Ethical Hacking: Social EngineeringBy Mike Danseglio
Watch these Ethical Hacking videos, and you’ll understand skills like network sniffing, social engineering, hijacking, and more. With these tactics of ethical hacking you’ll learn security techniques through the mind of an attacker.
It’s really interesting to consider that people are typically the least important expenditure in a security process. Let’s say your company spends $50,000 this year on security. I would say $49,998 of it is going towards technology such as new VPN servers, new firewalls, new proxies or new virus scanners. Those are great bits of technology but they almost always leave out human security, human education, and making users aware and administrators aware of what security means and how to defend against it. Well, that’s interesting because with ethical hacking we’re looking for the easiest way to compromise assets, the easiest way to break into a network and the easiest way to penetrate an environment. If administrators are spending all this money on technical controls: encryption and VPN, and all that fun stuff, but they’re spending no money on people, and then people are probably going to be the weakest link. They’re going to be the ones that we can approach and hopefully compromise.
Bringing strength against weakness really means bringing our attack against folks that don’t know that there is security vulnerability and have not had any controls implemented on them. Human nature is a bit of exploit here because people generally want to be helpful, they want to be kind. How often do you walk into a building where someone holds the door open for you or where the receptionist pops open the door for you and unlocks it?
Nobody really thinks, “wow, that person that just walked by is an attacker.” They think, “wow, that person that just walked by had their hands full or they had soup, or they were on the phone and were very unhappy.” Therefore, they think I should be a little bit courteous and a little respectful. That’s a great thing about human nature, but security wise that’s a horrible compromise.
People as Targets
As an ethical hacker it’s an easily exploitable vulnerability. People typically don’t think they’re a target. I hear constantly, the “no one would attack my system, or no one is interested in compromising my company, or no one would ever just dream of walking into my building or walking into my data center, so I’m not going to worry so much about it.” And, “I have all these great security controls or security isn’t my problem; therefore I don’t need to really think about it or worry about it.”
Those are great things for an ethical hacker. This means that people are letting their guard down and it means that we’re going to be able to conduct some exploits. In addition,, there’s a trend towards social networking in the last few years, certainly with Facebook and Twitter, Flickr and Picasa for pictures.
Social networking and work computing have blended together. Therefore, people tend to think that when they’re at work that it is like they’re at home on their computer. When they’re at home they’re at work on the computer. This stuff gets blended in so they don’t really consider “should I do this kind of thing on a computer? Should I not do this kind of thing on a computer at work? Is it OK to do this at home but not at work?” Peoples’ minds simply have not wrapped around that yet.
Another beautiful aspect of social engineering, and one that I really appreciate, is that if you ask someone to open a door for you, or hold open a door or give you access to something, if you perform some type of social engineering attack, almost always, there’s no trace of the attack. If it’s unsuccessful, the response might be “no, I can’t let you in, I’m really sorry, you’ll need to go back all the way to your car in the pouring cold rain,” (because I live in Seattle).
OK so, one in a hundred times that will happen and if it happens, the response by me is darn, OK, and I walk out of the building. There’s no trace of the attack, there’s no one that’s going to report to security, “wow, somebody wanted to get in and I told him he had to get his badge, and he went and got his badge.” Well, they didn’t wait for me and I certainly never went back or didn’t go back at that point where that person was, so there’s no trace of the attack ever happening. That’s fantastic.
In addition to that, based on human nature, no one wants to raise their hand and say “I was the way that this attack succeeded. I was the conduit for this attack.” So, when some type of successful attack takes place and administration and network security, police, maybe law enforcement are looking for evidence they’re looking for witnesses. No one wants to raise their hand and say “Yes, I let that person into the building by accident. Was that wrong?” It just doesn’t happen, so people will avoid taking the blame; again, great for an ethical hacker, because there’s virtually no trace.
Strength Against Weakness
I’ve already briefly mentioned how social engineering is bringing strength against weakness. It’s bringing your security strength and your knowledge of penetration tests, and your ability to manipulate people against their weakness. It’s not so much that they’re weak, per se; it’s that they don’t think about security, defending, or that what they’re doing is a compromise. So, strength against weakness is the surest way to success here.
I can’t stress enough that there’s an exceptionally high rate of success across government, private industry, public sector stuff, and any kind of enterprise you can imagine, whether it’s technology, pharmaceutical, healthcare, service industry or anything like that. It really is pretty universal that social engineering, with very, very few exceptions, is more successful, certainly, than most technical forms of attack.
However, it does often require you physically be close to manipulated. But that changes as well with all kinds of different technologies and approaches, as you’ll see in some of the videos coming up.
Social engineering can also be very stealthy and very simple. Keep it simple; keep it easy. You’ll see in the videos that some of the social engineering attacks that I conduct are trivial in their engineering, and, if you think about them, you’ll probably realize how successful they’ll be in your environment.
Once again, this is unlikely to be reported. As I mentioned previously, most targets of social engineering do not want to report, “Hey, I was stupid and I let somebody in the building” or “Hey, someone talked me out of my password, and now they’re attacking the network. And, whoops, I’m real sorry about that, would you please fire me and sue me for all the damages?” Yeah, that doesn’t really happen and its not so common. So, that kind of attack simply goes unreported. The only evidence, typically, is in the mind of the one person that got compromised.
As an ethical hacker, it’s my responsibility to ensure that that doesn’t happen in the future by reporting it properly. But, then again, getting down to the agreement that we have in writing before any ethical hacking attack begins, you want to know, do you name people by name or do you generalize? “I asked five people for the password and three people gave it to me.” “Fred, from sales, gave me this information” or “Jane, from engineering, provided access in this way or that way”.
You need to understand what your parameters are to understand how to report it. But, certainly, that kind of thing is going to come up. You are, as an ethical hacker, going to have to report success of social engineering attacks, because you’re going to be successful. If you attempt it, you’re going to be successful at it.
For social engineering methodologies, oftentimes it’s as simple as identifying a “mark”, (which is the target of your social engineering attack), foot printing them to make sure they are the people you want to attack or manipulate, and then actually conducting your social engineering attack without leaving a trace.
An Example of Social Engineering
For example, if I wanted to understand how data disposal worked at a company, I would identify the person that is responsible for system decommissioning, maybe in the IT department or maybe in the facilities department. I would identify them, either through calling reception or asking them, just point blank, “hey, who deals with getting rid of old computers?”, or looking around on Facebook or Twitter for different people in different departments and starting to put together an idea of who does that. It comes on kind of early on in the foot printing process.
Once I have that person and once I understand either which department or which individual, I’m going to go ahead and make a phone call, perhaps a phone call without caller ID or with a spoofed caller ID, that says, “Hey, I’d like to quote on this. I’d like to bid. I’ve got a new company that does great work at cheap prices, can you tell me what kind of needs you have?”
Usually, the kind of needs they have will be exactly what they’re doing today. “Oh, well, our needs are we have about ten hard drives a month that need to get disposed and we need to do it this way, and that way. They have to be picked up by an armed security guard, and we need a certificate that they’re actually destroyed properly. And, right now, we use company XYZ and they charge us this much, and they pick up every third Thursday”. “Great, thanks for all that information, I’ll get you a quote immediately”.
Will I get them a quote? No. But I’m going to sure show up at the wrong time on the wrong day and pick up those hard drives. And will anyone want to report, “Hey, I gave the hard drives to somebody who looked official, but I don’t know if he was”. Or, when the real company shows up, is that mark going to say, “I gave the hard drives to the wrong person on the wrong day”? Probably not. It’ll probably be more along the lines of, “Oh, we don’t have any hard drives to go this month”.
Great. Now I’ve essentially attacked without a trace.
I have three videos for you to watch that are all really interesting examples of social engineering attacks. There’s the shoulder surfing attack, which is just like it sounds, just watching somebody over their shoulder, the found treasure, someone finding something and thinking “that’s pretty exciting”, and a combination of a few different attacks. The shoulder surfing attack is one of my favorites; it’s a denial of service and reverse social engineering attack, which I’ll explain.
First I will explain the shoulder surfing attack. Shoulder surfing is the concept of simply looking over someone’s shoulder in a way so that they don’t see me; just standing behind someone and looking over their shoulder.
In this example, you’re going to see a guy named Chris who is sitting in the kitchen, and I simply walk up behind him and have a bite to eat while he’s logging in and doing some authentication stuff on his laptop.
Man: Oh, hey Chris.
Chris: Hey, how’s it going?
Man: Going all right.
Chris: Good. See you later, man.
Man: Hey, take it easy.
Well, I hope you found that interesting. It’s actually more common than you might expect. The second one here is a super, super simple, yet super effective, attack. In this attack, what I’m doing is sitting outside on a kind of a warm, sunny day. I look like a kind of business dude and I leave behind something, a USB drive in particular, and I just leave that on the bench.
Someone happens by, sits down on the bench, sees the USB drive, doesn’t know what’s on it or whether it could be super-secret information: could be nothing; could be an asset that they might want; could be celebrity photos or something like that; could be worth money; could be worth information.
So, they take that back to their desk and pop it in their machine. And how much did that cost me? Well, the USB drive was free at a conference and my time and energy was pretty inexpensive.
And, in this case, I actually had a lovely virus on the USB drive where Lisa popped it into her machine and boom! It’s infecting the network. Did she know that until she popped it in? No. Would she have put in a USB drive if I had handed it to her and said “Please, go back to your desk and put this in your machine?” Probably not. But she did this way.
Denial of Service Attack
And then, finally, a more complicated attack, but, actually, a far more effective attack. In this video, you’re going to see a couple of different things. There are a few phases to this, so I want to explain it before you watch the video.
What I’m going to be doing here is, first, I’m going to build the need, or build some concern, around network predictability or network accessibility.
I’m going to make a phone call, and I’m going to tell this user, “Hey, your network may go down, may not go down. I am tech support, and if you have any problems with your network today, here is my number. Give me a buzz”.
I’ll make it sound like it’s probably not going to happen, but I’m going to make sure he writes down my phone number. It’s going to be an untraceable phone number, cell phone number, Skype phone number, VoIP phone number or something like that.
Then, at some point during the day, I’m going to conduct a denial of service attack against that network connection. I’m going to make this user not have access to the Internet for a small amount of time. Great, that’s cool.
Now he is going to call me. That’s the beauty of this attack. Is he’s going to actually call me while I’m conducting a denial of service attack, and say “Hey, I can’t get to the Internet. What’s going on? You need to fix my problem.”
Then, I’m going to play him a little bit. I’m going to artificially delay the resolution. I’m going to slow things down. I’m going to make him more frustrated. He’s in a hurry; he’s got a compelling need. I don’t really care and I’m going to let him know it with my voice.
And, over, and over, and over again, I’m going to ask for just a little bit of data and just a little bit of help so he can work with me a little bit. Then I’m going to, finally, when he gets really desperate and really eager for the resolution, spring on him that I need his password in order to simulate what’s going on and actually resolve the issue.
Once I have his password I stop his denial of service attack and he can get on the network. Fantastic! Everybody’s happy. He’s probably not going to remember that this happened, or, if he remembers, he’ll just remember that it got fixed; he won’t remember giving me his password.
I’ll then wait a little while and, almost certainly, just be able to log into the network, either remotely, locally or anything like that, with this username and password.
I’ll attack someone that I believe is going to be easily compromised because I don’t need to attack a domain administrator, network administrator, security manager or someone like that. They’re going to be a little bit more aware of this type of attack, and a little bit more on their guard.
Who I attack doesn’t matter to me at all. As long as I have some user credential I can get into the network and start my further attacks and start building off that abscess. I hope you enjoy this video.
Miles: Corporate accounts, this is Miles, how can I help you?
Mike: Hi, Miles. My name is Mike and I’m with tech support, how are you doing today?
Miles: I’m doing well, how are you, Mike?
Mike: I’m doing fine, thanks. I’m actually doing technical on your Internet connection today. I’m doing a couple of upgrades and changes. I will try to minimize the impact as much as I possibly can, but I wanted to ask before I got started, are you a heavy Internet user at work? Would any connection problems affect you?
Miles: Yes, absolutely, I’m on the Internet all day, that’s basically what my whole job is. So, if that goes down, we’re going to have a big problem. We need to minimize that as much as possible.
Mike: All right, well, I will ensure that your connection stays up as much as possible with zero down time. In the unlikely event, though, that there is any downtime, that you have problems connecting, you might want to try hitting F5 a couple of times and refreshing your connection. If that doesn’t work, I’d like you to take down my cell phone number, that way you can call me immediately if there’s any trouble. Does that sound alright?
Miles: OK, now, what department did you say you were from again?
Mike: I’m actually from technical support, but for the Internet connection that your company uses. I work in a large data center down in Southern California.
Miles: Oh, OK. Now, what is that number again?
Mike: My direct cell phone number is 425 882 8080.
Miles: OK, that’s 425 882 8080?
Mike: Exactly. And my name is Mike. Give me a call if you have any trouble at all today.
Miles: OK, will do, Mike. Alright, thanks a lot.
Mike: Have a great day, Miles.
Miles: You, too.
Mike: This is Mike with tech support.
Miles: Hi Mike, you called me earlier and said that there’s a chance that the Internet might go down here?
Mike: And it definitely just did. And I really need to get back on. And you are…?
Miles: Miles. We talked earlier.
Mike: Oh, right, right, Miles. Let me take a quick peek.
Mike: Actually, your connection should be fine, why don’t you hit F5 a couple times.
Miles: No, that doesn’t work.
Mike: All right, give me just one more moment. You said you logged in with what username again?
Miles: Just Miles.
Mike: OK. Try again; hit F5 a few more times.
Miles: No, it’s still not working. Come on, you have to be able to fix this, this is ridiculous.
Mike: OK, Miles, I can do some more tests. You said you used Miles as a log in name. What’s your password?
Miles: It’s KevinBacon4.
Mike: KevinBacon4. One more moment.
Mike: All right, I’ve done a few more things, why don’t you give it another try?
Miles: Huh. I think it’s actually working.
About the Author
Mike Danseglio has worked in the IT field for more than 20 years. He is an award-winning author, public speaker, and instructor on a variety of technology topics including security, virtualization, cloud computing, wireless and wired networking, and IT lifecycle processes. His operations experience includes managing the Xbox LIVE operations team, the largest cloud computing operations team in the world, and consulting on operations efficiency with countless clients around the world. Mike has published several books (including two for O’Reilly) and numerous papers. He is a frequent conference speaker and classroom instructor on IT operations, computer security, and technology frameworks. Mike holds a number of certifications and accreditations including Certified Information Systems Security Professional (CISSP) practitioner and instructor.
Author's Website: http://www.nextdirectiontech.com/