Great Lakes InfraGard Conference 2010: Some Thoughts
by Josh on Mar.18, 2010, under Uncategorized
As a member of InfraGard, I was invited to the Great Lakes 2010 InfraGard Conference; this year’s theme was “Securing the Next Decade.”
I thought I would share a couple thoughts that I picked up throughout the day.
One of the first sessions was a series of presentations by the Detroit FBI Cyber Squad. Hearing directly from the FBI how they are dealing with electronic threats was very enlightening. Something that one of the agents (Brian Concannon) said caught my attention. He said something to the effect that, “the solution for cybercrime is not better blocking of attacks, but being able to find, apprehend, and deal with the perpetrators themselves.” I do not hear these kinds of statements very often, as most of us are just trying to keep our heads above water when it comes to cyber threats.
Another of the special agents presented on his niche, which was Intellectual Property theft. It was very interesting to see things like copyright infringement on movies and music from the FBI’s perspective, and how they really are in a no-win situation: companies are upset at them for not working faster/protecting better, and the consumers themselves see it as a victimless crime, and give excuses such as, “The recording industry is ripping us off! We deserve music cheaper!,” or “It’s just a copy! I wasn’t even planning on buying the album anyways!” In other words, perception management is a key factor in the FBI’s prevention arsenal.
Most of the other presentations dealt with how the different government departments (DHS, FBI, etc) could better collaborate with the private sector, specifically in the area of detecting and dealing with cyber-crime.
Overall, I thought it was a very productive conference that got me thinking in some new areas of IT security.
-Josh
Hurry! Only (random_num) Spots Left!
by Josh on Feb.13, 2010, under Uncategorized
I have no idea who Greg, developer of the Penny Stock Secret, is, or whether or not he really is a millionaire, but I do know one thing for sure: they really need to obfuscate their JavaScript better.
So the idea of PennyStockSecret.com is that after ‘Greg’ “studied all the investment theories, consulted financial advisors and spent extraordinary amounts of time at his computer,” he found the “keys that bring stock market success.”
And for only a one time fee of $97, you can be in on his success! How?
Well, “More than just identifying the best stocks to buy, we tell you exactly when to sell them too.” They do this through subscribing you to a newsletter that will alert you when you should buy and sell.
But wait, there is a catch! There are only Insert Random Number Here spots on the newsletter list available!
Wait, what?
Yes, if you view the source, you can see that all the JavaScript does is generate a random number for how many spots are available.
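Two offline checks that make this kind of fake scarcity counter visible without trusting the page at face value, as an added example (not code from the original post, and the markup below is constructed, not the real site's source): a static check for an inline script that feeds the displayed count from Math.random(), and a dynamic check across saved reloads of the same page, since a genuine inventory count can only stay the same or go down, never up.

```javascript
// Added example, not code from the original post or from the site it describes.
// Two offline checks on saved copies of a page that claims "Only N spots left":
//   1. static:  an inline script feeds the displayed count from Math.random();
//   2. dynamic: the count goes UP between reloads, which a real inventory
//      counter can never do (it can only stay the same or decrease).

// Constructed sample snapshots of the same page saved after three reloads,
// modelled on the pattern the post describes (hypothetical markup, not the
// real site's source).
const SNAPSHOTS = [
  '<p>Hurry! Only <b id="spots">17</b> Spots Left!</p>\n' +
  '<script>document.getElementById("spots").innerText = Math.floor(Math.random() * 30) + 5;</script>',
  '<p>Hurry! Only <b id="spots">9</b> Spots Left!</p>\n' +
  '<script>document.getElementById("spots").innerText = Math.floor(Math.random() * 30) + 5;</script>',
  '<p>Hurry! Only <b id="spots">22</b> Spots Left!</p>\n' +
  '<script>document.getElementById("spots").innerText = Math.floor(Math.random() * 30) + 5;</script>',
];

// Pull the number out of the scarcity claim, tolerating a tag wrapped around it.
function extractSpotsLeft(html) {
  const m = /Only\s+(?:<[^>]+>\s*)?(\d+)\s*(?:<\/[^>]+>\s*)?Spots?\s+Left/i.exec(html);
  return m ? Number(m[1]) : null;
}

// Static check: does any inline script call Math.random() on a page that
// shows a "spots left" claim?
function counterIsRandomized(html) {
  if (extractSpotsLeft(html) === null) return false;
  const scripts = [...html.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script>/gi)].map((m) => m[1]);
  return scripts.some((src) => /\bMath\.random\s*\(/.test(src));
}

// Dynamic check across reloads: report the counts and whether they ever rise.
function assessScarcityClaim(snapshots) {
  const counts = snapshots.map(extractSpotsLeft);
  const countIncreased = counts.some(
    (c, i) => i > 0 && c !== null && counts[i - 1] !== null && c > counts[i - 1]
  );
  const randomized = snapshots.some(counterIsRandomized);
  return { counts, countIncreased, randomized, suspicious: countIncreased || randomized };
}

// Stand-alone run over the constructed snapshots.
console.log(assessScarcityClaim(SNAPSHOTS));
```

The static check is the one that applies to the page in the post (the script is unobfuscated, so the Math.random() call is in plain view); the reload comparison still works when the script is obfuscated, because it only looks at what the page ends up displaying.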
What is sad is that I’m sure they are bilking quite a few people out of their cash. Why?
-Josh
Social Engineering & Neuro-Linguistic Programming (NLP) Profiling
by Josh on Nov.22, 2009, under Uncategorized
As I mentioned in my previous post, I am currently working on some original research dealing with Social Engineering. For background, I have been reading some of the few books on social engineering. One of them, Hacking the Human, by Ian Mann, has been fantastic. One of the areas of research he goes into is some basic principles on using Neuro-Linguistic Programming to profile a target.
Neuro-Linguistic Programming (NLP) was first developed by Richard Bandler and John Grinder, as a form of psychological therapy. They felt there was a “…theoretical connection between neurological processes (‘neuro’), language (‘linguistic’), and behavioral patterns that have been learned through experience (‘programming’), and that can be organised to achieve specific goals in life.” (Wikipedia)
One aspect of NLP that Mann brought out was the idea of observing eye movements to indicate current thought processes. For example, the idea that as people talk to themselves, their eyes drift bottom-right.
The following is a diagram of the different possible locations:

I found a great video that showcases this.
(Used with Permission)
I found this to be a very interesting concept, so I decided to test it out for myself. I asked the same questions as the above video to a friend, while videoing him answering. Interestingly, I got the same results, though not quite as pronounced as in the above video.
To bring this back to Social Engineering: Mann saw this as a powerful tool to add to his repertoire for face-to-face social engineering attacks, being able to get clues to the current thought process of the target, and even being able to tell, with a high percentage of accuracy, if the target is lying! (Mann, Hacking the Human)
Just another exploitable vulnerability in the being that is called the Human.
-Josh
