the TouchPad will come in 16GB and 32GB versions, the Xoom will come in just one 32GB version. The iPad also has a 64GB version. Only the Xoom offers expandable storage via an SD Card slot.
Initially the TouchPad will support only Wi-Fi connections, with a 3G version to come later. Motorola is taking the opposite approach with the Xoom, which will initially launch only in a 3G version, with a Wi-Fi-only version to follow. The iPad comes in both Wi-Fi and 3G models. Motorola says the Xoom will work with Verizon's network, while the iPad works on AT&T's network out of the box.
The TouchPad has only a front-facing camera for video calling. The Xoom will have two cameras (one on the back and one on the front), and the iPad has none. The iPad also lacks stereo speakers and a gyroscope.
Other perks from the iPad competitors: The TouchPad can charge wirelessly with a separate accessory, and the Xoom can output HD video.
But the biggest differentiator between the tablets will be their OSs.

The HP TouchPad will be the first tablet running WebOS, the operating system that HP acquired in its purchase of Palm last year. The TouchPad will employ the same card-stack metaphor for organizing apps found on Palm smartphones. That interface looks even more at home on the larger screen of a tablet. Right now we've heard few details about changes to the OS for the tablet, and reviewers got no hands-on time with it.
Android 3.0 ("Honeycomb") on the Motorola Xoom is also new. The OS, specifically designed for tablets, brings several new interface elements previously unseen on Android smartphones (for more, see an in-depth tour of Honeycomb).
Lastly, iOS on the iPad (due for an upgrade soon) is familiar to anyone who has used an iPhone or iPod Touch.
Because of its massive head start, the iPad has the most apps available for it (over 60,000 at this writing). Presumably, only a small selection of programs will be available for the TouchPad and Xoom at their respective launches. Of course, both will likely be able to run apps designed for WebOS or Android smartphones, but experience with the iPad has shown that running smartphone apps on a tablet is generally unsatisfying.

Perhaps the most important unanswered question is how much these new tablets will cost. You can buy an iPad for as little as $499. Early rumors are that the Xoom may start at $799 (ouch!), and HP didn't give any information about price at its Wednesday event.
Finally, let's not forget that the iPad is a year old, and it's due for a refresh any time now. This means that by the time the TouchPad and Xoom arrive on the market, they will have to fight not only the old iPad (which may remain on sale at an even lower price) but also a freshly revamped iPad 2.
Which big tablet are you thinking of buying? A TouchPad, a Xoom, an iPad? Or will you wait for the iPad 2? Sound off in the comments.

Google and Facebook tried to buy Twitter

Executives from Facebook, Google and other companies have held talks with Twitter about a possible purchase of the microblogging service, in discussions that value it at around $10 billion, according to the Wall Street Journal.
The value is high for a company whose revenue was only $45 million last year, which posted a loss, and which estimates that revenue this year will be between $100 million and $110 million, the newspaper said.
Despite what appears to be an overvaluation, Twitter executives said they had no interest in selling.
Twitter's executives believe they can build the company into a $100 billion business, the newspaper said. This is one reason Twitter has recently hired engineers and other employees, along with a new team of executives, including CEO Dick Costolo, formerly of Google.
The newspaper did not say whether any formal offer would be imminent.
Twitter is a popular microblogging site where people post short messages, or tweets, up to 140 characters about what they are doing, thinking or anything else. The site has become a useful tool for professionals in entertainment and sports personalities to keep fans informed about where they are and their opinions on popular topics.
Companies are using Twitter to announce new products and innovations, and the site's 175 million registered users pass along useful information, such as traffic conditions, to their followers.

Facebook mulls $1 bln employee share sale: Report

SAN FRANCISCO: Facebook may let its employees sell up to $1 billion of their shares to institutional investors at a price that values the company at about $60 billion, an influential industry blog reported.

Facebook is pondering the move after entertaining approaches from a number of major institutions interested in investing in the world's largest social network, the All Things Digital technology blog cited sources as saying on Thursday.

That valuation would surpass previous measures. Last month, the company founded by Mark Zuckerberg in a Harvard dorm room raised $1.5 billion of financing in a round led by Goldman Sachs, which valued it at $50 billion.

Facebook, whose online service counts more than half a billion users worldwide, is expected to go public around 2012.

A Facebook spokesman declined to comment. Investors have been eager to buy shares of Facebook before then and have gone to private exchanges, where shareholders like venture capitalists and former employees have put some of their stock up for sale.

Facebook tightly restricts current employees from selling their shares on private exchanges, making it difficult for them to cash in on the company's success.

In 2009, Facebook arranged for Russian investment firm Digital Sky Technologies to purchase at least $100 million of common shares from its employees. DST was also part of the deal led by Goldman Sachs in January.

Last year, Facebook overtook Google Inc to become the most visited website in the United States, according to online analytics firm Experian Hitwise.

The company is generating profits at a faster-than-expected rate, according to a document distributed by Goldman Sachs last month.

Facebook is among several fast-growing privately held Web companies, including Twitter, Zynga and Groupon, that investors have been anxious to buy into ahead of potential public listings.

But liquidity on private exchanges has been low and since Facebook so far has not been forced to publicly report its earnings there is little transparency for investors.



Chinese hackers target oil companies: US computer security firm

WASHINGTON: Hackers from China have penetrated computer networks of global oil companies, stealing financial documents on bidding plans and other confidential information, a US computer security firm said Thursday.

"Starting in November 2009, coordinated covert and targeted cyberattacks have been conducted against global oil, energy, and petrochemical companies," the Santa Clara, California-based McAfee said in a report.

In addition to attacking company computers, the hackers struck "individuals and executives in Kazakhstan, Taiwan, Greece, and the United States to acquire proprietary and highly confidential information," McAfee said.

"Files of interest focused on operational oil and gas field production systems and financial documents related to field exploration and bidding," McAfee said.

The industrial espionage charges are the latest leveled against hackers in China, which was accused in a report by the US-China Economic and Security Review Commission last year of waging massive attacks on US computer systems.

McAfee did not identify any of the companies targeted by the hackers but it said all of the evidence pointed to them being based in China.

"We have identified the tools, techniques, and network activities used in these continuing attacks -- which we have dubbed Night Dragon -- as originating primarily in China," McAfee said.

Hacking tools "widely available on the Chinese underground" were used to break into a company's intranet and obtain access to sensitive desktops and servers, it said.

"They proceeded to connect to other machines (targeting executives) and exfiltrating email archives and other sensitive documents," McAfee said.

The computer security firm said "many actors" took part in the attacks but it had identified an individual in Heze City, Shandong Province, who provided the "crucial (command and control) infrastructure to the attackers."

"Although we don't believe this individual is the mastermind behind these attacks, it is likely this person is aware or has information that can help identify at least some of the individuals, groups, or organizations responsible for these intrusions," it said.

McAfee said "all of the identified data exfiltration activity occurred from Beijing-based IP addresses and operated inside the victim companies weekdays from 9:00 am to 5:00 pm Beijing time."

This suggests, it said, "that the involved individuals were 'company men' working on a regular job, rather than freelance or unprofessional hackers."
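The working-hours observation is something a responder can test on their own data. The Python below is an added example, not McAfee's analysis or tooling: it parses constructed outbound-session records with UTC timestamps, converts each one into a set of candidate time zones using fixed offsets (Beijing has no daylight saving; the US Eastern offset used is the winter one, matching the January sample), and reports what share of the sessions land in a weekday 09:00 to 17:00 window for each zone. The log lines, internal hosts and destination addresses are invented for the example.

```python
"""Working-hours test for suspected exfiltration sessions.

Takes the UTC timestamps of outbound sessions and asks, for each candidate
time zone, what share of them fall inside a weekday 09:00-17:00 window.
If one zone puts nearly all activity inside office hours while the others
scatter it, that supports the "regular job" reading.  It is a heuristic:
an operator can keep any timetable, so it corroborates, never proves.
"""
import re
from datetime import datetime, timedelta, timezone

# Fixed offsets so the example needs no tz database.  Beijing has no DST;
# the US Eastern offset is the winter one because the sample is January.
CANDIDATE_ZONES = {
    "UTC+8 (Beijing)": timezone(timedelta(hours=8)),
    "UTC+0": timezone.utc,
    "UTC-5 (US Eastern, winter)": timezone(timedelta(hours=-5)),
}

# Constructed proxy records: session end (UTC), internal host, destination,
# bytes out.  Destinations use the 203.0.113.0/24 documentation range.
SAMPLE_LOG = """\
2011-01-17T02:13:44Z 10.20.5.17 -> 203.0.113.40:443 out=58113024
2011-01-17T05:40:02Z 10.20.5.17 -> 203.0.113.40:443 out=12004352
2011-01-18T01:07:19Z 10.20.9.3 -> 203.0.113.41:443 out=204800001
2011-01-19T08:55:31Z 10.20.5.17 -> 203.0.113.40:443 out=3302400
2011-01-19T19:30:00Z 10.20.9.3 -> 203.0.113.41:443 out=2097152
2011-01-20T03:21:08Z 10.20.9.3 -> 203.0.113.41:443 out=94371840
2011-01-21T07:59:59Z 10.20.5.17 -> 203.0.113.40:443 out=65536
2011-01-22T03:10:00Z 10.20.5.17 -> 203.0.113.40:443 out=1048576
"""

LINE_RE = re.compile(r"^(\S+)Z (\S+) -> (\S+) out=(\d+)$")


def parse_log(text: str) -> list:
    """Parse records into (utc_datetime, src, dst, bytes_out); skip junk lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1)).replace(tzinfo=timezone.utc)
        events.append((ts, m.group(2), m.group(3), int(m.group(4))))
    return events


def in_business_hours(ts_utc: datetime, tz: timezone, start: int = 9, end: int = 17) -> bool:
    """True if the instant falls on Mon-Fri between start and end o'clock local time."""
    local = ts_utc.astimezone(tz)
    return local.weekday() < 5 and start <= local.hour < end


def business_hours_share(events: list, tz: timezone) -> float:
    """Fraction of events inside the window for one zone (0.0 when there are none)."""
    if not events:
        return 0.0
    return sum(in_business_hours(ts, tz) for ts, *_ in events) / len(events)


def rank_zones(events: list, zones: dict = CANDIDATE_ZONES) -> list:
    """Candidate zones ordered by how well office hours explain the activity."""
    scored = [(name, business_hours_share(events, tz)) for name, tz in zones.items()]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for name, share in rank_zones(evs):
        print(f"{name:28s} {share:5.0%} of {len(evs)} sessions in weekday 09:00-17:00")
```

One zone explaining most of the activity is corroborating evidence, not attribution on its own: a few dozen sessions are needed before the shares mean anything, a scheduled job can mimic any timetable, and the window should be varied to make sure the result is not an artefact of the 09:00 and 17:00 cut-offs. Source IP geolocation, as McAfee used, is an independent signal worth combining with it.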

"Although it is possible that all of these indicators are an elaborate red-herring operation designed to pin the blame for the attacks on Chinese hackers, we believe this to be highly unlikely," McAfee said. "We have strong evidence suggesting that the attackers were based in China."

In January 2010, Google said it had been the target of cyberattacks originating in China which included attempts to access the email accounts of Chinese human rights activists around the world.

China has denied involvement in the December 2009 cyberattacks which Google said also targeted more than 20 other companies and led the Internet giant to halt censorship of its search engine in China.

According to US diplomatic files obtained and published by WikiLeaks, the United States believes that China's leadership directed the hacking campaign into computers of Google and Western governments.

In one cable, the US embassy in Beijing said it learned from "a Chinese contact" that the Politburo had led years of hacking into computers of the United States, its allies and Tibet's spiritual leader the Dalai Lama.



Bing Searches More Accurate Than Google's, Study Finds

Microsoft's search engine Bing, and even Yahoo, are providing users with more accurate searches than their rival Google, according to a report out this week.
Bing and Yahoo, which is now using Microsoft's Bing search technology, had the highest search success rates last month, reported Experian Hitwise, an Internet monitoring firm. More than 81% of searches on their sites led users to visit a Web site.
However, Google , the dominant player in the search market, wasn't as successful with its January searches.
According to Experian Hitwise, Google had a 65% success rate.
Google did not respond to a request for a reaction to the study.
"In my business and personal searching, I feel like I'm seeing less on-point results and more garbage, even on pretty specific queries," said Dan Olds, an analyst with The Gabriel Consulting Group. "Search success is a big deal for both advertisers and users. This same study also pointed out a significant increase in multi-word, more complex searches. To me, this means that users are looking for more specific results."
Olds said the search engine that delivers the most accurate results will win over users in the long run. That's good news for Microsoft, which has been chasing Google from a long distance ever since Bing was released.
Even if Google's results haven't been as accurate, it's still the highly dominant search engine in the market.
Experian Hitwise also reported that Google accounted for 67.95% of all U.S. searches in January. Bing-powered searches, which encompass Bing and Yahoo, accounted for 27.44%. Yahoo alone came in at 14.62%, while Bing had 12.81%.
"If the inaccurate searches are a trend and not an isolated result, then this does point to the need for Google to improve on its search success," Olds said. "In the short term, it gives Microsoft a great angle they can use to tout Bing vs. Google to advertisers."

Apple may be developing cheaper iPhone


Apple Inc. is working on new versions of the iPhone that are aimed at slowing the advance of competing handsets based on Google Inc.'s Android software, according to people who have been briefed on the plans.
One version would be cheaper and smaller than the most recent iPhone, said a person who has seen a prototype and asked not to be identified because the plans haven't been made public. Apple also is developing technology that makes it easier to use the iPhone on multiple wireless networks, two people said.
Chief Executive Officer Steve Jobs, who remains involved in strategic decisions while on medical leave, wants to narrow the price gap that has made phones running Android more popular than iPhones. Google's share of the global smart-phone market more than tripled to nearly 33 percent in the fourth quarter, eclipsing Apple's 16 percent, according to Canalys.
Apple has considered selling the new iPhone for about $200, without obligating users to sign a two-year service contract, said the person who has seen it. Android phones are available at a range of prices at AT&T Inc., Verizon Wireless and other carriers, and typically are sold with agreements that include a fee for broken contracts. The iPhone 4, sold by AT&T and Verizon Wireless, costs $200 to $300 with a contract.
Natalie Kerris, a spokeswoman for Apple, declined to comment.
While Apple planned to unveil the device near midyear, the introduction may be delayed or scrapped, the person said. Few Apple employees know the details of the project, the person said. Apple often works on products that do not get released.
The prototype was about one-third smaller than the iPhone 4, said the person, who saw it last year.
Apple can sell it at a low price mainly because the smart phone will use a processor, display and other components similar to those used in the current model, rather than pricier, more advanced parts that will be in the next iPhone, the person said. Component prices typically drop over time.
Apple is also working on a dual-mode phone, two people said. This device would be able to work with the world's two main wireless standards - the global system for mobile communications, used by AT&T and overseas carriers including Vodafone Group PLC, and code division multiple access, used by Verizon Wireless. It is not known whether Apple will include this capability in the cheaper iPhone.
Apple is working on a technology called a Universal SIM, which would let iPhone users toggle between GSM networks without having to switch the SIM cards that associate a phone with a network, according to one person. This would help cut the cost of distributing and managing millions of SIM cards.


Yahoo follows News Corp, announces Livestand 'magazine' for tablets

Yahoo on Thursday announced that it will soon debut a new magazine-style method of digital content delivery especially aimed at touchscreen mobile devices like tablets and smartphones called Livestand.
"Publishers and advertisers must expand their content to [phones and tablets] to stay in front of consumers," said Blake Irving, Executive Vice President and Chief Product Officer at Yahoo. "We see an opportunity to provide publishers and advertisers with a pipeline for fresh and active content and to help them reach and engage their most valuable audiences." Irving says Livestand will debut in the first half of 2011, and it will make Yahoo's sports, news, and financial content available, as well as Flickr, omg!, and the Yahoo! Contributor Network, as iPad and Android tablet apps.
While service and software providers are opting for HTML5 and rich web applications instead of releasing standalone mobile apps, it appears that media companies are sticking with apps. Yahoo is following companies such as Flipboard, Catalogs.com, and News Corp, who have released "magazines" for tablets.
"With Livestand, we're using ad formats that evoke the emotion of TV advertising with a highly-visual magazine-like experience. And they're combined with the effectiveness of an Internet ad that's data-rich, actionable, even location aware," Irving said on Thursday.
For the last six years, Yahoo has unveiled dozens of different ways for users to access Yahoo content on mobile devices. In 2006, it launched Yahoo Go which eventually evolved into Yahoo Mobile in 2009. In 2008, it launched onePlace, a mobile app for organizing and sharing web content, and oneConnect for managing contacts and social network content. At the same time, it's released apps for iOS, BlackBerry, Android, and Windows Phones covering the gamut of its services. More recently, it's unveiled Yahoo Entertainment, Sketch-a-Search, and Sportacular specifically for iPad.
There's no doubt Yahoo's got a strong grasp of the importance of a mobile presence, but creating a magazine for tablets has not proven to be a panacea for all content providers.
News Corp. recently took the "tablet magazine" approach with its iPad app called The Daily, and while it received passing marks from some reviewers, others completely trashed it. The Telegraph went so far as to call it "a complete failure of imagination."