One of the biggest challenges for a company that holds invaluable data is protecting it. At first, this task would seem fairly straightforward. Keep the data on an encrypted server that’s only accessible via the internal network. The physical security of the server can be done with locks and other various degrees of physical security. One has to be thoughtful in how the security is structured, however. You need to allow authorized humans access to the data in order for the company to function, and there’s the rub. The skilled hacker is keenly aware of these people, and will use techniques under the envelope of Social Engineering along with her technical skills to gain access to your data.
Want to know how secure your house is? Lock yourself out. One of the best ways to test security is to try and break in. Large companies routinely hire hackers, known as penetration testers, to do just this. In this article, we’re going to dissect how a hired penetration tester was able to access data so valuable that it could have destroyed the company it belonged to.
Information Gathering
The start of any hack involves information gathering. This is usually pretty easy for larger companies. Their website along with a few phone calls can reveal quite a bit of useful information. However, you can be assured that any company who has hired a pen tester has taken the necessary precautions to limit such information.
And such was the case for our hacker trying to gain access to the ACME Corp. servers. Her first target was the dumpsters – dumpster dives have been proven to unearth a trove of valuable information in the past. But the dumpsters were inside the complex, which was guarded by a contracted security firm. Through a bit of website snooping and a few phone calls, she was able to find out the department that was in charge of trash removal for the company. She then placed a phone call to this department. Using a social engineering (SE) technique known as pretexting, she pretended to be with a trash removal company and wanted to submit a quote to service their business. Using another SE technique called elicitation, she was able to find out:
- that trash collection took place on Wednesdays and Thursdays
- the total number of dumpsters
- that there was a special dumpster for paper and technology trash
- the name of the current waste removal company – Waster’s Management
- the name of the employee in charge of the waste removal – [Christie Smith]
Dumpster Dive
Armed with this information, she went to the Waster’s Management website and grabbed their JPEG logo. Within a few days, she had a shirt and hat with the logo in her hands. She called the security department and said she was with Waster’s Management, and that [Christie Smith] had told her one of the dumpsters was damaged, and she needed to take a look at it before the next trash removal.
The next day, wearing the shirt and hat she had ordered online, she was given a badge from security and allowed access to the dumpsters. Now, any hacker worth her weight in PIC16F84’s already knows what dumpster she dove into. It didn’t take her long to walk away with several hard drives, a few USB drives and some useful documents. She was able to gain knowledge of an upcoming IT contract work, the name of the CFO, and the name of a server with some level of importance – prod23.
Hacking the Server
With some more SE, she was able to find out when the IT work was scheduled. It was after hours. She showed up a bit late and was able to walk right through the front door by claiming she worked for the IT contract company. She then shifted roles and pretended to be an employee. She approached one the real IT contract guys, and said she worked for the CFO, [Mr. Shiraz], and asked if he knew to be careful with the prod23 server. With more SE, she was able to find out the prod23 server was off-limits, encrypted, and only accessible by specific admins.
She was able to access an admin office, and it was there she would don her black hat. She booted the computer with BackTrack via USB and installed a key logger. She made an SSH tunnel to her personal server where she could dump the contents of the key logger, along with some other shells. Now, this is where things get interesting. She opened Virtual Box and used the computer’s hard drive as the boot medium. The VM booted the OS, and she hid all of the screen decorations to make it look like the target OS was running. The admin would log in without a clue, and our hacker would get their username and password through the key logger.
Once the login information came in, she was able to access the admin’s computer, and from there the prod23 server. You can imagine the look on the faces of the top executives for ACME Corp when our hacker handed them a copy of the keys to their kingdom.
Social engineering is human hacking, and a dark art in itself. Our hacker in this story would have never been able to even get close to the server if she did not have SE skills. No matter how secure you make something, so long as you allow humans access to it, it’s vulnerable to attack. And then it’s down to how well-trained your people are in repelling these kinds of intrusions.Just ask Target.
You can find the full story in the source below.
Sources
Social Engineering, The Art of Human Hacking, Chapter 8, by Christopher Hadnagy, ISBN-13: 860-1300286532
I HIGHLY recommend the “Social Engineering, The Art of Human Hacking” I own it, have read it. And loved it. It is a excellent resource for those also who are in anything customer facing. Not only does it give you a better idea of the tactics (on that note, unmasking the social engineer is another excellent book) used by malicious actors, i have found it helps me as a HellDesk employee monumentally as it changes your perspective on person to person interactions. Especially when the user is refusing to click the “Allow Technician to take control” button.
Are you saying it’s a good thing when they do that? Or the book helped you get them to do that?
Depends on which side of the box you stand on :^) IRL i am a remote tech support operator for a large-ish company, providing excellent customer support to our employees both in house and out in the field. Now click the damned button and let me find the email you dropped in another folder!!!!
know your enemy. Know there tactics and know the move they are going to make before they make it.
Makes me think of simply walking into a building like you own it, can get you pretty far.
Just suiting up to look like the herd and follow the flow, most people will mind their own business and let you pass!
Then a little SE will enable you to go deeper!
That is so damn true, I’ve gotten into so many places just cause I act like I belong there, be confident, be polite, use a little humour and you’ed be amazed where it will get you. Also why the hell doesn’t this company shred everything in house before they dump it? Stupid.
If you wear a three-piece suit and carry a clipboard, not only do the employees not challenge you, but they try real hard to look busy while avoiding eye contact.
It really does.
It’s been a few years, but working events in vegas where you’re allowed to eat at the casino cafeteria (behind the walls) there were no checks, no need for badges. I could just pick any unmarked door, walk in, and wander the halls. Granted, I did have permission but no one stopped to ask. I’ve been tempted to do that when I go back on my own – the employee cafeteria food is free and excellent, but I’m too scared :o
In Vegas you were probably picked up by facial, flagged and then unflagged by security once they back traced to who you interacted with previously (and confirmed with them that you were not to be arrested). Just because no one stopped you does not mean that you were not being monitored. Vegas does not have the highest concentration of hidden security cameras in the world for no reason.
Security policy at our office says that if you see someone you don’t know that isn’t displaying their badge, you are to escort them to the front desk or report them to security. Honestly though, no one is ever going to do that. Too much social anxiety.
Of course our parent company also owns nuclear plants, so maybe other facilities take it more seriously.
Wonder if making it an event where every month they’d send someone in without a badge to wander until caught. At which point the employee who brought them to the front would get a reward. In that way, employees would expect that the person being “caught” would just be an actor.
russdill – I like that Russ. Sounds plausible. However, your standard psychopath operative inserting to a physical site for SE thinks on his feet and can fake people out and act like a mentalist. Getting by minimal security “security guards” is child’s play: Wait until the morning employee rush to the front door. Usually they don’t force each person to badge swipe and you can piggy back with a good looking fake badge (do your homework recon). Walk in like you own he place and late for a meeting. Dress like one of the sales people or executives with a attache case – looking at your watch as if you don’t want any bulls** from some minimum wage rent a cop. If you get collared say you just started yesterday and your boss hasn’t processed your paperwork yet. DON’T PULL OUT THE FAKE BADGE! Be prepared to know department manager names and positions. Make sure the name you give the guard is someone who is out on vaca, sick, or out of town. Don’t be a jerk. If all else fails fake illness and make for your car (or taxi or bus) to bug out quick! Your plates should be temporarily MIA (or wrong) so they can’t call Local LEO.
When in corridors and some nosy employee challenges you just tell them you are the Xerox Repairman and forgot your badge. Tell them your working on another floor but are down here looking for your partner for help with a machine. Know what type of photocopiers they REALLY have like Konica, Xerox, Cannon, etc. Let them see the tools in your attache case. Or you can be the OTIS elevator guy, Carrier HVAC, Coke vending machine guy, NEVER fall for the old trick: “Oh you work for Bob Jones up on ten?” – there is no Bob Jones on ten. “No. Who’s Bob Jones? I just started yesterday and I’m not processed yet. Sally Rogers hired me but she’s out today.” And make sure she really is. Download that Google Play app that makes your cell phone ring on command (a timer). “Oh hi Sally… yes I’m heading there now but some guy is holding me up… OK I’m leaving right now Sally.” “Dude! really? I’ve got to go before Sally has an aneurysm…good job though! Keep up the good work!” – LEAVE THE BUILDING NOW AND THANK YOUR LUCKY STARS THAT SHE/HE DIDN’T SUMMON SECURITY!
DON’T TRY THIS AT HOME UNLESS YOU ARE A HOUDINI!
“One of the biggest challenges for a company that holds invaluable data is protecting it”
Very well said.
Plenty of huge companies don’t even bother encrypting it, if it’s customer data at least.
A recent posting on FB asks you to add your place of birth and repeat the message. SE at its best since place of birth is frequently a security question for online sites.
Many so called “security questions” can be figured by researching the target person, making them weak security. I usually see them used on top of what should be a higher security measure, like controlling the email a message will be sent to.
Security questions also seem to be designed for normal people, making them a major annoyance for us geeks who don’t fit the mold.
When a website account setup asks you what your school mascot is, your answer should always be: kT7#ua@5z
Yup, I use pwgen for security questions as each one is really just another password. It’d be interesting if I have to read one back over the phone one day.
My favorite color? First pet’s name?
head -c 50 /dev/random | tr -dc ‘a-zA-Z0-9’
@Elliot Williams
Nice trick, I used to like this:
$ dd if=/dev/random bs=32 count=1 2>/dev/null | xxd -c 32 -u -ps
E7A004D57AF6CC56E6E2126D1CE7E37A46A5E3D32E7E70D1E557419EB7BE8CC6
But now I use this:
$ dd if=/dev/urandom bs=12 count=1 | base64 | sed -e ‘s:/:-:g’
EIY-PEBOXJ+IsT+F
My mothers maiden name – EIY-PEBOXJ+IsT+F
My first pet – Z8p-M+QSI8vbdmIw
Yes, I’ve had to do that for a “memorable word” when sorting out an issue with a debit card. I stuck to just upper case letters, but still it was fun to try and recite over the telephone.
Ohh, and on the topic of password generators:
$ dd if=/dev/urandom bs=6 count=3 | base64
3+0 records in
3+0 records out
18 bytes (18 B) copied, 8.9248e-05 s, 202 kB/s
6Fh9UFggO+j/dgWdcATLlkU+
Seriously, these days with newspapers archives online, just find the birth announcement. Birthdate, birthplace, middle name, hospital, parents names, mother’s maiden name, etc.
Do newspapers still do birth announcements? Do people bother sending them in?
People often don’t name their baby for a week or two after the birth, so the announcement might just be “baby girl”.
That said, if Facebook add “mother’s maiden name” to people’s profiles you’ve probably got everything you need on there. Plenty of people have thousands of “friends”, I’m sure they’re not picky about who be”friend”s them, so even if their profile is private, it doesn’t take much.
Maybe they should start teaching computer security at school. It’s something everyone needs to know, now nearly everybody’s on the Internet. Would be a lot more use than teaching them bloody Microsoft Word.
Greenaum – Yes sometimes especially in small town papers they still do publish birth announcements. Here in USA our SSA recently decided to block the US Death Index from publication for any American (of any age) who died less than 10 years ago. So now you can’t make any “false flags” (i.e. bogus documents) like that American cartoon King of the Hill character “RUSTY SHACKELFORD” aka Dale Gribble: https://www.youtube.com/watch?v=S580EX1nnYU (looked up birth announcements then a death certificate on that same baby then use that as your new identity – doesn’t work any more – that was old school identity theft).
SPOOK 101: “False flags” – Despite popular American parlance this jaded spook-esque phrase is commonly misused as meaning something else. The other phrase is “false flag operation” which means something entirely different. A false-flag-maker is called a “cobbler” – a guy who makes you new walking shoes for a huge price-tag?.
Pretty sure using a “false flag” means pretending to be somebody else, some other faction, when carrying out some controversial action. Like blowing up a building, and pretending to be some group, so the group gets the blame and the negative public opinion. The US government, among others, are often accused of false-flag actions.
A flag is something you fly to prove your identity or alliegance, like on a ship. Makes more sense than for it meaning false documents, documents aren’t flags!
“Nee”, properly with an accent, is French for “born”, so yup it’s often used for maiden names.
As for Drumpf, his false name is probably the least-worst thing about him. Very, very depressing when you’re pondering the intelligence of the average person, and the shortcomings of democracy.
In the UK “trump” is a child’s word for “fart”. And his wife was called “Ivana Trump”. The sort of name you’d normally read in some peurile joke in a comic.
Greenaum – You are correct but the expression in the unwritten spy-parlance is “false flag operation”. However, when a spook needs an emergency extraction from in-country and he has no passport and no access to his country’s handlers, he needs to locate a “cobbler” for “false flags”. A cobbler is an expert in false documents and passports (flags) – IOW a forger. These guys are very expensive because the cobbler is taking great risk in providing this very illegal and highly technical service. The public got enamored with the phrase “false flag” after seeing it used in a Hollywood movies or in a spy book or something. It’s all unofficial and not really something well known by normal people.
A fake identity is known in the spy trade as a “false flag”. Used to be you could make your own documents with a printer and a laminater. These days though, ID’s have magnetic strips, holograms, and infrared water marks. You need a pro. Source: Michael Wilson (Consulting Producer USANETWORK TV Show – Burn Notice) – Mike was a N.O.C.officer for C.I.A. Nat’l Clandestine Service.
Re: Donald J. Drumpf – Yes I know that his nom de plume is the least of us YANKS problem with him. Despite this American cartoon characters similarity to Mr. Drumpf [http://tinyurl. com/z7foq36], I feel his (and our) Waterloo will be by this human cartoon character [http://tinyurl. com/qf835db]
http://upload.wikimedia.org/wikipedia/en/a/a9/ScroogeFirst.jpg
Trump kind of plays this Scrooge McDuck role in our society that’s kind of fun. He is a comical cartoon but in flesh and bone. He is a showman through and through, representing an entertaining but ultimately destructive mix of greed, blind ambition, and self-importance. He is a symbol of what our culture prefers to pretend is the status quo of a free society. Source Penn Jillette (American magician and con-artist)
In Wikipedia maiden names are prefixed with the phrase “nee”. In Spanish culture (Spain) the males list mostly all their ancestral surnames including matrilineal maiden names. Of course Christopher Columbus (aka CristĂłbal ColĂłn) only listed his fake name and fake Italian ancestry. He was actually a Aragonian Spaniard but could have never gotten funding from the Queen if he told the truth. (Source: Dr. Estelle Irizarry – Georgetown Univ)
Kinda’ reminds me of our presumptive Republican POTUS candidate who’s trying to hide (or obfuscate) his German roots and real German surname. I still can’t understand how a POTUS candidate can use a pseudonym to run on. Does he have to revert to his real name before he takes the oath of office on 7 January 2017??? Inquiring minds want to know! :-D
Coincidence?: Alois Schicklgruber changed his name on 7 January 1877 to Hiedler. Then his son (future infamous dictator) used a different pronunciation of that name much like how Mr. Drumpf is now using Trump as his fake surname. Con-artists like fake names.
That job seems to have been outsourced to “social media” these days, but yes, it’s still published by someone.
One method to thwart SE is to setup a global policy for all employees who deal with outside vendors or contractors on the phone or face-to-face (1st contact). In the military sensitive operations can be protected by a CHALLENGE phrase. If the caller is suspect you can challenge him/her to recite the challenge phrase. This is something you send to all of your AUTHORIZED vendors or contractors to know by heart when calling visiting any employee of your company for the 1st time.. Your security dept sends out a new phrase by postal mailing list every month or sooner. Strangers will not know the phrase when you say “Challenge”. Inside-jobbers who used to have the phrase before they were fired or quit obviously wont have the new phrase next week or next month. And obviously don’t give out any sensitive information to 1st contact strangers.True story: I called GE Healthcare in NJ to see what their new mailing address in Boston was: “I can not confirm nor deny that information sir…” WTF? Your fricking new postal mailing address???
The USSS POTUS Protection uses colored lapel pins. Each morning briefing the team leader says which color is up that day for the pins (they have multiple colors on the edges). Everybody complies or else. And if you are on the comm or a telephone you damn well better know what color is up that day. You can only know if you were at the briefing or you can see the pin on an agent’s lapel. Not sure they are always visible either. I think they only flash them on challenge. Not sure about that..
One method to get into a system is pretty sneaky and companies need to really stop their employees from doing this: Some sneak leaves a CD, floppy, USB thumb drive in a public area or on a conference table or somewhere conspicuous. They label it with something too tempting like EXECUTIVE PAYROLL, TOP-SECRET, PORN… etc and they have loaded it with an auto execute program that some how compromises your workstation, this from the INSIDE of the Company’s INTRANET.
NEVER STICK ANY FOREIGN MEDIA IN YOUR WORKSTATION! It doesn’t matter if you have the latest AV software or even if your the IT Security guy. However, if you have a totally segregated sacrificial lamb PC in your test lab that you don’t mind totally reformatting and reloading the OS every now and again – knock yourself out. Just quarantine that machine and lock it up so NOBODY uses it for anything. Stick a sniffer on it to see what it does on a standalone LAN that goes nowhere you set up for it..
…
You walk into reception, and inconspicuously drop a hardwood bowl filled with USB sticks in a prominent location. Ideally about an hour before lunch and each USB stick should have the companies logo printed on it and the corporate propaganda phrase on the back. For example:
Google – Don’t be evil.
The National Lottery – It could be you.
Nike – Just do it.
Diesel – Be Stupid.
IMAX – Think big.
Adidas – Impossible is nothing.
MacDonald – I’m loving it.
I would predict that the bowl will be empty when everyone exits the building and the sticks will be in computers directly after lunch. I would bet that security and reception would be the first to grab some followed by any marketing people.
And if you want a file that people will click on, stick “You have won 100 dollars” in the filename.
I’ve seen some companies, with access to sensitive data, automatically alert security on non authorized USB devices being inserted into any PC. Just a short message – the IP address, computer serial number, asset tag and the VID and HID of the inserted device.
Truth – You’re devious dude! :-)
I’m not devious at all, I just believe in knowing as much as you can, because you can not stop something if you do not know it exists.
Truth – I feel ya’ bro… It’s just a bit of “honor among thieves” as they say. :-)
That was a nice plan the President had, til you RUINED it! Nice work, blabbermouth!
Greenaum – That ain’t nothing. They have a lot of tricks up their sneaky sleeves. Wait until you see what your Her Majesty The Queen does for her personal protection! https://www.youtube.com/watch?v=1AS-dCdYZbo (Timestamp 04:50 will blow your mind what you see Her Majesty (really her too) do with her new personal protector)… :-)
I once has a chat with somebody in Notepad on an open VNC server and to my surprise I later read about it in this book. What is the chance for that in percentage? Totally made my day!
Never read that book. Would like to. Was there anything in it about how a bunch of overt employees at a infamous US federal agency hacked the mainframe and created a covert method to do Intranet based chat sessions with each other? BTW 4 were fired others got reprimands: http://www.nytimes.com/2000/12/01/technology/01WIRE-CIA.html
Great book! The article read like deja vu, until I read the end and realized where it was from!!
Oh, I was hoping this was about body mods.
Does anyone know if anyone has tried:
1. Subdermal bone conduction mic/earbud as a bluetooth headset that charges wirelessly and has reed switches for buttons that you switch with subdermal magnets?
2. Transdermal heat sinks, potentially with an air conditioner attached for cooling off in the summer.
3. Subdermal multi-output RFID or NFC for use in RFID/NFC locks? (Or as a ring. This one can be a ring.)
Extremely off topic comment, but I’ll bite.
1. Would you really want this? Bone conduction has pretty lousy sound quality for music, so it would would only be useful for phone calls. And personally I don’t think I’d want a microphone permanently attached to my body.
2. Aside from the obvious surgical-wound-with-metal-sticking-out issues, the warmest temperatures outside might be higher than your core temp and are almost certainly hotter than your skin temperature. Your body already has built-in water cooling!
3. There are people with RFID implants, and there are many, many wearables that are capable of this. Also check out the Java Ring. Not NFC, but it’s physically secure, can do challenge-response and was created decades ago.
google for elon musk’s recent talk about neural laces ..
A Chinese company sells a good workaround for what your looking for on http://www.wish.com They have this tiny earbud flesh colored earbud BlueTooth. Not exactly what your looking for but it is small and can hide behind long hair.
Go to Wish. com and type this in to their search engine. “Mini Wireless Bluetooth 4.0 Stereo In-Ear Headset Earphone Earpiece Universal ”
http://oi66.tinypic.com/s13loj.jpg
NFC implant that works with smartphones/etc: https://dangerousthings.com/shop/xnt-ntag216-2x12mm-glass-tag/
Any update on Arduinoman? I want to see the rest of the story.
I’m writing the next installment now. Stay tuned!
The response to a call claiming to be from a trash company saying so-and-so said there’s a problem with a dumpster should be met with “Please hold.” then calling so-and-so to confirm. When that comes back negatory, if the crook is still on the line, make the appointment then call internal security, perhaps police too so they’re waiting.
Someone calls out of the blue to offer some service to the company? Either “We are fine with our current provider.” or “Please submit printed bids to…” Doesn’t matter what the service is, no other provider of the service has any need to know any specifics of your current arrangement.
Never ever just believe what someone calling in says someone else at the company told them, not without confirmation from that someone else, or without appointment confirmation in an internal access only database. That precaution will nix a lot of SE security penetration attempts.
One part of SE is like ‘cold reading’ that ‘psychics’ do, observation and leading questions to get you to provide useful information. Easiest cure for that is to know they want as much of all kinds of information as they can get – then very firmly give them nothing.
Galane – Right! Don’t follow them down their rabbit holes. “Oh my brother-in-law works for your trash service! His name is Rube Goldberg. He is the Vice President of sales.” “Uhhh… yeah Rube I met him yesterday… [weak nervous laugh]…” – [click dialtone]
Now, in most cases this would work and be great but society isnt built to comply when required. For a moment however let us pretend we live in a perfect world where our employees do as they are told. In this world how would one infiltrate this organisation?
Step one (and its going to be a long tedious process) : Befriend an employee, whether through social network or IRL. The point is you connect with this individual (s).
Step two: everyone at some point talks about work. Complain about your own and eventually they might want to relate. While doing this gain access to all of their network capable devices and all forms of storage medium.
Step Three: Still gathering information at this point check out all publicly accessible data on the company. Seek out information on the building (previous owners) Finding out where access cables run, where their utilities are routed. Stuff like that can come in handy depending on which angle u go after. (you know a wire tap)
Step four: employee(s) that you have befriended will at some point insert one of those infected devices into a machine or part of the network ( you know cause they need this file to work on later, or they took it to the I.T guy to have it checked because the companies IT guy is also their personal technician as well)
too tired to conitnue im crashing
You could copy their badge from here or all of their access codes, you monitor their behavior and u mimic it later. no biometrics at the office? PERFECT!
There is always an angle or openning — There is no perfect securty because there are no perfect lies.
Half asleep while writing this so i cut it short and only focused up to step four but you get the picture a good SE will take his or her time
Most cases they would have strong level of knowledge of networking and then a computer science background including programming and database concepts. Most people who consider themselves hackers know common security exploits from researching them and generally will be using programs someone else has wrote to try to accomplish goals.
Nice Information Buddy,Any New Update