First-Person Account of a Social Engineering Attack

darkreadingman writes, "A penetration tester tells how he broke into a bank's network dressed as a copier repairman. Some good lessons here — many companies spend millions on network security, but don't teach their employees how to challenge a stranger in the building. Social engineering at the company site can be one of the most difficult attacks to defend against." From the article: "Before departing scenes like these, we try to document the effort and provide proof of our success. I usually leave something behind and then contact the person who hired me and direct them to the mark. In this case I wrote his password on a ream of paper and tucked it under the machine."

Hmm...

[The Zon (969911)]

You know, I was wondering why that guy needed my password to fix the copier.

Re:Hmm...

[by Anonymous Coward]

Because you don't get karma for Funny moderations any more, so some moderators like to throw in an Insightful moderation for funny comments.

Re:Hmm...

[bcattwoo (737354)]

And ironically your insightful comment was modded funny.

Re:Hmm...

[dr_strang (32799)]

Are there ironic mod points? Because that would be ironic.

Re:Hmm...

[LordSnooty (853791)]

Yeah, but they cancel each other out.

Yikes! So much effort!

[moore.dustin (942289)]

I know for a fact if he came to my office and attempted to get passwords that way, he put in way to much effort. All you need to do at this place is look over someones shoulder at the sticky note stuck to the monitor.

I think it goes without saying that anyone getting into your office claiming to be someone they aren't is a threat. Hacker or otherwise, they can easily get information they want with a "hall pass" for the whole building.

And why is it that way?

[blueZ3 (744446)]

Whenever I hear the usual rant about users having their password as a sticky note on their monitors, my instant reaction is "It's your fault, you goob!" I've worked lots of places where they've implemented a new "password security process" which requires you to switch your password regularly and which prevent you from using the same password for some ridiculous period of time and which disallow dictionary-based words/phrases.

Hello, McFly? Which is better: my having an easily-remembered but difficult-to-guess password that I never write down, or you forcing me to change my password frequently and then write it down because your policy makes me choose something obscure? My original password was fairly strong (a combination of upper and lowercase letters and numbers that are meaningful only to me) but when I'm forced to change to something new, it will be written down somewhere until it's committed to memory. Can you say "counterproductive"? How about "unintended consequences"?

Of course, I understand that a lot of these policies are based on out-dated recommendations and come down from on high. However, it would be nice if those making these "rules" to realize that most users have other things to do besides remembering a constantly changing set of passwords. Oh, BTW -- my new password is "theCIOsucks!" :-)

Re:And why is it that way?

[Maxo-Texas (864189)]

Completely agree.

I went from very secure passwords to insecure passwords written down on paper slips as a direct result of our security policy.

1) Change every 90 days (up from 60 at least. that was really bad).
2) no repeating letters or numbers
3) no letter or number in the same position as last password.
4) must have a number
5) not be a word in a dictionary
Starting password something like
YuL1P3729 (the last 4 digits were what changed- they were an old phone number- I slid through it horizontally)

Current password something like
secre1t
I have about 8 passwords.
And they are all on a yellow sticky on my desktop.

Re:And why is it that way?

[Beryllium Sphere(tm) (193358)]

My explanation of why you *should* write down your password [berylliumsphere.com]. Bruce Scheier has made the same point.

All of which is really a distraction. Sticky notes on the monitors? If someone's that close they can install a hardware keylogger in a matter of seconds or RAT and rootkit the machine with a live CD in a few minutes. The only security improvement you get from taking down the sticky notes is against casual or opportunistic attacks, which is not nothing, but face the fact that physical access means Game Over.

Re:

[AcidLacedPenguiN (835552)]

I don't know about anyone else but I feel I have the best password creation system. . . I go and look at half a dozen other employee's sticky notes then I bolt them up like Voltron to form my own superpassword.

negative vs positive

[theStorminMormon (883615)]

I've been thinking about the article. It seems to me that such an abject failure to prevent a security breach could be more demoralizing than instructive. In most companies, the employees are not going to be security-savy, and they will not question a potential intruder. When the penetration test is successful everyone just feels stupid and slightly used. That's my guess at how the bank employees would react when the boss let them know that they got totally hacked.

Instead, for those bosses with less scruples, you'd probably get more bang for your buck by faking the penetration test. Hire some dude to try to get in, and arrange some employee to "catch" him. Then you get to circulate the news that you were successful because an employee did the right thing. I think the information would be just as instructive (always ask for outside confirmation of vendor reps), but instead of being depressing (you guys all failed to do the right thing) it could be empowering (it's easy to do the right thing, and one of you managed to do it).

Is penetration testing even worth the money for a system as obviously insecure as this one? If, as the article claims, these attempts succeed 9 times out of 10, then you don't need to pay for the penetration test to know your company will fail. Does a bank manager really need to pay someone to tell them the obvious? They should take some proactive steps towards security-enhancements first, and save the penetration testing for when they actually think they have a somewhat hardened system (social and technical) to penetrate.

-stormin

Re:Yikes! So much effort!

[Negadecimal (78403)]

I think a bank requires a little more awareness on the part of the staff than most offices.

That's an understatement. My wife's bank doesn't even have wastebaskets at teller stations, for fear that an account number could end up in the dumpster out back. All paper is either quickly shredded or couriered daily to a processing center. Loose sheets - even a sticky note - are verboten.

Each teller has a binder on hand that contains security procedures specific to the teller. When one teller accidentally grabbed another's binder a few month ago, the whole branch had to do a security update, which included a two-hour procedure to change the vault codes.

Re:Yikes! So much effort!

[mallgood (964345)]

My question is why would you ever need to get into the vault? Really. Look at the world, almost nobody uses cash any more. There isn't a reason to. You swipe your card and the transaction is done. All it means is that - tap tap tap - a dozen key strokes later and you have a bunch of money transfered into an account of your liking. Now whether you are smart enough to transfer it into the account of someone you don't like rather than your own is a different question.

Re:Yikes! So much effort!

[mrogers (85392)]

Yeah I imagine all the money's sitting in a shared folder on the secretary's PC. Never mind a dozen key strokes, you can probably just drag and drop.

"Are you sure you want to replace 'Teh Money.xls', size $13.28, modified 11/21/2006, with 'Teh Money.xls', size $1,000,000.00, modified 11/30/2006? [OK] [Cancel]"

Re:Yikes! So much effort!

[Solra Bizna (716281)]

Now whether you are smart enough to transfer it into the account of someone you don't like rather than your own is a different question.

Or, transfer it into your own, separate account on the same bank, then use Log Modifier to change the destination account in the transaction record to someone you hate (or someone you're being paid to discredit), and Log Deleter to delete the record on your end. Disconnect before they trace you, and BOOM! Watch your Uplink rating smash through the roof...

You'll probably need a level 5 Firewall Disable (or Firewall Bypass) and version 3 of Decypher. And don't try to hack into the Uplink Corporation's bank; yours is the only account.

Wait, we are talking about Uplink, right?

-:sigma.SB

Re:

[rvw14 (733613)]

Why would you want to get into the vault? The amount of money a bank keeps on-hand is very small, and the penalty for getting caught is huge.

If you can get into the bank's internal network, you can get all sorts of information. Identity theft can net more money without the risk.

Re:

[markov_chain (202465)]

What gets me is that he was able to sniff the president's login and password off a LAN. Seems like they need to do some work on their intranet security.

Re:Yikes! So much effort!

[erpbridge (64037)]

Card printers with stripe encoders are fairly inexpensive. In 2000, picked one up for a previous employer for $400.

However, also being the guy who ran the prox card access system, I can tell you this: Prox cards are not easy to reprogram. They are usually hard coded with technology that resembles a primitive form of a RFID chip and small battery that only energizes when in the prescence of a mildly strong magnetic field (more than kitchen refrigerator magnets, but not as strong as the rare earth magnets you can buy for cheap), has a transmit range of 6 inches, and is attached to a antenna/induction coil loop that circles the length of the card about 5-10 loops.

Theres a reason you don't leave a prox card on top of a unchielded stereo speaker... Not only does the stripe become scrambled over time, but the battery, which is constantly in the range of the magnetic field, will stay energized and keep broadcasting the signal untill.... well, until its dead. Typical prox cards are specced for about 10-20 access per day, with a usable lifespan of 5 years.

Prox cards from HID (one of the biggest manufacturers of prox security equipment) are sold with a two-fold identifier: 4-digit site ID, and 6-digit card number. Yes, these are both printed on the card. Yes, HID keeps track of which company owns which site ID, so they can sell further stock in the future with the same site number...and also so they don't sell the same site number to someone else in the same region.

Prox reader controllers (a closet component that is what the readers are wired to, each controller capable of holding a token-style chain of 127 modules that can each control up to 8 doors on each module) are programmed to accept only a certain set of site ID's. They keep a local database, updated at regular intervals from the master controller, a server (anywhere from 15 mins to an hour) of what card numbers within each site are allowed to access a specific reader/door combo.

If the communications to the server is down, the controller tries to contact the nearest controllers it knows about (up to 255), which also keep the same database. If no redundundant communication to other controllers or to server is available either, the controller maintains its current memory and security settings for 72 hours from last communication. After that, no access is allowed at readers until communications are enabled again and a database synch is performed.

Of course, this info is all dated to 2002, for Andover Controls security systems... but is pretty much standard to all prox systems.

In the words of the Paranoia RPG

[Billosaur (927319)]

1. Stay alert
2. Trust no one
3. Keep your laser handy

Just Check!

[Thansal (999464)]

I need to call someone about what you're doing

Simple enough. I don't know if I am parnoid or what, but if I recieved an unsolicited "service" for one of our machines I would double check with my contact for that company.

If some one is poking around who I do not know I will check it with my boss.

Re:

[QuantumRiff (120817)]

You would, but would your minimum wage receptionist? How about the custodian that has keys to everywhere? Would they know that someone had called ahead of time? Or would they just assume someone in another department called, and let them in?

Would Biometric Security Devices Mitigate Sniffing

[w33t (978574)]

I wonder, since the article states that the tester was - within seconds - able to sniff passwords and usernames, that if the bank had employed biometric security devices would this sniffing have been so easy?

1 ream = 500 sheets

[by Anonymous Coward]

In this case I wrote his password on a ream of paper and tucked it under the machine.
That seems like an awful lot of effort, when you could just write it on one sheet. :)

Dont really need that.

[Lumpy (12016)]

$2000.00 cash and you can pay off the cleaning service people to let you in dressed as them. EASILY, sometime for far less. those people are so underpaid yet have access to the most secure parts of the company you can get in, get past the security guards without a second look and you are allowed to root around in secure areas on camera as you are supposed to be under each desk cleaning out trash.

Install a few key loggers, come back in a week and harvest them. No problem and easily undetected at any corporation. They probably will never suspect you even after they get massive hacks later because security typically is also underpaid and way under trained.

Re:Dont really need that.

[shadwstalkr (111149)]

Why pay them? Just fill out an application and make a few extra bucks while you prepare for your big heist.

The copyer hole

[Anonymous Monkey (795756)]

At one point I worked for a copier repair company (Dispatcher, accountant/bookkeeper, & some computer stuff). Each month I got calls from people who fell victim to one of two scams.

1st: Some one calls an office and says that copier supply cost will go up next month so stock up now. Then they charge you an arm and a leg for your order. (Most of the time toner and developer is covered under the service contract)

2nd: Some times, some one would call up and say that they don't like the new tech that we sent out. I would say "what tech, you don't have a call up on your machine?" then after a few minuets of back and forth they would realize that it was (a) for the other copy machine and not one from my company, or (b) some one was looking around the office without authorization. The scary thing is that this often happened at schools.

Later, at my next job, I nabbed some one pretending to be a copy 'service agent' at the front desk and fed them a line until they went away.

The moral of the story is be paranoid, ask for ID, make people sign in, never ever trust some one who just shows up and make sure all visitors are escorted at all times.

Man I Wish...

[eno2001 (527078)]

...I could be a penetration tester. On Jenna Jameson. ;P

Re:Man I Wish...

[6Yankee (597075)]

If you ever do get the chance, just remember the basic rule of any pen test:

• Get permission first or you'll end up in a world of trouble. Given the likely circumstances of this particular test, I strongly recommend that you cover your ass.
• File a report afterwards, or your mark may never know you were in there - with this target, and especially with your particular toolset, such an outcome is especially likely. :P

Yes, I have mod points, but this seemed like more fun :)

Employees are not conditioned to be security aware

[simm1701 (835424)]

I recently hired a car from a well known car company (I won't name them as in general I find them to be a very good company)

I normally hire from one particular branch and drop it back off there and as a regular customer known each of the staff by name, however on this occasion I was dropping the car back at the airport.

After parking up a guy came from a car in another bay (for the same car company) and asked if was dropping off one of their cars which I confirmed and told him it had come from my usual branch and not the airport. He asked to see the paperwork and did a check over the car - not a problem. After he gave me the paperwork back he asked for the keys. Since I didn't know him and he wasn't even wearing a uniform I asked to see ID, he couldn't provide it and all he did have was a stack of paperwork with the company letterhead in a file.

Well I'm afraid that isn't really good enoguh proof of ID - I told him I'd drop the key off at their desk (which is opposite my check in desk) since I had no way to know if he was an employee or not.

After dropping the key off at the office of the car company in the airport it turns out he was a legitimate employee but the question of ID has never come up.

I saw some of the otehr cars there - they are always brand new and while I usually take something like an astra or a vectra this being the airport car park had several jags and a merc or two. Its seems it would be a VERY easy way to obtain a few cars... park up, inspect the car, ask for the key.

Even if you get pulled over by the police you would just have to say its a hire car - a check of the registration would confirm that - these companies really should be a little more careful of their security!!

Re:Employees are not conditioned to be security aw

[jandrese (485)]

You've really hit on one of the big reasons why these social engineering tasks work. If you are "that guy" who insists on calling in everyone who comes into the office, you are also the reason the copier is still broken because he turned away the repairman at the door simply because the copier place's front desk didn't have easy access to the work schedules of the repairmen.

In a perfect world everyone would be competent and always available on the other end of the phone, but in the real world it can be a

No DHCP!

[smooth wombat (796938)]

I then disconnected the network cable from the copier/printer and attached my laptop. As soon as my laptop booted up, DHCP provided a network address and I was on the internal network.

At my previous job, DHCP was not used for printers. In fact, you could not plug into any port and get a connection. Everything was locked down by MAC address and every printer was given a specific IP address. Even the pc ports were locked by MAC address.

Sadly, my current place of employment does not follow this rule. Anyone could do what the article talks about except that our security guard is pretty good about calling someone if a technician shows up and says they have to do something. If that happens, I am usually the one who goes down and finds out what's going on. Since I work in IT, I would know if what the person is saying is true or not.

ObSneakers

[Rob T Firefly (844560)]

"Gentlemen, your communication lines are vulnerable, your fire exits need to be monitored, your rent-a-cops are a tad undertrained. Outside of that everything seems to be just fine. You'll be getting our full report and analysis in a few days but first, who's got my check?"

True story.

[Maxo-Texas (864189)]

Friend of a friend got a job doing security audits for a major energy company here in houston.

1) He broke into a top nuclear facility by holding a box and asking the person ahead of him to hold the door.
2) He set off the "man trap" and found he could easily climb out of it.
3) He found out the heavily secure facility had secure areas protected by sheetrock walls in some areas.

He finally embarrassed so many people that they posted a picture of his face to all employees with a warning to be careful. That destroyed his effectiveness. Some solution.

But that's the real world for you.

Re:

[earnest murderer (888716)]

So I am understanding that someone distributed his picture to thwart the security efforts of their own company?

Shit, I'd fire then sue them.

Re:

[dr_dank (472072)]

He finally embarrassed so many people that they posted a picture of his face to all employees with a warning to be careful. That destroyed his effectiveness. Some solution.

So they hire your friend to pen test their security and, rather than implement his findings, they made up a "wanted poster" and did nothing else? What was the point of hiring him in the first place?

Re:True story.

[Danny Rathjens (8471)]

Most nuclear power facilities are run by private companies, but a separate government organization is responsible for safety inspections. When a government inspector finds something wrong, the company involved can face massives fines.

I know a guy who was an inspector at our local nuclear power plant. He said that once he found a guard sleeping so he went and got the supervisor so it could be documented. On the way back, he said the supervisor was talking loudly and stomping his feet. Not surprisingly, the guy was awake when they reached him, and consequently, that supervisor saved the power company a couple hundred thousand dollars.

He did learn his lesson, and in later similar situations would only tell supervisors to come with him and not the reason. :)

Re:

[Joe Snipe (224958)]

what the hell is a man-trap?

Re:True story.

[Beryllium Sphere(tm) (193358)]

It's like an airlock: two doors in series, only one of which can open at a time. Crooks hate things that could slow down a getaway and if you implement your access check on someone in the middle with both doors locked, well, if they're a crook you've got them in custody.

Re:True story.

[Maxo-Texas (864189)]

And in this case, the airlock had a standard drop in tile false ceiling. The real concrete ceiling/floor of second story was 2' above the false ceiling.

He apparently reached up, grabbed the wall, pushed up the ceiling panel, and climbed up easily using the door handle to step on. It held him about 30 seconds.

teach employees?

[Lord Ender (156273)]

Teaching employees to police each other at the door does NOT help security. It does not work. All the awareness training in the world is wasted money because "politeness" is built in to our culture.

If I'm walking out the door, and someone coming in catches the door after I walk out, am I going to stop, turn around, go back in the building, stop the person on the way to the stairs, force him to follow me back to the badge reader, and wait to make sure his badge is accepted by the reader? No.

It will never happen.

Even if your security awareness training is so successful that 50% of your employees do this, an intruder only has to try twice to get in. You gain nothing.

Employee-enforced physical security is a farce. You will ONLY have real physical security if you have a dedicated security guard who checks every badge and photo-ID for every person entering the building.

If you call them on it, people get upset.

[Animats (122034)]

Some months back, I saw some people working on the phone lines outside my house. They knocked off my DSL connection, so I went out to see what they were doing. They didn't have an SBC truck, so I asked to see their ID. Classically, telcos were very careful about issuing picture IDs to all employees authorized to meet the public or work on plant. There's even a notice in most telephone directories about it, telling customers that all telephone employees are required to carry a telco photo ID.

They didn't have SBC IDs. So I called SBC repair service via a cell phone. They didn't have a clue. So I called 911 and had the local cops come out. They ask the guys for phone company ID, and the techs don't have it. Twenty minutes of confusion as the techs and the cops are calling various parties.

Turned out that SBC had quietly been "outsourcing" some routine outside plant work, and had been sloppy about issuing credentials to the outsourcing contractor. Tied up four techs and two cops for half an hour to straighten that out.

That's what happens when you do it right. Annoys everybody.

Re:Look under your keyboard...

[DarthTaco (687646)]

thanks! I looked under my keyboard and found the jumpdrive I had been trying to find for weeks!

Re:

[jacks0n (112153)]

moderator sarcasm

for the sake of clarity

[Gary W. Longsine (124661)]

Lying is a specific tool, not a blanket term for the various types of deception which may be employed in social engineering. Perhaps you think it sounds self-important, but that assumes that the only people who use the term are engaged in the practice. I think the term sounds reasonably descriptive and emotionally neutral, unlike "scamming" for example, and allows for the possibility that some people may engage in social engineering for non-harmful purposes.

Re:Backwords

[rthille (8526)]

Which is why you should bang your mistress in the back of the theater.

Re:

[by Anonymous Coward]

Yes it is lying, however its also quite a bit more than that.

Its a con. Plain and simple. Since you generally know the conversation and physical scenario that is going to take place, all that is needed is some improv. Thats why I state its a bit more than lying. You're feeding off of the targets lack of awareness, willfullness to give information, and general good nature, as 'everything seems to be in order' with your physical presence.

As far as distinction in vocabulary and vernacular of language, that wou

Not news... but still useful

[Khomar (529552)]

It's not really news as it is just reaffirmation that the weakest link in security is the human factor. It's been a known problem that someone could just walk in and pretend to be tech support/help desk/repair for as long as their has been computers.

While this is not technically "news", it serves as a good reminder and notice of warning. As mentioned in the article...

Combine catching the bad guy and letting an organization know this type of theft and criminal behavior really exists, and you get one of the best tools in educating employees about vigilance and how to be proactive in security.

Hearing stories like this raises awareness for all of us, and reminds us of different ways that we can be exploited so that we can avoid them. Just like learning from history, it is always better to learn from someone else's mistake instead of learning it the hard way.

Re:

[onepoint (301486)]

think interesting was an understatement. I found it wonderful and should be sent to every VP. basic security is so rare.

I had a job on wall street many years ago. And I consistently caught people whom were trying to get info about our main frames or dumpster diving. I ended up putting a strict policy, and I was able to buy one heck of a schreader ( this THING was as big as a wide screen TV and could eat your hand if you were not careful).

I still do my transaction thier because the guy I left in charge was

perhaps I wasn't clear enough

[Gary W. Longsine (124661)]

This kind of stunt gets people fired, and worse, gets people in serious legal trouble and ruins their reputations.

Doubt me? Ask Randal Schwartz. Unless I missed something, Randal has admitted his naivety, but not malice, concerning the matter of cracking passwords to demonstrate security problems to one of his clients. The client was not amused. Here is an example, from the first click in a trivial google search.

Intel v. Randal Schwartz: Why Care? [mabuse.de]
Clearly, Randal was someone who should have kno

Re:

[imaginaryelf (862886)]

Mostly for ease of deployment. Assuming that everyone already has a VPN client for connecting from home or hotels, etc. Your users then don't have to do anything special like 802.1x for wireless but VPN for something else, and your administrators have one less variable to control.