First-Person Account of a Social Engineering Attack

← Back to Stories (view on slashdot.org)

First-Person Account of a Social Engineering Attack

Posted by kdawson on Thursday November 30, 2006 @05:37AM from the in-by-the-front-door dept.

darkreadingman writes, "A penetration tester tells how he broke into a bank's network dressed as a copier repairman. Some good lessons here — many companies spend millions on network security, but don't teach their employees how to challenge a stranger in the building. Social engineering at the company site can be one of the most difficult attacks to defend against." From the article: "Before departing scenes like these, we try to document the effort and provide proof of our success. I usually leave something behind and then contact the person who hired me and direct them to the mark. In this case I wrote his password on a ream of paper and tucked it under the machine."

36 of 347 comments (clear)

Min score:

Reason:

Sort:

Hmm... by The+Zon · 2006-11-30 05:42 · Score: 5, Funny

You know, I was wondering why that guy needed my password to fix the copier.

--
Some attitudes replaced or by cgi optimizes
1. Re:Hmm... by Anonymous Coward · 2006-11-30 06:19 · Score: 5, Funny
  
  Because you don't get karma for Funny moderations any more, so some moderators like to throw in an Insightful moderation for funny comments.
2. Re:Hmm... by bcattwoo · 2006-11-30 07:27 · Score: 4, Informative
  
  And ironically your insightful comment was modded funny.
3. Re:Hmm... by dr_strang · 2006-11-30 07:37 · Score: 4, Funny
  
  Are there ironic mod points? Because that would be ironic.
  
  --
  This is a sig. It is like every other sig in the world, except that it is mine, and it is different.
4. Re:Hmm... by LordSnooty · 2006-11-30 08:08 · Score: 3, Funny
  
  Yeah, but they cancel each other out.
Yikes! So much effort! by moore.dustin · 2006-11-30 05:45 · Score: 5, Insightful

I know for a fact if he came to my office and attempted to get passwords that way, he put in way to much effort. All you need to do at this place is look over someones shoulder at the sticky note stuck to the monitor.
I think it goes without saying that anyone getting into your office claiming to be someone they aren't is a threat. Hacker or otherwise, they can easily get information they want with a "hall pass" for the whole building.

--
Invexi - a Phoenix, AZ based web design and web development company.
1. Re:Yikes! So much effort! by mallgood · 2006-11-30 06:13 · Score: 4, Insightful
  
  My question is why would you ever need to get into the vault? Really. Look at the world, almost nobody uses cash any more. There isn't a reason to. You swipe your card and the transaction is done. All it means is that - tap tap tap - a dozen key strokes later and you have a bunch of money transfered into an account of your liking. Now whether you are smart enough to transfer it into the account of someone you don't like rather than your own is a different question.
2. Re:Yikes! So much effort! by rvw14 · 2006-11-30 06:16 · Score: 3, Insightful
  
  Why would you want to get into the vault? The amount of money a bank keeps on-hand is very small, and the penalty for getting caught is huge.
  
  If you can get into the bank's internal network, you can get all sorts of information. Identity theft can net more money without the risk.
3. Re:Yikes! So much effort! by Negadecimal · 2006-11-30 06:16 · Score: 5, Informative
  
  I think a bank requires a little more awareness on the part of the staff than most offices.
  
  That's an understatement. My wife's bank doesn't even have wastebaskets at teller stations, for fear that an account number could end up in the dumpster out back. All paper is either quickly shredded or couriered daily to a processing center. Loose sheets - even a sticky note - are verboten.
  
  Each teller has a binder on hand that contains security procedures specific to the teller. When one teller accidentally grabbed another's binder a few month ago, the whole branch had to do a security update, which included a two-hour procedure to change the vault codes.
4. Re:Yikes! So much effort! by mrogers · 2006-11-30 06:41 · Score: 5, Funny
  
  Yeah I imagine all the money's sitting in a shared folder on the secretary's PC. Never mind a dozen key strokes, you can probably just drag and drop.
  "Are you sure you want to replace 'Teh Money.xls', size $13.28, modified 11/21/2006, with 'Teh Money.xls', size $1,000,000.00, modified 11/30/2006? [OK] [Cancel]"
5. Re:Yikes! So much effort! by Solra+Bizna · 2006-11-30 06:57 · Score: 4, Funny
  
  Now whether you are smart enough to transfer it into the account of someone you don't like rather than your own is a different question.
  
  Or, transfer it into your own, separate account on the same bank, then use Log Modifier to change the destination account in the transaction record to someone you hate (or someone you're being paid to discredit), and Log Deleter to delete the record on your end. Disconnect before they trace you, and BOOM! Watch your Uplink rating smash through the roof...
  
  You'll probably need a level 5 Firewall Disable (or Firewall Bypass) and version 3 of Decypher. And don't try to hack into the Uplink Corporation's bank; yours is the only account.
  
  Wait, we are talking about Uplink, right?
  
  -:sigma.SB
  
  --
  WARN
  THERE IS ANOTHER SYSTEM
6. Re:Yikes! So much effort! by erpbridge · 2006-11-30 07:22 · Score: 5, Informative
  
  Card printers with stripe encoders are fairly inexpensive. In 2000, picked one up for a previous employer for $400.
  
  However, also being the guy who ran the prox card access system, I can tell you this: Prox cards are not easy to reprogram. They are usually hard coded with technology that resembles a primitive form of a RFID chip and small battery that only energizes when in the prescence of a mildly strong magnetic field (more than kitchen refrigerator magnets, but not as strong as the rare earth magnets you can buy for cheap), has a transmit range of 6 inches, and is attached to a antenna/induction coil loop that circles the length of the card about 5-10 loops.
  
  Theres a reason you don't leave a prox card on top of a unchielded stereo speaker... Not only does the stripe become scrambled over time, but the battery, which is constantly in the range of the magnetic field, will stay energized and keep broadcasting the signal untill.... well, until its dead. Typical prox cards are specced for about 10-20 access per day, with a usable lifespan of 5 years.
  
  Prox cards from HID (one of the biggest manufacturers of prox security equipment) are sold with a two-fold identifier: 4-digit site ID, and 6-digit card number. Yes, these are both printed on the card. Yes, HID keeps track of which company owns which site ID, so they can sell further stock in the future with the same site number...and also so they don't sell the same site number to someone else in the same region.
  
  Prox reader controllers (a closet component that is what the readers are wired to, each controller capable of holding a token-style chain of 127 modules that can each control up to 8 doors on each module) are programmed to accept only a certain set of site ID's. They keep a local database, updated at regular intervals from the master controller, a server (anywhere from 15 mins to an hour) of what card numbers within each site are allowed to access a specific reader/door combo.
  
  If the communications to the server is down, the controller tries to contact the nearest controllers it knows about (up to 255), which also keep the same database. If no redundundant communication to other controllers or to server is available either, the controller maintains its current memory and security settings for 72 hours from last communication. After that, no access is allowed at readers until communications are enabled again and a database synch is performed.
  
  Of course, this info is all dated to 2002, for Andover Controls security systems... but is pretty much standard to all prox systems.
In the words of the Paranoia RPG by Billosaur · 2006-11-30 05:46 · Score: 3, Funny
1. Stay alert
2. Trust no one
3. Keep your laser handy
--
GetOuttaMySpace - The Anti-Social Network
1 ream = 500 sheets by Anonymous Coward · 2006-11-30 05:51 · Score: 5, Funny

In this case I wrote his password on a ream of paper and tucked it under the machine.
That seems like an awful lot of effort, when you could just write it on one sheet. :)
Dont really need that. by Lumpy · 2006-11-30 05:52 · Score: 4, Insightful

$2000.00 cash and you can pay off the cleaning service people to let you in dressed as them. EASILY, sometime for far less. those people are so underpaid yet have access to the most secure parts of the company you can get in, get past the security guards without a second look and you are allowed to root around in secure areas on camera as you are supposed to be under each desk cleaning out trash.

Install a few key loggers, come back in a week and harvest them. No problem and easily undetected at any corporation. They probably will never suspect you even after they get massive hacks later because security typically is also underpaid and way under trained.

--
Do not look at laser with remaining good eye.
1. Re:Dont really need that. by shadwstalkr · 2006-11-30 08:07 · Score: 4, Insightful
  
  Why pay them? Just fill out an application and make a few extra bucks while you prepare for your big heist.
Re:Look under your keyboard... by DarthTaco · 2006-11-30 05:53 · Score: 4, Funny

thanks! I looked under my keyboard and found the jumpdrive I had been trying to find for weeks!
for the sake of clarity by Gary+W.+Longsine · 2006-11-30 05:54 · Score: 4, Insightful

Lying is a specific tool, not a blanket term for the various types of deception which may be employed in social engineering. Perhaps you think it sounds self-important, but that assumes that the only people who use the term are engaged in the practice. I think the term sounds reasonably descriptive and emotionally neutral, unlike "scamming" for example, and allows for the possibility that some people may engage in social engineering for non-harmful purposes.

--
If you mod me down, I shall become more powerful than you could possibly imagine.
Not news... but still useful by Khomar · 2006-11-30 05:55 · Score: 4, Insightful

It's not really news as it is just reaffirmation that the weakest link in security is the human factor. It's been a known problem that someone could just walk in and pretend to be tech support/help desk/repair for as long as their has been computers.

While this is not technically "news", it serves as a good reminder and notice of warning. As mentioned in the article...

Combine catching the bad guy and letting an organization know this type of theft and criminal behavior really exists, and you get one of the best tools in educating employees about vigilance and how to be proactive in security.

Hearing stories like this raises awareness for all of us, and reminds us of different ways that we can be exploited so that we can avoid them. Just like learning from history, it is always better to learn from someone else's mistake instead of learning it the hard way.

--
I believe in de-evolution. God made the world perfect, man fell, and its been going downhill ever since!
Employees are not conditioned to be security aware by simm1701 · 2006-11-30 05:58 · Score: 5, Interesting

I recently hired a car from a well known car company (I won't name them as in general I find them to be a very good company)

I normally hire from one particular branch and drop it back off there and as a regular customer known each of the staff by name, however on this occasion I was dropping the car back at the airport.

After parking up a guy came from a car in another bay (for the same car company) and asked if was dropping off one of their cars which I confirmed and told him it had come from my usual branch and not the airport. He asked to see the paperwork and did a check over the car - not a problem. After he gave me the paperwork back he asked for the keys. Since I didn't know him and he wasn't even wearing a uniform I asked to see ID, he couldn't provide it and all he did have was a stack of paperwork with the company letterhead in a file.

Well I'm afraid that isn't really good enoguh proof of ID - I told him I'd drop the key off at their desk (which is opposite my check in desk) since I had no way to know if he was an employee or not.

After dropping the key off at the office of the car company in the airport it turns out he was a legitimate employee but the question of ID has never come up.

I saw some of the otehr cars there - they are always brand new and while I usually take something like an astra or a vectra this being the airport car park had several jags and a merc or two. Its seems it would be a VERY easy way to obtain a few cars... park up, inspect the car, ask for the key.

Even if you get pulled over by the police you would just have to say its a hire car - a check of the registration would confirm that - these companies really should be a little more careful of their security!!

--
$_="Slashdotter";$syn="OTT";s;..;;;sub _{print shift||$_};s!ash!Perl !;s=$syn=ack=i;tr+LLEd+BLAH+;_"Just Another ";_
ObSneakers by Rob+T+Firefly · 2006-11-30 06:03 · Score: 4, Funny

"Gentlemen, your communication lines are vulnerable, your fire exits need to be monitored, your rent-a-cops are a tad undertrained. Outside of that everything seems to be just fine. You'll be getting our full report and analysis in a few days but first, who's got my check?"

--
Slashdot Burying Stories About Slashdot Media Owned
And why is it that way? by blueZ3 · 2006-11-30 06:05 · Score: 4, Insightful

Whenever I hear the usual rant about users having their password as a sticky note on their monitors, my instant reaction is "It's your fault, you goob!" I've worked lots of places where they've implemented a new "password security process" which requires you to switch your password regularly and which prevent you from using the same password for some ridiculous period of time and which disallow dictionary-based words/phrases.

Hello, McFly? Which is better: my having an easily-remembered but difficult-to-guess password that I never write down, or you forcing me to change my password frequently and then write it down because your policy makes me choose something obscure? My original password was fairly strong (a combination of upper and lowercase letters and numbers that are meaningful only to me) but when I'm forced to change to something new, it will be written down somewhere until it's committed to memory. Can you say "counterproductive"? How about "unintended consequences"?

Of course, I understand that a lot of these policies are based on out-dated recommendations and come down from on high. However, it would be nice if those making these "rules" to realize that most users have other things to do besides remembering a constantly changing set of passwords. Oh, BTW -- my new password is "theCIOsucks!" :-)

--
Interested in a Flash-based MAME front end? Visit mame.danzbb.com
1. Re:And why is it that way? by Maxo-Texas · 2006-11-30 06:12 · Score: 4, Interesting
  
  Completely agree.
  
  I went from very secure passwords to insecure passwords written down on paper slips as a direct result of our security policy.
  
  1) Change every 90 days (up from 60 at least. that was really bad).
  2) no repeating letters or numbers
  3) no letter or number in the same position as last password.
  4) must have a number
  5) not be a word in a dictionary
  Starting password something like
  YuL1P3729 (the last 4 digits were what changed- they were an old phone number- I slid through it horizontally)
  
  Current password something like
  secre1t
  I have about 8 passwords.
  And they are all on a yellow sticky on my desktop.
  
  --
  She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
2. Re:And why is it that way? by Beryllium+Sphere(tm) · 2006-11-30 06:50 · Score: 4, Interesting
  
  My explanation of why you *should* write down your password. Bruce Scheier has made the same point.
  
  All of which is really a distraction. Sticky notes on the monitors? If someone's that close they can install a hardware keylogger in a matter of seconds or RAT and rootkit the machine with a live CD in a few minutes. The only security improvement you get from taking down the sticky notes is against casual or opportunistic attacks, which is not nothing, but face the fact that physical access means Game Over.
True story. by Maxo-Texas · 2006-11-30 06:05 · Score: 5, Interesting

Friend of a friend got a job doing security audits for a major energy company here in houston.

1) He broke into a top nuclear facility by holding a box and asking the person ahead of him to hold the door.
2) He set off the "man trap" and found he could easily climb out of it.
3) He found out the heavily secure facility had secure areas protected by sheetrock walls in some areas.

He finally embarrassed so many people that they posted a picture of his face to all employees with a warning to be careful. That destroyed his effectiveness. Some solution.

But that's the real world for you.

--
She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
1. Re:True story. by Joe+Snipe · 2006-11-30 06:52 · Score: 3, Funny
  
  what the hell is a man-trap?
  
  --
  Sometimes, life itself is sarcasm...
2. Re:True story. by Beryllium+Sphere(tm) · 2006-11-30 07:04 · Score: 4, Informative
  
  It's like an airlock: two doors in series, only one of which can open at a time. Crooks hate things that could slow down a getaway and if you implement your access check on someone in the middle with both doors locked, well, if they're a crook you've got them in custody.
3. Re:True story. by Danny+Rathjens · 2006-11-30 07:35 · Score: 4, Interesting
  
  Most nuclear power facilities are run by private companies, but a separate government organization is responsible for safety inspections. When a government inspector finds something wrong, the company involved can face massives fines.
  I know a guy who was an inspector at our local nuclear power plant. He said that once he found a guard sleeping so he went and got the supervisor so it could be documented. On the way back, he said the supervisor was talking loudly and stomping his feet. Not surprisingly, the guy was awake when they reached him, and consequently, that supervisor saved the power company a couple hundred thousand dollars.
  He did learn his lesson, and in later similar situations would only tell supervisors to come with him and not the reason. :)
4. Re:True story. by Maxo-Texas · 2006-11-30 08:12 · Score: 3, Insightful
  
  And in this case, the airlock had a standard drop in tile false ceiling. The real concrete ceiling/floor of second story was 2' above the false ceiling.
  
  He apparently reached up, grabbed the wall, pushed up the ceiling panel, and climbed up easily using the door handle to step on. It held him about 30 seconds.
  
  --
  She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
negative vs positive by theStorminMormon · 2006-11-30 06:12 · Score: 5, Insightful

I've been thinking about the article. It seems to me that such an abject failure to prevent a security breach could be more demoralizing than instructive. In most companies, the employees are not going to be security-savy, and they will not question a potential intruder. When the penetration test is successful everyone just feels stupid and slightly used. That's my guess at how the bank employees would react when the boss let them know that they got totally hacked.

Instead, for those bosses with less scruples, you'd probably get more bang for your buck by faking the penetration test. Hire some dude to try to get in, and arrange some employee to "catch" him. Then you get to circulate the news that you were successful because an employee did the right thing. I think the information would be just as instructive (always ask for outside confirmation of vendor reps), but instead of being depressing (you guys all failed to do the right thing) it could be empowering (it's easy to do the right thing, and one of you managed to do it).

Is penetration testing even worth the money for a system as obviously insecure as this one? If, as the article claims, these attempts succeed 9 times out of 10, then you don't need to pay for the penetration test to know your company will fail. Does a bank manager really need to pay someone to tell them the obvious? They should take some proactive steps towards security-enhancements first, and save the penetration testing for when they actually think they have a somewhat hardened system (social and technical) to penetrate.

-stormin

--
The Southern Baptist Convention has creationism. On Slashdot, we have porn.
teach employees? by Lord+Ender · 2006-11-30 06:14 · Score: 5, Insightful

Teaching employees to police each other at the door does NOT help security. It does not work. All the awareness training in the world is wasted money because "politeness" is built in to our culture.

If I'm walking out the door, and someone coming in catches the door after I walk out, am I going to stop, turn around, go back in the building, stop the person on the way to the stairs, force him to follow me back to the badge reader, and wait to make sure his badge is accepted by the reader? No.

It will never happen.

Even if your security awareness training is so successful that 50% of your employees do this, an intruder only has to try twice to get in. You gain nothing.

Employee-enforced physical security is a farce. You will ONLY have real physical security if you have a dedicated security guard who checks every badge and photo-ID for every person entering the building.

--
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
Re:For the love of all things holy by Anonymous Coward · 2006-11-30 06:15 · Score: 3, Insightful

Yes it is lying, however its also quite a bit more than that.

Its a con. Plain and simple. Since you generally know the conversation and physical scenario that is going to take place, all that is needed is some improv. Thats why I state its a bit more than lying. You're feeding off of the targets lack of awareness, willfullness to give information, and general good nature, as 'everything seems to be in order' with your physical presence.

As far as distinction in vocabulary and vernacular of language, that would just gloss over any doubts the unwilling participant might have in most cases. Try that tactic against the wrong sort, and you will easily out yourself as an imposter.

neowun, have you actually manipulated people for fun, profit, or other? If not, you should try it sometime. It will give you a better sense of the spectrum that is 'social awareness' i.e., common sense.
Re:Amazing! by jacks0n · 2006-11-30 06:18 · Score: 3, Insightful

moderator sarcasm
If you call them on it, people get upset. by Animats · 2006-11-30 06:42 · Score: 4, Interesting

Some months back, I saw some people working on the phone lines outside my house. They knocked off my DSL connection, so I went out to see what they were doing. They didn't have an SBC truck, so I asked to see their ID. Classically, telcos were very careful about issuing picture IDs to all employees authorized to meet the public or work on plant. There's even a notice in most telephone directories about it, telling customers that all telephone employees are required to carry a telco photo ID.
They didn't have SBC IDs. So I called SBC repair service via a cell phone. They didn't have a clue. So I called 911 and had the local cops come out. They ask the guys for phone company ID, and the techs don't have it. Twenty minutes of confusion as the techs and the cops are calling various parties.
Turned out that SBC had quietly been "outsourcing" some routine outside plant work, and had been sloppy about issuing credentials to the outsourcing contractor. Tied up four techs and two cops for half an hour to straighten that out.
That's what happens when you do it right. Annoys everybody.
Re:Backwords by rthille · 2006-11-30 06:46 · Score: 4, Funny

Which is why you should bang your mistress in the back of the theater.

--
Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
Re:Man I Wish... by 6Yankee · 2006-11-30 09:58 · Score: 4, Funny
If you ever do get the chance, just remember the basic rule of any pen test:
- Get permission first or you'll end up in a world of trouble. Given the likely circumstances of this particular test, I strongly recommend that you cover your ass.
- File a report afterwards, or your mark may never know you were in there - with this target, and especially with your particular toolset, such an outcome is especially likely. :P
Yes, I have mod points, but this seemed like more fun :)