42spt Posted November 4, 2011

"Millions for defense, but not one cent for education!"

The spt project is a small step toward securing the mind as opposed to securing computers. Millions are spent safeguarding information systems, but undertrained and susceptible minds then operate them. A simple, targeted link is all it takes to bypass the most advanced security protections. The link is clicked, the deed is done. spt was developed from the ground up to provide a simple and easy-to-use framework to identify your weakest links so that you can patch the human vulnerability.

If the project sounds interesting to you, please consider taking a look at it. Demo it (read-only mode), download it and use it yourself. We are looking for all feedback and ideas as we take the next steps on the project. Please feel free to contact us via replies to this thread, or via the contact form on our project web site.

http://www.sptoolkit.com/

Thanks!

Morfir Posted November 5, 2011

It's an interesting idea, are you going to develop it open source? My main question is once you do identify the "weakest" link, what are you going to do with him? Educate him? Fire him, in a corporate world? How does one patch the human vulnerability?

Infiltrator Posted November 5, 2011 (edited)

> My main question is once you do identify the "weakest" link, what are you going to do with him? Educate him? Fire him, in a corporate world? How does one patch the human vulnerability?

Firing is not something an employer should do. If they want their staff to understand and know how to handle such situations, the employer should train them and expose them to real-world cases; that's the only way they can succeed. Firing them would be considered discrimination.

Edited November 5, 2011 by Infiltrator

42spt (Author) Posted November 5, 2011

@Morfir: The project is open source and we intend for it to always be open source. We've been inspired by many other great open source tools (BT, SET, Metasploit, etc.) and felt there was a place for something simpler and more along the lines of where we're going with the spt. As to the follow-up after finding out who the weakest link is, education is the next natural step we see. In future releases we have plans to integrate training into the spt so you can go from identification to reporting to training in an intelligent manner.

@Infiltrator: You've said it exactly, the spt was developed to be used as that tool to expose employees in a SAFE fashion to phishing efforts to see what happens.

Thanks both for the comments.

Morfir Posted November 5, 2011

> In future releases we have plans to integrate training into the spt so you can go from identification to reporting to training in an intelligent manner.

Sounds good, it's an interesting idea to focus on the human vuln. Usually people develop software to safeguard them from having to deal with things like phishing. I'll try it out a little bit later.

bobbyb1980 Posted November 12, 2011

I gave it a brief test run this morning. It's a good idea, good concept and I like how it's database driven, but I think it needs more different attack vectors. You can email the bogus links, but those emails are probably going to end up in a spam folder for whoever they're sent to. Sorry to be so critical, but in a real-life pen test I don't see many people changing their bank password or their webmail password from an email from an unknown address.

If you could somehow incorporate email header spoofing into the attack (it'd be original too) then I think the success rates will rise. Or if you could add a spear-phishing attack vector. Phishing reports are down 50% in the first half of 2011 from 2010 so I think people are finally realizing not to click links in emails.

Mr-Protocol Posted November 12, 2011

Umm... Have you all not heard of the Social Engineering Toolkit by David Kennedy? http://www.secmaniac.com/ is his website. S.E.T. is included with Backtrack 5 and he has updated about once a week.

42spt (Author) Posted November 13, 2011

@bobbyb1980: We are definitely going to be adding features over time. The project is still very new so it certainly may not show its full potential yet. The usage for spear phishing is certainly possible I think, just some simple modifications to the templates to "personalize" the attack for the target. Thanks for the suggestion. I'm not sure yet what the feasibility is of full header spoofing, but we know it gets done all the time by the bad guys. That might find its way into the project at some time. Thanks for your comments.

@Mr-Protocol: We are very much aware of the SET and its uses. We are certainly not trying to replicate or replace SET, but instead we're trying to offer a simpler alternative that can be used by those who might not have the technical knowledge required to really use SET and BackTrack correctly. That's why we chose the word "simple" as the first in the title. Thanks for taking the time to read and reply.

Mr-Protocol Posted November 14, 2011

S.E.T. is menu based step by step, pretty simple to use :P

bobbyb1980 Posted November 15, 2011

I don't think the usage for spear phishing is realistic with something like this. SET claims to have spear phishing but it isn't much more than an automated emailer. People use the term "spear phishing" so loosely, I don't think there's a real definition for it besides a personalized attack, and your program is based on automation and it's near impossible to automate personalization.

I also think the day is near where phishing will be protected by the browser with reverse DNS lookups, same thing for emails (hence why I said most major email providers aren't vulnerable to this attack).

bobbyb1980 Posted November 16, 2011

This thought crossed my mind this morning also. You should add a JavaScript prompt to prompt the user to run a Java application as part of the test. I think that in the wild this type of attack is much more destructive and common than simple phishing ones.

Mr-Protocol Posted November 16, 2011

bobby, S.E.T. has a java attack vector and many other attack vectors. If you have only used the spear phishing then you should explore it more.

bobbyb1980 Posted November 16, 2011

Yeah I know, I'm a huge SET fan. Just thought this guy's program could kind of pentest to try to prevent the Java applet attack, but then again short of installing NoScript in your browser how can you even stop the Java applet attack?

42spt (Author) Posted November 19, 2011

@bobbyb1980: I'm not sure at the current time that we'd add something like you've described as that gets away from the intent of the spt as a whole, which is to evaluate the security of the human.

@all: We're certainly not trying to compete with any other tool out there, especially SET. We're big fans of SET and its integration within BackTrack overall. I think the "market" is certainly large enough though for more than one tool, even more so given that each will have its own unique use cases and features over time.

Phishing by itself, I'd argue, is plenty dangerous enough and not on the decline. Read into the recent Delta phishing emails that were sent out. Fall for the email (and not even that well composed as compared to what it was supposed to look like) and you're the proud recipient of a shiny new rootkit that starts phoning home in less than 10 seconds. We did a fair bit of analysis on this one and it seems to be the natural progression of most of these attacks today: get the target to click that link and download malicious code for phase 2 of the attack, whatever that might be.

We do appreciate the feedback from everyone on this project. Thanks!