Slashdot Mirror
First-Person Account of a Social Engineering Attack
darkreadingman writes, "A penetration tester tells how he broke into a bank's network dressed as a copier repairman. Some good lessons here — many companies spend millions on network security, but don't teach their employees how to challenge a stranger in the building. Social engineering at the company site can be one of the most difficult attacks to defend against." From the article: "Before departing scenes like these, we try to document the effort and provide proof of our success. I usually leave something behind and then contact the person who hired me and direct them to the mark. In this case I wrote his password on a ream of paper and tucked it under the machine."
You know, I was wondering why that guy needed my password to fix the copier.
Some attitudes replaced or by cgi optimizes
It's not really news as it is just reaffirmation that the weakest link in security is the human factor. It's been a known problem that someone could just walk in and pretend to be tech support/help desk/repair for as long as their has been computers.
In a world of acronyms, the words are the real victims.
I think it goes without saying that anyone getting into your office claiming to be someone they aren't is a threat. Hacker or otherwise, they can easily get information they want with a "hall pass" for the whole building.
Invexi - a Phoenix, AZ based web design and web development company.
penetration tester. now that's a job! is it somehow related to the porn industry?
I wonder what kind of sniffer he was using to get passwords is 'seconds', including the higher-ups... weren't they not in the building at that time?
GetOuttaMySpace - The Anti-Social Network
Simple enough. I don't know if I am parnoid or what, but if I recieved an unsolicited "service" for one of our machines I would double check with my contact for that company.
If some one is poking around who I do not know I will check it with my boss.
Do Or Do Not, There Is No Spoon, There Is Only Zuul. Everything in the above post is probably opinion.
I wonder, since the article states that the tester was - within seconds - able to sniff passwords and usernames, that if the bank had employed biometric security devices would this sniffing have been so easy?
My Computer Music Tutorial Videos
In this case I wrote his password on a ream of paper and tucked it under the machine. :)
That seems like an awful lot of effort, when you could just write it on one sheet.
$2000.00 cash and you can pay off the cleaning service people to let you in dressed as them. EASILY, sometime for far less. those people are so underpaid yet have access to the most secure parts of the company you can get in, get past the security guards without a second look and you are allowed to root around in secure areas on camera as you are supposed to be under each desk cleaning out trash.
Install a few key loggers, come back in a week and harvest them. No problem and easily undetected at any corporation. They probably will never suspect you even after they get massive hacks later because security typically is also underpaid and way under trained.
Do not look at laser with remaining good eye.
1st: Some one calls an office and says that copier supply cost will go up next month so stock up now. Then they charge you an arm and a leg for your order. (Most of the time toner and developer is covered under the service contract)
2nd: Some times, some one would call up and say that they don't like the new tech that we sent out. I would say "what tech, you don't have a call up on your machine?" then after a few minuets of back and forth they would realize that it was (a) for the other copy machine and not one from my company, or (b) some one was looking around the office without authorization. The scary thing is that this often happened at schools.
Later, at my next job, I nabbed some one pretending to be a copy 'service agent' at the front desk and fed them a line until they went away.
The moral of the story is be paranoid, ask for ID, make people sign in, never ever trust some one who just shows up and make sure all visitors are escorted at all times.
We are the Borg...
Where I once worked we had students trying social engineering on us all the time. I was a student worker at the time and knew most of the tricks, but when anything new came along it had to go through the filter of common sense. If only 3 people have open access to certain systems, one of them must know of someone claiming they need access, but if you can't contact the other two, you simply stand your ground, bar access and say to the attempted intruder, "Sorry, can't let you in, but don't worry, not your fault. Whomever was granting you access failed to inform everyone." Pretty easy to see if they were trying to engineer me after that, depending how they reacted. If they were insistant then I'd call security which would make them change their tune pronto.
Common sense: If you don't know about some repairman, then it's not your fault when you turn them away.
A feeling of having made the same mistake before: Deja Foobar
thanks! I looked under my keyboard and found the jumpdrive I had been trying to find for weeks!
Lying is a specific tool, not a blanket term for the various types of deception which may be employed in social engineering. Perhaps you think it sounds self-important, but that assumes that the only people who use the term are engaged in the practice. I think the term sounds reasonably descriptive and emotionally neutral, unlike "scamming" for example, and allows for the possibility that some people may engage in social engineering for non-harmful purposes.
If you mod me down, I shall become more powerful than you could possibly imagine.
That's the same combination I use on my luggage.
While this is not technically "news", it serves as a good reminder and notice of warning. As mentioned in the article...
Hearing stories like this raises awareness for all of us, and reminds us of different ways that we can be exploited so that we can avoid them. Just like learning from history, it is always better to learn from someone else's mistake instead of learning it the hard way.
I believe in de-evolution. God made the world perfect, man fell, and its been going downhill ever since!
...I could be a penetration tester. On Jenna Jameson. ;P
-"...bad old ideas look confusingly fresh when they are packaged as technology" - Jaron Lanier (Digital Maoism on Edge.o
I recently hired a car from a well known car company (I won't name them as in general I find them to be a very good company)
I normally hire from one particular branch and drop it back off there and as a regular customer known each of the staff by name, however on this occasion I was dropping the car back at the airport.
After parking up a guy came from a car in another bay (for the same car company) and asked if was dropping off one of their cars which I confirmed and told him it had come from my usual branch and not the airport. He asked to see the paperwork and did a check over the car - not a problem. After he gave me the paperwork back he asked for the keys. Since I didn't know him and he wasn't even wearing a uniform I asked to see ID, he couldn't provide it and all he did have was a stack of paperwork with the company letterhead in a file.
Well I'm afraid that isn't really good enoguh proof of ID - I told him I'd drop the key off at their desk (which is opposite my check in desk) since I had no way to know if he was an employee or not.
After dropping the key off at the office of the car company in the airport it turns out he was a legitimate employee but the question of ID has never come up.
I saw some of the otehr cars there - they are always brand new and while I usually take something like an astra or a vectra this being the airport car park had several jags and a merc or two. Its seems it would be a VERY easy way to obtain a few cars... park up, inspect the car, ask for the key.
Even if you get pulled over by the police you would just have to say its a hire car - a check of the registration would confirm that - these companies really should be a little more careful of their security!!
$_="Slashdotter";$syn="OTT";s;..;;;sub _{print shift||$_};s!ash!Perl !;s=$syn=ack=i;tr+LLEd+BLAH+;_"Just Another ";_
At my previous job, DHCP was not used for printers. In fact, you could not plug into any port and get a connection. Everything was locked down by MAC address and every printer was given a specific IP address. Even the pc ports were locked by MAC address.
Sadly, my current place of employment does not follow this rule. Anyone could do what the article talks about except that our security guard is pretty good about calling someone if a technician shows up and says they have to do something. If that happens, I am usually the one who goes down and finds out what's going on. Since I work in IT, I would know if what the person is saying is true or not.
We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
"Gentlemen, your communication lines are vulnerable, your fire exits need to be monitored, your rent-a-cops are a tad undertrained. Outside of that everything seems to be just fine. You'll be getting our full report and analysis in a few days but first, who's got my check?"
Slashdot Burying Stories About Slashdot Media Owned
Whenever I hear the usual rant about users having their password as a sticky note on their monitors, my instant reaction is "It's your fault, you goob!" I've worked lots of places where they've implemented a new "password security process" which requires you to switch your password regularly and which prevent you from using the same password for some ridiculous period of time and which disallow dictionary-based words/phrases.
:-)
Hello, McFly? Which is better: my having an easily-remembered but difficult-to-guess password that I never write down, or you forcing me to change my password frequently and then write it down because your policy makes me choose something obscure? My original password was fairly strong (a combination of upper and lowercase letters and numbers that are meaningful only to me) but when I'm forced to change to something new, it will be written down somewhere until it's committed to memory. Can you say "counterproductive"? How about "unintended consequences"?
Of course, I understand that a lot of these policies are based on out-dated recommendations and come down from on high. However, it would be nice if those making these "rules" to realize that most users have other things to do besides remembering a constantly changing set of passwords. Oh, BTW -- my new password is "theCIOsucks!"
Interested in a Flash-based MAME front end? Visit mame.danzbb.com
Friend of a friend got a job doing security audits for a major energy company here in houston.
1) He broke into a top nuclear facility by holding a box and asking the person ahead of him to hold the door.
2) He set off the "man trap" and found he could easily climb out of it.
3) He found out the heavily secure facility had secure areas protected by sheetrock walls in some areas.
He finally embarrassed so many people that they posted a picture of his face to all employees with a warning to be careful. That destroyed his effectiveness. Some solution.
But that's the real world for you.
She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
Once they realize it's AWOL and they call the original owner who says he returned it, they'd report it stolen and then getting pulled over wouldn't be so easy to get out of.
I've had enough abrasive sigs. Kittens are cute and fuzzy.
I've been thinking about the article. It seems to me that such an abject failure to prevent a security breach could be more demoralizing than instructive. In most companies, the employees are not going to be security-savy, and they will not question a potential intruder. When the penetration test is successful everyone just feels stupid and slightly used. That's my guess at how the bank employees would react when the boss let them know that they got totally hacked.
Instead, for those bosses with less scruples, you'd probably get more bang for your buck by faking the penetration test. Hire some dude to try to get in, and arrange some employee to "catch" him. Then you get to circulate the news that you were successful because an employee did the right thing. I think the information would be just as instructive (always ask for outside confirmation of vendor reps), but instead of being depressing (you guys all failed to do the right thing) it could be empowering (it's easy to do the right thing, and one of you managed to do it).
Is penetration testing even worth the money for a system as obviously insecure as this one? If, as the article claims, these attempts succeed 9 times out of 10, then you don't need to pay for the penetration test to know your company will fail. Does a bank manager really need to pay someone to tell them the obvious? They should take some proactive steps towards security-enhancements first, and save the penetration testing for when they actually think they have a somewhat hardened system (social and technical) to penetrate.
-stormin
The Southern Baptist Convention has creationism. On Slashdot, we have porn.
There were a number of technical security flaws he exploited as well. Among them:
> I then disconnected the network cable from the copier/printer and attached my laptop. As soon
> as my laptop booted up, DHCP provided a network address and I was on the internal network.
This should never be. In the first place, DHCP should not hand out an internal-network address to any old network card that comes calling, and in the second place, the copier should probably be isolated from any important or sensitive subnets by a firewall that should only pass the sort of traffic needed for printing/copying/scanning functions, and only if it's coming from the copier's IP address. Discovering the copier's IP address, in order to use it, would be easy enough (our copier has an easy menu interface for configuring that, for instance), but it's an extra thing the attacker has to do, and it should still only get him the ports that the copier normally uses. Defense in depth demands that you erect whatever barriers you can.
Furthermore...
> I started a few of our utilities and started sniffing the traffic on the network.
> Within seconds I had a variety of logins and passwords,
Ack! Switches cost, what, a whole extra fifty cents per port, as compared to hubs? WHY would anybody with anything significant to protect be running an unswitched network? Bad network engineer, no cookie.
Cut that out, or I will ship you to Norilsk in a box.
Teaching employees to police each other at the door does NOT help security. It does not work. All the awareness training in the world is wasted money because "politeness" is built in to our culture.
If I'm walking out the door, and someone coming in catches the door after I walk out, am I going to stop, turn around, go back in the building, stop the person on the way to the stairs, force him to follow me back to the badge reader, and wait to make sure his badge is accepted by the reader? No.
It will never happen.
Even if your security awareness training is so successful that 50% of your employees do this, an intruder only has to try twice to get in. You gain nothing.
Employee-enforced physical security is a farce. You will ONLY have real physical security if you have a dedicated security guard who checks every badge and photo-ID for every person entering the building.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
Yes it is lying, however its also quite a bit more than that.
Its a con. Plain and simple. Since you generally know the conversation and physical scenario that is going to take place, all that is needed is some improv. Thats why I state its a bit more than lying. You're feeding off of the targets lack of awareness, willfullness to give information, and general good nature, as 'everything seems to be in order' with your physical presence.
As far as distinction in vocabulary and vernacular of language, that would just gloss over any doubts the unwilling participant might have in most cases. Try that tactic against the wrong sort, and you will easily out yourself as an imposter.
neowun, have you actually manipulated people for fun, profit, or other? If not, you should try it sometime. It will give you a better sense of the spectrum that is 'social awareness' i.e., common sense.
"Think about it Derek. Male models are genetically constructed to become assassins. They're in peak physical condition. They can gain entry into the most secure places in the world. And most important of all, models don't think for themselves. They do as they're told."
This kind of stunt gets people fired, and worse, gets people in serious legal trouble and ruins their reputations.
Doubt me? Ask Randal Schwartz. Unless I missed something, Randal has admitted his naivety, but not malice, concerning the matter of cracking passwords to demonstrate security problems to one of his clients. The client was not amused. Here is an example, from the first click in a trivial google search.
Intel v. Randal Schwartz: Why Care?
Clearly, Randal was someone who should have known better. And in fact, Randal would be the first Internet expert already well known for legitimate activities to turn to crime. Previous computer criminals have been teenagers or wannabes. Even the relatively sophisticated Kevin Mitnick never made any name except as a criminal. Never before Randal would anyone on the "light side of the force" have answered the call of the "dark side".
-- end quote --
Randal already had an established reputation as a happy friendly white-hat super star and has highly respected friends who can vouch for him. Would your own reputation be able to withstand a legal battle from a client, even if your intentions were pure? I submit that it may be best to specify in the tiger team's contract the use of techniques like password cracking and sniffing. Leaving a recoverd password on paper for any random employee to find is just a stupid, stupid stunt. Professional tiger teams carefully and jealously guard the evidence of their efforts, and share the results with the client in professional and secure manner. If you need to prove you were in the building, take a picture and leave a business card, not your client's password for crying out frigging loud.
There, that should be clear enough.
If you mod me down, I shall become more powerful than you could possibly imagine.
Mostly for ease of deployment. Assuming that everyone already has a VPN client for connecting from home or hotels, etc. Your users then don't have to do anything special like 802.1x for wireless but VPN for something else, and your administrators have one less variable to control.
You've really hit on one of the big reasons why these social engineering tasks work. If you are "that guy" who insists on calling in everyone who comes into the office, you are also the reason the copier is still broken because he turned away the repairman at the door simply because the copier place's front desk didn't have easy access to the work schedules of the repairmen.
In a perfect world everyone would be competent and always available on the other end of the phone, but in the real world it can be a pain in the rear to find the right person at the other company who could verify that the technician you have is supposed to be there now, not to mention the cleaning staff and all of the other people who need access to your building. You could escort them, but most companies don't have enough dedicated security guards or people without work to do to watch over the guy for 2 hours while he works on some machinery. Even if they do, most of the people at your local bank would have no idea that what he's doing is actually sniffing passwords off of the network, not working on the copier. This guy went to plenty of trouble to make himself look like a copier repairman, he could have easily set up a "diagnostic" program on his laptop and plugged it into the copier's network port (when in actuality he's plugging the network cable into his laptop), and sniff passwords for some time.
That said: How much danger is his knowledge of the passwords? Obviously it isn't good, but what does that actually get you in the bank? Access to the printers and network shares? Without knowing the bank's IT setup it's hard to know how valuable that information is. Clearly he couldn't try to fire up a copy of their software on his laptop (if he even had it), because any teller walking into the copy room would no doubt recognize it and put up a red flag. Presumably the transactions from that software would be encrypted (at least I hope it would be), and they may have additional protections.
I read the internet for the articles.
Some months back, I saw some people working on the phone lines outside my house. They knocked off my DSL connection, so I went out to see what they were doing. They didn't have an SBC truck, so I asked to see their ID. Classically, telcos were very careful about issuing picture IDs to all employees authorized to meet the public or work on plant. There's even a notice in most telephone directories about it, telling customers that all telephone employees are required to carry a telco photo ID.
They didn't have SBC IDs. So I called SBC repair service via a cell phone. They didn't have a clue. So I called 911 and had the local cops come out. They ask the guys for phone company ID, and the techs don't have it. Twenty minutes of confusion as the techs and the cops are calling various parties.
Turned out that SBC had quietly been "outsourcing" some routine outside plant work, and had been sloppy about issuing credentials to the outsourcing contractor. Tied up four techs and two cops for half an hour to straighten that out.
That's what happens when you do it right. Annoys everybody.
Which is why you should bang your mistress in the back of the theater.
Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
Its one thing to sling a few "bots" together from another continent and "see if you can get in" anonymously from the safety of your den or bedroom. Its takes quite another breed of individual to walk their living flesh in the front door and risk being taken out in handcuffs. To face felony theft in months of court time later. . .
Yes, its a valid demonstration of what is available if they make it in. . . I'm not sure its at all statistically or even operationally significant by any practical stretch. . .
Why should I risk my own freedom? How about instead of going in, I just wait will the branch manager comes out on his way home, club him over the head, and extract the passwords I need from him directly. After I've transferred a few hundred million to my bank account in an extradition free country (do we still have those? And can someone list them for me?) then I'd be all set.
Comparing the type of "in your face, willing to risk capture and jail-time" type of personality, with the "I'd like to stay safe at home" type of crime. . . seems too much Apples and Oranges comparison to suit my tastes.
How many 13 year old adolescent pimple faced copier repair men do you typically expect to see in your average work day? And how many "back alley club-you-over-the-head" thieves are pulling major-league cyber-crimes?
Apple crimes for Apple risk, or Orange crimes for Orange risk, but this is Orange risk for Apple crimes.
jkh
No, I don't remember your name. But the memory mapped screen on a TRS80 from 1977 is from 15360 to 16383 if that helps.
He's saying that, when they do get caught, nine times out of ten it's because someone wants to verify their presence with someone higher up. I don't think he said how often they actually do get caught.
"That's right, the mod categories are just like the points on 'Whose Line' -- they don't mean anything..."
Consider two propositions.
(1) Not all lying is social engineering.
Lying, by definition, is making a statement believed to be untrue with the intent to deceive another (see: lie) therefore all lying might be considered a form of social engineering, using the most inclusive possible definition for "social engineering". However, one might consider that there are types of lying which do not really have a useful purpose (e.g. pathalogical lying) and which are not employed to seek a gain, and these types of lying might be considered to fall outside of the domain of social engineering. Lying and social engineering therefore might be thought of as two domains which share an overlapping subset. As an aside, deception is a superset of lying, not an equivalent set as you implied.
(2) Not all social engineering involves lying, but may involve other forms of deception.
A trivial and familiar example is the practice of following someone through a physical access point, known as "tailgating." Tailgating may exploit a natural human trust relationship (I've seen your face before or you dress like you work here or you walk with confidence, make eye contact and smile) or may merely exploit a conflict avoidance instinct without active propogation of a statement believed to be untrue. Tailgating is clearly a tool which could be used to circumvent security controls and can be clearly considered as a type of social engineering, but does not fit within the accepted definitions for lying.
If you mod me down, I shall become more powerful than you could possibly imagine.
Or on Linux, as root (replace eth0 with your device name):
ifconfig eth0 down hw ether 0123456789ab up