“Hi, this is Robert Downs from Dell support — I got redirected to this number by accident by the guy I called, is this Guy?”
“Hi Robert — I’m the receptionist, Donna, I could redirect you to Guy — do you know his extension?”
“Well he said he was pretty busy but I just need a few generic questions to close out this help ticket so I can go home — do you think you can help?”
“Uh, I don’t know…”
“Please? It’s after 7 here and I really got to go home. It’s just a second”
“Um. Ok, sure.”
What operating system do you use?
>>XP
What web browsers do you have on your PC?
>>Firefox 2.0 and IE6
Do you use Outlook?
>>No, we use a webmail
When was the last time you updated?
>>The IT team does updates every Tuesday night.
What version of Acrobat Reader do you have?
>>7
What’s your antivirus/endpoint security brand?
>>McAfee endpoint security.
It might not look like it at first, but Mr. “Downs” from “Dell technical support” is a hacker who just obtained enough reconnaissance to compromise users and servers inside the target company — an act that costs US companies an average of $6,751,451 per data breach incident according to a Ponemon Research study.
Now, if I walked up to you on the street and asked you those questions out of the blue, you’d likely be either annoyed or (hopefully) suspicious. However, if I called your secretary at her desk and told her I was from Dell solving a problem and I want to get off quickly because I’m a working stiff with a family too — that might be a different story. She might tell me she’s on Windows, and that the IT team pushes updates every Tuesday, and that she uses webmail and Internet Explorer 6. Maybe she’ll even give out her email address so that I can send her a message to close out the ticket, with a link that takes her to another website for analysis or exploitation through a hole I found in Dell’s website (cross-site scripting attacks in vulnerable websites make this attack method very easy to do). Hackers that can con people into giving up information or helping them gain unauthorized access are known as social engineers (this term is also used for con artists).
A good hacker knows that a good hack involves three things:
Vulnerability
Exploitation
Maintenance of access
Talking to that secretary gave us a lot of information — the antivirus vendor and version of Internet Explorer being the most important among other things. This tells us what the system is vulnerable to — in this case IE6 vulnerabilities. Knowing the antivirus lets us know what vulnerabilities will be detected or stopped unless they are re-written or modified. With very little work we can probably find a way to circumvent any signature-based antivirus for a payload and a working exploit on a system with a profile similar to that described by the secretary. Now we have both a vulnerability and a method with which we will exploit it. Finally, the secretary informed us that patches to systems are done on Tuesdays — so we can have up to a week after successful exploitation to develop a system to maintain access either through reverse shells or an autonomous setup, which should be easy to do once we are in and get the lay of the network. It’s very easy to find and package exploits with the wide availability of large databases of viruses and exploits (I regularly check several exploit databases to stay on top of trends).
It seems like a lot of information in a seemingly innocuous less-than-5-minute conversation. Now consider the fact that I also got her to expect an email with a link — with that I can collect information like IP addresses, computer names, MAC addresses, perhaps the last few websites the receptionist has gone to, the exact web browser version, and more. It’s easy to see where this information begins to take a sinister turn into a goldmine of potentially exploitable information.
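To make the point above concrete for awareness training, here is an added example (not part of the original article) that reads a web server access log and reports what a single click on an emailed link hands to whoever runs the site: the source IP, the referring page, and the browser and operating system from the User-Agent header. The log lines are constructed samples, and the function name disclosed_by_click is an assumption of this example; it covers only the fields present in a standard combined-format log line.

```python
import re

# Combined Log Format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
# Windows NT tokens as they appear in User-Agent strings.
WINDOWS_NT = {"5.0": "Windows 2000", "5.1": "Windows XP",
              "6.0": "Windows Vista", "6.1": "Windows 7"}
BROWSERS = [
    ("Internet Explorer", re.compile(r"MSIE (\d+(?:\.\d+)*)")),
    ("Firefox", re.compile(r"Firefox/(\d+(?:\.\d+)*)")),
]

def disclosed_by_click(line):
    """Return what one logged request tells the site operator, or None if unparseable."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    agent = m.group("agent")
    browser = None
    for name, pattern in BROWSERS:
        hit = pattern.search(agent)
        if hit:
            browser = f"{name} {hit.group(1)}"
            break
    nt = re.search(r"Windows NT (\d+\.\d+)", agent)
    os_name = None
    if nt:
        os_name = WINDOWS_NT.get(nt.group(1), "Windows NT " + nt.group(1))
    referer = m.group("referer")
    return {
        "source_ip": m.group("ip"),
        "came_from": None if referer in ("", "-") else referer,
        "browser": browser,
        "os": os_name,
    }

# Constructed sample lines (documentation IP range, example.com hosts).
SAMPLE_LINES = [
    '203.0.113.25 - - [12/Oct/2010:19:07:44 -0400] "GET /ticket HTTP/1.1" 200 512 '
    '"http://webmail.example.com/inbox" '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"',
    '203.0.113.25 - - [12/Oct/2010:19:09:02 -0400] "GET /ticket HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) '
    'Gecko/20081217 Firefox/2.0.0.20"',
]

if __name__ == "__main__":
    for entry in SAMPLE_LINES:
        print(disclosed_by_click(entry))
```

Showing staff this output for their own workstation is a quick way to demonstrate that the click confirms the same details the caller was asking for on the phone.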
People such as the once-infamous Kevin Mitnick have long used these con-artist techniques to gain unauthorized access to computer systems. In fact, most of what Mr. Mitnick did to gain unauthorized access to computer systems was social engineering, not hacking. He knew what to say, how to say it and who to say it to by doing his homework on how his targeted industries and businesses operate. Most of his techniques and how he used them to exploit his targets are explained in detail in his book The Art of Deception, which goes in depth on techniques to prevent and close human security breaches. Hackers use social engineering so much that this year at Defcon 18 hackers competed in a game in which they researched and called companies to get information from them that could be used later to compromise their security. Every single one of the companies that were involved in the game failed to adequately protect themselves from the hackers-turned-conmen (10 companies, 80 hackers, 3 failed calls), and several hackers were even able to score extra points by convincing personnel to visit websites under their control. [link to defcon 18 game]
Train your personnel in how to spot people who are going the extra mile to get information about your company to do real damage to it (not drive-by browser exploits and page-jacking). It isn’t enough to have endpoint protection or antivirus systems in place. People need to be coached on what information to give out and what to keep, especially people who have access to sensitive information or who handle many calls every day. Go through this process with your employees frequently: perhaps place a flyer on company phones reminding them not to give out information on the computer systems, or bring it up at company meetings or as part of the new-hire routine training. New hires are the favorite targets of any social engineer: they’re eager to help and do not yet know the rules.
Also, regularly shred important documents with good shredders or shredding services, and securely destroy hard drive data (DOD mandates a 7-pass write-over wipe to prevent re-reading). Make sure that you aren’t encouraging a workplace environment where it is not OK to question management for the correct credentials when employees are being told to perform sensitive operations like changing passwords. Let your employees know that rules apply to everyone and they will know to stick with them every time — even if it means asking the “new boss from the Cleveland office” who’s forgotten his recovery question for more information to confirm his identity. It’s important to be proactive and prevent your company from losing face before an incident happens, even if you’re small.