I’ve been aware of the Social Engineering panels, talks, and villages at many conferences over the past few years. For some reason, be it the line to get in or conflicting schedules, I haven’t made it to one. Today was my day and I had a blast. The Social Engineering Panel at HOPE XIII is a great introduction to the dark(ish) art and a stroll through memory lane with some notables in the field.
Social Engineering (SE) is the pseudo-science of getting what you want by convincing people to share information, usually without them even knowing they’re doing so. This particular panel focused on over-the-phone SE and the four panel members began with a simple illustration. SE has changed over the years in large part because it is increasingly difficult to get a human on the phone. For about ten minutes an attempt was made to reach a person at Verizon, AT&T, and Spectrum Cable. With a two minute limit per phone number, all were fails.
But this didn’t derail the talk, which featured story time from Emmanuel Goldstein, Alexander J. Urbelis, Flyko, and Cheshire Catalyst. As phreakers back in the day, and tele-social engineers still, the stories were very entertaining. The panel was live streamed but doesn’t look like the video is available on demand yet so I’ll give you a quick and entertaining overview.
Where do you travel every day? Are there any subtle ploys to manipulate your behavior? Would you recognize them or are they just part of the location? Social engineering sometimes gets a bad rap (or is it rep?) in the mainstream, but the public-facing edge of that sword can keep order as it does in Japanese train stations. They employ a whirlwind of psychological methods to make the stations run like clockwork.
The scope of strategies ranges from the diabolical placement of speakers emitting high-frequency tones to discourage youthful loitering to the considerate installation of blue lights to deter suicides. Not every tactic is as enlightened as suicide prevention, sometimes, just changing the grating departure buzzer to a unique tune for each station goes a long way to relieving anxiety. Who wants to stand next to an anxious traveler who is just getting more and more sweaty? Listen below the break to hear what Tokyo subway tunes sound like.
In 1978, Tim Jenkin was a man living on borrowed time, and he knew it. A white South African in his late 20s, he had been born into the apartheid system of brutally enforced racial segregation. By his own admission, he didn’t even realize in his youth that apartheid existed — it was just a part of his world. But while traveling abroad in the early 1970s he began to see the injustice of the South African political system, and spurred on by what he learned, he became an activist in the anti-apartheid underground.
Intent on righting the wrongs he saw in his homeland, he embarked on a year of training in London. He returned to South Africa as a propaganda agent with the mission to spread anti-apartheid news and information to black South Africans. His group’s distribution method of choice was a leaflet bomb, which used a small explosive charge to disperse African National Congress propaganda in public places. Given that the ANC was a banned organization, and that they were setting off explosives in a public place, even though they only had a few grams of gunpowder, it was inevitable that Jenkin would be caught. He and cohort Steven Lee were arrested, tried and convicted; Jenkin was sentenced to 12 years in prison, while Lee got eight.
As Internet security has evolved it has gotten easier to lock your systems down. Many products come out of the box pre-configured to include decent security practices, and most of the popular online services have wised up about encryption and password storage. That’s not to say that things are perfect, but as the computer systems get tougher to crack, the bad guys will focus more on the unpatchable system in the mix — the human element.
History Repeats Itself
Ever since the days of the ancient Greeks, and probably before that, social engineering has been one option to get around your enemy’s defences. We all know the old tale of Ulysses using a giant wooden horse to trick the Trojans into allowing a small army into the city of Troy. They left the horse outside the city walls after a failed five-year siege, and the Trojans brought it in. Once inside the city walls a small army climbed out in the dead of night and captured the city.
How different is it to leave a USB flash drive loaded with malware around a large company’s car park, waiting for human curiosity to take over and an employee to plug the device into a computer hooked up to the corporate network? Both the wooden horse and the USB drive trick have one thing in common, humans are not perfect and make decisions which can be irrational. Continue reading “Social Engineering Is On The Rise: Protect Yourself Now”→
If you watch enough mainstream TV and movies, you might think that hacking into someone’s account requires a huge monitor, special software, and intricate hand gestures. The reality is way more boring. Because people tend to choose bad passwords, if you have time, you can task a computer with quietly brute-forcing the password. Then again, not everyone has a bad password and many systems will enforce a timeout after failed attempts or require two-factor authentication, so the brute force approach isn’t what it used to be.
Turns out the easiest way to get someone’s password is to ask them for it. Sure, a lot of people will say no, but you’d be surprised how many people will tell you. That number goes up dramatically when you make them think you are with the IT department or their Internet provider. That’s an example of social engineering. You can define that many ways, but in this case it boils down to getting people to give you what you want based on making them believe you are something you aren’t.
Everything Old…
We think of social engineering as something new, but really–like most cybercrime–it is just the movement of old-fashioned crime to the digital world. What got me thinking about this is a service from Amazon called “Mechanical Turk.”
That struck me as odd when I first heard it because for product marketing it is pretty bad unless you are selling turkey jerky or something. If you tell me “Amazon Simple Storage Service” I can probably guess what that might be. But what’s Mechanical Turk?
One of the biggest challenges for a company that holds invaluable data is protecting it. At first, this task would seem fairly straightforward. Keep the data on an encrypted server that’s only accessible via the internal network. The physical security of the server can be done with locks and other various degrees of physical security. One has to be thoughtful in how the security is structured, however. You need to allow authorized humans access to the data in order for the company to function, and there’s the rub. The skilled hacker is keenly aware of these people, and will use techniques under the envelope of Social Engineering along with her technical skills to gain access to your data.
Want to know how secure your house is? Lock yourself out. One of the best ways to test security is to try and break in. Large companies routinely hire hackers, known as penetration testers, to do just this. In this article, we’re going to dissect how a hired penetration tester was able to access data so valuable that it could have destroyed the company it belonged to.
The start of any hack involves information gathering. This is usually pretty easy for larger companies. Their website along with a few phone calls can reveal quite a bit of useful information. However, you can be assured that any company who has hired a pen tester has taken the necessary precautions to limit such information.
And such was the case for our hacker trying to gain access to the ACME Corp. servers. Her first target was the dumpsters – dumpster dives have been proven to unearth a trove of valuable information in the past. But the dumpsters were inside the complex, which was guarded by a contracted security firm. Through a bit of website snooping and a few phone calls, she was able to find out the department that was in charge of trash removal for the company. She then placed a phone call to this department. Using a social engineering (SE) technique known as pretexting, she pretended to be with a trash removal company and wanted to submit a quote to service their business. Using another SE technique called elicitation, she was able to find out:
that trash collection took place on Wednesdays and Thursdays
the total number of dumpsters
that there was a special dumpster for paper and technology trash
the name of the current waste removal company – Waster’s Management
the name of the employee in charge of the waste removal – [Christie Smith]
Dumpster Dive
Armed with this information, she went to the Waster’s Management website and grabbed their JPEG logo. Within a few days, she had a shirt and hat with the logo in her hands. She called the security department and said she was with Waster’s Management, and that [Christie Smith] had told her one of the dumpsters was damaged, and she needed to take a look at it before the next trash removal.
The next day, wearing the shirt and hat she had ordered online, she was given a badge from security and allowed access to the dumpsters. Now, any hacker worth her weight in PIC16F84’s already knows what dumpster she dove into. It didn’t take her long to walk away with several hard drives, a few USB drives and some useful documents. She was able to gain knowledge of an upcoming IT contract work, the name of the CFO, and the name of a server with some level of importance – prod23.
Hacking the Server
With some more SE, she was able to find out when the IT work was scheduled. It was after hours. She showed up a bit late and was able to walk right through the front door by claiming she worked for the IT contract company. She then shifted roles and pretended to be an employee. She approached one the real IT contract guys, and said she worked for the CFO, [Mr. Shiraz], and asked if he knew to be careful with the prod23 server. With more SE, she was able to find out the prod23 server was off-limits, encrypted, and only accessible by specific admins.
She was able to access an admin office, and it was there she would don her black hat. She booted the computer with BackTrack via USB and installed a key logger. She made an SSH tunnel to her personal server where she could dump the contents of the key logger, along with some other shells. Now, this is where things get interesting. She opened Virtual Box and used the computer’s hard drive as the boot medium. The VM booted the OS, and she hid all of the screen decorations to make it look like the target OS was running. The admin would log in without a clue, and our hacker would get their username and password through the key logger.
Once the login information came in, she was able to access the admin’s computer, and from there the prod23 server. You can imagine the look on the faces of the top executives for ACME Corp when our hacker handed them a copy of the keys to their kingdom.
Social engineering is human hacking, and a dark art in itself. Our hacker in this story would have never been able to even get close to the server if she did not have SE skills. No matter how secure you make something, so long as you allow humans access to it, it’s vulnerable to attack. And then it’s down to how well-trained your people are in repelling these kinds of intrusions.Just ask Target.
You can find the full story in the source below.
Sources
Social Engineering, The Art of Human Hacking, Chapter 8, by Christopher Hadnagy, ISBN-13: 860-1300286532
If we were to express an official view of the what these guys did once they hacked into a Target store’s PA system, we’d have to go with definitely uncool. However, it’s good to know that phone phreaking and good ol’ social engineering isn’t dead yet. Many of us got our start by playing with the systems around us.
Anyone could call into a Target store and request to be transferred to the PA’s extension code, which was the same everywhere. If the person transferring the call wasn’t quick on their feet, the caller would then be patched directly into the stores PA system. The kicker? Target had no way of stopping the PA until the caller hung-up. It’s the way the system was designed.
The hack itself is embarrassingly simple. The PA is attached to the in-store phone network. This is pretty standard. We’ve all seen a sales associate go up to phone in a store, dial a number, and make an announcement throughout the store. Where Target went wrong is improper separation of systems, and poorly thought out standardization.
The weakest link in security is always the people it’s designed for, not the one’s it’s designed to keep out. It’s a fun little prank, and hopefully Target has it sorted out now.
Within a few days, she had a shirt and hat with the logo in her hands. She called the security department and said she was with Waster’s Management, and that [Christie Smith] had told her one of the dumpsters was damaged, and she needed to take a look at it before the next trash removal.
