First-Person Account of a Social Engineering Attack

darkreadingman writes, "A penetration tester tells how he broke into a bank's network dressed as a copier repairman. Some good lessons here — many companies spend millions on network security, but don't teach their employees how to challenge a stranger in the building. Social engineering at the company site can be one of the most difficult attacks to defend against." From the article: "Before departing scenes like these, we try to document the effort and provide proof of our success. I usually leave something behind and then contact the person who hired me and direct them to the mark. In this case I wrote his password on a ream of paper and tucked it under the machine."

Hmm...

[The+Zon]

You know, I was wondering why that guy needed my password to fix the copier.

Re:Hmm...

Because you don't get karma for Funny moderations any more, so some moderators like to throw in an Insightful moderation for funny comments.

Yikes! So much effort!

[moore.dustin]

I know for a fact if he came to my office and attempted to get passwords that way, he put in way to much effort. All you need to do at this place is look over someones shoulder at the sticky note stuck to the monitor.

I think it goes without saying that anyone getting into your office claiming to be someone they aren't is a threat. Hacker or otherwise, they can easily get information they want with a "hall pass" for the whole building.

Re:Yikes! So much effort!

[Negadecimal]

I think a bank requires a little more awareness on the part of the staff than most offices.

That's an understatement. My wife's bank doesn't even have wastebaskets at teller stations, for fear that an account number could end up in the dumpster out back. All paper is either quickly shredded or couriered daily to a processing center. Loose sheets - even a sticky note - are verboten.

Each teller has a binder on hand that contains security procedures specific to the teller. When one teller accidentally grabbed another's binder a few month ago, the whole branch had to do a security update, which included a two-hour procedure to change the vault codes.

Re:Yikes! So much effort!

[mrogers]

Yeah I imagine all the money's sitting in a shared folder on the secretary's PC. Never mind a dozen key strokes, you can probably just drag and drop.

"Are you sure you want to replace 'Teh Money.xls', size $13.28, modified 11/21/2006, with 'Teh Money.xls', size $1,000,000.00, modified 11/30/2006? [OK] [Cancel]"

Re:Yikes! So much effort!

[erpbridge]

Card printers with stripe encoders are fairly inexpensive. In 2000, picked one up for a previous employer for $400.

However, also being the guy who ran the prox card access system, I can tell you this: Prox cards are not easy to reprogram. They are usually hard coded with technology that resembles a primitive form of a RFID chip and small battery that only energizes when in the prescence of a mildly strong magnetic field (more than kitchen refrigerator magnets, but not as strong as the rare earth magnets you can buy for cheap), has a transmit range of 6 inches, and is attached to a antenna/induction coil loop that circles the length of the card about 5-10 loops.

Theres a reason you don't leave a prox card on top of a unchielded stereo speaker... Not only does the stripe become scrambled over time, but the battery, which is constantly in the range of the magnetic field, will stay energized and keep broadcasting the signal untill.... well, until its dead. Typical prox cards are specced for about 10-20 access per day, with a usable lifespan of 5 years.

Prox cards from HID (one of the biggest manufacturers of prox security equipment) are sold with a two-fold identifier: 4-digit site ID, and 6-digit card number. Yes, these are both printed on the card. Yes, HID keeps track of which company owns which site ID, so they can sell further stock in the future with the same site number...and also so they don't sell the same site number to someone else in the same region.

Prox reader controllers (a closet component that is what the readers are wired to, each controller capable of holding a token-style chain of 127 modules that can each control up to 8 doors on each module) are programmed to accept only a certain set of site ID's. They keep a local database, updated at regular intervals from the master controller, a server (anywhere from 15 mins to an hour) of what card numbers within each site are allowed to access a specific reader/door combo.

If the communications to the server is down, the controller tries to contact the nearest controllers it knows about (up to 255), which also keep the same database. If no redundundant communication to other controllers or to server is available either, the controller maintains its current memory and security settings for 72 hours from last communication. After that, no access is allowed at readers until communications are enabled again and a database synch is performed.

Of course, this info is all dated to 2002, for Andover Controls security systems... but is pretty much standard to all prox systems.

1 ream = 500 sheets

In this case I wrote his password on a ream of paper and tucked it under the machine.
That seems like an awful lot of effort, when you could just write it on one sheet. :)

Employees are not conditioned to be security aware

[simm1701]

I recently hired a car from a well known car company (I won't name them as in general I find them to be a very good company)

I normally hire from one particular branch and drop it back off there and as a regular customer known each of the staff by name, however on this occasion I was dropping the car back at the airport.

After parking up a guy came from a car in another bay (for the same car company) and asked if was dropping off one of their cars which I confirmed and told him it had come from my usual branch and not the airport. He asked to see the paperwork and did a check over the car - not a problem. After he gave me the paperwork back he asked for the keys. Since I didn't know him and he wasn't even wearing a uniform I asked to see ID, he couldn't provide it and all he did have was a stack of paperwork with the company letterhead in a file.

Well I'm afraid that isn't really good enoguh proof of ID - I told him I'd drop the key off at their desk (which is opposite my check in desk) since I had no way to know if he was an employee or not.

After dropping the key off at the office of the car company in the airport it turns out he was a legitimate employee but the question of ID has never come up.

I saw some of the otehr cars there - they are always brand new and while I usually take something like an astra or a vectra this being the airport car park had several jags and a merc or two. Its seems it would be a VERY easy way to obtain a few cars... park up, inspect the car, ask for the key.

Even if you get pulled over by the police you would just have to say its a hire car - a check of the registration would confirm that - these companies really should be a little more careful of their security!!

True story.

[Maxo-Texas]

Friend of a friend got a job doing security audits for a major energy company here in houston.

1) He broke into a top nuclear facility by holding a box and asking the person ahead of him to hold the door.
2) He set off the "man trap" and found he could easily climb out of it.
3) He found out the heavily secure facility had secure areas protected by sheetrock walls in some areas.

He finally embarrassed so many people that they posted a picture of his face to all employees with a warning to be careful. That destroyed his effectiveness. Some solution.

But that's the real world for you.

negative vs positive

[theStorminMormon]

I've been thinking about the article. It seems to me that such an abject failure to prevent a security breach could be more demoralizing than instructive. In most companies, the employees are not going to be security-savy, and they will not question a potential intruder. When the penetration test is successful everyone just feels stupid and slightly used. That's my guess at how the bank employees would react when the boss let them know that they got totally hacked.

Instead, for those bosses with less scruples, you'd probably get more bang for your buck by faking the penetration test. Hire some dude to try to get in, and arrange some employee to "catch" him. Then you get to circulate the news that you were successful because an employee did the right thing. I think the information would be just as instructive (always ask for outside confirmation of vendor reps), but instead of being depressing (you guys all failed to do the right thing) it could be empowering (it's easy to do the right thing, and one of you managed to do it).

Is penetration testing even worth the money for a system as obviously insecure as this one? If, as the article claims, these attempts succeed 9 times out of 10, then you don't need to pay for the penetration test to know your company will fail. Does a bank manager really need to pay someone to tell them the obvious? They should take some proactive steps towards security-enhancements first, and save the penetration testing for when they actually think they have a somewhat hardened system (social and technical) to penetrate.

-stormin

teach employees?

[Lord+Ender]

Teaching employees to police each other at the door does NOT help security. It does not work. All the awareness training in the world is wasted money because "politeness" is built in to our culture.

If I'm walking out the door, and someone coming in catches the door after I walk out, am I going to stop, turn around, go back in the building, stop the person on the way to the stairs, force him to follow me back to the badge reader, and wait to make sure his badge is accepted by the reader? No.

It will never happen.

Even if your security awareness training is so successful that 50% of your employees do this, an intruder only has to try twice to get in. You gain nothing.

Employee-enforced physical security is a farce. You will ONLY have real physical security if you have a dedicated security guard who checks every badge and photo-ID for every person entering the building.