
How to be Anti-Social

by Randy Cook

03/31/02

Social Engineering is nothing more than lying to get what you want. It's a new name for a very old profession. Con artists have been fooling people for thousands of years. While the methods and tools may have evolved, one thing remains the same: very few victims are willing to report the crime.

In the Information Technology field, social engineering is a term used to describe the method used by hackers to fraudulently gain information which will aid them in their attempts to hack into your network. It is a widely used practice and one which nearly always yields useful information, even when used by the most inept hackers. The reason it is so often successful is due to the fact that very few organizations have guidelines or training to prevent this kind of attack.

One of the reasons so few IT organizations have a policy regarding social engineering is that few admins or users are willing to admit they've been fooled. In many cases, they aren't even aware that it's happened! So, the incidents usually go unreported. In this whitepaper, I'll be using some real-life examples to demonstrate the techniques used by hackers. All of the examples are taken from actual events; however, specific details have been changed to protect the confidentiality of the people involved.

Social engineering depends on the basic human tendency to trust fellow members of the same group. The hacker will immediately attempt to place themselves on the same side as their target. To see why, listen to anyone who deals with people outside of your company; your receptionist, for example. Hang around the lobby and listen to the way they speak to a caller who is a fellow employee and how differently they speak to a caller who is a non-employee. For a real difference, listen to how they speak to a family member. The hacker's goal is to make the target believe they are dealing with a fellow group member. It could be a fellow employee, a counterpart at a partner company or someone offering assistance.

My first experience with social engineering was when I was working as a desktop support technician for an international manufacturing firm. I had only been on the job for a couple of days, so I thought it was kind of odd when the switchboard operator transferred a call to me from a user who'd specifically asked for me. The user said he was "Rick" in Sales calling from a hotel in London. He was preparing for a sales pitch and left the latest pricing figures in an e-mail in his inbox. He'd been given a loaner laptop from "Big Earl" the IS Manager, but it wasn't configured for international dialing. He asked me to give him the information so he could dial-in using the 800 number. On the surface this sounded perfectly reasonable. Sales guy on the road, doesn't know how to configure a laptop, friends with Earl - no problem, right? The only thing was the connection was just too good to be an international call. He sounded like he was across the hallway, not across the ocean! I decided to stall while I got more info. "Gee, Rick, I'm kind of new here. I don't have any of the international dialing configs and I can't find the 800 number in my docs anywhere." Now "Rick" starts to pull out his big guns. "Look," he says, "I've got a major pitch I have to give in less than one hour. I don't want to lose this sale because you don't know how to do your job. Now, I want access to my e-mail and I want it now! Do you want me to have my boss call Earl or Jessica?" Now I'm really suspicious. "Jessica" was the manager of HR up until the day before. It's not unusual that someone wouldn't know that she'd left the company recently, especially someone who travels frequently, but the way he was trying to punk me into doing what he asked made me very skeptical. I decided to play it safe. I asked him to give me his number so I could call him back in 5 minutes with the info. He said I wouldn't be able to reach him, since he had to leave immediately to get the meeting room downstairs ready for the meeting with the prospective clients. He said he'd be able to dial-in from the meeting room before the presentation. He apologized for losing his temper, explaining that he was under a tremendous amount of pressure to make this sale and thanked me for my help. He said he'd call back in 20 minutes. Before I'd even hung up I was sending out a 911 text page to my boss, "Dave". He called me immediately and I gave him the highlights. He said he'd check on a couple of things with Earl and the Sales dept. and call me right back. While I was waiting I called the receptionist who'd transferred the call to me.

How, I asked her, did this Rick guy know my name? "Oh, he didn't ask for you by name. He said he'd been working with the 'New Guy' in Technical Support but got disconnected. You're the newest guy in Tech Support so I figure it must have been you, right?" As soon as I hung up with her, Dave appeared in my cube. Earl never gave anyone a loaner laptop, there's no sales pitch in London and Rick in Sales is on vacation in Miami this week! I told him what the receptionist said. He ran off to his office to send out a broadcast e-mail warning all employees of suspicious phone calls and reminding everyone of what info is not to be discussed over the phone. He ran back to my cube and we waited for "Rick" to call back. By this time a small crowd of my fellow IT Support coworkers had gathered. We all nervously yammered out ideas on what to do when Rick called back. The ideas ranged from the absurd, such as give him the correct configs and trace the call (Huh? Where were we? The Batcave?), to my favorite, give him the 800 number to the FBI's national hotline. Unfortunately, he never did.

This is a classic example of a social engineering hack. Let's use it as an example as we explore the standard techniques used by social engineering hackers.

First, a social engineering hack is launched in stages. Each stage is designed to acquire a piece of info which can be used to acquire more info. The ultimate goal is to acquire enough information to move on to a more traditional hack into your corporate network. Having a valid user account or even root access certainly makes that easier. The social engineer uses several techniques to acquire enough information to prepare for the next level of hack. I've broken down the common techniques into 3 stages. Naturally, these are not set in stone and every attack is as diverse as the attackers, but by splitting the basics up into three stages, we can see what the goals are and prepare a 3-tiered approach to preventing them.

Stage One - Recon

Often the telephone is the weapon of choice. There are 3 things which make the telephone so attractive to a hacker:

    When it rings, people answer. When was the last time you called a business phone and it wasn't answered by either a person or voice-mail?

    They only know what you tell them about yourself. It's easier to build the image you want them to have.

    If you need to bail, all you need to do is break the connection. Caller ID is easily circumvented and many companies don't even have that ability.

However, before the first call is ever made, the hacker will often make attempts to gain info by acquiring physical documentation. One technique is called "Dumpster Diving". It's just what it sounds like. The hackers will wait until after hours and go through the garbage of the targeted company. Most anything found can be useful, but the most valued prizes are:

As an example of just how vulnerable one of my clients was to this form of information gathering, I decided to do a couple of dumpster dives of my own. After 3 nights spread out over a period of 10, I found an amazing amount of sensitive, proprietary information. In addition to the items I listed above, I discovered company financial records, user passwords and even the memo I'd e-mailed to the head of IT describing my concerns regarding security. I also discovered that many of the employees regularly brought more lunch to work than they could eat.


In our example above, all of the names "Rick" used were most likely found after a successful dumpster dive. In fact, we found out later that one of the overnight security guards had submitted an incident report several weeks prior regarding what he called "some homeless guys going through the trash." He'd chased them away and logged the report, but there was no procedure for forwarding the report to anyone within the company. Since there was "nothing of value" taken and no vandalism, the security supervisor had no reason to pass the report on to anyone else.

Stage Two - Who's Who?

Now armed with information which only a fellow employee would know, the hacker will begin the verification stage. Stage Two is usually about verifying the information gathered in Stage One and using it to gather even more useful information. Remember the ultimate goal here is to find a way to gain access to your computer network, so it's all about building a database of information. Every bit of information acquired will lead to other information and all of it can be useful. This is the stage which really exposes the power of your greatest asset or your biggest liability - The Gatekeeper. Every company has one. The Gatekeeper is the person or persons tasked with answering incoming calls and routing them to the correct destination. This may be your receptionist or message center or whoever routes calls for your Technical Support line. Whoever it is, they are an invaluable resource of information. I know in most of the companies I've worked with, the receptionist was the first person in and one of the last to leave every day. He or she knew everybody, what they did and where they were at any point in the day. They were often the central hub of information on personnel, including all the latest gossip.

At this stage, the hacker will often pretend to be a non-technical user asking for help. One method is to pretend to be the Gatekeeper's counterpart at another company. For example:

GateFaker: "Hi, I'm Tina, the receptionist with XYZ down the road from you. I hope your day is going better than mine. I just got a package that I think belongs to your HR Director. Is it still Jamie Peters? Okay, I'll make sure it gets to you guys - thanks! Oh, that reminds me. If you guys are using Printer Fixers, Inc. for your printer repair service, watch out for the new guy! He just moved here and he doesn't know where anything is! Oh, you switched to Printer Expert Repair? Really? Maybe we should too. Anyway, I'll see that Jamie's package gets to you. Thanks!"

In this example, the hacker verified the name of the HR Director and also found out that the target company is using a new repair service.

Keep in mind the goal of Stage 2 is to verify information to be used in the next stage. "Rick" from our example used a similar conversation to prepare for his third stage attempt. It's important that the hacker knows they are using valid information such as the correct names and even nicknames and insider terms used by internal employees. For example, I once worked for a company which had a small, remote sales office which all the employees referred to as "Cricket's". It got its name from the first manager who worked there, who went by the nickname "Cricket". Naturally, if someone called in, said they were calling from Cricket's and their network was down, they'd start out with a great deal of credibility since they were already speaking the way fellow employees would.

Another method used at this stage is to portray a user in need of technical assistance. By calling a corporate Technical Support line and convincing the technician they are a fellow employee who needs their help, they can acquire valuable information which can be used in Stage 3. Since desktop support technicians often follow a standardized flowchart and use the same responses, the hacker can more easily pretend to be one of them in subsequent calls to users. "Rick" was most likely in Stage 2 when he called me. His goal at that point was to get information on how we're told to answer the phone, how we respond to network login problems and what our 800 dial-in number was. He was also exploring my level of administrative access. It seems to me he was working up to seeing if I could create temporary accounts, provide dial-in access or access users' e-mail. He would be able to use all of this information to be more convincing when he moved into Stage 3.

Stage 3 - Trust me, I'm here to help.

Now it all comes together. Seemingly unrelated bits of information, useless when separated, are joined to form a valuable toolbox for our hacker. In Stage 3, the hacker is attempting to gain access. Using the verified information gained previously, the goal is now to successfully portray someone whose authority won't be questioned.

Let's look at three real-life examples.

Example #1 - It's lunchtime and a man with a tool box and a printer toner cartridge approaches the receptionist. He introduces himself as "Todd" from Printer Expert Repair and hands her his business card. "My boss said Big Earl left us a voice-mail yesterday about Bay 3's label printer," he says. "I didn't expect to have time before next week, but my last job was right down the road. Is it okay if I go take a quick look?"

The result: "Todd" collected several usernames and passwords, conveniently written down on sticky-notes and stuck to users' monitors. He even grabbed several back-up tapes which had been left out and marked for disposal by the Back-up admin.

Example #2 - The secretary of the CFO gets a call from "Todd" in Desktop Support. "Uh-oh," he says, "You're not in London." When the secretary asks him what he means, he replies "Someone is dialing in to our network from the Walford office using your account. You just got back from there didn't you? Don't worry about a thing. I can fix it. I'll need you to log off so I can change your password. Your new password will be 'zippy1two'. Wait, since they're still logged on, I'll need your old password to kick them off and change it to the new one."

The result: "Todd" immediately logs on and uses her account to access highly confidential financial information. He even changes her password to "zippy1two" so as not to arouse her suspicion.
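A helpdesk can turn Example #2 into a rule it applies to every reset call. The script below is an added example, not the whitepaper's; the DIRECTORY table and the request fields are constructed for the demo. It refuses the two things "Todd" asks for (the old password, and a new password of his choosing) and makes the reset wait for a callback to the extension the helpdesk looked up, never the number the caller supplied.

```python
"""Helpdesk password-reset gate, written to refuse what 'Todd' asks for in
Example #2.

Added example, not from the whitepaper. DIRECTORY and the request fields are
constructed for the demo.
"""
import secrets
import string
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed directory: username -> desk extension the helpdesk dials back.
DIRECTORY = {"cfo.assistant": "4412", "rick.sales": "2207"}


@dataclass
class ResetRequest:
    claimed_user: str
    number_given_by_caller: str            # the number the caller asked us to use
    callback_answered_by_user: bool        # did WE dial the directory number and reach them?
    offered_old_password: bool = False     # caller tried to read out the current password
    dictated_new_password: Optional[str] = None  # caller tried to pick the new password


@dataclass
class Decision:
    approved: bool
    reasons: List[str] = field(default_factory=list)
    callback_number: Optional[str] = None
    temp_password: Optional[str] = None


def temp_password(length: int = 14) -> str:
    """One-time password, set by the helpdesk and expired at first login."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def evaluate(req: ResetRequest) -> Decision:
    directory_number = DIRECTORY.get(req.claimed_user)
    if directory_number is None:
        return Decision(False, ["no such user in the directory"])
    reasons: List[str] = []
    # A reset never needs the current password; anyone asking for it is collecting it.
    if req.offered_old_password:
        reasons.append("caller offered the current password: never accept it, "
                       "log as suspected social engineering")
    # The helpdesk sets the one-time value; a caller choosing it keeps control of the account.
    if req.dictated_new_password is not None:
        reasons.append("caller tried to dictate the new password: refused")
    # Identity is confirmed by calling a number WE looked up, never one the caller supplied.
    if not req.callback_answered_by_user:
        reasons.append(f"not verified yet: hang up and call extension {directory_number}")
    if req.number_given_by_caller != directory_number:
        reasons.append(f"note: caller gave {req.number_given_by_caller}, "
                       f"directory says {directory_number}")
    blocking = [r for r in reasons if not r.startswith("note:")]
    if blocking:
        return Decision(False, reasons, callback_number=directory_number)
    return Decision(True, reasons + ["verified by callback to directory number"],
                    directory_number, temp_password())


if __name__ == "__main__":
    todd = ResetRequest("cfo.assistant", "555-0100", callback_answered_by_user=False,
                        offered_old_password=True, dictated_new_password="zippy1two")
    print(evaluate(todd))
    genuine = ResetRequest("cfo.assistant", "4412", callback_answered_by_user=True)
    print(evaluate(genuine))
```

The callback flag is set by a person, not by caller ID: as the paper notes under Stage One, caller ID is easily circumvented, so the only check the gate trusts is that the helpdesk itself dialled the directory extension and reached the user.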

Example #3 - Hundreds of employees receive an e-mail from their Desktop Support dept. which instructs them to load the attached patch immediately to prevent the spread of "another outbreak of the Melissa Virus like we had last month."

The result: Dozens of users follow the instructions, which were sent by a hacker using a faked e-mail account which appeared to come from the company's Desktop Support. The "patch" was really a hacker app which collected a wide variety of data from the user's system and e-mailed it to the hacker's overseas e-mail address. Since a majority of the IT Dept. was attending an off-site training seminar, the bogus e-mail went undetected for nearly an entire day.
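Example #3 is the one of the three that leaves evidence a machine can check before a user double-clicks. The script below is an added example, not from the whitepaper, and applies three checks to a message that claims to come from Desktop Support: does the bounce address (Return-Path) belong to the same domain as the From header, did the trusted relay log the message arriving from an outside host, and is there an executable attached. The corporate domain `example.com`, the relay names in INTERNAL_RELAYS and both sample messages are assumptions constructed for the demo.

```python
"""Spot a forged 'Desktop Support' patch mail from its headers and attachment.

Added example (not from the whitepaper). INTERNAL_DOMAIN, INTERNAL_RELAYS and
both sample messages are constructed for the demo.
"""
import os
import re
import email
from email import policy
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"                              # assumed corporate domain
INTERNAL_RELAYS = {"mail.example.com", "inbox.example.com"}  # assumed trusted MTAs
RISKY_EXTENSIONS = {".exe", ".com", ".bat", ".scr", ".vbs", ".pif"}

# Constructed forgery: From says Desktop Support, but the trusted relay logged
# that the message arrived from an outside host, and it carries an .exe.
FORGED_RAW = """\
Received: from mail.example.com (mail.example.com [10.0.0.5])
\tby inbox.example.com with ESMTP; Mon, 01 Apr 2002 09:12:00 -0500
Received: from relay.outside-isp.invalid (relay.outside-isp.invalid [203.0.113.9])
\tby mail.example.com with SMTP; Mon, 01 Apr 2002 09:11:58 -0500
Return-Path: <bounce@outside-isp.invalid>
From: Desktop Support <desktop.support@example.com>
To: everyone@example.com
Subject: URGENT: install the attached patch now
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

Run the attached patch immediately to stop another Melissa outbreak.
--XX
Content-Type: application/octet-stream; name="patch.exe"
Content-Disposition: attachment; filename="patch.exe"

MZ...
--XX--
"""

# Constructed genuine notice for contrast: internal origin, no attachment.
GENUINE_RAW = """\
Received: from helpdesk-ws7.example.com (helpdesk-ws7.example.com [10.0.2.17])
\tby mail.example.com with ESMTP; Mon, 01 Apr 2002 10:00:00 -0500
Return-Path: <desktop.support@example.com>
From: Desktop Support <desktop.support@example.com>
To: everyone@example.com
Subject: Patch available on the internal share
Content-Type: text/plain

The patch is on the internal file share; do not run patches sent as attachments.
"""


def _is_internal_host(host: str) -> bool:
    return host == INTERNAL_DOMAIN or host.endswith("." + INTERNAL_DOMAIN)


def external_entry_point(msg):
    """Walk the Received chain top-down while our own relays wrote the lines;
    return the first host outside our domain that handed the mail to them."""
    for hdr in msg.get_all("Received", []):
        text = " ".join(str(hdr).split())
        m_from = re.search(r"\bfrom\s+(\S+)", text)
        m_by = re.search(r"\bby\s+(\S+)", text)
        if not (m_from and m_by):
            continue
        from_host, by_host = m_from.group(1).lower(), m_by.group(1).lower()
        if by_host not in INTERNAL_RELAYS:
            break                      # lines below were not written by us; could be forged
        if not _is_internal_host(from_host):
            return from_host
    return None


def _domain_of(header_value: str) -> str:
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def analyze_message(raw: str) -> dict:
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_domain = _domain_of(str(msg.get("From", "")))
    bounce_domain = _domain_of(str(msg.get("Return-Path", "")))
    claims_internal = from_domain == INTERNAL_DOMAIN
    if claims_internal and bounce_domain and bounce_domain != INTERNAL_DOMAIN:
        findings.append(f"From is {from_domain} but bounces go to {bounce_domain}")
    entry = external_entry_point(msg)
    if claims_internal and entry:
        findings.append(f"claims internal sender but entered via {entry}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name.lower())[1] in RISKY_EXTENSIONS:
            findings.append(f"executable attachment {name}")
    return {"from_domain": from_domain, "entry_point": entry,
            "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    for label, raw in (("forged", FORGED_RAW), ("genuine", GENUINE_RAW)):
        result = analyze_message(raw)
        print(label, "SUSPICIOUS" if result["suspicious"] else "ok", result["findings"])
```

The Received walk stops at the first line not written by one of our own relays, because everything below that point came from the sender and can say whatever the sender likes; only the hop our relay recorded tells us where the mail really entered. A check like this would have caught the bogus patch on the day the IT department was away at its seminar.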

In all three examples, you can see how having valid data gained in Stages 1 and 2 and presenting it in a recognizable form in Stage 3 allowed hackers to gain unauthorized access. Now that we've explored what they look for and how they use it, let's look at how we can prevent this type of hack.

Stage 1

Stage 2

Stage 3

It's difficult to discuss the dangers of social engineering without mentioning the King of Social Engineers, Kevin Mitnick. If you're not familiar with his name, you should be. The atrocities committed by federal investigators and prosecutors in his case should terrify anyone in the information technology field. While he has been labeled by federal authorities and the media as a talented, but twisted, computer genius, the truth is his technical skills are very ordinary. His true genius was in his ability to social engineer his way into virtually anywhere. In a rare public appearance two years ago during a symposium on security, he said,

"People are the weakest link. You can have the best technology, firewalls, intrusion-detection systems, biometric devices ... and somebody can call an unsuspecting employee. That's all she wrote, baby. They got everything."

Write that down. Print it out. Memorize it. Hang it up someplace where everyone can see it.

Randy Cook, SCSA

http://www.rcook.com
