To The Last Tribe Consulting

As I alluded to in a past post, I have been working on my GCIH Gold paper for the past 6 months.  Well, I submitted it last month, and just found out that it has been accepted/passed!  This means that I now have my GCIH Gold certification.  I will be working on my GSEC Gold certification next.

As for the paper itself, I decided to do original research on social engineering on social networks–specifically, on the amount of information that people give up on the “harmless” quizzes they take on social networks like Facebook.

Below is the abstract:  (You can find the paper online here)

-Josh

I have no idea who Greg, developer of the Penny Stock Secret is, or whether or not he really is a millionaire, but I do know one thing for sure:  They really need to obfuscate their javascript better.

So the idea of PennyStockSecret.com is that after ‘Greg”, “studied all the investment theories, consulted financial advisors and spent extraordinary amounts of time at his computer,” he found the “keys that bring stock market success.”

And for only a one time fee of $97, you can be in on his success!  How?

Well, “More than just identifying the best stocks to buy, we tell you exactly when to sell them too.” They do this through subscribing you to a newsletter that will alert you when you should buy and sell.

But wait, there is a catch!  There are only Insert Random Number Here spots on the newsletter list available!

Wait, what?

Yes, if you view the source, you can see that all the Javascript does is generate a random number for how many spots are available.

What is sad is that I’m sure they are bilking quite a few people out of their cash.  Why?

Wizard’s First Rule.

-Josh

As I mentioned in my previous post, I am currently working on some original research dealing with Social Engineering.  For background, I have been reading some of the few books on social engineering.  One of them, Hacking the Human, by Ian Mann, has been fantastic.  One of the areas of research he goes into is some basic principles on using Neuro-Lingustic Programming to profile a target.

Neuro-Lingustic Programming (NLP) was first developed by Richard Bandler and John Grinder, as a form of psychological therapy.  They felt there was a  ”…theoretical connection between neurological processes (‘neuro’), language (‘linguistic’), and behavioral patterns that have been learned through experience (‘programming’), and that can be organised to achieve specific goals in life.” (Wikipedia)

One aspect of NLP that Mann brought out was the idea of observing eye movements to indicate current thought processes.  For example, the idea that as one talks to themselves, their eyes drift bottom-right.

The following is a diagram of the different possible locations:

I found a great video that showcases this.

(Used with Permission)

I found this to be a very interesting concept–So I decided to test it out for myself.  I asked the same questions as the above video to a friend, while videoing him answering.  Interestingly, I got the same results, though not quite as pronounced as the above video.

To bring this back to Social Engineering: Mann saw this as a powerful tool to add to his repertoire for face to face social engineering attacks–being able to get clues to the current thought process of the target–even being able to tell, with a high percentage of accuracy, if the target is lying! (Mann, Hacking the Human)

Just another exploitable vulnerability in the being that is the called the Human.

-Josh