The Dark Arts: Hacking Humans

One of the biggest challenges for a company that holds invaluable data is protecting it. At first, this task would seem fairly straightforward. Keep the data on an encrypted server that’s only accessible via the internal network. The physical security of the server can be done with locks and other various degrees of physical security. One has to be thoughtful in how the security is structured, however. You need to allow authorized humans access to the data in order for the company to function, and there’s the rub. The skilled hacker is keenly aware of these people, and will use techniques under the envelope of Social Engineering along with her technical skills to gain access to your data.

Want to know how secure your house is? Lock yourself out. One of the best ways to test security is to try and break in. Large companies routinely hire hackers, known as penetration testers, to do just this. In this article, we’re going to dissect how a hired penetration tester was able to access data so valuable that it could have destroyed the company it belonged to.

Information Gathering

se_02
Source

The start of any hack involves information gathering. This is usually pretty easy for larger companies. Their website along with a few phone calls can reveal quite a bit of useful information. However, you can be assured that any company who has hired a pen tester has taken the necessary precautions to limit such information.

And such was the case for our hacker trying to gain access to the ACME Corp. servers. Her first target was the dumpsters – dumpster dives have been proven to unearth a trove of valuable information in the past. But the dumpsters were inside the complex, which was guarded by a contracted security firm. Through a bit of website snooping and a few phone calls, she was able to find out the department that was in charge of trash removal for the company. She then placed a phone call to this department. Using a social engineering (SE) technique known as pretexting, she pretended to be with a trash removal company and wanted to submit a quote to service their business. Using another SE technique called elicitation, she was able to find out:

  • that trash collection took place on Wednesdays and Thursdays
  • the total number of dumpsters
  • that there was a special dumpster for paper and technology trash
  • the name of the current waste removal company – Waster’s Management
  • the name of the employee in charge of the waste removal – [Christie Smith]

Dumpster Dive

Armed with this information, she went to the Waster’s Management website and grabbed their JPEG logo. se_01Within a few days, she had a shirt and hat with the logo in her hands. She called the security department and said she was with Waster’s Management, and that [Christie Smith] had told her one of the dumpsters was damaged, and she needed to take a look at it before the next trash removal.

The next day, wearing the shirt and hat she had ordered online, she was given a badge from security and allowed access to the dumpsters. Now, any hacker worth her weight in PIC16F84’s already knows what dumpster she dove into. It didn’t take her long to walk away with several hard drives, a few USB drives and some useful documents. She was able to gain knowledge of an upcoming IT contract work, the name of the CFO, and the name of a server with some level of importance – prod23.

Hacking the Server

With some more SE, she was able to find out when the IT work was scheduled. It was after hours. She showed up a bit late and was able to walk right through the front door by claiming she worked for the IT contract company. She then shifted roles and pretended to be an employee. She approached one the real IT contract guys, and said she worked for the CFO, [Mr. Shiraz], and asked if he knew to be careful with the prod23 server. With more SE, she was able to find out the prod23 server was off-limits, encrypted, and only accessible by specific admins.

se_03
Source

She was able to access an admin office, and it was there she would don her black hat. She booted the computer with BackTrack via USB and installed a key logger. She made an SSH tunnel to her personal server where she could dump the contents of the key logger, along with some other shells. Now, this is where things get interesting. She opened Virtual Box and used the computer’s hard drive as the boot medium. The VM booted the OS, and she hid all of the screen decorations to make it look like the target OS was running. The admin would log in without a clue, and our hacker would get their username and password through the key logger.

Once the login information came in, she was able to access the admin’s computer, and from there the prod23 server. You can imagine the look on the faces of the top executives for ACME Corp when our hacker handed them a copy of the keys to their kingdom.

Social engineering is human hacking, and a dark art in itself. Our hacker in this story would have never been able to even get close to the server if she did not have SE skills. No matter how secure you make something, so long as you allow humans access to it, it’s vulnerable to attack. And then it’s down to how well-trained your people are in repelling these kinds of intrusions.Just ask Target.

You can find the full story in the source below.

Sources

Social Engineering, The Art of Human Hacking, Chapter 8, by Christopher Hadnagy, ISBN-13: 860-1300286532

53 thoughts on “The Dark Arts: Hacking Humans

  1. I HIGHLY recommend the “Social Engineering, The Art of Human Hacking” I own it, have read it. And loved it. It is a excellent resource for those also who are in anything customer facing. Not only does it give you a better idea of the tactics (on that note, unmasking the social engineer is another excellent book) used by malicious actors, i have found it helps me as a HellDesk employee monumentally as it changes your perspective on person to person interactions. Especially when the user is refusing to click the “Allow Technician to take control” button.

      1. Depends on which side of the box you stand on :^) IRL i am a remote tech support operator for a large-ish company, providing excellent customer support to our employees both in house and out in the field. Now click the damned button and let me find the email you dropped in another folder!!!!

  2. Makes me think of simply walking into a building like you own it, can get you pretty far.
    Just suiting up to look like the herd and follow the flow, most people will mind their own business and let you pass!

    Then a little SE will enable you to go deeper!

    1. That is so damn true, I’ve gotten into so many places just cause I act like I belong there, be confident, be polite, use a little humour and you’ed be amazed where it will get you. Also why the hell doesn’t this company shred everything in house before they dump it? Stupid.

      1. If you wear a three-piece suit and carry a clipboard, not only do the employees not challenge you, but they try real hard to look busy while avoiding eye contact.

    2. It really does.
      It’s been a few years, but working events in vegas where you’re allowed to eat at the casino cafeteria (behind the walls) there were no checks, no need for badges. I could just pick any unmarked door, walk in, and wander the halls. Granted, I did have permission but no one stopped to ask. I’ve been tempted to do that when I go back on my own – the employee cafeteria food is free and excellent, but I’m too scared :o

      1. In Vegas you were probably picked up by facial, flagged and then unflagged by security once they back traced to who you interacted with previously (and confirmed with them that you were not to be arrested). Just because no one stopped you does not mean that you were not being monitored. Vegas does not have the highest concentration of hidden security cameras in the world for no reason.

    3. Security policy at our office says that if you see someone you don’t know that isn’t displaying their badge, you are to escort them to the front desk or report them to security. Honestly though, no one is ever going to do that. Too much social anxiety.

      Of course our parent company also owns nuclear plants, so maybe other facilities take it more seriously.

      1. Wonder if making it an event where every month they’d send someone in without a badge to wander until caught. At which point the employee who brought them to the front would get a reward. In that way, employees would expect that the person being “caught” would just be an actor.

        1. russdill – I like that Russ. Sounds plausible. However, your standard psychopath operative inserting to a physical site for SE thinks on his feet and can fake people out and act like a mentalist. Getting by minimal security “security guards” is child’s play: Wait until the morning employee rush to the front door. Usually they don’t force each person to badge swipe and you can piggy back with a good looking fake badge (do your homework recon). Walk in like you own he place and late for a meeting. Dress like one of the sales people or executives with a attache case – looking at your watch as if you don’t want any bulls** from some minimum wage rent a cop. If you get collared say you just started yesterday and your boss hasn’t processed your paperwork yet. DON’T PULL OUT THE FAKE BADGE! Be prepared to know department manager names and positions. Make sure the name you give the guard is someone who is out on vaca, sick, or out of town. Don’t be a jerk. If all else fails fake illness and make for your car (or taxi or bus) to bug out quick! Your plates should be temporarily MIA (or wrong) so they can’t call Local LEO.

          When in corridors and some nosy employee challenges you just tell them you are the Xerox Repairman and forgot your badge. Tell them your working on another floor but are down here looking for your partner for help with a machine. Know what type of photocopiers they REALLY have like Konica, Xerox, Cannon, etc. Let them see the tools in your attache case. Or you can be the OTIS elevator guy, Carrier HVAC, Coke vending machine guy, NEVER fall for the old trick: “Oh you work for Bob Jones up on ten?” – there is no Bob Jones on ten. “No. Who’s Bob Jones? I just started yesterday and I’m not processed yet. Sally Rogers hired me but she’s out today.” And make sure she really is. Download that Google Play app that makes your cell phone ring on command (a timer). “Oh hi Sally… yes I’m heading there now but some guy is holding me up… OK I’m leaving right now Sally.” “Dude! really? I’ve got to go before Sally has an aneurysm…good job though! Keep up the good work!” – LEAVE THE BUILDING NOW AND THANK YOUR LUCKY STARS THAT SHE/HE DIDN’T SUMMON SECURITY!

          DON’T TRY THIS AT HOME UNLESS YOU ARE A HOUDINI!

    1. Many so called “security questions” can be figured by researching the target person, making them weak security. I usually see them used on top of what should be a higher security measure, like controlling the email a message will be sent to.

      Security questions also seem to be designed for normal people, making them a major annoyance for us geeks who don’t fit the mold.

          1. @Elliot Williams
            Nice trick, I used to like this:
            $ dd if=/dev/random bs=32 count=1 2>/dev/null | xxd -c 32 -u -ps
            E7A004D57AF6CC56E6E2126D1CE7E37A46A5E3D32E7E70D1E557419EB7BE8CC6
            But now I use this:
            $ dd if=/dev/urandom bs=12 count=1 | base64 | sed -e ‘s:/:-:g’
            EIY-PEBOXJ+IsT+F

            My mothers maiden name – EIY-PEBOXJ+IsT+F
            My first pet – Z8p-M+QSI8vbdmIw

    2. Seriously, these days with newspapers archives online, just find the birth announcement. Birthdate, birthplace, middle name, hospital, parents names, mother’s maiden name, etc.

      1. Do newspapers still do birth announcements? Do people bother sending them in?

        People often don’t name their baby for a week or two after the birth, so the announcement might just be “baby girl”.

        That said, if Facebook add “mother’s maiden name” to people’s profiles you’ve probably got everything you need on there. Plenty of people have thousands of “friends”, I’m sure they’re not picky about who be”friend”s them, so even if their profile is private, it doesn’t take much.

        Maybe they should start teaching computer security at school. It’s something everyone needs to know, now nearly everybody’s on the Internet. Would be a lot more use than teaching them bloody Microsoft Word.

        1. Greenaum – Yes sometimes especially in small town papers they still do publish birth announcements. Here in USA our SSA recently decided to block the US Death Index from publication for any American (of any age) who died less than 10 years ago. So now you can’t make any “false flags” (i.e. bogus documents) like that American cartoon King of the Hill character “RUSTY SHACKELFORD” aka Dale Gribble: https://www.youtube.com/watch?v=S580EX1nnYU (looked up birth announcements then a death certificate on that same baby then use that as your new identity – doesn’t work any more – that was old school identity theft).

          SPOOK 101: “False flags” – Despite popular American parlance this jaded spook-esque phrase is commonly misused as meaning something else. The other phrase is “false flag operation” which means something entirely different. A false-flag-maker is called a “cobbler” – a guy who makes you new walking shoes for a huge price-tag?.

          1. Pretty sure using a “false flag” means pretending to be somebody else, some other faction, when carrying out some controversial action. Like blowing up a building, and pretending to be some group, so the group gets the blame and the negative public opinion. The US government, among others, are often accused of false-flag actions.

            A flag is something you fly to prove your identity or alliegance, like on a ship. Makes more sense than for it meaning false documents, documents aren’t flags!

            “Nee”, properly with an accent, is French for “born”, so yup it’s often used for maiden names.

            As for Drumpf, his false name is probably the least-worst thing about him. Very, very depressing when you’re pondering the intelligence of the average person, and the shortcomings of democracy.

            In the UK “trump” is a child’s word for “fart”. And his wife was called “Ivana Trump”. The sort of name you’d normally read in some peurile joke in a comic.

          2. Greenaum – You are correct but the expression in the unwritten spy-parlance is “false flag operation”. However, when a spook needs an emergency extraction from in-country and he has no passport and no access to his country’s handlers, he needs to locate a “cobbler” for “false flags”. A cobbler is an expert in false documents and passports (flags) – IOW a forger. These guys are very expensive because the cobbler is taking great risk in providing this very illegal and highly technical service. The public got enamored with the phrase “false flag” after seeing it used in a Hollywood movies or in a spy book or something. It’s all unofficial and not really something well known by normal people.

            A fake identity is known in the spy trade as a “false flag”. Used to be you could make your own documents with a printer and a laminater. These days though, ID’s have magnetic strips, holograms, and infrared water marks. You need a pro. Source: Michael Wilson (Consulting Producer USANETWORK TV Show – Burn Notice) – Mike was a N.O.C.officer for C.I.A. Nat’l Clandestine Service.

            Re: Donald J. Drumpf – Yes I know that his nom de plume is the least of us YANKS problem with him. Despite this American cartoon characters similarity to Mr. Drumpf [http://tinyurl. com/z7foq36], I feel his (and our) Waterloo will be by this human cartoon character [http://tinyurl. com/qf835db]

            http://upload.wikimedia.org/wikipedia/en/a/a9/ScroogeFirst.jpg

            Trump kind of plays this Scrooge McDuck role in our society that’s kind of fun. He is a comical cartoon but in flesh and bone. He is a showman through and through, representing an entertaining but ultimately destructive mix of greed, blind ambition, and self-importance. He is a symbol of what our culture prefers to pretend is the status quo of a free society. Source Penn Jillette (American magician and con-artist)

        2. In Wikipedia maiden names are prefixed with the phrase “nee”. In Spanish culture (Spain) the males list mostly all their ancestral surnames including matrilineal maiden names. Of course Christopher Columbus (aka Cristóbal Colón) only listed his fake name and fake Italian ancestry. He was actually a Aragonian Spaniard but could have never gotten funding from the Queen if he told the truth. (Source: Dr. Estelle Irizarry – Georgetown Univ)

          Kinda’ reminds me of our presumptive Republican POTUS candidate who’s trying to hide (or obfuscate) his German roots and real German surname. I still can’t understand how a POTUS candidate can use a pseudonym to run on. Does he have to revert to his real name before he takes the oath of office on 7 January 2017??? Inquiring minds want to know! :-D

          Coincidence?: Alois Schicklgruber changed his name on 7 January 1877 to Hiedler. Then his son (future infamous dictator) used a different pronunciation of that name much like how Mr. Drumpf is now using Trump as his fake surname. Con-artists like fake names.

  3. One method to thwart SE is to setup a global policy for all employees who deal with outside vendors or contractors on the phone or face-to-face (1st contact). In the military sensitive operations can be protected by a CHALLENGE phrase. If the caller is suspect you can challenge him/her to recite the challenge phrase. This is something you send to all of your AUTHORIZED vendors or contractors to know by heart when calling visiting any employee of your company for the 1st time.. Your security dept sends out a new phrase by postal mailing list every month or sooner. Strangers will not know the phrase when you say “Challenge”. Inside-jobbers who used to have the phrase before they were fired or quit obviously wont have the new phrase next week or next month. And obviously don’t give out any sensitive information to 1st contact strangers.True story: I called GE Healthcare in NJ to see what their new mailing address in Boston was: “I can not confirm nor deny that information sir…” WTF? Your fricking new postal mailing address???

    The USSS POTUS Protection uses colored lapel pins. Each morning briefing the team leader says which color is up that day for the pins (they have multiple colors on the edges). Everybody complies or else. And if you are on the comm or a telephone you damn well better know what color is up that day. You can only know if you were at the briefing or you can see the pin on an agent’s lapel. Not sure they are always visible either. I think they only flash them on challenge. Not sure about that..

    One method to get into a system is pretty sneaky and companies need to really stop their employees from doing this: Some sneak leaves a CD, floppy, USB thumb drive in a public area or on a conference table or somewhere conspicuous. They label it with something too tempting like EXECUTIVE PAYROLL, TOP-SECRET, PORN… etc and they have loaded it with an auto execute program that some how compromises your workstation, this from the INSIDE of the Company’s INTRANET.

    NEVER STICK ANY FOREIGN MEDIA IN YOUR WORKSTATION! It doesn’t matter if you have the latest AV software or even if your the IT Security guy. However, if you have a totally segregated sacrificial lamb PC in your test lab that you don’t mind totally reformatting and reloading the OS every now and again – knock yourself out. Just quarantine that machine and lock it up so NOBODY uses it for anything. Stick a sniffer on it to see what it does on a standalone LAN that goes nowhere you set up for it..

    1. You walk into reception, and inconspicuously drop a hardwood bowl filled with USB sticks in a prominent location. Ideally about an hour before lunch and each USB stick should have the companies logo printed on it and the corporate propaganda phrase on the back. For example:
      Google – Don’t be evil.
      The National Lottery – It could be you.
      Nike – Just do it.
      Diesel – Be Stupid.
      IMAX – Think big.
      Adidas – Impossible is nothing.
      MacDonald – I’m loving it.

      I would predict that the bowl will be empty when everyone exits the building and the sticks will be in computers directly after lunch. I would bet that security and reception would be the first to grab some followed by any marketing people.

      And if you want a file that people will click on, stick “You have won 100 dollars” in the filename.

    2. I’ve seen some companies, with access to sensitive data, automatically alert security on non authorized USB devices being inserted into any PC. Just a short message – the IP address, computer serial number, asset tag and the VID and HID of the inserted device.

  4. Oh, I was hoping this was about body mods.

    Does anyone know if anyone has tried:
    1. Subdermal bone conduction mic/earbud as a bluetooth headset that charges wirelessly and has reed switches for buttons that you switch with subdermal magnets?
    2. Transdermal heat sinks, potentially with an air conditioner attached for cooling off in the summer.
    3. Subdermal multi-output RFID or NFC for use in RFID/NFC locks? (Or as a ring. This one can be a ring.)

    1. Extremely off topic comment, but I’ll bite.
      1. Would you really want this? Bone conduction has pretty lousy sound quality for music, so it would would only be useful for phone calls. And personally I don’t think I’d want a microphone permanently attached to my body.
      2. Aside from the obvious surgical-wound-with-metal-sticking-out issues, the warmest temperatures outside might be higher than your core temp and are almost certainly hotter than your skin temperature. Your body already has built-in water cooling!
      3. There are people with RFID implants, and there are many, many wearables that are capable of this. Also check out the Java Ring. Not NFC, but it’s physically secure, can do challenge-response and was created decades ago.

  5. The response to a call claiming to be from a trash company saying so-and-so said there’s a problem with a dumpster should be met with “Please hold.” then calling so-and-so to confirm. When that comes back negatory, if the crook is still on the line, make the appointment then call internal security, perhaps police too so they’re waiting.

    Someone calls out of the blue to offer some service to the company? Either “We are fine with our current provider.” or “Please submit printed bids to…” Doesn’t matter what the service is, no other provider of the service has any need to know any specifics of your current arrangement.

    Never ever just believe what someone calling in says someone else at the company told them, not without confirmation from that someone else, or without appointment confirmation in an internal access only database. That precaution will nix a lot of SE security penetration attempts.

    One part of SE is like ‘cold reading’ that ‘psychics’ do, observation and leading questions to get you to provide useful information. Easiest cure for that is to know they want as much of all kinds of information as they can get – then very firmly give them nothing.

    1. Galane – Right! Don’t follow them down their rabbit holes. “Oh my brother-in-law works for your trash service! His name is Rube Goldberg. He is the Vice President of sales.” “Uhhh… yeah Rube I met him yesterday… [weak nervous laugh]…” – [click dialtone]

    2. Now, in most cases this would work and be great but society isnt built to comply when required. For a moment however let us pretend we live in a perfect world where our employees do as they are told. In this world how would one infiltrate this organisation?

      Step one (and its going to be a long tedious process) : Befriend an employee, whether through social network or IRL. The point is you connect with this individual (s).

      Step two: everyone at some point talks about work. Complain about your own and eventually they might want to relate. While doing this gain access to all of their network capable devices and all forms of storage medium.

      Step Three: Still gathering information at this point check out all publicly accessible data on the company. Seek out information on the building (previous owners) Finding out where access cables run, where their utilities are routed. Stuff like that can come in handy depending on which angle u go after. (you know a wire tap)

      Step four: employee(s) that you have befriended will at some point insert one of those infected devices into a machine or part of the network ( you know cause they need this file to work on later, or they took it to the I.T guy to have it checked because the companies IT guy is also their personal technician as well)

      too tired to conitnue im crashing

      You could copy their badge from here or all of their access codes, you monitor their behavior and u mimic it later. no biometrics at the office? PERFECT!

      There is always an angle or openning — There is no perfect securty because there are no perfect lies.
      Half asleep while writing this so i cut it short and only focused up to step four but you get the picture a good SE will take his or her time

  6. Most cases they would have strong level of knowledge of networking and then a computer science background including programming and database concepts. Most people who consider themselves hackers know common security exploits from researching them and generally will be using programs someone else has wrote to try to accomplish goals.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.