Social Engineer Toolkit Coming At BSidesLasVegas

New social engineering techniques will be on full display at this week’s Black Hat and DefCon events in Las Vegas. Some have already gained media attention, including a planned social engineering contest at DefCon.

Lesser-known but perhaps just as interesting will be the unveiling of a new social engineer toolkit at BSidesLasVegas.

In a talk called “The Social-Engineer Toolkit: Putting The Cool Back Into SE,” Dave Kennedy, a pen testing specialist and regional security director for an international Fortune 1000 company, will unveil SET (Social Engineer Toolkit) v0.6 — codename “Arnold Palmer,” complete with new techniques designed to help pen testers find and address such weaknesses in their own company environments. It’s an open-source kit that integrates with the Metasploit framework.

“It’s getting harder to break in on the external perimeter and companies are getting better at application security, so the adaptation occurs towards our weakest link, the human element,” Kennedy said.

[ Also see: Social engineering: The basics ]

Recent CSO articles point to just how bad the problem is getting. One such story noted how company executives tend to be the easiest social engineering targets, while in another example, security professionals became the victim in what was called the Robin Sage experiment.

During his talk, scheduled for 3 p.m. Wednesday at the 2810 resort — site of all B-Sides talks July 28 and 29 — Kennedy will demonstrate a variety of social engineering attacks, including one called TabNabbing. Here, the user visits a website and gets a “please wait” message. The victim switches to a different tab, which goes to a cloned site. The victim, thinking they’ve been logged off or hit the wrong tab, enters their information again. In the process, the bad guys are able to snag those credentials.

In a related social engineering technique, the user of the kit can clone a website and automatically rewrite the post parameters to allow them to intercept and harvest credentials. Here, the victim is redirected back to the original site to make it all seem less conspicuous.

Kennedy will also demonstrate the “Thomas Werth attack vector.” Released at ShmooCon, this attack vector allows you to create a malicious Java Applet. When the user hits run the payload is executed on the victim’s machine.

Going hand in hand with the social engineering focus will be presentations on social networking, the new best friend of attackers who rely on social engineering.

In one talk, Paul Judge, chief research officer at Barracuda and Dave Maynor, research scientist with Barracuda Labs and CTO/cofounder Errata Security, will discuss “The dark side of Twitter.”

Barracuda Labs has been collecting Twitter data for more than two years and has analyzed more than 20 million user accounts, Judge and Maynor said in an interview Friday. They’ll measure the Twitter “crime rate” from its inception in 2006to present day, and demonstrate how attackers respond rapidly to the large increases of users driven by celebrity attention on Twitter.

“We’ll also talk about the poisoning of URL shorteners and the proliferation of imposter profiles,” Judge said.

That talk is scheduled for 3 p.m. Wednesday, the same time as Kennedy’s presentation.