Thursday, September 22. 2011
social engineering - a practical example
Posted by sqall in security at 21:09
Do you know these photobook services, where you can create your own photobook online and have it sent to a local store? Well, my girlfriend had used this service a week ago and the photobook was sent to a local store (a German chain of stores called DM). I was in the city and she texted me her customer and job number. When I was at the store I searched through all the packets of photobooks and finally found hers. On the package her name, her job number and her customer number were written. I went to the cashier and wanted to pay for it when she asked me to show her the order form.
What now? I didn't want to go home and get the form for her, so I had to try it with some discussion.
I told her politely and in a friendly way that this photobook is obviously not for me but for my girlfriend, that she is away from town for the next two weeks and that she texted me her customer and job number so I could get it for her. I showed the cashier the text message on my mobile phone with the name of my girlfriend at the top and she sold me the photobook.
Well, I didn't lie with the "my girlfriend is away from town for the next two weeks" part, but the order form was lying on my desk at home.
This is a great practical example of social engineering. The names, job and customer numbers were written on the packages of the photobooks. I could grab any of them, send myself a text message on my mobile phone and change the address book entry with my own number to the name on the photobook. Then I could say something like this to the cashier: "This photobook isn't for me. My brother sent me his customer and job number so I can get it for him." and show him the text message. I would say 99% of the cashiers would sell you the package with the photobook.
The text message is a very important thing. I think that a lot of cashiers wouldn't sell you the photobook without the text message. It's a little bit like Christopher Hadnagy has written in his book "Social Engineering - The Art Of Human Exploiting". He wrote a great story with a business card in it and that it's easier to make other people believe you when you have something written that supports your story. In his case I think it was a TSA employee that let him pass the security check with his IT stuff because he had shown a business card that said he was an IT security auditor.
What do we learn from these stories? You should always have a business card with you that tells people who you are (or who you want to be) and never order photobooks with really private stuff in them.
Monday, September 12. 2011
Idea: Replication service for IPs to ...
Posted by sqall in security at 19:39
The only thing that's keeping me working in this exam phase at the moment is this picture.
... but now the interesting stuff, and not about me.
On the rides by train I used the time to relax and code a little bit. Some months ago I had an idea about a decentralized client/server model which exchanges data about IP addresses that should be blocked by the server. It's like the Spamhaus block lists for email servers, only that they should be replicated over the network without any master. The principle is like Microsoft's Active Directory.
The whole idea came when I was rewriting this spam IP blocking script (article is in German). Some friends of mine who administer servers used it for finding and blocking spam-sending hosts. Some of their servers have a lot more spam email traffic and so they got a great anti-spam list in no time. We exchanged our blocking lists and the amount of incoming spam went down. Then I asked myself "wouldn't it be great if our servers did this by themselves?". And the answer is "yes, it would". So I thought about how it could be done and I realized that none of us would give the others the master service if it were written in a normal client/server model. But a replication service in which every one of our hosts is trusted and every host has the same rights, that would be something else.
The IP addresses to block could perhaps be generated by scripts like the spam IP blocking script I mentioned before, something like what the OSSEC project uses to get the IPs to block. I haven't finished any details about how it works yet. I've only written the basic threaded TCP server in Python so far. But I'm grateful for any idea and help I can get.
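To make the masterless replication idea concrete, here is an added example written for this page; it is not sqall's threaded TCP server or any code from the project. Every peer runs the same code: it serves its block list over TCP and can also connect to any other peer, exchange entries, and merge them by set union. The wire format (one JSON line per direction carrying a dictionary of IP -> {timestamp, reason}), the "newest timestamp wins" merge rule, and the sample IPs from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24 are all assumptions of this example. Malformed peer input is dropped rather than merged, which is the minimum a defender wants before trusting data from another host.

```python
import json
import socket
import socketserver
import threading
import time


class BlockList:
    """Thread-safe IP block list. Each entry carries a timestamp so that two
    peers can merge their lists by set union, keeping the newest entry per IP.
    (Assumed data model for this example, not the project's own.)"""

    def __init__(self):
        self._lock = threading.Lock()
        self._entries = {}  # ip -> {"ts": float, "reason": str}

    def add(self, ip, reason, ts=None):
        with self._lock:
            self._entries[ip] = {"ts": ts if ts is not None else time.time(), "reason": reason}

    def merge(self, remote):
        """Union-merge a peer's entries; returns how many were new or newer than ours."""
        changed = 0
        with self._lock:
            for ip, entry in remote.items():
                local = self._entries.get(ip)
                if local is None or entry["ts"] > local["ts"]:
                    self._entries[ip] = dict(entry)
                    changed += 1
        return changed

    def snapshot(self):
        with self._lock:
            return {ip: dict(e) for ip, e in self._entries.items()}

    def ips(self):
        with self._lock:
            return set(self._entries)


class SyncHandler(socketserver.StreamRequestHandler):
    """Protocol (assumed): one JSON line in with the peer's entries,
    one JSON line back with ours. Both sides merge what they receive."""

    def handle(self):
        line = self.rfile.readline()
        if not line:
            return
        try:
            remote = json.loads(line.decode("utf-8"))["entries"]
        except (ValueError, KeyError, TypeError):
            return  # malformed peer input is dropped, never merged
        if not isinstance(remote, dict):
            return
        self.server.blocklist.merge(remote)
        reply = {"entries": self.server.blocklist.snapshot()}
        self.wfile.write((json.dumps(reply) + "\n").encode("utf-8"))


class BlockListServer(socketserver.ThreadingTCPServer):
    """Each peer runs one of these; there is no master, every host has the same role."""
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, addr, blocklist):
        super().__init__(addr, SyncHandler)
        self.blocklist = blocklist


def start_peer(blocklist, host="127.0.0.1", port=0):
    """Start a peer in a background thread; returns (server, bound_port)."""
    srv = BlockListServer((host, port), blocklist)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def sync_with_peer(blocklist, host, port, timeout=5.0):
    """Push our list to a peer and pull theirs back; both end up with the union."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall((json.dumps({"entries": blocklist.snapshot()}) + "\n").encode("utf-8"))
        buf = b""
        while not buf.endswith(b"\n"):
            chunk = sock.recv(65536)
            if not chunk:
                break
            buf += chunk
    return blocklist.merge(json.loads(buf.decode("utf-8"))["entries"])


def demo():
    # Constructed sample data: two peers that each learned about different spam hosts.
    a, b = BlockList(), BlockList()
    a.add("203.0.113.10", "smtp auth bruteforce", ts=1000.0)   # TEST-NET-3 address
    b.add("198.51.100.7", "spam relay", ts=1000.0)             # TEST-NET-2 address
    b.add("203.0.113.10", "confirmed spam source", ts=2000.0)  # newer verdict for the same IP
    srv, port = start_peer(b)
    try:
        sync_with_peer(a, "127.0.0.1", port)
    finally:
        srv.shutdown()
        srv.server_close()
    return a.ips(), b.ips(), a.snapshot()["203.0.113.10"]["reason"]


if __name__ == "__main__":
    print(demo())
```

Because the merge is a union with per-entry timestamps, the order in which peers sync does not matter and a peer can rejoin after downtime by syncing with any one neighbour. What the example deliberately leaves open is trust: a real deployment would authenticate peers (for instance with TLS client certificates) before accepting their entries, since any host allowed to sync can insert blocks.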