First-Person Account of a Social Engineering Attack

darkreadingman writes, "A penetration tester tells how he broke into a bank's network dressed as a copier repairman. Some good lessons here — many companies spend millions on network security, but don't teach their employees how to challenge a stranger in the building. Social engineering at the company site can be one of the most difficult attacks to defend against." From the article: "Before departing scenes like these, we try to document the effort and provide proof of our success. I usually leave something behind and then contact the person who hired me and direct them to the mark. In this case I wrote his password on a ream of paper and tucked it under the machine."

Not quite news

[otacon]

It's not really news as it is just reaffirmation that the weakest link in security is the human factor. It's been a known problem that someone could just walk in and pretend to be tech support/help desk/repair for as long as their has been computers.

Yikes! So much effort!

[moore.dustin]

I know for a fact if he came to my office and attempted to get passwords that way, he put in way to much effort. All you need to do at this place is look over someones shoulder at the sticky note stuck to the monitor.

I think it goes without saying that anyone getting into your office claiming to be someone they aren't is a threat. Hacker or otherwise, they can easily get information they want with a "hall pass" for the whole building.

Just Check!

[Thansal]

I need to call someone about what you're doing

Simple enough. I don't know if I am parnoid or what, but if I recieved an unsolicited "service" for one of our machines I would double check with my contact for that company.

If some one is poking around who I do not know I will check it with my boss.

For the love of all things holy

[noewun]

Can we please stop calling it "social engineering"? It's called lying. Saying 'social engineering' instead of 'lying' or 'scamming' sounds way to self-important to me, like people who ask, "would you like a beverage?" instead of "want something to drink?". If you're that socially uncomfortable, pop a couple Xanax before talking to me. Or anyone. Or leaving your house.

This rant brought to you by my cold, Adobe InDesign and my idiot clients.

Dont really need that.

[Lumpy]

$2000.00 cash and you can pay off the cleaning service people to let you in dressed as them. EASILY, sometime for far less. those people are so underpaid yet have access to the most secure parts of the company you can get in, get past the security guards without a second look and you are allowed to root around in secure areas on camera as you are supposed to be under each desk cleaning out trash.

Install a few key loggers, come back in a week and harvest them. No problem and easily undetected at any corporation. They probably will never suspect you even after they get massive hacks later because security typically is also underpaid and way under trained.

Re:Hmm

[Anonymous Coward]

All back-end systems and PCs of all branches of that bank are connected to a single gigantic hub. In addition, all employees are constantly login and log from those systems using only non-encrypted protocols. The guy just had to plug his laptop and fire up his sniffer. Easy. Took him seconds.

for the sake of clarity

[Gary W. Longsine]

Lying is a specific tool, not a blanket term for the various types of deception which may be employed in social engineering. Perhaps you think it sounds self-important, but that assumes that the only people who use the term are engaged in the practice. I think the term sounds reasonably descriptive and emotionally neutral, unlike "scamming" for example, and allows for the possibility that some people may engage in social engineering for non-harmful purposes.

Not news... but still useful

[Khomar]

It's not really news as it is just reaffirmation that the weakest link in security is the human factor. It's been a known problem that someone could just walk in and pretend to be tech support/help desk/repair for as long as their has been computers.

While this is not technically "news", it serves as a good reminder and notice of warning. As mentioned in the article...

Combine catching the bad guy and letting an organization know this type of theft and criminal behavior really exists, and you get one of the best tools in educating employees about vigilance and how to be proactive in security.

Hearing stories like this raises awareness for all of us, and reminds us of different ways that we can be exploited so that we can avoid them. Just like learning from history, it is always better to learn from someone else's mistake instead of learning it the hard way.

Re:Just Check!

[QuantumRiff]

You would, but would your minimum wage receptionist? How about the custodian that has keys to everywhere? Would they know that someone had called ahead of time? Or would they just assume someone in another department called, and let them in?

And why is it that way?

[blueZ3]

Whenever I hear the usual rant about users having their password as a sticky note on their monitors, my instant reaction is "It's your fault, you goob!" I've worked lots of places where they've implemented a new "password security process" which requires you to switch your password regularly and which prevent you from using the same password for some ridiculous period of time and which disallow dictionary-based words/phrases.

Hello, McFly? Which is better: my having an easily-remembered but difficult-to-guess password that I never write down, or you forcing me to change my password frequently and then write it down because your policy makes me choose something obscure? My original password was fairly strong (a combination of upper and lowercase letters and numbers that are meaningful only to me) but when I'm forced to change to something new, it will be written down somewhere until it's committed to memory. Can you say "counterproductive"? How about "unintended consequences"?

Of course, I understand that a lot of these policies are based on out-dated recommendations and come down from on high. However, it would be nice if those making these "rules" to realize that most users have other things to do besides remembering a constantly changing set of passwords. Oh, BTW -- my new password is "theCIOsucks!" :-)

negative vs positive

[theStorminMormon]

I've been thinking about the article. It seems to me that such an abject failure to prevent a security breach could be more demoralizing than instructive. In most companies, the employees are not going to be security-savy, and they will not question a potential intruder. When the penetration test is successful everyone just feels stupid and slightly used. That's my guess at how the bank employees would react when the boss let them know that they got totally hacked.

Instead, for those bosses with less scruples, you'd probably get more bang for your buck by faking the penetration test. Hire some dude to try to get in, and arrange some employee to "catch" him. Then you get to circulate the news that you were successful because an employee did the right thing. I think the information would be just as instructive (always ask for outside confirmation of vendor reps), but instead of being depressing (you guys all failed to do the right thing) it could be empowering (it's easy to do the right thing, and one of you managed to do it).

Is penetration testing even worth the money for a system as obviously insecure as this one? If, as the article claims, these attempts succeed 9 times out of 10, then you don't need to pay for the penetration test to know your company will fail. Does a bank manager really need to pay someone to tell them the obvious? They should take some proactive steps towards security-enhancements first, and save the penetration testing for when they actually think they have a somewhat hardened system (social and technical) to penetrate.

-stormin

Re:Yikes! So much effort!

[mallgood]

My question is why would you ever need to get into the vault? Really. Look at the world, almost nobody uses cash any more. There isn't a reason to. You swipe your card and the transaction is done. All it means is that - tap tap tap - a dozen key strokes later and you have a bunch of money transfered into an account of your liking. Now whether you are smart enough to transfer it into the account of someone you don't like rather than your own is a different question.

teach employees?

[Lord Ender]

Teaching employees to police each other at the door does NOT help security. It does not work. All the awareness training in the world is wasted money because "politeness" is built in to our culture.

If I'm walking out the door, and someone coming in catches the door after I walk out, am I going to stop, turn around, go back in the building, stop the person on the way to the stairs, force him to follow me back to the badge reader, and wait to make sure his badge is accepted by the reader? No.

It will never happen.

Even if your security awareness training is so successful that 50% of your employees do this, an intruder only has to try twice to get in. You gain nothing.

Employee-enforced physical security is a farce. You will ONLY have real physical security if you have a dedicated security guard who checks every badge and photo-ID for every person entering the building.

Re:For the love of all things holy

[Anonymous Coward]

Yes it is lying, however its also quite a bit more than that.

Its a con. Plain and simple. Since you generally know the conversation and physical scenario that is going to take place, all that is needed is some improv. Thats why I state its a bit more than lying. You're feeding off of the targets lack of awareness, willfullness to give information, and general good nature, as 'everything seems to be in order' with your physical presence.

As far as distinction in vocabulary and vernacular of language, that would just gloss over any doubts the unwilling participant might have in most cases. Try that tactic against the wrong sort, and you will easily out yourself as an imposter.

neowun, have you actually manipulated people for fun, profit, or other? If not, you should try it sometime. It will give you a better sense of the spectrum that is 'social awareness' i.e., common sense.

Re:Yikes! So much effort!

[rvw14]

Why would you want to get into the vault? The amount of money a bank keeps on-hand is very small, and the penalty for getting caught is huge.

If you can get into the bank's internal network, you can get all sorts of information. Identity theft can net more money without the risk.

Re:Amazing!

[jacks0n]

moderator sarcasm

perhaps I wasn't clear enough

[Gary W. Longsine]

This kind of stunt gets people fired, and worse, gets people in serious legal trouble and ruins their reputations.

Doubt me? Ask Randal Schwartz. Unless I missed something, Randal has admitted his naivety, but not malice, concerning the matter of cracking passwords to demonstrate security problems to one of his clients. The client was not amused. Here is an example, from the first click in a trivial google search.

Intel v. Randal Schwartz: Why Care? [mabuse.de]
Clearly, Randal was someone who should have known better. And in fact, Randal would be the first Internet expert already well known for legitimate activities to turn to crime. Previous computer criminals have been teenagers or wannabes. Even the relatively sophisticated Kevin Mitnick never made any name except as a criminal. Never before Randal would anyone on the "light side of the force" have answered the call of the "dark side".
-- end quote --

Randal already had an established reputation as a happy friendly white-hat super star and has highly respected friends who can vouch for him. Would your own reputation be able to withstand a legal battle from a client, even if your intentions were pure? I submit that it may be best to specify in the tiger team's contract the use of techniques like password cracking and sniffing. Leaving a recoverd password on paper for any random employee to find is just a stupid, stupid stunt. Professional tiger teams carefully and jealously guard the evidence of their efforts, and share the results with the client in professional and secure manner. If you need to prove you were in the building, take a picture and leave a business card, not your client's password for crying out frigging loud.

There, that should be clear enough.

Re:Mac Addresses are easily faked

[imaginaryelf]

Mostly for ease of deployment. Assuming that everyone already has a VPN client for connecting from home or hotels, etc. Your users then don't have to do anything special like 802.1x for wireless but VPN for something else, and your administrators have one less variable to control.

Re:Hmm

[dave562]

A lot of things could be done, but unfortunately the reality of the situation 95% of the time is that IT staffs are so overburdened that they don't have time to activate all of the nifty little, wouldn't it be cool features that are out there. Sure you could impliment a managed switch, but then every time a NIC fails, or a workstation fails, you need to go reprogram the switch. It becomes just another thing to do on a task list that is already too long to begin with.

I'm not super knowledgable in the area of man in the middle attacks, but I'm pretty sure that he could just unplug the copier, plug in his laptop, and then spoof the MAC address on the copier. From there he just poisons the arp cache on the switch and voila, snifferic pwnz0rz.

Re:Employees are not conditioned to be security aw

[jandrese]

You've really hit on one of the big reasons why these social engineering tasks work. If you are "that guy" who insists on calling in everyone who comes into the office, you are also the reason the copier is still broken because he turned away the repairman at the door simply because the copier place's front desk didn't have easy access to the work schedules of the repairmen.

In a perfect world everyone would be competent and always available on the other end of the phone, but in the real world it can be a pain in the rear to find the right person at the other company who could verify that the technician you have is supposed to be there now, not to mention the cleaning staff and all of the other people who need access to your building. You could escort them, but most companies don't have enough dedicated security guards or people without work to do to watch over the guy for 2 hours while he works on some machinery. Even if they do, most of the people at your local bank would have no idea that what he's doing is actually sniffing passwords off of the network, not working on the copier. This guy went to plenty of trouble to make himself look like a copier repairman, he could have easily set up a "diagnostic" program on his laptop and plugged it into the copier's network port (when in actuality he's plugging the network cable into his laptop), and sniff passwords for some time.

That said: How much danger is his knowledge of the passwords? Obviously it isn't good, but what does that actually get you in the bank? Access to the printers and network shares? Without knowing the bank's IT setup it's hard to know how valuable that information is. Clearly he couldn't try to fire up a copy of their software on his laptop (if he even had it), because any teller walking into the copy room would no doubt recognize it and put up a red flag. Presumably the transactions from that software would be encrypted (at least I hope it would be), and they may have additional protections.

In a world full of thugs with guns I'd rather ...

[Anonymous Coward]

... let some security breech happen than challenging a stranger. My employer doesn't pay me enough to risk my life for one of his alleged secrets.

What these security auditing clowns are actually doing is not improving security, but putting untrained employees at risk by asking them to deal with potentially dangerous people.

Re:Yikes! So much effort!

[EaglemanBSA]

What bank is this? I want an account there.

Re:Yikes! So much effort!

[markov_chain]

What gets me is that he was able to sniff the president's login and password off a LAN. Seems like they need to do some work on their intranet security.

No harm done, (pat on back) and release. . .

[jhumkey]

Yes, testing was done by a "penetration tester". If he fails, he can NOT look forward to 20 years in jail and $1M fine for corporate espionage.

Its one thing to sling a few "bots" together from another continent and "see if you can get in" anonymously from the safety of your den or bedroom. Its takes quite another breed of individual to walk their living flesh in the front door and risk being taken out in handcuffs. To face felony theft in months of court time later. . .

Yes, its a valid demonstration of what is available if they make it in. . . I'm not sure its at all statistically or even operationally significant by any practical stretch. . .

Why should I risk my own freedom? How about instead of going in, I just wait will the branch manager comes out on his way home, club him over the head, and extract the passwords I need from him directly. After I've transferred a few hundred million to my bank account in an extradition free country (do we still have those? And can someone list them for me?) then I'd be all set.

Comparing the type of "in your face, willing to risk capture and jail-time" type of personality, with the "I'd like to stay safe at home" type of crime. . . seems too much Apples and Oranges comparison to suit my tastes.

How many 13 year old adolescent pimple faced copier repair men do you typically expect to see in your average work day? And how many "back alley club-you-over-the-head" thieves are pulling major-league cyber-crimes?

Apple crimes for Apple risk, or Orange crimes for Orange risk, but this is Orange risk for Apple crimes.

jkh

Re:Dont really need that.

[shadwstalkr]

Why pay them? Just fill out an application and make a few extra bucks while you prepare for your big heist.

He didn't say they succeed 9 times out of 10

[Von Rex]

Here's what he said:

Over the years and after doing several security assessments using social engineering techniques, nine times out of 10 we usually get caught when that one person says "I need to call someone about what you're doing." That call to confirm, usually raises enough suspicion to stop us from proceeding. And after that person realizes what they did, word travels real fast throughout the organization that they caught the "bad guy."

He's saying that, when they do get caught, nine times out of ten it's because someone wants to verify their presence with someone higher up. I don't think he said how often they actually do get caught.

Re:True story.

[Maxo-Texas]

And in this case, the airlock had a standard drop in tile false ceiling. The real concrete ceiling/floor of second story was 2' above the false ceiling.

He apparently reached up, grabbed the wall, pushed up the ceiling panel, and climbed up easily using the door handle to step on. It held him about 30 seconds.

Whose FA is this, anyway?

[haggais]

"That's right, the mod categories are just like the points on 'Whose Line' -- they don't mean anything..."