July 26, 2010, 12:26 PM — New social engineering techniques will be on full display at this week's Black Hat and DefCon events in Las Vegas. Some have already gained media attention, including a planned social engineering contest at DefCon.
Lesser-known but perhaps just as interesting will be the unveiling of a new social engineer toolkit at BSidesLasVegas.
In a talk called "The Social-Engineer Toolkit: Putting The Cool Back Into SE," Dave Kennedy, a pen testing specialist and regional security director for an international Fortune 1000 company, will unveil SET (Social Engineer Toolkit) v0.6 -- codename "Arnold Palmer," complete with new techniques designed to help pen testers find and address such weaknesses in their own company environments. It's an open-source kit that integrates with the Metasploit framework.
"It's getting harder to break in on the external perimeter and companies are getting better at application security, so the adaptation occurs towards our weakest link, the human element," Kennedy said.
Recent CSO articles point to just how bad the problem is getting. One such story noted how company executives tend to be the easiest social engineering targets, while in another example, security professionals became the victims in what was called the Robin Sage experiment.
During his talk, scheduled for 3 p.m. Wednesday at the 2810 resort -- site of all B-Sides talks July 28 and 29 -- Kennedy will demonstrate a variety of social engineering attacks, including one called TabNabbing. Here, the user visits a website and gets a "please wait" message. The victim switches to a different tab, and the waiting tab then loads a cloned site. The victim, thinking they've been logged off or hit the wrong tab, enters their information again. In the process, the bad guys are able to snag those credentials.
In a related social engineering technique, the user of the kit can clone a website and automatically rewrite the POST parameters to allow them to intercept and harvest credentials. Here, the victim is redirected back to the original site to make it all seem less conspicuous.
Kennedy will also demonstrate the "Thomas Werth attack vector." Released at ShmooCon, this attack vector allows you to create a malicious Java applet. When the user hits run, the payload is executed on the victim's machine.