First-Person Account of a Social Engineering Attack
darkreadingman writes, "A penetration tester tells how he broke into a bank's network dressed as a copier repairman. Some good lessons here — many companies spend millions on network security, but don't teach their employees how to challenge a stranger in the building. Social engineering at the company site can be one of the most difficult attacks to defend against." From the article: "Before departing scenes like these, we try to document the effort and provide proof of our success. I usually leave something behind and then contact the person who hired me and direct them to the mark. In this case I wrote his password on a ream of paper and tucked it under the machine."
That's the same combination I use on my luggage.
I think a bank requires a little more awareness on the part of the staff than most offices.
That's an understatement. My wife's bank doesn't even have wastebaskets at teller stations, for fear that an account number could end up in the dumpster out back. All paper is either quickly shredded or couriered daily to a processing center. Loose sheets - even a sticky note - are verboten.
Each teller has a binder on hand that contains security procedures specific to the teller. When one teller accidentally grabbed another's binder a few months ago, the whole branch had to do a security update, which included a two-hour procedure to change the vault codes.
Who modded this insightful?
This is funny, mods... funny. Not insightful.
It's like an airlock: two doors in series, only one of which can open at a time. Crooks hate things that could slow down a getaway and if you implement your access check on someone in the middle with both doors locked, well, if they're a crook you've got them in custody.
Card printers with stripe encoders are fairly inexpensive. In 2000, I picked one up for a previous employer for $400.
However, also being the guy who ran the prox card access system, I can tell you this: Prox cards are not easy to reprogram. They are usually hard coded with technology that resembles a primitive form of an RFID chip and a small battery that only energizes when in the presence of a mildly strong magnetic field (more than kitchen refrigerator magnets, but not as strong as the rare earth magnets you can buy for cheap), has a transmit range of 6 inches, and is attached to an antenna/induction coil loop that circles the length of the card about 5-10 loops.
There's a reason you don't leave a prox card on top of an unshielded stereo speaker... Not only does the stripe become scrambled over time, but the battery, which is constantly in the range of the magnetic field, will stay energized and keep broadcasting the signal until.... well, until it's dead. Typical prox cards are specced for about 10-20 accesses per day, with a usable lifespan of 5 years.
Prox cards from HID (one of the biggest manufacturers of prox security equipment) are sold with a two-fold identifier: 4-digit site ID, and 6-digit card number. Yes, these are both printed on the card. Yes, HID keeps track of which company owns which site ID, so they can sell further stock in the future with the same site number...and also so they don't sell the same site number to someone else in the same region.
Prox reader controllers (a closet component that is what the readers are wired to, each controller capable of holding a token-style chain of 127 modules that can each control up to 8 doors per module) are programmed to accept only a certain set of site IDs. They keep a local database, updated at regular intervals (anywhere from 15 mins to an hour) from the master controller, a server, of what card numbers within each site are allowed to access a specific reader/door combo.
If communications to the server are down, the controller tries to contact the nearest controllers it knows about (up to 255), which also keep the same database. If no redundant communication to other controllers or to the server is available either, the controller maintains its current memory and security settings for 72 hours from the last communication. After that, no access is allowed at readers until communications are enabled again and a database synch is performed.
Of course, this info is all dated to 2002, for Andover Controls security systems... but is pretty much standard to all prox systems.
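As an added illustration (not code from the post or from Andover Controls), here is a small Python model of the controller behaviour described above: accept only configured site IDs, check the locally cached per-reader allowlist, and fail closed once the cache is more than 72 hours old. Site IDs, card numbers, reader names and timestamps are all constructed for the demo.

```python
from datetime import datetime, timedelta

# Fail-closed window from the post: after 72 hours without a sync, deny all.
STALE_AFTER = timedelta(hours=72)


class DoorController:
    """Toy model of a prox door controller with a locally cached database."""

    def __init__(self, accepted_sites, last_sync):
        self.accepted_sites = set(accepted_sites)   # site IDs this site owns
        self.allowlist = {}                          # reader_id -> {(site, card)}
        self.last_sync = last_sync                   # time of last server sync

    def sync_from_server(self, allowlist, now):
        """Replace the cached database after a successful sync with the server."""
        self.allowlist = {r: set(cards) for r, cards in allowlist.items()}
        self.last_sync = now

    def decide(self, reader_id, site_id, card_no, now):
        """Return 'allow' or a 'deny: <reason>' string for one card read."""
        if now - self.last_sync > STALE_AFTER:
            return "deny: cache stale, resync required"
        if site_id not in self.accepted_sites:
            return "deny: foreign site ID"
        if (site_id, card_no) not in self.allowlist.get(reader_id, set()):
            return "deny: card not authorised for this reader"
        return "allow"


def demo():
    """Walk one controller through a sync, normal use, and a long outage."""
    t0 = datetime(2002, 1, 1, 8, 0)                  # constructed timestamp
    ctl = DoorController(accepted_sites={"0042"}, last_sync=t0)
    # Constructed database: one card allowed at the lobby reader only.
    ctl.sync_from_server({"lobby": {("0042", "000123")}}, t0)
    return (
        ctl.decide("lobby", "0042", "000123", t0 + timedelta(hours=1)),
        ctl.decide("lobby", "0099", "000123", t0 + timedelta(hours=1)),
        ctl.decide("vault", "0042", "000123", t0 + timedelta(hours=1)),
        ctl.decide("lobby", "0042", "000123", t0 + timedelta(hours=73)),
    )


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```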
And ironically your insightful comment was modded funny.
I agree. The only real things of value stored in vaults these days are in safety deposit boxes. Even then, when you're looking at a wall of a couple hundred boxes, you've got several challenges.
You need to get into the vault alone. Every time I've ever gone to add/remove stuff from my SDB I've been escorted into the vault, where I was put into a small room while they unlocked the safety door to the vault, not the big solid door, but a smaller internal door. On this door was a lock. Also the whole area is covered by security cameras.
0. Get into area around vault and provided the main door isn't locked, defeat lock on internal door.
1. Your time is limited so you'd need to know in advance which boxes you were going to attack.
2. Unless you've figured out a way to get keys, you've got to defeat a minimum of 2 locks per SDB quietly. Needless to say, I suspect they'd think it a bit odd if they heard drilling coming from the vault.
3. Stash the loot.
4. Replace and relock SDB doors
5. Get back into the area around the vault and relock the internal door.
Yes Francis, the world has gone crazy.
Company politics.
And they were reasonably clever about it.
They didn't say "WARNING! THIS MAN IS DANGEROUS!" they said something like "This man is our new security officer. Make sure you help him out and ensure we follow all security requirements!"
She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
Ack! Switches cost, what, a whole extra fifty cents per port, as compared to hubs? WHY would anybody with anything significant to protect be running an unswitched network? Bad network engineer, no cookie.
The switches, they do *nothing*! (See the various attack methods for turning a switch into a hub on the fly, then sniffing all traffic.)
The better question is why the company is sending passwords in the clear in the first place. Just about every protocol under the sun can be encrypted now. And in an all-Windows shop, you can tell the servers to only use IPSec for talking to the WinNT / Win2k / WinXP clients.
Wolde you bothe eate your cake, and have your cake?
Consider two propositions.
(1) Not all lying is social engineering.
Lying, by definition, is making a statement believed to be untrue with the intent to deceive another (see: lie); therefore all lying might be considered a form of social engineering, using the most inclusive possible definition for "social engineering". However, one might consider that there are types of lying which do not really have a useful purpose (e.g. pathological lying) and which are not employed to seek a gain, and these types of lying might be considered to fall outside of the domain of social engineering. Lying and social engineering therefore might be thought of as two domains which share an overlapping subset. As an aside, deception is a superset of lying, not an equivalent set as you implied.
(2) Not all social engineering involves lying, but may involve other forms of deception.
A trivial and familiar example is the practice of following someone through a physical access point, known as "tailgating." Tailgating may exploit a natural human trust relationship (I've seen your face before, or you dress like you work here, or you walk with confidence, make eye contact and smile) or may merely exploit a conflict avoidance instinct without active propagation of a statement believed to be untrue. Tailgating is clearly a tool which could be used to circumvent security controls and can clearly be considered a type of social engineering, but does not fit within the accepted definitions for lying.
If you mod me down, I shall become more powerful than you could possibly imagine.
Or on Linux, as root (replace eth0 with your device name):
ifconfig eth0 down hw ether 0123456789ab up