• Episode 001 – Interrogation and Interview Tactics

The podcast, along with the rest of their site, is a really informative and discussion of social engineering beyond simply lying and immature tricks.  I’m looking forward to future episodes and I hope they move to a more frequent schedule!

From: drjohn.wlsn@gmail.com

Subject: Blog

Date: April 16, 2008 6:02:09 PM CDT

To: wesley@mcgrewsecurity.com

Dear Mr McGrew,

As a semi-regular reader of your blog, I noticed that your April 14 blog mentions that you and a colleague are putting on a capture the flag event. I have considered doing a similar event for my students. However considering time constraints, cost, and player level, I was curious about the logistics of the game. How long did it take you to design the game? How does scoring work? What tools do you introduce to the student? Where are flags hidden that keeps the game challenging but still at the student level?   

Dr John Wilson

This isn’t an unusual kind of email for me to receive.  I answer questions about my blog, my projects, lectures, and various other things on a daily basis.  While the email address is strange, it’s not really unusual for me to communicate with people who prefer their web mail accounts (especially Google) to their more “official” addresses.

This particular request, however, is not from a professor trying to spice up his security class.  It turns out to be a good attempt at a targeted attack.  I almost fell for it!  It arrived yesterday evening when I was feeling ill, running a slight fever, and wasn’t even considering the possibility of it being a ruse.  It’s a good thing that I made the decision to put off responding to all of my emails and other communications to this morning, because taking a closer look at it today made me realize that something could be up.

They did well choosing GMail.  Many other web email services attach the IP address of the web client to outbound emails, which would have likely given these students away.  They also did a good job of posing the questions in a way that asked for a lot of information that someone wanting to put on a CTF would want to know before getting to the heart of the matter (where the flags are).  In a way, their choice of a generic name worked well for them, in that it’s hard to Google, however it may have been a better idea to do some research and use the name of an actual security class professor at another university.  

It could have gone either way honestly!  In my response to the email, I asked that if it was a student team, that they identify themselves (they will be rewarded!).  ”Dr. Wilson” could have been legitimate, though, so I did provide some basic information about the game (that the students would already know) with the promise of following up after the game on Monday. 

Kudos to “Team 3″!

I gave the situation some thought, and I think I’m going to have to disagree with what seems to be the general consensus among internet users. I wrote up some of my thoughts and posted it, and I liked it enough that I’m adapting it into the blog post for today:

“What’s funny about this is it really exposes a lot of peer-to-peer filesharing advocates’ true position.

The services MediaDefender provide for copyright holders are designed to have a chilling effect on the filesharing of copyrighted content (they also do marketing via P2P, which is legal, and I think a pretty good use of P2P). So we have a company here that recognizes that there are legal and legitimate uses for P2P, and instead of being all “There should be legislation outlawing this”, they do the right thing and provide a technical solution to a technical problem for copyright holders. The fake files and information gathering tactics apply to situations where people are knowingly downloading content for which they have no rights. You’re not going to run into MediaDefender’s mechanisms downloading Linux ISOs and sharing independent music over P2P, like many advocates of P2P technology would have you believe they do.

It’s a neat solution. Gum up the infringing activities of P2P users while letting the protocols and those who don’t abuse them act freely. It’s a useful service for copyright holders. So what is the collective internet P2P geek reaction to them? It can be pretty much summed up as “Screw them, they deserved to get hacked, they are the devil”. Poking around a bit, I can’t really find a positive thing being said about them.

What it boils down is this: most of the people advocating peer-to-peer with the caveat of it being useful for legal content, really just want their copyright infringing uses to be safe under that blanket.”

This scam dates back to stealing AOL accounts in the mid-90s. Here’s some modern examples (obviously the technique has moved to a new media with little improvement):

• Hack A wow Account In 15 minutes
• Easy WoW account hack
• Hack Msn
• How To Hack Runescape
• Hack Steam Accounts 100% working no Scam

Certainly these will be gone after a while, but it’s easy to find more by searching for “hack account” on Youtube or Google Video. Very funny stuff. I suppose it works though? Does anyone know of anyone who’s fallen for this? Your “friend”, I’m sure .

Apparently, this reporter had turned down a press pass, which would identify her as a reporter to those she interacted with. Her plan seemed to be to catch people engaging in illegal activities as part of an undercover report on “hackers for hire”. She was outed on stage and escorted out, and followed to her car by a bunch of what appear to be dirty hackers with cameras .

Everyone knows that Defcon is when you put your illegal activities on hold for a weekend to party !

This is highly recommended reading!

HD Moore’s conference slides

Direct link to the slides (pdf).

Most security conscious people make use of their operating system’s “Lock Workstation”, “Lock Screen”, or similar locking functionality whenever they need to step away from their computer for a moment. It’s convenient, since all of your programs are still running and sitting there just like you left them, unlike having to start from a clean slate by logging out and back in. Some people may have picked up on using this security feature, due to an office culture of pranks (such as humorous wallpapers) pulled on those who leave their computers unattended. If your organization’s policy doesn’t put a damper on such pranks already, it can be an effective way (though not necessarily the best way ) to get people to lock their screens.

One important aspect of screen-locking that people don’t normally consider is the environment in which the screen will be unlocked. If you’re sitting at your desk working on a confidential document and someone walks into your office, you can minimize the document before they see it (if you can’t, rearrange your office!). However, if someone is already in your office, followed you in during a discussion, or is otherwise in viewing range of your screen when you sit down to unlock your session, it will be a race for you to minimize the sensitive data once you have unlocked, and the chances of a glimpse are much higher. This can be an even more serious issue, when it comes to laptops, where the situations they are locked and unlocked in may vary greatly as they are carried around (imagine a worst case scenario of it being unlocked while hooked up to a projector).

So what do you do? You make a habit of hitting the “show desktop” (or equivalent) button to minimize everything before locking your screen. Then, once you unlock, you can selectively bring applications back up from minimization, as the situation allows.

As the title advertises, it’s a little thing. However, it doesn’t take much time, it’s easy to explain to your users, and can prevent some cases of accidental disclosure.

To tide you over until then, I ran across this post, by HD Moore, on the Full-Disclosure list today:

[Full-disclosure] You shady bastards.

This is interesting for a couple reasons. One, it gets you thinking about the potential value ex-employee email addresses have to a company. The temptation to continue monitor incoming mail on these addresses is high. Is it legal? As you can tell by the discussion already on the list, it all depends on the agreements the employee has signed. Pretty soon you’ll start seeing clauses about post-employment on consent-to-monitoring agreements, if you haven’t already seen it.

Another reason this is interesting is that HDM pulled a neat, low-tech trick to verify that someone was reading mail to the address he was sending mail to. I’ve done this before, and it works fairly well . In a way it’s similar to the phish-baiting techniques that I’ve written about before on here. This is something you can add to your bag of tricks (also works well for other protocols: IM, IRC, etc.), and it’s something you can keep in mind when you’re given a link by someone in a situation like this.

The article’s in the new June issue of Playboy, and Mitnick has made it available on his site at : http://www.mitnicksecurity.com/images/Mitnick_Playboy_feature.pdf