Social-Engineer Newsletter Vol 08 – Issue 100

 

January 2018

In This Issue

  • What Has Happened with Social Engineering in the Past 8 Years?
  • Social-Engineer News
  • Upcoming classes




The 2017 SECTF report is now available for download. You can get all the details from Def Con 25 and Derbycon 7 by downloading your free copy of the report here:
https://www.social-engineer.org/event-updates/defcon-updates/2017-sectf-report/

You can also listen to the S-E team break down all of the details from the 2017 SECTF report webinar. It is available to listen to and download here:
https://www.social-engineer.org/resources/watch-live-recording-sectf-results/


Do you like FREE Stuff?

How about the first chapter of ALL OF Chris Hadnagy’s Best Selling Books?

If you do, you can register to get the first chapter completely free. Just go over to http://www.social-engineer.com to download now!


To contribute your ideas or writing send an email to contribute@social-engineer.org


If you want to listen to our past podcasts hit up our Podcasts Page and download the latest episodes.


Our good friends at CSI Tech just put their RAM ANALYSIS COURSE ONLINE – FINALLY.

The course is designed for Hi-Tech Crime Units and other digital investigators who want to leverage RAM to acquire evidence or intelligence which may be difficult or even impossible to acquire from disk. The course does not focus on the complex structures and technology behind how RAM works but rather how an investigator can extract what they need for an investigation quickly and simply.

Interested in this course? Enter the code SEORG and get an amazing 15% off!
http://www.csitech.co.uk/training/online-ram-analysis-for-investigators/



A Special Thanks to:

The EFF for supporting freedom of speech


What Has Happened with Social Engineering in the Last 8 Years?

 

When I actually started thinking about this issue of the newsletter, I was shocked… this is issue 100. Wait. This is ISSUE 100!!!!! That is 8.3 years of newsletters. I could literally reminisce for hours about all the topics, research, and people we’ve spoken with and read about for those issues.

So much has changed. The topics, style, and writing ability, as well as our maturity, professionalism, design, and so much more. Our team dynamic has changed, and we even said goodbye to Michele just this month.

However, one thing has never changed – the newsletter stuck to its roots. When I started it, I wanted a free resource that could be used by people and companies globally as a part of their security program. Over the last 8 years we have had Fortune 500 and larger banks, insurance companies, manufacturing companies and others reach out and ask if they can use our newsletters in their internal training.

All this is well and good, but let’s not spend the one time I come out of my hole to write issue 100 talking about how awesome the newsletter is, right? What has changed over the years in the world of social engineering?

Change is Everywhere

When I first started this, eight years ago, we would scrape the internet for stories about hacking involving social engineering. To help jog my memory, I went back to the early blogs on SEORG. It took a couple of pages before I found this story about how we can use a $26 piece of software to grab information from military drones. But, then I found this great post from Dec 2009 about how AOL was hacked using some new technique called “spear phishing” and pretexts over the phone.

Jump forward eight years, and we have dozens of stories collected daily about hacks involving phishing, vishing, SMiShing and impersonation. I would say that the first major change is twofold. First, we are noticing social engineering more thanks to the media and press it has received as a legit vector over the last eight years. But also it is being used so much more than it was eight years ago, heck, even 2-3 years ago. With the prevalence of its use, it begs the question – why?

Why Such an Increase in Social Engineering?

This is a hard question to answer. When I look at social engineering as a whole, or the act of getting someone to agree to take an action that may or may not be in their best interest, attackers are manipulating the decision-making processes of their targets more so than before. Does this mean that attackers have all taken courses in psychology and become expert communicators? I do not believe so.

I think it is more about HOW we, as the human race, communicate. According to Internet World Stats, in June 2008 there were 1,463,000,000 internet users. That number represented 21.6% of the earth’s population.

Jump forward to June 2017, and we are at 3,885,000,000 or 51.7% of the earth’s population now on the Internet. Yes, a staggering 30.1% increase in just 9 years. Think about this too, in 2008:

  • LinkedIn was 8 years old
  • Facebook was only 4 years old
  • YouTube was only 3 years old
  • Twitter was only 1.5 years old
  • Instagram was not even born yet (for another 2 years)
  • Just to name a few

In 2008, Facebook had 145 million users. And, this year they hit 1.86 billion users.

The numbers are staggering. And all this points to one thing – we communicate over the web. We live on the Internet. We talk in memes and GIFs. We learned to say a lot in 140 characters. And, we became a culture of people who don’t care about our most intimate details being viewed by complete strangers.

With all of this, attackers saw the unique opportunity to utilize this new culture as a primo way to attack, and win.

Shikata Ga Nai

Not only is that the name of my favorite shellcode encoder (back in the day, when I used those things), it is also a Japanese phrase that can be translated to, “it cannot be helped” or, “there is no hope”.

Though this feels like it could apply to social engineering, I jest; there is hope. The answer, though, is not what you would expect. I am not going to tell you to unplug, run to the hills to make moonshine, and listen to Bruce Hornsby like Dave’s kin. No, as a civilized gentleman, I will give you just two tips to avoid being the next victim:

  1. Stay informed. You cannot possibly defend from an attack that you do not know exists. Yes, this sounds self-serving, but podcasts like the SEPodcast, newsletters like this one, our blogs and others like Security Weekly, the TrustedSec folks, etc. can help you stay in tune with what is going on. There are some really amazing people on Twitter that can help you stay attuned, too. People like:

 

  2. Make good decisions. Yes, just like your mom used to tell you, I am telling you the same. Make good decisions. Decide what you will put on social media, and what you won’t. If you decide to post everything, then realize it is now out there for anyone to see. Do NOT make the silly mistake of saying, “Well, no one would care about me.” Maybe that is true, but do you have good clients? Or a rich relative? Or an attractive mate? Well, all of these things can be what the attacker wants to know, and they may use you to get it.

Now What?

While I cannot detail how, exactly, this will look in 8 years, I can tell you what is next in this coming year. Social engineering is not going away. We will see more vishing attacks and the return of SMS attacks again. The growing number of vulnerabilities we see in mobile apps makes this a prime field for attack, as will an increasing reliance on new technologies. We will keep you updated along the way!

Stay vigilant, folks. Thank you for a great 8 years!

Till next time,

Written By: Chris ‘loganWHD’ Hadnagy



 




*** This is a Security Bloggers Network syndicated blog from Security Through Education authored by SEORG. Read the original post at: https://www.social-engineer.org/newsletter/social-engineer-newsletter-vol-08-issue-100/