How to be Anti-Social
by Randy Cook
03/31/02
Social Engineering is nothing more than lying to get what you want. It's a new name for a very old profession. Con artists have been fooling people for thousands of years. While the methods and tools may have evolved, one thing remains the same: very few victims are willing to report the crime.
In the Information Technology field, social engineering is a term used to describe the method used by hackers to fraudulently gain information which will aid them in their attempts to hack into your network. It is a widely used practice and one which nearly always yields useful information, even when used by the most inept hackers. The reason it is so often successful is that very few organizations have guidelines or training to prevent this kind of attack.
One of the reasons so few IT organizations have a policy regarding social engineering is that few admins or users are willing to admit they've been fooled. In many cases, they aren't even aware that it's happened! So, the incidents usually go unreported. In this whitepaper, I'll be using some real-life examples to demonstrate the techniques used by hackers. All of the examples are taken from actual events; however, specific details have been changed to protect the confidentiality of the people involved.
Social engineering depends on the basic human tendency to trust fellow members of the same group. The hacker will immediately attempt to place themselves on the same side as their target. A good example of why this works can be found by listening to anyone who deals with people outside of your company, your receptionist for example. Hang around the lobby and listen to the way they speak to a caller who is a fellow employee and how differently they speak to a caller who is a non-employee. For a real difference, listen to how they speak to a family member. The hacker's goal is to make the target believe they are dealing with a fellow group member. It could be a fellow employee, a counterpart at a partner company or someone offering assistance.
My first experience with social engineering was when I was working as a desktop support technician for an international manufacturing firm. I had only been on the job for a couple of days, so I thought it was kind of odd when the switchboard operator transferred a call to me from a user who'd specifically asked for me. The user said he was "Rick" in Sales calling from a hotel in London. He was preparing for a sales pitch and had left the latest pricing figures in an e-mail in his inbox. He'd been given a loaner laptop from "Big Earl" the IS Manager, but it wasn't configured for international dialing. He asked me to give him the information so he could dial in using the 800 number. On the surface this sounded perfectly reasonable. Sales guy on the road, doesn't know how to configure a laptop, friends with Earl - no problem, right? The only thing was the connection was just too good to be an international call. He sounded like he was across the hallway, not across the ocean! I decided to stall while I got more info. "Gee, Rick, I'm kind of new here. I don't have any of the international dialing configs and I can't find the 800 number in my docs anywhere." Now "Rick" starts to pull out his big guns. "Look", he says, "I've got a major pitch I have to give in less than one hour. I don't want to lose this sale because you don't know how to do your job. Now, I want access to my e-mail and I want it now! Do you want me to have my boss call Earl or Jessica?" Now I'm really suspicious. "Jessica" was the manager of HR up until the day before. It's not unusual that someone wouldn't know that she'd left the company recently, especially someone who travels frequently, but the way he was trying to punk me into doing what he asked made me very skeptical. I decided to play it safe. I asked him to give me his number so I could call him back in 5 minutes with the info. He said I wouldn't be able to reach him, since he had to leave immediately to get the meeting room downstairs ready for the meeting with the prospective clients. He said he'd be able to dial in from the meeting room before the presentation. He apologized for losing his temper, explaining that he was under a tremendous amount of pressure to make this sale, and thanked me for my help. He said he'd call back in 20 minutes. Before I'd even hung up I was sending out a 911 text page to my boss, "Dave". He called me immediately and I gave him the highlights. He said he'd check on a couple of things with Earl and the Sales dept. and call me right back. While I was waiting I called the receptionist who'd transferred the call to me. How, I asked her, did this Rick guy know my name? "Oh, he didn't ask for you by name. He said he'd been working with the 'New Guy' in Technical Support but got disconnected. You're the newest guy in Tech Support, so I figured it must have been you, right?" As soon as I hung up with her, Dave appeared in my cube. Earl never gave anyone a loaner laptop, there's no sales pitch in London and Rick in Sales is on vacation in Miami this week! I told him what the receptionist said. He ran off to his office to send out a broadcast e-mail warning all employees of suspicious phone calls and reminding everyone of what info is not to be discussed over the phone. He ran back to my cube and we waited for "Rick" to call back. By this time a small crowd of my fellow IT Support coworkers had gathered. We all nervously yammered out ideas on what to do when Rick called back. The ideas ranged from the absurd, such as giving him the correct configs and tracing the call (Huh? Where were we? The Batcave?), to my favorite, giving him the 800 number to the FBI's national hotline. Unfortunately, he never did.
This is a classic example of a social engineering hack. Let's use it as an example as we explore the standard techniques used by social engineering hackers.
First, a social engineering hack is launched in stages. Each stage is designed to acquire a piece of info which can be used to acquire more info. The ultimate goal is to acquire enough information to move on to a more traditional hack into your corporate network. Having a valid user account or even root access certainly makes that easier. The social engineer uses several techniques to acquire enough information to prepare for the next level of hack. I've broken down the common techniques into three stages. Naturally, these are not set in stone and every attack is as diverse as the attackers, but by splitting the basics up into three stages, we can see what the goals are and prepare a three-tiered approach to preventing them.
Stage One - Recon
Often the telephone is the weapon of choice. There are three things which make the telephone so attractive to a hacker:
They only know what you tell them about yourself. It's easier to build the image you want them to have.
If you need to bail, all you need to do is break the connection.
Caller ID is easily circumvented, and many companies don't even have that ability.
However, before the first call is ever made, the hacker will often make attempts to gain info by acquiring physical documentation. One technique is called "Dumpster Diving". It's just what it sounds like. The hackers will wait until after hours and go through the garbage of the targeted company. Most anything found can be useful, but the most valued prizes are:
Internal phone directories - They are used for getting the names, titles and locations of company personnel. Occasionally, I have seen internal phone directories list the after-hours technical support numbers or other private employee-only information. At the very least, an internal phone book gives a hacker the opportunity to drop names with confidence.
E-mails - It's hard to believe, but many people still print out e-mails. Whether it's because the users don't trust digital copies or just because they love the smell of toner, you would be surprised at how many company memos, schedules and network login procedures end up printed and tossed in the trash.
Discarded floppies - These are pure gold. While many companies have guidelines for the disposal of old hard-drives and back-up tapes, few monitor the disposal of floppies.
In our example above, all of the names "Rick" used were most likely found after a successful dumpster dive. In fact, we found out later that one of the overnight security guards had submitted an incident report several weeks prior regarding what he called "some homeless guys going through the trash." He'd chased them away and logged the report, but there was no procedure for forwarding the report to anyone within the company. Since there was "nothing of value" taken and no vandalism, the security supervisor had no reason to pass the report on to anyone else.
Stage Two - Who's Who?
Now armed with information which only a fellow employee would know, the hacker will begin the verification stage. Stage Two is usually about verifying the information gathered in Stage One and using it to gather even more useful information. Remember, the ultimate goal here is to find a way to gain access to your computer network, so it's all about building a database of information. Every bit of information acquired will lead to other information, and all of it can be useful. This is the stage which really exposes the power of your greatest asset or your biggest liability - The Gatekeeper. Every company has one. The Gatekeeper is the person or persons tasked with answering incoming calls and routing them to the correct destination. This may be your receptionist or message center or whoever routes calls for your Technical Support line. Whoever it is, they are an invaluable resource of information. I know in most of the companies I've worked with, the receptionist was the first person in and one of the last to leave every day. He or she knew everybody, what they did and where they were at any point in the day. They were often the central hub of information on personnel, including all the latest gossip.
At this stage, the hacker will often pretend to be a non-technical user asking for help. One method is to pretend to be the Gatekeeper's counterpart at another company. For example:
GateFaker: "Hi, I'm Tina, the receptionist with XYZ down the road from you. I hope your day is going better than mine. I just got a package that I think belongs to your HR Director. Is it still Jamie Peters? Okay, I'll make sure it gets to you guys - thanks! Oh, that reminds me. If you guys are using Printer Fixers, Inc. for your printer repair service, watch out for the new guy! He just moved here and he doesn't know where anything is! Oh, you switched to Printer Expert Repair? Really? Maybe we should too. Anyway, I'll see that Jamie's package gets to you. Thanks!"
In this example, the hacker verified the name of the HR Director and also found out that the target company is using a new repair service.
Keep in mind the goal of Stage 2 is to verify information to be used in the next stage. "Rick" from our example used a similar conversation to prepare for his third-stage attempt. It's important that the hacker knows they are using valid information such as the correct names and even the nicknames and insider terms used by internal employees. For example, I once worked for a company which had a small, remote sales office which all the employees referred to as "Cricket's". It got its name from the first manager who worked there, who went by the nickname "Cricket". Naturally, if someone called in, said they were calling from Cricket's and their network was down, they'd start out with a great deal of credibility since they were already speaking the way fellow employees would.
Another method used at this stage is to portray a user in need of technical assistance. By calling a corporate Technical Support line and convincing the technician they are a fellow employee who needs help, they can acquire valuable information which can be used in Stage 3. Since desktop support technicians often follow a standardized flowchart and use the same responses, the hacker can more easily pretend to be one of them in subsequent calls to users. "Rick" was most likely in Stage 2 when he called me. His goal at that point was to get information on how we're told to answer the phone, how we respond to network login problems and what our 800 dial-in number was. He was also exploring my level of administrative access. It seems to me he was working up to seeing if I could create temporary accounts, provide dial-in access or access users' e-mail. He would be able to use all of this information to be more convincing when he moved into Stage 3.
Stage 3 - Trust me, I'm here to help.
Now it all comes together. Seemingly unrelated bits of information, useless when separated, are joined to form a valuable toolbox for our hacker. In Stage 3, the hacker is attempting to gain access. Using the verified information gained previously, the goal is now to successfully portray someone whose authority won't be questioned.
Let's look at three real-life examples.
Example #1 - It's lunchtime and a man with a tool box and a printer toner cartridge approaches the receptionist. He introduces himself as "Todd" from Printer Expert Repair and hands her his business card. "My boss said Big Earl left us a voice-mail yesterday about Bay 3's label printer", he says, "I didn't expect to have time before next week, but my last job was right down the road. Is it okay if I go take a quick look?"
The result: "Todd" collected several usernames and passwords, conveniently written down on sticky-notes and stuck to users' monitors. He even grabbed several back-up tapes which had been left out and marked for disposal by the back-up admin.
Example #2 - The secretary of the CFO gets a call from "Todd" in Desktop Support. "Uh-oh", he says "You're not in London." When the secretary asks him what he means, he replies "Someone is dialing in to our network from the Walford office using your account. You just got back from there didn't you? Don't worry about a thing. I can fix it. I'll need you to log off so I can change your password. Your new password will be 'zippy1two'. Wait, since they're still logged on, I'll need your old password to kick them off and change it to the new one."
The result: "Todd" immediately logs on and uses her account to access highly confidential financial information. He even changes her password to "zippy1two" so as not to arouse her suspicion.
Example #3 - Hundreds of employees receive an e-mail from their Desktop Support dept. which instructs them to load the attached patch immediately to prevent the spread of "another outbreak of the Melissa Virus like we had last month."
The result: Dozens of users follow the instructions, which were sent by a hacker using a faked e-mail account which appeared to come from the company's Desktop Support. The "patch" was really a hacker app which collected a wide variety of data from the user's system and e-mailed it to the hacker's overseas e-mail address. Since a majority of the IT Dept. was attending an off-site training seminar, the bogus e-mail went undetected for nearly an entire day.
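The Example #3 pattern (a message whose display name claims to be Desktop Support, sent from an outside account, pushing a runnable "patch") is one a mail gateway or mailbox rule can catch. The following Python is an added example and is not part of the original whitepaper: it uses only the standard-library e-mail parser, assumes a company domain of example.com (a placeholder), and the two messages it checks are constructed samples, not real mail.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumed values: substitute your own domain and the display names your
# support group actually uses.
COMPANY_DOMAIN = "example.com"
SUPPORT_DISPLAY_NAMES = {"desktop support", "technical support", "it support"}
EXECUTABLE_EXTENSIONS = (".exe", ".com", ".bat", ".scr", ".vbs", ".pif")


def _domain(address):
    """Domain part of an address, lower-cased ('' if there is no '@')."""
    return address.rpartition("@")[2].lower()


def assess_message(raw):
    """Return the reasons a message looks like a support-desk impersonation.
    An empty list means nothing suspicious was found."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []

    display, sender = parseaddr(str(msg.get("From", "")))
    claims_support = display.strip().lower() in SUPPORT_DISPLAY_NAMES
    if claims_support:
        # A support desk writes from the company's own domain; a support
        # display name on any other domain is a spoofed identity.
        if _domain(sender) != COMPANY_DOMAIN:
            reasons.append(f"display name '{display}' but sender is {sender}")
        reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
        if reply_to and _domain(reply_to) != COMPANY_DOMAIN:
            reasons.append(f"Reply-To leads outside the company: {reply_to}")

    # A "patch" delivered as a mail attachment is exactly what Example #3 abused.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(EXECUTABLE_EXTENSIONS):
            reasons.append(f"runnable attachment '{name}'")
    return reasons


# Constructed sample: an outside sender borrowing the support desk's name.
SPOOFED = """\
From: Desktop Support <support-team@mail-patches.invalid>
Reply-To: support-team@mail-patches.invalid
To: all-staff@example.com
Subject: URGENT: load the attached patch now
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Load the attached patch immediately to prevent another outbreak
of the Melissa virus like we had last month.
--XYZ
Content-Type: application/octet-stream; name="patch.exe"
Content-Disposition: attachment; filename="patch.exe"

placeholder bytes - constructed sample, not a program
--XYZ--
"""

# Constructed sample: the real support desk, no attachment.
LEGITIMATE = """\
From: Desktop Support <desktop-support@example.com>
To: all-staff@example.com
Subject: Reminder: report suspicious phone calls
Content-Type: text/plain

Please do not discuss dial-in numbers or passwords over the phone.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legitimate", LEGITIMATE)):
        print(label, assess_message(raw) or "no findings")
```

The check deliberately keys on the mismatch between what the sender claims to be and where the mail actually comes from, which is the same mismatch the telephone examples turn on; a plain "external sender" rule would drown in legitimate outside mail, so the domain and Reply-To tests only fire when the display name claims an internal support role.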
In all three examples, you can see how having valid data gained in Stages 1 and 2 and presenting it in a recognizable form in Stage 3 allowed hackers to gain unauthorized access. Now that we've explored what they look for and how they use it, let's look at how we can prevent this type of hack.
Stage 1
Create a policy regarding the disposal of company information. Make sure that all phone directories, internal documentation and other sensitive printed material is shredded or kept out of public reach until it's collected by your waste disposal service. Include in this policy wording which points out the dangers of printing out e-mails and storing data on floppy disks and discourage employees from doing so. Meet with your janitorial staff and ask for their cooperation in making sure such items are not tossed in the trash.
If you have a security service, meet with them. Go over their procedures for observation and reporting. Make sure they understand that any attempt to access anything on company property, including the garbage, is to be considered theft and trespassing. Make sure all employees understand how to recognize unauthorized access to the premises and that all employees know how to report suspicious behavior.
Make sure all hard-drives, old back-up media and floppies are erased and destroyed before disposal. Even if the storage media has been erased, it's possible to recreate the data it once contained. However, if it's been smashed into tiny pieces, you can consider the data gone forever.
Set strict guidelines for passwords. No words found in a dictionary, no proper names and make sure they are changed frequently. Also, no sticky-notes! Advise users to write their passwords down on a piece of paper and keep it in their wallet.
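The password guidelines in the item above can be enforced mechanically rather than left to memory. This Python checker is an added example, not something from the original whitepaper. It reads the rules as "reject a password that contains a dictionary word or a proper name, and flag one that has not been changed recently"; the word list and name list are small constructed samples (a deployment would load a full dictionary and the personnel directory), and the 90-day rotation limit is an assumption the text does not state. Read this way, the rules reject the "zippy1two" password from Example #2, which is built from two dictionary words.

```python
from datetime import date

# Constructed sample lists: a real check loads a full word list
# (e.g. the system dictionary) and the names from the personnel directory.
DICTIONARY = {"zippy", "two", "one", "password", "sales", "london", "printer", "secret"}
PROPER_NAMES = {"rick", "earl", "jessica", "todd", "jamie", "tina", "dave"}
MAX_AGE_DAYS = 90  # assumed interval; the text says only "changed frequently"


def _letters(password):
    """Lower-case the password and keep only letters, so that digits or
    punctuation wedged between words ("zippy1two") do not hide the words."""
    return "".join(ch for ch in password.lower() if ch.isalpha())


def check_password(password, last_changed=None, today=None):
    """Return the list of guideline violations; an empty list means it passes.

    last_changed / today are dates used for the rotation check; when
    last_changed is None only the content rules are applied."""
    problems = []
    letters = _letters(password)

    # Rule 1: no words found in a dictionary (checked as substrings).
    for word in sorted(DICTIONARY):
        if word in letters:
            problems.append(f"contains dictionary word '{word}'")

    # Rule 2: no proper names.
    for name in sorted(PROPER_NAMES):
        if name in letters:
            problems.append(f"contains proper name '{name}'")

    # Rule 3: changed frequently.
    if last_changed is not None:
        today = today or date.today()
        age = (today - last_changed).days
        if age > MAX_AGE_DAYS:
            problems.append(f"last changed {age} days ago (limit {MAX_AGE_DAYS})")

    return problems


if __name__ == "__main__":
    for candidate in ("zippy1two", "Xq7!mRv2pL"):
        print(candidate, check_password(candidate) or "passes")
```

Because the lists are tiny the checker is only illustrative; with a real dictionary the substring test also catches the common trick of padding a word with a digit or two, which is what makes "zippy1two" a weak password despite looking mixed.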
Stage 2
Make sure all technical support personnel have a means for verifying a user's identity. This can be birthdays, home phone numbers, pager numbers - anything which may be difficult for an outsider to have at hand.
In all cases, make sure employees take the extra step of getting the caller's phone number and calling them back.
Any unusual request or request for sensitive data such as internal phone numbers or passwords should be treated with suspicion and reported immediately.
Stage 3
Ensure your users and tech personnel feel comfortable asking questions or submitting reports regarding suspicious calls. I know of many situations which went unreported because the people involved didn't know who to report it to or felt they would get in trouble if they did. This only makes the hacker's job easier and yours harder.
Monitor all security policies and encourage others to do the same. Walk through the building on a regular basis. Look for unattended laptops, systems left alone while logged in, sticky-notes, printed e-mails stuck to walls or left in printers.
Whenever an employee leaves of their own accord or is terminated, no matter how amicable the break-up is, make sure they take nothing of value with them. No manuals, no software, no floppies, no documentation - nothing but their own personal items. This is especially important when the employee is from the IT department. All of their accounts should be examined and disabled, and any data which needs to be retained should be transferred to another user.
It's difficult to discuss the dangers of social engineering without mentioning the King of Social Engineers, Kevin Mitnick. If you're not familiar with his name, you should be. The atrocities committed by federal investigators and prosecutors in his case should terrify anyone in the information technology field. While he has been labeled by federal authorities and the media as a talented, but twisted, computer genius, the truth is his technical skills are very ordinary. His true genius was in his ability to social engineer his way into virtually anywhere. In a rare public appearance two years ago during a symposium on security, he said,
"People are the weakest link. You can have the best technology, firewalls, intrusion-detection systems, biometric devices ... and somebody can call an unsuspecting employee. That's all she wrote, baby. They got everything."
Write that down. Print it out. Memorize it. Hang it up someplace where everyone can see it.
Randy Cook, SCSA
http://www.rcook.com