RSSColumns is Vegas Bound Baby!

| July 20, 2012 Logo

20 years.  Hard to believe, but Defcon has been around for 2 decades.  And Black Hat has been doing its thing for 15 years and continues to buck the conference trend and grow in attendance each year.  These two security conferences are some of the pace setting events for our industry.  For the last few years, the crew at Social-Engineer have been a part of these events, and this year is no different. As you may know, we have 2 arms of our organization. is the free web portal that strives to achieve “Security Through Education” not only with our core crew but also with many excellent contributors. is our commercial arm offering social engineering services (such as penetration tests) and training.  Here are some of the events, happenings and schedule for us during the annual pilgrimage to Vegas.

Continue Reading

Video Review: Cobalt Strike Penetration Testing Software

| June 29, 2012


By Ryan Linn 

Cobalt Strike is the latest tool that Raphael Mudge (@Armitagehacker) has released at to help penetration testers optimize their workflow and pen testing tasks.  Cobalt Strike is a commercially supported version of Armitage, Cyber Attack Management for Metasploit, with a whole slew of new features added to aid in social engineering attacks, phishing, and targeted exploitation.  As described on their own site:

"Cobalt Strike is threat emulation software. Red teams and penetration testers use Cobalt Strike to demonstrate the risk of a breach and evaluate mature security programs. Cobalt Strike exploits network vulnerabilities, launches spear phishing campaigns, hosts web drive-by attacks, and generates malware infected files from a powerful graphical user interface that encourages collaboration and reports all activity."

Stay with us after the break as we examine more details of this new software package, thoughts on how it might fit into your arsenal of tools and also an exclusive video by Ryan Linn offering a first look at Cobalt Strike to all EH-Netters.

twitter-icon.png delicious.png

Discuss in Forums {mos_smf_discuss:Linn}

Continue Reading

Nonverbal Human Hacking

| June 18, 2012

Nonverbal Human Hacking - Lie To Me Microexpressions

Many fans of the newsletter will remember a couple years ago when I launched some research.  I wrote about the study and the use of nonverbal communications and labeled it NLH.  Over the last couple of years I have been working on deepening and broadening that research and feel that the title limited my studies.  Moving to a more general definition like “nonverbal human hacking” takes away the stigma and connection to NLP that made many view this area as something more mystical and not science-based research.

The fact of the matter is that social engineering is nothing new.  From some of the oldest stories recorded in mankind’s history until today, social engineering has been used.  Despite the advancement in technology the same principles work when it comes to “hacking the human OS.”

As an ardent student of the sciences and arts that make up social engineering, I am always trying to learn how to adapt certain studies from other professionals into social engineering as a whole.  As you most likely have heard, we have interviewed radio hosts, psychologist, law enforcement officials, dating experts, scientists and others to try and understand what each of those fields has to offer a social engineer.

Continue Reading

An Insider’s Look at the Social-Engineer.Org SE CtF at DEFCON

| May 25, 2012

By Chris Hadnagy

dc-18-logo_smsq.pngI want you to picture this scene:  It is a warm day in sunny Maryland, my phone rings.  I answer it.

Me – “Chris speaking…”
Voice – “Hello Sir, this is Special Agent Smith (name changed) from the FBI, I would like to speak to you about this social engineering contest…”
Me – “Nice Dave, not falling for it.  Good try sucker!”
Voice – “Sir, I already mentioned my name is Special Agent Smith, not Dave.  It is important that we…
Me – “Blah, Blah Blah.. right Dave.  You are always trying to get me.  Nice one, almost sounds real.  Later loser…”
Moments after the phone was hung up it rings again…
Me – “Hello?”
Voice – “I would ask that you listen sir and do not hang up.  Call me back at this number… And ask for Special Agent Smith.”

This was the birth of the very first Social-Engineer.Org’s Social Engineering Capture the Flag Contest (SE CtF) at DEFCON over 2 years ago.

twitter-icon.png delicious.png

Discuss in Forums {mos_smf_discuss:Hadnagy}

Continue Reading

Bringing the Unsexy Back: The Process of Selling SE Penetration Tests

| April 27, 2012

Selling SE - Bill Gates Sexy Pose

For the past few months, I’ve brought you articles on launching your career as a social engineer, the psychology and history behind hacking humans and even some scams you can pull on your clients for their own good.  As wonderful as it is to talk about the methods, the tricks and the sexy stories of social engineering pwnage, we need to take a step back and discuss the business end of this spectrum.

Yes, I said it… business side.  After all, most of us reading this article either are in IT/Security or want to be.  So how can one sell SE penetration tests?  How can you scope it?  Price it? And what do you give the client at the end of the engagement? All of these are good questions for budding professional social engineers, and thus the topic of this month’s column, the process of selling and delivering a social engineering penetration test.

Continue Reading

Scam Your Clients for Their Own Good

| March 26, 2012

Scam Your Clients for Their Own Good - Pic

As a professional social engineer, it is beneficial to study the methods of scamming that the bad guys have used in the past, compare it to modern tactics and see what can be learned.  Experts have agreed that the motivation for most scams is greed.  Although that is true, it is also found that fame, attention or just the need to maliciously hurt and steal from others are strong motivators for scamming people.  This month, let’s analyze some old scams, compare them to a modern-day equivalent and see what we can learn as Social Engineering Pentesters to ethically scam your clients.

Although scams have been around since the dawn of man, this one from 1812 is notable.  A Philadelphia man name Charles Redheffer claimed that he invented a perpetual motion machine, a theoretical device that, after only one initial input of power, will perpetually continue to generate energy.  Even though such a machine would break the laws of thermodynamics, his claim was supposedly backed up by an actual working device.  His next desire was to secure government funding to “build a larger version”.  He actually got the money and built a new machine, but he then fled the city when inspectors found that he had hidden the real power source.  Undeterred, he tried the same scam in New York City but was again caught when the inspectors removed a wall of the machine to reveal an old man eating a sandwich and turning a crank.  This machine can still be seen today in the Franklin Institute of Philadelphia.  In analyzing this scam we can see some basic principles at play here.

Continue Reading

Look Mom, I’m a Thespian: How to Use Acting Skills as a Social Engineer

| February 24, 2012

masks.jpgChris Hadnagy

Social Engineering is a complex beast.  It is not simply lying or telling someone a deceitful story to get them to give over their passwords.  Social Engineering (SE) is defined, well at least by me, as any act that influences a person to take an action that may or may not be against their best interest.  With that definition in mind there are many different principles that influence SE and the skills needed both physically and psychologically.

The concept behind this column is to provide the tools, techniques and direction to the readers that would like to either incorporate more SE into their current work or to become a full-time social engineer. I would like to take this month’s article to talk about at least one of the psychological principles involved in SE that should be considered foundational and required. It makes a huge difference in your ability to be successful.

twitter-icon.png delicious.png

Discuss in Forums {mos_smf_discuss:Hadnagy}

Continue Reading

Interview: Smart Grid Security Expert Justin Searle

| February 20, 2012

searle_pic.pngWith the changing landscape of warfare away from nation-states only utilizing conventional means to the addition of mobile rogue outfits utilizing cyber-attacks, not only countries but also organizations of all shapes and sizes now need to concern themselves with a new threat. Slowly but surely, the real vulnerability to the power grid is starting to grab the attention of both the public and private sectors. Along with that comes more media attention and in turn pressure to make sure these systems don’t come crashing down affecting hundreds of millions citizens dependent on today’s modern conveniences.

With the need to secure such systems also comes the need for expertise and education. Enter Justin Searle, Managing Partner at UtiliSec.  UtiliSec provides security consulting services to utilities and vendors in the energy sector.  Some of the services offered include security assessments, guidance on regulatory issues like the NERC CIPs, participation in standards work and security training services. So who better to interview in order to shine a light on some of the many aspects of this burgeoning field of security? Here’s several questions to get us all up to speed.

twitter-icon.png delicious.png

Discuss in Forums {mos_smf_discuss:Editor-In-Chief}

Continue Reading