First-Person Account of a Social Engineering Attack 347
darkreadingman writes, "A penetration tester tells how he broke into a bank's network dressed as a copier repairman. Some good lessons here — many companies spend millions on network security, but don't teach their employees how to challenge a stranger in the building. Social engineering at the company site can be one of the most difficult attacks to defend against." From the article: "Before departing scenes like these, we try to document the effort and provide proof of our success. I usually leave something behind and then contact the person who hired me and direct them to the mark. In this case I wrote his password on a ream of paper and tucked it under the machine."
Not quite news (Score:2, Insightful)
Yikes! So much effort! (Score:5, Insightful)
I think it goes without saying that anyone getting into your office claiming to be someone they aren't is a threat. Hacker or otherwise, they can easily get information they want with a "hall pass" for the whole building.
Just Check! (Score:3, Insightful)
Simple enough. I don't know if I am parnoid or what, but if I recieved an unsolicited "service" for one of our machines I would double check with my contact for that company.
If some one is poking around who I do not know I will check it with my boss.
For the love of all things holy (Score:1, Insightful)
This rant brought to you by my cold, Adobe InDesign and my idiot clients.
Dont really need that. (Score:5, Insightful)
Install a few key loggers, come back in a week and harvest them. No problem and easily undetected at any corporation. They probably will never suspect you even after they get massive hacks later because security typically is also underpaid and way under trained.
Re:Hmm (Score:2, Insightful)
for the sake of clarity (Score:5, Insightful)
Not news... but still useful (Score:5, Insightful)
While this is not technically "news", it serves as a good reminder and notice of warning. As mentioned in the article...
Hearing stories like this raises awareness for all of us, and reminds us of different ways that we can be exploited so that we can avoid them. Just like learning from history, it is always better to learn from someone else's mistake instead of learning it the hard way.
Re:Just Check! (Score:3, Insightful)
And why is it that way? (Score:5, Insightful)
Hello, McFly? Which is better: my having an easily-remembered but difficult-to-guess password that I never write down, or you forcing me to change my password frequently and then write it down because your policy makes me choose something obscure? My original password was fairly strong (a combination of upper and lowercase letters and numbers that are meaningful only to me) but when I'm forced to change to something new, it will be written down somewhere until it's committed to memory. Can you say "counterproductive"? How about "unintended consequences"?
Of course, I understand that a lot of these policies are based on out-dated recommendations and come down from on high. However, it would be nice if those making these "rules" to realize that most users have other things to do besides remembering a constantly changing set of passwords. Oh, BTW -- my new password is "theCIOsucks!"
negative vs positive (Score:5, Insightful)
Instead, for those bosses with less scruples, you'd probably get more bang for your buck by faking the penetration test. Hire some dude to try to get in, and arrange some employee to "catch" him. Then you get to circulate the news that you were successful because an employee did the right thing. I think the information would be just as instructive (always ask for outside confirmation of vendor reps), but instead of being depressing (you guys all failed to do the right thing) it could be empowering (it's easy to do the right thing, and one of you managed to do it).
Is penetration testing even worth the money for a system as obviously insecure as this one? If, as the article claims, these attempts succeed 9 times out of 10, then you don't need to pay for the penetration test to know your company will fail. Does a bank manager really need to pay someone to tell them the obvious? They should take some proactive steps towards security-enhancements first, and save the penetration testing for when they actually think they have a somewhat hardened system (social and technical) to penetrate.
-stormin
Re:Yikes! So much effort! (Score:4, Insightful)
teach employees? (Score:5, Insightful)
If I'm walking out the door, and someone coming in catches the door after I walk out, am I going to stop, turn around, go back in the building, stop the person on the way to the stairs, force him to follow me back to the badge reader, and wait to make sure his badge is accepted by the reader? No.
It will never happen.
Even if your security awareness training is so successful that 50% of your employees do this, an intruder only has to try twice to get in. You gain nothing.
Employee-enforced physical security is a farce. You will ONLY have real physical security if you have a dedicated security guard who checks every badge and photo-ID for every person entering the building.
Re:For the love of all things holy (Score:3, Insightful)
Its a con. Plain and simple. Since you generally know the conversation and physical scenario that is going to take place, all that is needed is some improv. Thats why I state its a bit more than lying. You're feeding off of the targets lack of awareness, willfullness to give information, and general good nature, as 'everything seems to be in order' with your physical presence.
As far as distinction in vocabulary and vernacular of language, that would just gloss over any doubts the unwilling participant might have in most cases. Try that tactic against the wrong sort, and you will easily out yourself as an imposter.
neowun, have you actually manipulated people for fun, profit, or other? If not, you should try it sometime. It will give you a better sense of the spectrum that is 'social awareness' i.e., common sense.
Re:Yikes! So much effort! (Score:3, Insightful)
Why would you want to get into the vault? The amount of money a bank keeps on-hand is very small, and the penalty for getting caught is huge.
If you can get into the bank's internal network, you can get all sorts of information. Identity theft can net more money without the risk.
Re:Amazing! (Score:3, Insightful)
perhaps I wasn't clear enough (Score:3, Insightful)
Doubt me? Ask Randal Schwartz. Unless I missed something, Randal has admitted his naivety, but not malice, concerning the matter of cracking passwords to demonstrate security problems to one of his clients. The client was not amused. Here is an example, from the first click in a trivial google search.
Intel v. Randal Schwartz: Why Care? [mabuse.de]
Clearly, Randal was someone who should have known better. And in fact, Randal would be the first Internet expert already well known for legitimate activities to turn to crime. Previous computer criminals have been teenagers or wannabes. Even the relatively sophisticated Kevin Mitnick never made any name except as a criminal. Never before Randal would anyone on the "light side of the force" have answered the call of the "dark side".
-- end quote --
Randal already had an established reputation as a happy friendly white-hat super star and has highly respected friends who can vouch for him. Would your own reputation be able to withstand a legal battle from a client, even if your intentions were pure? I submit that it may be best to specify in the tiger team's contract the use of techniques like password cracking and sniffing. Leaving a recoverd password on paper for any random employee to find is just a stupid, stupid stunt. Professional tiger teams carefully and jealously guard the evidence of their efforts, and share the results with the client in professional and secure manner. If you need to prove you were in the building, take a picture and leave a business card, not your client's password for crying out frigging loud.
There, that should be clear enough.
Re:Mac Addresses are easily faked (Score:3, Insightful)
Re:Hmm (Score:2, Insightful)
I'm not super knowledgable in the area of man in the middle attacks, but I'm pretty sure that he could just unplug the copier, plug in his laptop, and then spoof the MAC address on the copier. From there he just poisons the arp cache on the switch and voila, snifferic pwnz0rz.
Re:Employees are not conditioned to be security aw (Score:3, Insightful)
In a perfect world everyone would be competent and always available on the other end of the phone, but in the real world it can be a pain in the rear to find the right person at the other company who could verify that the technician you have is supposed to be there now, not to mention the cleaning staff and all of the other people who need access to your building. You could escort them, but most companies don't have enough dedicated security guards or people without work to do to watch over the guy for 2 hours while he works on some machinery. Even if they do, most of the people at your local bank would have no idea that what he's doing is actually sniffing passwords off of the network, not working on the copier. This guy went to plenty of trouble to make himself look like a copier repairman, he could have easily set up a "diagnostic" program on his laptop and plugged it into the copier's network port (when in actuality he's plugging the network cable into his laptop), and sniff passwords for some time.
That said: How much danger is his knowledge of the passwords? Obviously it isn't good, but what does that actually get you in the bank? Access to the printers and network shares? Without knowing the bank's IT setup it's hard to know how valuable that information is. Clearly he couldn't try to fire up a copy of their software on his laptop (if he even had it), because any teller walking into the copy room would no doubt recognize it and put up a red flag. Presumably the transactions from that software would be encrypted (at least I hope it would be), and they may have additional protections.
In a world full of thugs with guns I'd rather ... (Score:1, Insightful)
What these security auditing clowns are actually doing is not improving security, but putting untrained employees at risk by asking them to deal with potentially dangerous people.
Re:Yikes! So much effort! (Score:2, Insightful)
Re:Yikes! So much effort! (Score:3, Insightful)
No harm done, (pat on back) and release. . . (Score:2, Insightful)
Its one thing to sling a few "bots" together from another continent and "see if you can get in" anonymously from the safety of your den or bedroom. Its takes quite another breed of individual to walk their living flesh in the front door and risk being taken out in handcuffs. To face felony theft in months of court time later. . .
Yes, its a valid demonstration of what is available if they make it in. . . I'm not sure its at all statistically or even operationally significant by any practical stretch. . .
Why should I risk my own freedom? How about instead of going in, I just wait will the branch manager comes out on his way home, club him over the head, and extract the passwords I need from him directly. After I've transferred a few hundred million to my bank account in an extradition free country (do we still have those? And can someone list them for me?) then I'd be all set.
Comparing the type of "in your face, willing to risk capture and jail-time" type of personality, with the "I'd like to stay safe at home" type of crime. . . seems too much Apples and Oranges comparison to suit my tastes.
How many 13 year old adolescent pimple faced copier repair men do you typically expect to see in your average work day? And how many "back alley club-you-over-the-head" thieves are pulling major-league cyber-crimes?
Apple crimes for Apple risk, or Orange crimes for Orange risk, but this is Orange risk for Apple crimes.
jkh
Re:Dont really need that. (Score:4, Insightful)
He didn't say they succeed 9 times out of 10 (Score:3, Insightful)
He's saying that, when they do get caught, nine times out of ten it's because someone wants to verify their presence with someone higher up. I don't think he said how often they actually do get caught.
Re:True story. (Score:4, Insightful)
He apparently reached up, grabbed the wall, pushed up the ceiling panel, and climbed up easily using the door handle to step on. It held him about 30 seconds.
Whose FA is this, anyway? (Score:2, Insightful)