Archive for the ‘social engineering’ Category

On Facebook’s social authentication

Tuesday, February 15th, 2011

Recently Facebook added security controls to protect its users against unauthorised access:

http://blog.facebook.com/blog.php?post=486790652130

It was about time to employ SSL in order to protect the passwords, but the use of “social authentication” creates a false sense of security:

1. CAPTCHA are supposed to distinguish between a machine and a human, not a hacker and a human. Perhaps we should emphasize that hackers are human! Watch out Facebook, you will get Greenpeace on your tail, hackers are not animals :-p

2. The complexity of breaking the social CAPTCHA is linear, or at least it is definitely not exponential. Following point 1 above, a human hacker maintains enough cognitive skills to gather enough information to “break” the challenge. Besides, the person’s characteristics, ethnic background traits etc. form a side channel that help us eliminate some answers (for example from the pictures below the person is less likely to be Nick Wilkerson, Tim Kuper, David Starling) and the probability distribution is not uniform.

USB attack vectors: Can they be thwarted by disabling autorun?

Tuesday, January 25th, 2011

The answer is no.

In our work “On the detection of pod slurping attacks” we raised the security issues by having autorun enabled in Windows, but we underestimated the 0-day attack incorporated in stuxnet malware:

Social-Engineer Toolkit

Thursday, January 6th, 2011

- Number of Internet users in 2010: 2 billion (approx., Internet World Stats)

- What percentage of the above users are security aware? 1%? 5%? 30%? FIFTY % ? (doubt it). There still remains at least ONE BILLION security illiterate users (citizens). Lots of opportunities for exploitation, unfortunately…

So how about a framework with a primary goal to exploit the user’s security unawareness? Well, here is is:

The Social Engineering Framework


Copyright © 2017 Information Security and Incident Response Research Unit. All Rights Reserved.
No computers were harmed in the 0.376 seconds it took to produce this page.

Designed/Developed by Lloyd Armbrust & hot, fresh, coffee.