Started my career in NY helping to run an ISP that went from 500 to 5000+ dial up and DSL customers in one yearDedicated a Shell Box called Unixbox for Mud and IRCStarted a consulting firm maintaing Novell and Apple networksSold it Started working for law enforcement doing forensics in NYC. Loved the corpesp hated the child pornBACO Bikers Against Child Abuse I will go out of my way defend children. Children are off limits Met a strange looking dude name Ralph E…and he told me he was an ethical computer hacker Explained what it was and I was hooked.Security engineer dealing with Encryption and pentesting/social engineeringCurrently I am Memphis TN with a start up doing iPhone/Android/tablet design
We went back on forth on this test. They wanted us to test customers or be attacked from a customers end. Online Banking/trading I convinced them also to allow us to attack the bank itself. Explained to them how taking over the internal network was the real threat. We choose the HR department because they said their document management system housed SSN and PMI. We had a 3 month attack window. They told me we could not visit the corp office and steal the servers. They didn’t say anything about attacking them when they were offsite.
This is for computers and human attacks. I am sure most of you know methods like this but just incase here is how it works. Example: If I hear that IronGeek is going to be out eating Tacos from 6-7 but he is going to leave $40,000 dollars in his room with and unlocked door. I might use this method to go eat tacos with him.
Google apps was going to be used to set up a polling/phising attack.
Googled a local bank here in Nashville. The great thing about bank mang and board mem they are mad old. The cant even turn on a computer. Create separate gmail accounts to hand over after the attack.Create linked in with pictures of them, kids, logos or pets. If they are on linkedin misspell their name upper mang will not connect with peeons. Then link them all together see what happens if nothing go company profile and linke with others.
Marketing and HR love followers they are paid to increase followers without knowing who they are…follow their followers trust. Personal accounts are always fun to follow because the complain about the company. In detail.Followed the Hash for the upcomming events and MIT recruitment weekend
Fan for the specific event. Setting up interviews via facebookfanpage and Email.
Never got to finish this attack because of what happened next.
The VP started twittering about a trip to Chicago. She was tweeting about the flight, the airline losing her luggage and how nice the weather was when she landed. Next she twittered for recommendations on where to get a new cell card for her laptop because the other one was in her lost luggage. She also started tweeting about a great sub shop called Jimmy Johns. The twitter was basically in these words, “I have fallen in love with a sandwich across the street from Best Buy. While waiting for them to install my cell card I ordered the gargantuan.” Well because twitter is in real time, I knew this would be a great opportunity for a social engineering attack. I google mapped all the Best Buy stores and street viewed to see which had a Jimmy Johns across the street. It was actually down a couple blocks..but I found it.Calling the store, I asked for the technician working on her machine. Thanked him for helping us out with her laptop and asked if he needed anything like an Administrator password? The technician said, “No, she already gave us the 2 passwords, xxxxx and xxxxxx.” I said, “Great! What card and firmware are you installing?” The technician answered the questions after 15 minutes of trying to find it on the CD. “Version 2.1.1″ Finally, I asked if he could do a huge favor, because we knew of a bug that would cause problems for her connecting to our VPN with that particular firmware, could he install an update? I will email you a 2.1.2_firmware.exe file, if you will install it then she will be all set and not call me later. The technician sympathized and agreed to help me out. We now had a back door to the HR department and I freed up a weekend from testing.
Using Information Gathering and how it can change your attack!
[bash]$ whoamiroot ISP Systems Administrator for 5000+ subscribers -Under attack 24/7 by IRC users Owner of computer consulting firm - 6 year -Under attack by other law firms NYC Forensics Investigator -Catch idiots and occasionally a smart one C|EH from Ralph E -This guy was sick Security Engineer for fortune 500 company in Chicago. -Loved it. CTO for RESOLUTE Games - iPhone/iPad/Android Dev -No Security for mobile platform
Linkedin Searched for VP levelemployeeswithoutlinkedinaccounts. Created 3 and linkedthemtogether - thisadds a little more trust. Joinedcommon groups Watched as all the employees, includingmost of HR connected
EX: Find People Create SEPERATE Gmailaccounts Createlinkedinaccounts Link together
I likeTurtles… No Turtles were harmed while performing this test.
Twitter Followed VP of Marketing Followed VP of HR FollowedDirector of IT Security (PersonalAccount) Followed Hash of manyevents Follow MIT Event hash
Facebook Createdfake MIT and RIT studentaccounts Became fans of HR Event Set up interview times – PDF resumes to come. StudentID’s and USB sticks to come.
Results of thisattack EPIC Fail! This shit never happens to me. Act of God? Still cant believe it.
Halt! HR Executivestarttwittering about a trip. Chicago, LostLuggage and lost Cellular Card BestBuy, JimmyJohns and Google Maps 2.1.2_firmware.exe – Seriously that just worked?
Prevention Think of Social Networking like any other system in/on your network. Allow not to allow. Monitoring the top level or all users just like email. Apply new rules and policies with HR. Training, for the love of God, training.