First-Person Account of a Social Engineering Attack
darkreadingman writes, "A penetration tester tells how he broke into a bank's network dressed as a copier repairman. Some good lessons here — many companies spend millions on network security, but don't teach their employees how to challenge a stranger in the building. Social engineering at the company site can be one of the most difficult attacks to defend against." From the article: "Before departing scenes like these, we try to document the effort and provide proof of our success. I usually leave something behind and then contact the person who hired me and direct them to the mark. In this case I wrote his password on a ream of paper and tucked it under the machine."
I wonder what kind of sniffer he was using to get passwords in 'seconds', including the higher-ups' passwords... weren't they out of the building at that time?
I wonder, since the article states that the tester was able to sniff passwords and usernames within seconds, whether this sniffing would have been so easy if the bank had employed biometric security devices.
My Computer Music Tutorial Videos
1st: Someone calls an office and says that copier supply costs will go up next month, so stock up now. Then they charge you an arm and a leg for your order. (Most of the time toner and developer are covered under the service contract.)
2nd: Sometimes someone would call up and say that they didn't like the new tech that we sent out. I would say "What tech? You don't have a call open on your machine." Then, after a few minutes of back and forth, they would realize that it was (a) for the other copy machine and not one from my company, or (b) someone was looking around the office without authorization. The scary thing is that this often happened at schools.
Later, at my next job, I nabbed someone pretending to be a copy 'service agent' at the front desk and fed them a line until they went away.
The moral of the story is: be paranoid, ask for ID, make people sign in, never ever trust someone who just shows up, and make sure all visitors are escorted at all times.
We are the Borg...
Where I once worked we had students trying social engineering on us all the time. I was a student worker at the time and knew most of the tricks, but when anything new came along it had to go through the filter of common sense. If only 3 people have open access to certain systems, one of them must know of someone claiming they need access, but if you can't contact the other two, you simply stand your ground, bar access, and say to the attempted intruder, "Sorry, can't let you in, but don't worry, not your fault. Whoever was granting you access failed to inform everyone." Pretty easy to see if they were trying to engineer me after that, depending on how they reacted. If they were insistent then I'd call security, which would make them change their tune pronto.
Common sense: If you don't know about some repairman, then it's not your fault when you turn them away.
A feeling of having made the same mistake before: Deja Foobar
I recently hired a car from a well known car company (I won't name them, as in general I find them to be a very good company).
I normally hire from one particular branch and drop it back off there, and as a regular customer I know each of the staff by name; however, on this occasion I was dropping the car back at the airport.
After parking up, a guy came from a car in another bay (for the same car company) and asked if I was dropping off one of their cars, which I confirmed, and I told him it had come from my usual branch and not the airport. He asked to see the paperwork and did a check over the car - not a problem. After he gave me the paperwork back he asked for the keys. Since I didn't know him and he wasn't even wearing a uniform, I asked to see ID. He couldn't provide it, and all he did have was a stack of paperwork with the company letterhead in a file.
Well, I'm afraid that isn't really good enough proof of ID - I told him I'd drop the key off at their desk (which is opposite my check-in desk), since I had no way to know if he was an employee or not.
After dropping the key off at the office of the car company in the airport, it turned out he was a legitimate employee, but the question of ID has never come up.
I saw some of the other cars there - they are always brand new, and while I usually take something like an Astra or a Vectra, this being the airport car park there were several Jags and a Merc or two. It seems it would be a VERY easy way to obtain a few cars... park up, inspect the car, ask for the key.
Even if you get pulled over by the police you would just have to say it's a hire car - a check of the registration would confirm that. These companies really should be a little more careful with their security!!
$_="Slashdotter";$syn="OTT";s;..;;;sub _{print shift||$_};s!ash!Perl !;s=$syn=ack=i;tr+LLEd+BLAH+;_"Just Another ";_
At my previous job, DHCP was not used for printers. In fact, you could not plug into any port and get a connection. Everything was locked down by MAC address and every printer was given a specific IP address. Even the pc ports were locked by MAC address.
Sadly, my current place of employment does not follow this rule. Anyone could do what the article talks about except that our security guard is pretty good about calling someone if a technician shows up and says they have to do something. If that happens, I am usually the one who goes down and finds out what's going on. Since I work in IT, I would know if what the person is saying is true or not.
We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
Friend of a friend got a job doing security audits for a major energy company here in houston.
1) He broke into a top nuclear facility by holding a box and asking the person ahead of him to hold the door.
2) He set off the "man trap" and found he could easily climb out of it.
3) He found out the heavily secure facility had secure areas protected by sheetrock walls in some areas.
He finally embarrassed so many people that they posted a picture of his face to all employees with a warning to be careful. That destroyed his effectiveness. Some solution.
But that's the real world for you.
She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
"All you need to do at this place is look over someones shoulder at the sticky note stuck to the monitor."
How about this: I _HAD_ a user who made the MS Flying banner hold his password. I would have never believed it had I not seen it myself.
There are no loopholes. It's either legal or it's not.
Completely agree.
I went from very secure passwords to insecure passwords written down on paper slips as a direct result of our security policy.
1) Change every 90 days (up from 60, at least. That was really bad).
2) no repeating letters or numbers
3) no letter or number in the same position as last password.
4) must have a number
5) not be a word in a dictionary
Starting password something like
YuL1P3729 (the last 4 digits were what changed- they were an old phone number- I slid through it horizontally)
Current password something like
secre1t
I have about 8 passwords.
And they are all on a yellow sticky on my desktop.
There were a number of technical security flaws he exploited as well. Among them:
> I then disconnected the network cable from the copier/printer and attached my laptop. As soon
> as my laptop booted up, DHCP provided a network address and I was on the internal network.
This should never be. In the first place, DHCP should not hand out an internal-network address to any old network card that comes calling, and in the second place, the copier should probably be isolated from any important or sensitive subnets by a firewall that should only pass the sort of traffic needed for printing/copying/scanning functions, and only if it's coming from the copier's IP address. Discovering the copier's IP address, in order to use it, would be easy enough (our copier has an easy menu interface for configuring that, for instance), but it's an extra thing the attacker has to do, and it should still only get him the ports that the copier normally uses. Defense in depth demands that you erect whatever barriers you can.
Furthermore...
> I started a few of our utilities and started sniffing the traffic on the network.
> Within seconds I had a variety of logins and passwords,
Ack! Switches cost, what, a whole extra fifty cents per port, as compared to hubs? WHY would anybody with anything significant to protect be running an unswitched network? Bad network engineer, no cookie.
Cut that out, or I will ship you to Norilsk in a box.
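The two points above (the earlier comment about locking printer ports and addresses down by MAC, and this one about DHCP handing a lease to "any old network card") can be turned into a cheap detection check even before 802.1X is in place. The following is an added example, not code from the article or from any poster: it parses an ISC `dhcpd.leases` file and flags active leases on the printer VLAN whose MAC is not in the copier inventory, or whose client-hostname does not match what the copier normally sends. The inventory, addresses, MACs and lease entries are all constructed for the example.

```python
"""Audit ISC dhcpd leases on a printer VLAN against a copier/printer inventory.

Added example (not from the article or any commenter). Assumes the ISC
dhcpd.leases text format and a hypothetical printer inventory; every MAC,
IP address and hostname below is constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed inventory: MAC -> (expected IP, expected client-hostname).
PRINTER_INVENTORY: Dict[str, Tuple[str, str]] = {
    "00:1e:8f:aa:bb:01": ("10.20.30.11", "copier-lobby"),
    "00:1e:8f:aa:bb:02": ("10.20.30.12", "copier-hr"),
}

# Constructed sample dhcpd.leases content. The second entry is the copier's MAC
# but a different hostname (someone spoofed the MAC); the third is an unknown
# laptop that was simply plugged into the copier's wall port.
SAMPLE_LEASES = """\
lease 10.20.30.11 {
  starts 4 2024/01/04 09:00:00;
  ends 4 2024/01/04 21:00:00;
  binding state active;
  hardware ethernet 00:1e:8f:aa:bb:01;
  client-hostname "copier-lobby";
}
lease 10.20.30.12 {
  starts 4 2024/01/04 09:05:00;
  ends 4 2024/01/04 21:05:00;
  binding state active;
  hardware ethernet 00:1e:8f:aa:bb:02;
  client-hostname "pentest-box";
}
lease 10.20.30.57 {
  starts 4 2024/01/04 09:10:00;
  ends 4 2024/01/04 21:10:00;
  binding state active;
  hardware ethernet 3c:22:fb:12:34:56;
  client-hostname "laptop";
}
lease 10.20.30.58 {
  starts 4 2024/01/03 09:10:00;
  ends 4 2024/01/03 21:10:00;
  binding state free;
  hardware ethernet 3c:22:fb:12:34:57;
}
"""


@dataclass
class Lease:
    ip: str
    mac: str
    state: str
    hostname: Optional[str]


# One "lease <ip> { ... }" block; bodies never contain braces, so non-greedy is safe.
LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)


def parse_leases(text: str) -> List[Lease]:
    """Return the latest lease record per IP (dhcpd appends history; last wins)."""
    by_ip: Dict[str, Lease] = {}
    for m in LEASE_RE.finditer(text):
        ip, body = m.group(1), m.group(2)
        mac = re.search(r"hardware ethernet\s+([0-9a-fA-F:]+);", body)
        state = re.search(r"binding state\s+(\w+);", body)
        host = re.search(r'client-hostname\s+"([^"]*)";', body)
        if not mac:            # abandoned/partial records carry no MAC; skip them
            continue
        by_ip[ip] = Lease(ip, mac.group(1).lower(),
                          state.group(1) if state else "unknown",
                          host.group(1) if host else None)
    return list(by_ip.values())


def audit(leases: List[Lease], inventory: Dict[str, Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Flag active leases that are not the printers we expect on this VLAN."""
    findings = []
    for lease in leases:
        if lease.state != "active":
            continue
        if lease.mac not in inventory:
            findings.append(("unknown-device", lease.ip, lease.mac))
            continue
        expected_ip, expected_host = inventory[lease.mac]
        if lease.ip != expected_ip:
            findings.append(("ip-mismatch", lease.ip, lease.mac))
        if lease.hostname is not None and lease.hostname != expected_host:
            findings.append(("hostname-mismatch", lease.ip, lease.mac))
    return findings


if __name__ == "__main__":
    for kind, ip, mac in audit(parse_leases(SAMPLE_LEASES), PRINTER_INVENTORY):
        print(f"{kind:18} {ip:15} {mac}")
```

This only catches the lazy case; an attacker who clones the copier's MAC and hostname gets a clean lease. It is a tripwire, not a control: the real fixes are the ones the comment lists (static reservations or 802.1X on the printer ports, and a firewall that passes only print/scan ports from the copier's address), and the audit is worth running as a scheduled job precisely because those controls are so often missing.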
Some months back, I saw some people working on the phone lines outside my house. They knocked off my DSL connection, so I went out to see what they were doing. They didn't have an SBC truck, so I asked to see their ID. Classically, telcos were very careful about issuing picture IDs to all employees authorized to meet the public or work on plant. There's even a notice in most telephone directories about it, telling customers that all telephone employees are required to carry a telco photo ID.
They didn't have SBC IDs. So I called SBC repair service via a cell phone. They didn't have a clue. So I called 911 and had the local cops come out. They ask the guys for phone company ID, and the techs don't have it. Twenty minutes of confusion as the techs and the cops are calling various parties.
Turned out that SBC had quietly been "outsourcing" some routine outside plant work, and had been sloppy about issuing credentials to the outsourcing contractor. Tied up four techs and two cops for half an hour to straighten that out.
That's what happens when you do it right. Annoys everybody.
My explanation of why you *should* write down your password. Bruce Schneier has made the same point.
All of which is really a distraction. Sticky notes on the monitors? If someone's that close they can install a hardware keylogger in a matter of seconds or RAT and rootkit the machine with a live CD in a few minutes. The only security improvement you get from taking down the sticky notes is against casual or opportunistic attacks, which is not nothing, but face the fact that physical access means Game Over.
If I'm walking out the door, and someone coming in catches the door after I walk out, am I going to stop, turn around, go back in the building, stop the person on the way to the stairs, force him to follow me back to the badge reader, and wait to make sure his badge is accepted by the reader? No.
That's why we have a revolving door with a weight sensor. If a second person enters, the door goes backwards and pushes you out.
Have you read my journal today?
I think interesting was an understatement. I found it wonderful, and it should be sent to every VP. Basic security is so rare.
I had a job on Wall Street many years ago, and I consistently caught people who were trying to get info about our mainframes or dumpster diving. I ended up putting in a strict policy, and I was able to buy one heck of a shredder (this THING was as big as a wide-screen TV and could eat your hand if you were not careful).
I still do my transactions there because the guy I left in charge was more paranoid than I was.
onepoint
if you see me, smile and say hello.
This is veering dangerously OT, but here's what has worked (so far!) for me: I had a nice, secure password that I never wrote down. When they made me "change" it regularly, I started using the same password but with my right hand shifted one letter down on the keyboard. 6 months later, shift the other hand down. 6 months later, shift the right hand outward. I intend to move around in this fashion until I can return both hands back to home position.
The only part that requires brainpower is "what to do when I exceed the keyboard area" - for now, I simply don't travel any further: "dR" becomes "e$" becomes "3$" as the left hand moves up. I can't quite get myself to consider the kbd as toroidal.
As an interesting side effect, I cannot actually tell you what my current password is. The best I could do is rattle off what would be a string of letters, numbers and symbols if your hands were in home row, and how to move your hands before typing it.
We're all born with nothing.
If you die in debt, you're ahead.
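The rotation scheme in the comment above is a deterministic transform of the previous password, which is worth seeing in code because it shows how little an attacker who recovers any one password in the chain still has to guess. The following is an added example, not the commenter's code: it models a US QWERTY layout as a four-row grid (with the left hand on the five leftmost columns and the right hand on the rest, which is a simplification of real hand placement), applies the "move one hand up/down/in/out" rule, and enumerates every password reachable from a leaked one within a few moves.

```python
"""Model the 'shift one hand on the keyboard' password rotation and enumerate
what it can produce from a single known password.

Added example (not the commenter's code). Assumes a US QWERTY grid of four
ten-key rows, left hand = columns 0-4, right hand = columns 5-9, Shift state
preserved, and keys that would leave the grid staying put (the "I don't travel
any further" rule in the comment). Real keyboards are staggered and the
hand boundary is fuzzy; that is deliberately ignored here.
"""
from typing import Dict, Set, Tuple

ROWS = ["1234567890", "qwertyuiop", "asdfghjkl;", "zxcvbnm,./"]
SHIFTED = ["!@#$%^&*()", "QWERTYUIOP", "ASDFGHJKL:", "ZXCVBNM<>?"]

# char -> (row, col, is_shifted)
KEY_POS: Dict[str, Tuple[int, int, bool]] = {}
for r, (plain, shifted) in enumerate(zip(ROWS, SHIFTED)):
    for c, (p, s) in enumerate(zip(plain, shifted)):
        KEY_POS[p] = (r, c, False)
        KEY_POS[s] = (r, c, True)

HANDS = ("left", "right")
MOVES = ("up", "down", "in", "out")


def hand_of(col: int) -> str:
    return "left" if col < 5 else "right"


def shift_password(pw: str, hand: str, move: str) -> str:
    """Apply one hand movement to every key that hand types; others stay fixed."""
    out = []
    for ch in pw:
        if ch not in KEY_POS:
            raise ValueError(f"key not on the modelled layout: {ch!r}")
        r, c, is_shifted = KEY_POS[ch]
        if hand_of(c) != hand:
            out.append(ch)
            continue
        dr = {"up": -1, "down": 1}.get(move, 0)
        # "in" moves toward the centre of the board, "out" away from it.
        dc = 0
        if move == "out":
            dc = -1 if hand == "left" else 1
        elif move == "in":
            dc = 1 if hand == "left" else -1
        nr, nc = r + dr, c + dc
        if not (0 <= nr < len(ROWS) and 0 <= nc < 10):
            nr, nc = r, c          # would leave the grid: key stays where it is
        out.append((SHIFTED if is_shifted else ROWS)[nr][nc])
    return "".join(out)


def candidates(leaked: str, max_moves: int) -> Set[str]:
    """All passwords reachable from `leaked` by at most max_moves hand shifts."""
    seen = {leaked}
    frontier = {leaked}
    for _ in range(max_moves):
        nxt = set()
        for pw in frontier:
            for hand in HANDS:
                for move in MOVES:
                    new = shift_password(pw, hand, move)
                    if new not in seen:
                        seen.add(new)
                        nxt.add(new)
        frontier = nxt
    return seen


if __name__ == "__main__":
    # The commenter's own worked case: "dR" -> "e$" -> "3$" as the left hand moves up.
    print(shift_password("dR", "left", "up"), shift_password("e$", "left", "up"))
    print("candidates within 3 moves of 'dR':", len(candidates("dR", 3)))
```

With two hands and four directions there are at most 8 choices per rotation, so a password leaked from one system (or one old password-history dump) reduces every rotation since then to a few hundred guesses at most, far fewer than the policy's authors imagined. The comment's real strength, that the current password is never written down, survives; the chaining does not add entropy.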
I am a private IT consultant and I was recently contracted by a Fortune 500 insurance company subsidiary on a very minor issue (2 days). I was hired through an ad on an online bulletin board. The president of the company hired me over the telephone without requesting any references or inquiring about background, education, or even aptitude with the systems they had in place.
Upon arriving for the appointment, I was led into the server room and immediately left alone, laptop in hand. I left the first day with a company laptop in hand unchallenged. The reason I was taking it was because it was being used as a spam zombie and needed to be reformatted. This laptop had been syncing with the company's entire ACT database and contained other sensitive information as well.
When I informed the president that this data had very likely been compromised and that he should take some action to mitigate the repercussions of this, he just shrugged and informed me that the employee responsible for that laptop no longer worked for the company. He obviously had no intention of following through on any of my recommendations.
Needless to say, I will never be one of their clients.
Like this comment? I accept Bitcoin! - 153sc8UUBXyp12ofQqfAWDmJrzyiKCYC1x
One time...when I was in the Navy...
:)
Disclaimer: OK, this is actually a sea story, so it may only have elements of truth, but it sounds cool.
The military conducts security/pen testing of bases regularly. The Navy has SEAL teams which are sent in to infiltrate, kidnap senior officers, capture security posts/armories, etc. in the manner that a terrorist or foreign military might try. To minimize the chances of someone getting shot, base commanders are informed that a test will be conducted (although not in much detail or exactly when, for obvious reasons) and the SEAL teams are ordered to surrender if caught. Usually it doesn't matter - the SEALs get on base and take control easily despite the advance warning, most of the time without any challenge or questions asked.
At one base, however, the CO was a bit smarter than usual. He wasn't allowed to tell anyone that a security test was pending, so he decided to issue flight deck whistles (for those of you who haven't served, they are EXTREMELY loud) to all base personnel. Orders were that if they saw anything suspicious they were to blow the whistle and keep it up until security arrived, with no repercussions for good-faith false alarms. Anyone hearing a whistle was to blow THEIR whistle, and so on, until relieved by MARDET. Sure, there were a few times when someone misconstrued something innocent and brought a truckload of Marines around to investigate, but the payoff was when the SEALs finally did try to sneak onto the base. A sailor thought something didn't look right and blew his whistle, the Marines responded, caught the SEAL team, alerted the entire base to the ongoing security breach, and the whole pen test was over in about half an hour.
All the copier and printer maintenance techs I have ever worked with have silver or gray briefcases w/ their cleaning tools in them (I do silent visual inspections of the ones I am responsible for escorting). From the outside, the case is totally innocuous and all of them do use them. It would make sense for the penetration testers to do so as well. Put a few screwdrivers and a few rags in it and no one would notice the other stuff. Makes perfect sense to me.
...quicker, easier, more seductive the darkside is...but more powerful, it is not.
I know what you mean as it basically blows the whole common concept of what most people understand irony to be right out the window. Some references I've seen do describe that kind of irony but the more authoritative ones indicate that irony is when what you say has a different literal interpretation than what you mean. So if you *described* an event which had what you call situational irony, it could be ironic... but the event itself isn't. Wikipedia covers the controversy over the varying opinions.
The author of the other site I linked to argues that just because people use the word irony incorrectly and this has become popular, it doesn't make it correct. It's like asking if enough people misspelled "lose" as "loose", would the definition of the word "loose" change as a result?
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.