Social Engineering: People Hacking

Transcription

1 Social Engineering: People Hacking Historically speaking, humans have always been great social engineers. You d have to agree that it probably started out around the time when the first caveman husband told his wife that she wasn t fat and, in fact, looked fitter than her wedding day in that latest dinosaur-skin dress of hers. While this is, debatably, less malicious, history has witnessed more spiteful incidents of social engineering. As far back as the 1600s, George Psalmanazar falsely claimed to be the first Formosan to visit Europe and even wrote a successful book on Formosa. Jefferson Smith, better known as Soapy Smith, sold bars of soap to onlookers duping them into believing that some of the lucky bars had money strung to them. Victor Lustig is best known as the man who sold the Eiffel Tower twice. More recently, Frank Abagnale, whose exploits were immortalized in books and movies, committed forgery in 26 countries and assumed multiple identities, all before he was 21 years of age. Manipulation of words or actions to build up a false sense of trust and confidence and ultimately evoke a desirable response is known as social engineering. This, however, has taken a sinister turn in the modern world where we depend on technology and lightning-fast communications. The rules are still the same, but the consequences are more severe. People Hacking Social engineering aims to exploit the weakest link in information security people. Just as in historical examples in which people were manipulated into meeting one s ends, social engineering is grounded in the same principle. Yet social engineering does not necessarily need the use of technical methods. By nature, people tend to be helpful and polite. Social engineering techniques take advantage of this intrinsic nature to manipulate people into divulging sensitive information. In fact, many people who divulge information do not really think they are even giving away anything too critical. The social engineer s goal then is to put pieces of information, gathered from various sources, together. In ancient times, assassins used extremely subtle information gathering techniques and spent several months in preparation for the final assassination attempt. Pieces of seemingly innocuous information were assembled in this pursuit and ultimately led to fatal consequences for a number of kings and men of power. Social engineers in the modern day use a very similar modus operandi. Organizations today spend heavily on their information security infrastructure and employ the latest and best technological advancements in security. However, security is only as strong as the weakest link. If the human firewall is weak, an organization will fall prey to the oldest tricks in the book. The expensive technical security infrastructure will be rendered useless if social engineers can have their way through people hacking.

2 Old Dog, New Tricks To combat social engineering, it is important to understand the tricks that social engineers use. One needs to know the way a social engineer thinks and operates to protect against the threat of social engineering. Let us take a look at some of the common methods employed by social engineers: Pretexting Social engineers often create a believable pretext to dupe their target into divulging precious sensitive information. The creation of such a pretext is often the result of serious planning and homework. The main objective for the social engineer is to be able to establish a sense of legitimacy in the mind of the target victim. Human emotions like fear, guilt, sympathy, confusion, intimidation, flattery, and friendship are a social engineer s best friends when pretexting. For instance, nobody would want to mess with an enraged vice president, especially one that you ve never even seen before. A fire marshal coming in to inspect your workplace would obviously be an intimidating uniform-clad authority to challenge. It could sometimes be as simple as a social engineer putting up a pitiable face asking for your help, without which he/she would be completely lost. A typical example of pretexting is a social engineer pretending to call from your cellular telephone provider informing you that you need to pay for $5000 worth of international calls that it claims you made. Since you are completely taken aback at the accusation, your thoughts are in disarray. The caller then steps up to provide the much-needed support by telling you that he/she will waive the amount you owe and place a hold on your account to prevent further calls of the kind. However, he/she tells you that you need to confirm your credit card details for identification purposes. You then quickly provide your card details, and the social engineer s job is done. Social engineering techniques in pretexting are highly evolved today. Social engineers use acronyms and company jargons to target organizations, lending great credibility and believability. One technique involves social engineers recording the target organization s on-hold music. The social engineer then calls someone at the organization posing to be a co-worker at the same organization. He/she then tells the person to hold the line because there is another call on line two. The on-hold music is then played to the listener who then is inclined to believe that the caller works for the same organization. The use of Voice over IP (VoIP) technology today even allows a caller to spoof the caller ID to show up as a number from within the target organization. Such meticulous arrangements could fool even the well-prepared. Phishing and Spear Phishing Phishing techniques have become all too common. It is likely that anyone who owns an account has received at least one phishy . These s look highly legitimate and solicit personal information. Often, these s will appear to come from commonly used services and websites like ebay and PayPal. The may have a link that takes the unsuspecting target who clicks on it to a webpage that looks strikingly similar to the original. The webpage would contain a form that asks for all levels of personal and account details.

3 Again, human emotions play a critical role in phishing. Social engineers often add presumed credibility on their s by asking the target to validate his/her account, failing which it will be blocked permanently. Alternatively, the e- mail could state that the account has already been blocked and that the recipient needs to click this link to go to the activation page. Vishing The Nigerian scam, also called the 419 scam, has been a menace in the history of social engineering. The scam uses an e- mail to persuade the target into divulging advance sums of money with the lure of an unclaimed will or lottery money amounting to millions of dollars. This scam has utilized a wide array of variations over the years, to great success. Spear Phishing techniques are very similar to phishing, except that these are more targeted and often directed at organizations. Legitimacy, in this case, is established with the help of information gathering. For instance, a social engineer could find out that an organization uses ADP services for payroll. The social engineer would then craft his/her spear phishing as if it was being sent by ADP to employees within the target organization who are on payroll via ADP. The would state that the employee s payroll was not processed and that this situation could be sorted by clicking this link and logging in. Few individuals would want to mess around with their payroll. A relatively new development in social engineering that is fast gaining ground is vishing. Vishing uses interactive voice response (IVR) systems to dupe a target into divulging personal information such as card details, Personal Identification Numbers (PINs), and Social Security numbers. Typically, legitimate IVR messages and commands are recorded by social engineers and then played back over a toll free number that targets are enticed to call using an advertisement/notification of some sort. Alternatively, social engineers could design an automated calling system wherein a string of telephone numbers are fed into the system and the system sequentially calls the numbers in an automated manner. The system plays a recorded message which asks a target to renew or validate his/her services with a popular bank/credit union/service. The IVR commands are then played to make the target enter the much-valued personal information. Malicious Code Social engineers at times also send out s that have attachments enticing the target to open them. The pretext could be a failed UPS package delivery, an important work-related file, free Britney Spears wallpaper, a critical anti-virus upgrade from your tech support team, or even an I love you letter. The target that succumbs to the message opens the attachment which contains malicious code like a keylogger, Trojan, backdoor, virus, or worm. Malicious code has evolved to become highly intelligent these days. Such code is designed to detect and respond to a target s suspicions and relevant actions.

4 Dumpster Diving A great supplement to technical methods of social engineering is dumpster diving. The technique involves literally rummaging through the target s garbage for confidential information. While this technique may sound dirty, it is a highly rewarding one. One possible reason for the widespread use of this technique is its non-technical nature. Social engineers may even use pretexts to support their dumpster diving initiatives. These include posing as a salesperson, a law enforcement officer, pest control, a repairman, or a technician. Posing as a cleaner could prove to be one of the best pretexts a social engineer can adopt. A cleaner usually comes in after work hours when there are no suspicious eyes scanning the workplace. A social engineer usually looks for targeted information using dumpster diving. This includes confidential reports, sales forecasts, salary data, network diagrams, source code, configurations, internal communications, post-it notes, and discarded applications. Something as simple as a full departmental telephone list is often a social engineer s dream. Shoulder Surfing and Piggybacking As the name suggests, shoulder surfing involves stealthily observing the target to obtain or deduce confidential information. This is usually done to observe password keystrokes on a keyboard or a PIN entered into an ATM machine. Expert social engineers have even been known to observe and memorize signatures. A social engineer does not necessarily need to have a full view of a keyboard or an ATM keypad. This would actually be undesirable, considering that social engineers try to be inconspicuous. Positional awareness of keys can be a helpful tool for social engineers. A technique that follows similar principles is called piggybacking. Social engineers use piggybacking to get physical access to premises. Preying on common politeness, this is generally accomplished by stealthily slipping into the premises along with another authorized individual, when the authorized individual is kind enough to hold the door open for the social engineer. Quid Pro Quo The quid pro quo technique involves giving something to get something in return. A survey 1 once found that more than 70% of people would reveal their computer password in exchange for a bar of chocolate. Even more surprising, 34% of the respondents of the survey volunteered their password without even needing to be bribed. As an example of this technique, a social engineer would call a target posing as a technical support agent. The social engineer finds a harassed soul who is grateful that someone is calling back from his/her service provider. The social engineer then directs the target to type some commands that gives him/her full access to the target s computer or even has malicious code installed onto it.

5 Baiting Imagine that you re finishing up with lunch in the break room and you notice a CD lying on a table. The CD has your company s logo on it and has Layoffs 2009 Private and Confidential printed on it. You re all alone in the room and decide to take the CD to your office. You open the CD and you find that it s exactly what you thought it was. The CD contains an excel file that has a list of employees, perhaps the ones you think are to be laid off. The names of the excel file are not familiar, but you work for a big organization so you assume they are all legitimate. You are thrilled to see that your name is not on the list. This is a perfect baiting scenario. A script installed a keylogger on your computer when you opened the excel file. All your keystrokes are now being logged and sent via lightweight text s to a social engineer sitting in a remote location. Baiting is a highly potent weapon in a social engineer s arsenal and can have devastating effects for a target. Con Repellent While social engineering is a very real and ominous threat to organizations, employing the right countermeasures in the right way can fortify an organization very effectively against social engineering threats: Policies and Procedures Policies and procedures provide a solid foundation to counter the threat of social engineering. Having specific policies and procedures that are clear, concise, and well-documented is the first step. The critical second step is consistently enforcing these policies and procedures. Organizations should make it well-known internally that non-compliance will be dealt with strictly. Further, policies and procedures need to be highly comprehensive and all-inclusive. These need to have a long-term vision and factor in the future of the organization, including a growth in size. Training and Awareness An organization s employees are the very first line of defense against social engineering and yet are, more often than not, the weakest link. Training your employees is the best possible investment you could make to combat the threat of social engineering. An employee with an awareness of social engineering techniques will be able to proactively identify the traps and pitfalls commonly used. Employee training and awareness programs should be tailored to meet audiences of varying technical levels. The human firewall can be strengthened by making employees fully aware of the organization s policies and procedures. Targeted and focused programs are the most effective long-term tool against social engineering.

6 Social Engineering Engagements The best way to beat a social engineer at his/her game is to be one. Social engineering engagements performed by experts are highly effective in exposing your organization s vulnerability to social engineering attacks. These engagements use the same techniques used by social engineers to test an organization s level of preparedness. Any awareness and training program employed by an organization needs to have a focused direction. Social engineering engagements provide this direction. These engagements give an organization a clear picture of exactly where it is vulnerable. Awareness and training programs can then be directed to address these specific areas and ultimately lead to a well-prepared organization. Awareness Tools When using awareness and training programs, awareness tools should be employed to make the entire learning process more interesting and engaging. Articles and newsletters about security are one way of spreading awareness in an organization. Webcasts and podcasts are other tools that could be made available on the organization s intranet. Humorous posters are another means of communicating messages about social engineering. Periodic quizzes, seminars, presentations, and live demos are other successful methods of spreading awareness. An organization could also hire a team of professional social engineers to perform tests and present their results to the employees. Such interactive sessions are often entertaining, eye-opening, and highly educational. Overall, awareness tools should instill an environment of security in the organization to encourage everyone to accept security as a personal responsibility. Hack-Proof Your People Social engineering has proven to be the wake-up call for all those who believed that technology alone could solve the problem of information security. In fact, users of all security measures will always be the weakest link. While investing in your organization s information security infrastructure, do not forget to hack-proof your employees. Amateurs hack systems, professionals hack people. - Bruce Schneier References

7 ERM wants to hear from YOU. With this edition of our newsletter, we re rolling out a new format and new features. Tell us what you think! What features or topics would you like to see covered in future issues? Who else should receive this newsletter? Your feedback is welcome and encouraged. Please send your comments to editor@emrisk.com. Enterprise Risk Management: At a Glance ERM brings clients the highest level of expertise to assess and address risks, comply with standards and regulations and mitigate risks, using integrated and reasonably priced security services and solutions. Our practice provides organizations with the tools they need to address the compliance and risk management issues of today, as well as the broader and ever-increasing security challenges of the future. Services IT Security Regulatory Compliance IT Audit Computer Forensics Risk Management Attestation Certifications Certified Public Accountant (CPA) Certified Information Systems Security Professional (CISSP) Certified Information Systems Auditor (CISA) Certified Information Systems Manager (CISM) Certified Information Technology Professional (CITP) GIAC Security Essentials Certification GIAC Systems and Network Auditor Qualified Security Assessor (QSA) Approved Scanning Vendor (ASV) Some of our Clients ABN-AMRO Private Banking Bacardi-Martini, Inc. Bancafe International Banco Industrial de Venezuela Banco ITAU Bank United Caja Madrid Bank Carnival Cruise Lines, LLC CitiBank Coconut Grove Bank Commerce Bank E-data Financial Florida International University Florida Power & Light Company Heico Aerospace Helm Bank Knight Ridder Nova Southeastern University Rinker Materials Rudy, Exelrod & Zieff, LLP Seabourn Cruise Line TecniCard, Inc. The International Bank of Miami TransAtlantic Bank U.S. Century Bank For more information, visit info@emrisk.com Phone: Douglas Road North Tower, Suite 835 Coral Gables, FL 33134