Be a Professional Social Engineer!!!

Social Engineering....

This article is an introduction to social engineering.
Most of us are not familiar with the term social engineering. I hope this article will give you some basic ideas about SE’ing.
Social engineering is a process, a tactic or a strategy for gaining access to private information or to public events, and doing it takes skill. It is a practice in which one person interferes with another person's activity on the web. It usually involves tricking people into breaking normal security procedures: the social engineer obtains confidential information by manipulating users. It is closely tied to computer security.

Social Engineering definitions:
“Social Engineering is the online criminals can use sophisticated technology to try to gain access to your company, or they can use something simpler and more insidious.”
Wiki: “Social engineering, in the context of security, is understood to mean the art of manipulating people into performing actions or divulging confidential information.”

Many consider social engineering to be the greatest risk to security.
Many people are afraid of it, or they feel they will never be able to carry out a successful social engineering test.
However, every time you try to get someone to do something that is in your interest, you are engaging in social engineering.
E.g.: from children trying to get a toy from their parents to adults trying to land a job or score the big promotion, all are forms of social engineering.

Social engineering is both incredibly complex and amazingly simple. It includes positive forms of communication, such as those used by parents, therapists, children, spouses and others.
Hackers often use social engineering because the human weakness factor is so much easier to penetrate than network weaknesses.
Hackers mostly win the battle because they are not limited by time or lack of motivation.

A True Story
“One morning a few years back, a group of strangers walked into a large shipping firm and walked out with access to the firm’s entire corporate network. How did they do it? By obtaining small amounts of access, bit by bit, from a number of different employees in that firm. First, they did research about the company for two days before even attempting to set foot on the premises. For example, they learned key employees’ names by calling HR. Next, they pretended to lose their key to the front door, and a man let them in. Then they “lost” their identity badges when entering the third floor secured area, smiled, and a friendly employee opened the door for them.
The strangers knew the CFO was out of town, so they were able to enter his office and obtain financial data off his unlocked computer. They dug through the corporate trash, finding all kinds of useful documents. They asked a janitor for a garbage pail in which to place their contents and carried all of this data out of the building in their hands. The strangers had studied the CFO’s voice, so they were able to phone, pretending to be the CFO, in a rush, desperately in need of his network password. From there, they used regular technical hacking tools to gain super-user access into the system.
In this case, the strangers were network consultants performing a security audit for the CFO without any other employees’ knowledge. They were never given any privileged information from the CFO but were able to obtain all the access they wanted through social engineering.” (This story was recounted by Kapil Raina, currently a security expert at Verisign and co-author of mCommerce Security: A Beginner’s Guide, based on an actual workplace experience with a previous employer.)

While reading about SE’ing I came across these sites.

google dork

may be same

Anti-Phishing Working Group Phishing Archive

FTC Consumer Alert: 12 Scams Most Likely To Arrive Via Bulk Email

FTC Consumer Alert: How Not to Get Hooked by a ‘Phishing’ Scam

Recognize and avoid fraudulent email to Microsoft customers

United States Secret Service Advance Fee Fraud Advisory

US-CERT Cyber Security Tip ST04-007: Reducing Spam

US-CERT Cyber Security Tip ST04-010: Using Caution with Email Attachments

US-CERT Technical Cyber Security Alert TA05-189A: Targeted Trojan Email Attacks


Kevin Mitnick

One of the most discussed questions about SE’ing is “Is social engineering legal?” I will have some basic details about this in the next blog.

So you think you are secured??? The answer is now or never…

So you have encrypted all your files & stuff with an encryption tool thinking that you are secured…

But ask yourself these three questions…
1. Can you count your password on your fingers?
2. When was the last time you changed your password?
3. Have you ever felt that someone is still able to access the data?
4. Did I say three questions? 😀 😀

Picture this: the guy next door is able to brute-force your password with some cracking tool… Yes, you read that right… There are plenty of open source tools which can brute-force your password within seconds (milliseconds if you are very poor at choosing your password 😛 ). Awareness of hacking and hacking tools is growing rapidly, and even a naive computer user can download and try these tools.

I think this is the one thousandth time you are reading this sentence (or probably more if you regularly visit eBay & Amazon). 😉
“Please use a password that contains lower case, upper case, symbols and numbers”

I know that it’s very embarrassing to type a password which contains numbers, upper and lower case letters and some freaky symbols. Of course, the only concern we have is that typing such passwords takes 2 or 3 seconds more than the regular ones. Well, I am not saying that passwords like ajB83#&%(gs&$J^&(^+*(, shfiu(&87ad$%%$^KGauau* will help you (they really look like a Russian cursing at me): they are impossible to remember (and even if you do remember one, it takes at least 30 attempts to type it correctly). 😀

But you could create some random passwords from your personal life situations or your experiences, like “My first breakup is on 14th February 1991”, and convert it into a password like “My1stPlaN3”. And obviously it is very easy to remember if we link it to the situation instead of remembering the password itself.

Nerds out there say that “We recognize the importance of a password only when someone steals our data…” 😉 A password is like a toothbrush. It seems funny, but the resemblance is rather perfect: the longer you use one, the greater the chance that you are going to get affected. So I recommend, as a very good practice, that we change our passwords frequently (and toothbrushes too). 😉

There is a quote of my own… “At any given point of time, Hackers are better than Developers”. So whatever good developers try, hackers try better. We must not give them a chance to take a shot at our password, and we must be the best at choosing passwords.

So well now coming to the topic (Oh! What?? Am I not reading the topic till now? 😛 )

One of the most neglected areas in the security world is file encryption. “TrueCrypt” is the best open-source tool developed solely for encryption. “TrueCrypt” uses a unique way of encrypting files: it combines more than two encryption algorithms and feeds them a hash key that is generated by one of the toughest-to-crack hashing algorithms.

Research says that there are some brute-forcing tools which can scan up to a billion passwords a second (if I am not wrong). Of course, TrueCrypt is no exception: its password can be cracked too. There have been many incidents where hackers bypassed TrueCrypt because of poor passwords chosen by the end users.

Tools like TrueCrypt are extremely good at securing data, but on one condition: that you use a good password (meeting all the conditions listed above) which is more than 20 characters long. The only small contribution we have to make is to give TrueCrypt a good, complex (and memorable) password, and then everything is set. And kudos to you: you are one of the people whose data is secured.

The hash key generated by TrueCrypt from a complex password specified by the user is so hard to crack that it would take a light year to bypass the system, even with the combination of the best brute-forcing tool and the highest-end supercomputer designed to date.
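To put numbers on the claims above, the following added example (not part of the original article) estimates how long exhausting a password's keyspace takes at the article's billion-guesses-per-second rate, and how a slow, salted key-derivation step multiplies that cost. PBKDF2-HMAC-SHA512 and the 100,000 iteration count are assumptions chosen for illustration, not TrueCrypt's settings, and the sample passwords are constructed.

```python
import hashlib
import math
import os
import string

GUESS_RATE = 1e9                      # the article's "a billion passwords a second"
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def charset_size(password: str) -> int:
    """Alphabet an attacker must cover, from the ASCII character classes present."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)   # 32 ASCII symbols
    return size

def keyspace_bits(password: str) -> float:
    """Upper bound only: assumes every character was picked at random."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0

def years_to_exhaust(password: str, kdf_iterations: int = 1,
                     rate: float = GUESS_RATE) -> float:
    """Years to try the whole keyspace when each guess costs kdf_iterations hashes."""
    guesses = charset_size(password) ** len(password)
    return guesses * kdf_iterations / rate / SECONDS_PER_YEAR

def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """Password -> 256-bit key; the salt defeats precomputed tables, the
    iteration count makes every single guess more expensive."""
    return hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations, dklen=32)

if __name__ == "__main__":
    salt = os.urandom(16)
    # Constructed sample passwords, weakest first.
    for pw in ["123456", "password", "My1stPlaN3", "My1st-Break^Up:14Feb1991"]:
        print(f"{pw!r:28} {keyspace_bits(pw):6.1f} bits  "
              f"fast hash: {years_to_exhaust(pw):.3g} y  "
              f"100k-iteration KDF: {years_to_exhaust(pw, 100_000):.3g} y")
    print("derived key:", derive_key("My1stPlaN3", salt, 100_000).hex())
```

The bit counts are ceilings: a password built from a memorable phrase or a dictionary word is found far sooner than the full-keyspace figure suggests, which is why length matters more than a sprinkling of symbols.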

Happy Passwording!!! & Happy Encrypting!!!

FixNix take on Encryption
This is one of the open source encryption products I’ve bet upon for implementation across a corporate network.

Today, while exploring how to implement this for the personal use of a high-profile client through one of my friends, I came across umpteen free/open source and commercial tools for the same.

Having said that, people are claiming they’re able to break even such tools in the underground security/forensic networks.

GENERAL ENCRYPTION TOOLS (email encryption)

Full-disk encryption (FDE) is encryption at the hardware level. FDE works by automatically converting data on a hard drive into a form that cannot be understood by anyone who doesn’t have the key to “undo” the conversion. Without the proper authentication key, even if the hard drive is removed and placed in another machine, the data remains inaccessible. FDE can be installed on a computing device at the time of manufacturing or it can be added later on by installing a special software driver.

Encryption is a process of encoding information so that it cannot be accessed by others unless they have the key needed to decode it. Encryption is usually used to protect highly sensitive documents, but it’s also a good way to stop people from looking at your personal stuff.

Primary encryption utility categories

Why use categories here? To bring a little order to the large catalog of encryption utility reviews at this site. This particular review article is limited to “drive encryption” utilities. See related categories below.

Encryption utilities that encrypt files/folders directly: These utilities encrypt discrete files and/or folders directly, in contrast to utilities that encrypt and store files in volumes (archives, i.e., container files). File-based utilities may operate in batch mode or in on-the-fly mode.
Virtual-drive encryption utilities create volumes (encrypted containers/archives) which can be mounted in the file-system as virtual drives, complete with drive letters, e.g. “V:”. These drives can contain both files and folders. The computer’s file system can read, write and create documents in real time, directly in cleartext. Virtual-drive utilities operate in on-the-fly mode.
Full-drive encryption utilities – the utilities reviewed in this article – encrypt entire storage devices, e.g., hard-drives, drive partitions and USB drives. Some of the utilities in this category can also encrypt the drive that the operating system itself is installed on.
Client-side encryption utilities for the cloud: A newly emerged category. These utilities encrypt files before they are uploaded to cloud sync/storage locations. The files are encrypted in transit and while at rest in the cloud. Cloud encryption utilities employ various forms of virtualization to present cleartext client-side, and they operate in on-the-fly mode.

Cautionary Notes

Operating systems are messy: Echoes of your personal data — swap files, temp files, hibernation files, erased files, browser artifacts, etc — are likely to remain on any computer that you use to access the data. It is a trivial task to extract those echoes. For example, when you encrypt and compress files, clear-text versions that existed before you compressed/encrypted the file, or clear-text copies that are created after you decrypt/decompress it, remain on your hard drive unless you purge — not just delete — those clear-text files. 😦

The fact that an encryption program “works” does not mean that it is secure. New encryption utilities often appear after someone reads up on applied cryptography, selects or devises an algorithm – maybe even a reliable open source one – implements a user interface, tests the program to make sure it works, and thinks he’s done. He’s not. Such a program is almost certain to harbor fatal flaws.

“Functionality does not equal quality, and no amount of beta testing will ever reveal a security flaw. Too many products are merely buzzword compliant; they use secure cryptography, but they are not secure.” –Bruce Schneier, in Security Pitfalls in Cryptography

Further advice about how to use encryption is discussed in Encryption is Not Enough, including what you need to do beyond encryption to be sure your private data is not lost or exposed.