First-Person Account of a Social Engineering Attack
darkreadingman writes, "A penetration tester tells how he broke into a bank's network dressed as a copier repairman. Some good lessons here — many companies spend millions on network security, but don't teach their employees how to challenge a stranger in the building. Social engineering at the company site can be one of the most difficult attacks to defend against." From the article: "Before departing scenes like these, we try to document the effort and provide proof of our success. I usually leave something behind and then contact the person who hired me and direct them to the mark. In this case I wrote his password on a ream of paper and tucked it under the machine."
The copier hole (Score:3, Interesting)
1st: Someone calls an office and says that copier supply cost will go up next month so stock up now. Then they charge you an arm and a leg for your order. (Most of the time toner and developer is covered under the service contract)
2nd: Sometimes, someone would call up and say that they don't like the new tech that we sent out. I would say "what tech, you don't have a call up on your machine?" then after a few minutes of back and forth they would realize that it was (a) for the other copy machine and not one from my company, or (b) someone was looking around the office without authorization. The scary thing is that this often happened at schools.
Later, at my next job, I nabbed someone pretending to be a copy 'service agent' at the front desk and fed them a line until they went away.
The moral of the story is be paranoid, ask for ID, make people sign in, never ever trust someone who just shows up and make sure all visitors are escorted at all times.
Some do (Score:2, Interesting)
Where I once worked we had students trying social engineering on us all the time. I was a student worker at the time and knew most of the tricks, but when anything new came along it had to go through the filter of common sense. If only 3 people have open access to certain systems, one of them must know of someone claiming they need access, but if you can't contact the other two, you simply stand your ground, bar access and say to the attempted intruder, "Sorry, can't let you in, but don't worry, not your fault. Whoever was granting you access failed to inform everyone." Pretty easy to see if they were trying to engineer me after that, depending how they reacted. If they were insistent then I'd call security which would make them change their tune pronto.
Common sense: If you don't know about some repairman, then it's not your fault when you turn them away.
Employees are not conditioned to be security aware (Score:5, Interesting)
I normally hire from one particular branch and drop it back off there and as a regular customer know each of the staff by name, however on this occasion I was dropping the car back at the airport.
After parking up a guy came from a car in another bay (for the same car company) and asked if I was dropping off one of their cars which I confirmed and told him it had come from my usual branch and not the airport. He asked to see the paperwork and did a check over the car - not a problem. After he gave me the paperwork back he asked for the keys. Since I didn't know him and he wasn't even wearing a uniform I asked to see ID, he couldn't provide it and all he did have was a stack of paperwork with the company letterhead in a file.
Well I'm afraid that isn't really good enough proof of ID - I told him I'd drop the key off at their desk (which is opposite my check in desk) since I had no way to know if he was an employee or not.
After dropping the key off at the office of the car company in the airport it turns out he was a legitimate employee but the question of ID has never come up.
I saw some of the other cars there - they are always brand new and while I usually take something like an Astra or a Vectra this being the airport car park had several Jags and a Merc or two. It seems it would be a VERY easy way to obtain a few cars... park up, inspect the car, ask for the key.
Even if you get pulled over by the police you would just have to say it's a hire car - a check of the registration would confirm that - these companies really should be a little more careful of their security!!
No DHCP! (Score:3, Interesting)
At my previous job, DHCP was not used for printers. In fact, you could not plug into any port and get a connection. Everything was locked down by MAC address and every printer was given a specific IP address. Even the pc ports were locked by MAC address.
Sadly, my current place of employment does not follow this rule. Anyone could do what the article talks about except that our security guard is pretty good about calling someone if a technician shows up and says they have to do something. If that happens, I am usually the one who goes down and finds out what's going on. Since I work in IT, I would know if what the person is saying is true or not.
True story. (Score:5, Interesting)
1) He broke into a top nuclear facility by holding a box and asking the person ahead of him to hold the door.
2) He set off the "man trap" and found he could easily climb out of it.
3) He found out the heavily secure facility had secure areas protected by sheetrock walls in some areas.
He finally embarrassed so many people that they posted a picture of his face to all employees with a warning to be careful. That destroyed his effectiveness. Some solution.
But that's the real world for you.
Re:Yikes! So much effort! (Score:2, Interesting)
How about this: I _HAD_ a user who made the MS Flying banner hold his password. I would have never believed it had I not seen it myself.
Re:And why is it that way? (Score:5, Interesting)
I went from very secure passwords to insecure passwords written down on paper slips as a direct result of our security policy.
1) Change every 90 days (up from 60 at least. That was really bad).
2) no repeating letters or numbers
3) no letter or number in the same position as last password.
4) must have a number
5) not be a word in a dictionary
Starting password something like
YuL1P3729 (the last 4 digits were what changed- they were an old phone number- I slid through it horizontally)
Current password something like
secre1t
I have about 8 passwords.
And they are all on a yellow sticky on my desktop.
More than just social security problems here... (Score:2, Interesting)
> I then disconnected the network cable from the copier/printer and attached my laptop. As soon
> as my laptop booted up, DHCP provided a network address and I was on the internal network.
This should never be. In the first place, DHCP should not hand out an internal-network address to any old network card that comes calling, and in the second place, the copier should probably be isolated from any important or sensitive subnets by a firewall that should only pass the sort of traffic needed for printing/copying/scanning functions, and only if it's coming from the copier's IP address. Discovering the copier's IP address, in order to use it, would be easy enough (our copier has an easy menu interface for configuring that, for instance), but it's an extra thing the attacker has to do, and it should still only get him the ports that the copier normally uses. Defense in depth demands that you erect whatever barriers you can.
Furthermore...
> I started a few of our utilities and started sniffing the traffic on the network.
> Within seconds I had a variety of logins and passwords,
Ack! Switches cost, what, a whole extra fifty cents per port, as compared to hubs? WHY would anybody with anything significant to protect be running an unswitched network? Bad network engineer, no cookie.
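The two posts above (the "No DHCP!" one and this one) both argue that a DHCP server should not hand an internal address to any MAC that plugs into a copier's wall port. The following is an added example, not code from the article or from either commenter: it scans constructed ISC dhcpd syslog lines for leases granted to MACs outside a printer-VLAN inventory, and emits the dhcpd `deny unknown-clients` plus fixed-address `host` stanzas that would have refused the stranger's laptop in the first place. The MACs, hostnames, addresses and log lines are all made up for the example.

```python
import re
from collections import namedtuple

# Constructed ISC dhcpd syslog excerpt: two copiers get their reserved leases,
# and an unknown laptop plugged into a copier port gets a dynamic one.
SAMPLE_LOG = """\
Mar  3 09:12:01 dhcp1 dhcpd: DHCPACK on 10.0.20.10 to 00:11:22:33:44:55 (copier-3f) via eth1
Mar  3 09:14:47 dhcp1 dhcpd: DHCPDISCOVER from 00:0c:29:aa:bb:cc via eth1
Mar  3 09:14:48 dhcp1 dhcpd: DHCPOFFER on 10.0.20.57 to 00:0c:29:aa:bb:cc (laptop) via eth1
Mar  3 09:14:48 dhcp1 dhcpd: DHCPACK on 10.0.20.57 to 00:0c:29:aa:bb:cc (laptop) via eth1
Mar  3 09:20:05 dhcp1 dhcpd: DHCPACK on 10.0.20.11 to 00:11:22:33:44:66 (copier-4a) via eth1
"""

# Constructed inventory of devices that belong on the printer VLAN: MAC -> (name, fixed IP).
PRINTER_INVENTORY = {
    "00:11:22:33:44:55": ("copier-3f", "10.0.20.10"),
    "00:11:22:33:44:66": ("copier-4a", "10.0.20.11"),
}

# Matches the DHCPACK line dhcpd logs when it commits a lease.
ACK_RE = re.compile(
    r"dhcpd: DHCPACK on (\S+) to ([0-9A-Fa-f:]{17})(?: \(([^)]*)\))? via (\S+)"
)

Finding = namedtuple("Finding", "ip mac hostname iface")


def unknown_leases(log_text, inventory):
    """Return every committed lease whose MAC is not in the inventory."""
    findings = []
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if not m:
            continue  # DISCOVER/OFFER lines carry no committed lease
        ip, mac, host, iface = m.groups()
        if mac.lower() not in inventory:
            findings.append(Finding(ip, mac.lower(), host or "", iface))
    return findings


def reservation_config(inventory, subnet="10.0.20.0", mask="255.255.255.0"):
    """Render a dhcpd.conf fragment that only serves the inventoried MACs.

    No 'range' is declared, so there is no dynamic pool at all; each copier
    gets its reserved address and unknown clients are refused outright."""
    out = [f"subnet {subnet} netmask {mask} {{", "  deny unknown-clients;", "}"]
    for mac, (name, ip) in sorted(inventory.items(), key=lambda kv: kv[1][0]):
        out.append(f"host {name} {{ hardware ethernet {mac}; fixed-address {ip}; }}")
    return "\n".join(out)


if __name__ == "__main__":
    for f in unknown_leases(SAMPLE_LOG, PRINTER_INVENTORY):
        print(f"ALERT: lease {f.ip} to unknown MAC {f.mac} ({f.hostname}) on {f.iface}")
    print(reservation_config(PRINTER_INVENTORY))
```

Isolating the copier's IP behind a firewall that only passes print and scan ports, as the post describes, is the second layer; the reservation-only DHCP config above is the first.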
Re:True story. (Score:3, Interesting)
Shit, I'd fire then sue them.
Re:True story. (Score:3, Interesting)
So they hire your friend to pen test their security and, rather than implement his findings, they made up a "wanted poster" and did nothing else? What was the point of hiring him in the first place?
If you call them on it, people get upset. (Score:5, Interesting)
Some months back, I saw some people working on the phone lines outside my house. They knocked off my DSL connection, so I went out to see what they were doing. They didn't have an SBC truck, so I asked to see their ID. Classically, telcos were very careful about issuing picture IDs to all employees authorized to meet the public or work on plant. There's even a notice in most telephone directories about it, telling customers that all telephone employees are required to carry a telco photo ID.
They didn't have SBC IDs. So I called SBC repair service via a cell phone. They didn't have a clue. So I called 911 and had the local cops come out. They ask the guys for phone company ID, and the techs don't have it. Twenty minutes of confusion as the techs and the cops are calling various parties.
Turned out that SBC had quietly been "outsourcing" some routine outside plant work, and had been sloppy about issuing credentials to the outsourcing contractor. Tied up four techs and two cops for half an hour to straighten that out.
That's what happens when you do it right. Annoys everybody.
Re:And why is it that way? (Score:5, Interesting)
All of which is really a distraction. Sticky notes on the monitors? If someone's that close they can install a hardware keylogger in a matter of seconds or RAT and rootkit the machine with a live CD in a few minutes. The only security improvement you get from taking down the sticky notes is against casual or opportunistic attacks, which is not nothing, but face the fact that physical access means Game Over.
Re:teach employees? (Score:2, Interesting)
That's why we have a revolving door with a weight sensor. If a second person enters, the door goes backwards and pushes you out.
Re:Not quite news (Score:3, Interesting)
I had a job on Wall Street many years ago. And I consistently caught people who were trying to get info about our mainframes or dumpster diving. I ended up putting in a strict policy, and I was able to buy one heck of a shredder (this THING was as big as a wide screen TV and could eat your hand if you were not careful).
I still do my transactions there because the guy I left in charge was more paranoid than I was.
onepoint
Re:True story. (Score:5, Interesting)
Most nuclear power facilities are run by private companies, but a separate government organization is responsible for safety inspections. When a government inspector finds something wrong, the company involved can face massive fines.
I know a guy who was an inspector at our local nuclear power plant. He said that once he found a guard sleeping so he went and got the supervisor so it could be documented. On the way back, he said the supervisor was talking loudly and stomping his feet. Not surprisingly, the guy was awake when they reached him, and consequently, that supervisor saved the power company a couple hundred thousand dollars. He did learn his lesson, and in later similar situations would only tell supervisors to come with him and not the reason. :)
Re:And why is it that way? (Score:3, Interesting)
This is veering dangerously OT, but here's what has worked (so far!) for me: I had a nice, secure password that I never wrote down. When they made me "change" it regularly, I started using the same password but with my right hand shifted one letter down on the keyboard. 6 months later, shift the other hand down. 6 months later, shift the right hand outward. I intend to move around in this fashion until I can return both hands back to home position.
The only part that requires brainpower is "what to do when I exceed the keyboard area" - for now, I simply don't travel any further: "dR" becomes "e$" becomes "3$" as the left hand moves up. I can't quite get myself to consider the kbd as toroidal.
As an interesting side effect, I cannot actually tell you what my current password is. The best I could do is rattle down what would be a string of letters, numbers and symbols if your hands were in home row and how to move your hands before typing it.
Re:Yikes! So much effort! (Score:3, Interesting)
I am a private IT consultant and I was recently contracted by a Fortune 500 insurance company subsidiary on a very minor issue (2 days). I was hired through an ad on an online bulletin board. The president of the company hired me over the telephone without requesting any references or inquiring about background, education, or even aptitude with the systems they had in place.
Upon arriving for the appointment, I was led into the server room and immediately left alone, laptop in hand. I left the first day with a company laptop in hand unchallenged. The reason I was taking it was because it was being used as a spam zombie and needed to be reformatted. This laptop had been syncing with the company's entire ACT database and contained other sensitive information as well.
When I informed the president that this data had very likely been compromised and that he should take some action to mitigate the repercussions of this, he just shrugged and informed me that the employee responsible for that laptop no longer worked for the company. He obviously had no intention of following through on any of my recommendations.
Needless to say, I will never be one of their clients.
Re:negative vs positive (Score:2, Interesting)
Disclaimer: OK, this is actually a sea story so it may only have elements of truth, but it sounds cool.
The military conducts security/pen testing of bases regularly. The Navy has SEAL teams which are sent in to infiltrate, kidnap senior officers, capture security posts/armories, etc. in the manner that a terrorist or foreign military might try. To minimize the chances of someone getting shot, base commanders are informed that a test will be conducted (although not in much detail or exactly when for obvious reasons) and the SEAL teams are ordered to surrender if caught. Usually it doesn't matter- the SEALs get on base and take control easily despite the advanced warning, most of the time without any challenge or questions asked.
At one base, however, the CO was a bit smarter than usual. He wasn't allowed to tell anyone that a security test was pending so he decided to issue flight deck whistles (for those of you who haven't served, they are EXTREMELY loud) to all base personnel. Orders were that if they saw anything suspicious they were to blow the whistle and keep it up until security arrived, with no repercussions for good-faith false alarms. Anyone hearing a whistle was to blow THEIR whistle, and so on, until relieved by Mardet. Sure, there were a few times when someone misconstrued something innocent and brought a truckload of Marines around to investigate, but the payoff was when the SEALs finally did try to sneak on the base. A sailor thought something didn't look right and blew his whistle, the Marines responded, caught the SEAL team, alerted the entire base to the ongoing security breach, and the whole pen test was over in about half an hour.
Re:Hmm... (Score:3, Interesting)
The author of the other site I linked to argues that just because people use the word irony incorrectly and this has become popular, it doesn't make it correct. It's like asking if enough people misspelled "lose" as "loose", would the definition of the word "loose" change as a result?