HACKING WETWARE
- SOCIAL ENGINEERING
All computer systems are made up of
three essential systems which are
all co-dependent. These three are:
- Hardware, this is the actual physical components making up the
computer system
- Software, these are the logical programs which give the hardware
it's functionality
- Wetware, this encompasses the users of the above two systems.
Wetware is the weakest link in this
setup. These days you need at least
some technical expertise to perform an attack on the hardware or the
software systems. Hacking people -or conning them- is a lot easier. You
ask any
IT person who has been around the block once or twice; "What is the
easiest way to get someone's password?", and I am certain they will
answer something along the lines of "Ask them for it". And
you know what? It works! This is called "Social Engineering" which can
be nicely defined as manipulating people to gain information or access
you should not have. The weakest link in any setup is always the people
using it or looking after it. So lets look at this problem in more
detail.
Why is there a
problem?
Attackers can perform these types
of attacks over the phone, with email
or direct contact. Basically anyway that they can "access" the people
using the system. But how do they use that access? thats the catch...
- If you look nice or sound nice
you must be nice.
Like it or not, people judge other people by how they look, act and
sound. If you
look like a technician, act like one and sound like one, then people
will generally assume you are one. You will be surprised how often just
being confident and acting like you belong somewhere gets people to
think that perhaps you actually have got a right to be there. Now think
about the people who tend to have a large degree of access around your
systems, like cleaners.
- Confidence counts.
We mentioned this previously, but it is very
important. Even the best costume and the most blatant name-dropping
will not help if the social engineer seems nervous. When a person
appears confident and assured about who they are, what they are doing
and where they are going to, they are very seldom questioned.
- Default trust.
People generally trust other people until they are
given a reason not too. This is a very normal and common behavioral
pattern, otherwise we would spend our days huddled in a corner. But
that still does not stop attackers from using this trait to their
advantage.
- People like to help.
We are all conditioned from an early age to try to help where we can,
society encourages this behavior. Again this is a normal and good
behavioral pattern, but it is also one exploited by attackers.
- People like to feel important.
Not everyone is a CEO or Lead Scientist or some other VIP, in fact for
every one of these people there are probably a couple hundred everyday
workers. But everyone wants to feel important, we all want to feel
special, listened to, to have attention paid to us. So when an
attacker preys on these feelings, they can generally find easy targets.
They won't
catch my staff...
Social engineering can include a
person trying to go in "cold", in other words, without knowing anything
about your company and it's people. Sometimes they may even succeed,
but generally they do a bit of research in order to make their
"attacks" more realistic, more tailored. How do they do this? Quite
easily as it turns out...
- Corporate
Knowledge.
Companies very often publish contact details with names on their
websites, sometimes with addresses. Sometimes you find an address book.
Searching for published articles relating to or about the company, can
also yield a wealth of information. Running searches through online
usergroups can also give out details. Heck, if you trawl through online
resume sites, where someone currently working at the company has posted
their resume, you will be surprised at what you find.
- Corporate
Trash.
Do you know what you throw away? All those print-outs, think about
whats on them. Old IT equipment, imagine seeing whats on those old
tapes or hard-drives. What about old intra-company literature? With
phone lists and name lists.
- Networking.
When your staff go out to lunch or to a pub after work, who do they
talk to? What do they say? What about when your staff go to
conferences? Thats a prime place for attackers to chat to people and
find out more.
- Ask.
What do your staff do when
someone phones looking for the IT manager because they want to send a
CV through, then they ask for the email address as well? Generally just
asking for information with a semi-plausible reason will get you the
information you want.
But so what?
The scope for social engineering
attacks is limited only by the attackers imagination and the
gullibility
of people, this means that it is a very diverse field and the attacks
can have different "payloads". They are also a class of attacks which
are difficult to fully list, but lets take look at some of the more
common types of
these attacks...
- Ask
and ye shall receive.
We have touched on this before but you will be surprised at what you
can get by asking. Imagine this; a smartly dressed person walks into
your company and speaks to your receptionist. They say they are from
XXX technology company, and that you are actually one of their biggest
clients, and his company has asked him to send some small token of
appreciation to the IT team, but he doesn't want to mess up. Can he
just have phone list so that he gets the spelling of their names right?
If he gets this, he now has names, numbers, possibly email addresses
and
whatever else. This information can be used in many ways.
- Impersonation.
This is a classic class of attack. Here the attacker impersonates
someone in order to perpetrate the attack. Imagine this; one of your
staff gets a call, the lady on the other end knows them by name,
identifies herself with a known name and phone number of an IT person.
She then says that she has heard that the staff members
internet/email/whatever has been slow and she would like to take a look
at it. Could she have his username and password to just check it out.
She can also mention the names of some people around him to further the
illusion that she is from the company. If she gets this information,
she now has a valid username and password to get onto the system.
- Mislead.
This is similar to the impersonation, but with a twist. Here the
attacker gets access or information by misleading someone about their
intent. Imagine this; a person comes into the building and says that he
is a fire inspector and he is here to inspect the premises for
compliance with the new building code 12ID1T. If you do not mind he
just needs to go to some areas of the building and take some air
samples and readings. He walks around, and can see any documentation
lying around which could include passwords, phone lists, pretty much
anything printed and not nailed down. And if he is not watched, then he
may even take them with.
- Anger.
This attack takes a different tack, it uses emotion to throw a person
off balance and thus give out information. Imagine this; a lady phones
the receptionist, and starts off loud and very angry complaining about
poor service and loss of time and anything else. She demands to speak
to the manager, in fact, she wants the managers direct line, email
address and cellphone number just so that she knows she will be able to
get in touch with him, or else she will involve the papers or lawyers
or who knows what. The poor receptionist will most likely give her the
details just so that she does not have to deal with it.
- Flatter.
Same as the above approach just from the opposite angle. Here the
attacker makes the staff member feel important and therefore more
helpful. Imagine this; a junior technician gets a call from some guy,
he
says he is part of the audit team busy working with finance, and the
finance director told him that if he needed any help he was to call the
technician direct because he knew what he was doing and would be able
to
help. Now he is trying to get onto the wireless network just to share
some files quickly, could he please have the wireless key to connect,
thats it. He does not want to take the technician away from doing
other more important work. How often do you think the technician will
give up the wireless key?
- Terminology.
This attack can stand on its
on, but is more often used to make other social engineering attacks
more successful. Company staff are used to certain people having
certain nicknames, or certain processes being called something. Every
company has its own slang and culture, if the attacker can use the same
slang and references it gets straight away puts people off their guard.
I like to think of it as putting the attack into context.
It cannot get
worse..
Yes it can. A lot worse. Remember
that the information gained from social engineering attacks may not of
itself mean a compromise, but it can be easily used to make a
normal cyberattack more successful. For example, if you have a list of
names, it makes choosing usernames to bruteforce a lot easier. If you
have the titles of people, you can further refine your attempts. Social
engineering can at worst result in an easy compromise, and at best can
make a normal attack more focused and successful. Social engineering
attacks have spawned many other areas which are complete topics and
attacks in their own right;
- Phishing,
using email to harvest
a persons sensitive details using crafted emails, websites and anything
else.
- ID
theft, using information about a
person to impersonate them in order to steal money, credit, even
-in one case- a house.
- Privacy
Invasion, selling
personal information to other people for purposes ranging from
marketing to robbery.
- Dumpster
diving, going through a
companies trash in order to steal information.
- Malware,
using cleverly crafted
emails or web pages to get users to install software -or allow it to be
installed- which gives an attacker access.
- Social engineering viruses,
all those fake virus emails, prank emails, etc. Not only do they waste
considerable resources in bandwidth, disk space, etc. But if a user
actually listens to them they can get the user to cause damage
to their own machine.
What do I do?
This one is difficult, you see the
only real protection is education. The problem is that (and I know I am
going to get nailed for this), some people are either too thick to
listen or just do not want to listen. Assuming you are one of those
lucky and blessed people who do not have to worry about these 2 classes
of people, then you must educate your users. Teach them what
information they should never give out, teach them to always make sure
about who they are talking to, phoning a person back is a helpful step.
Also consider the idea of a chokepoint applied to social engineering,
instead of asking the users to think, just tell them to redirect all
queries to one person, and make sure that person knows what they are
doing. Lastly, when doing a penetration test on your network, remember
to test the staff as well.
Final Words
Social engineering attacks are not
a nice neat package of attacks, there is no easy answer or fix (Well
actually there is no real easy fix for any class of attacks, but the
vendors would like you to think otherwise). There is no software or
appliance you can buy to sort the problem out. This is when a company's
commitment to information security is tested, because only with proper
management support, proper policies in place, training and vigilance
will you have a chance of stopping these attacks. Have fun and learn.