Social Engineering : The Human Exploit

[Morally.Corrupted]

As it pertains to Computer Security - here is an article I wrote on Social Engineering for my blog (blog.morallycorrupted.net) and I've posted it to a few others out there but felt the need to add it here as well to increase discussion on the topic.

 

What is Social Engineering?

 

Social Engineering is a collection of human exploit techniques designed to manipulate people into performing actions and/or confiding personal information with malicious intent. These human exploits make even the most secure networks susceptible to remote attacks.

 

Persons of any level of intelligence are vulnerable to deception by an experienced Social Engineer.

 

“THE IT SCENARIO”

 

“Good Morning, this is Chip from the IT department. We have received numerous phone calls from throughout the building regarding network outages. Have you yourself experienced any issues this morning with connectivity? …. Well it appears as though from what I’ve established so far the latency issue seems to be stemming from somewhere in your department. I’d like to run a few system checks to see what the connection speeds are from your machine but I’m not at my desk at the moment so I am unable to pull up your login credentials. I’m going to go ahead and login remotely from the station I am working at right now, you’ll see me playing around with the mouse on your screen once I have connected…. I promise not to close out to many of your unsaved documents while I run my tests (laugh). Ok, what is your username and password…”

 

“Pretexting” is a social engineering method by which an invented scenario is created ,such as the example above to persuade an individual to freely disclose vital information or perform a task. This method of social engineering is generally done remotely via the phone. Much like other methods pretexting requires a fair amount of reconnisance work to make the scenario more believable. The more information you have readily available about the target and the task or information you want them to preform and/or divuldge the more plausible your scenario will appear thus creating a more solid sense of trust between you and the individual.

 

To the majority of business professionals’ working day to day in corporate America this conversation would have seemed completely innocuous and they would have been happy to divulge their system information thus allowing someone else to access their machine through a remote desktop connection thus making the network susceptible to an attack.

 

This is but only one example of the techniques used by Social Engineers.

Reconnaissance

 

Information gathering and data mining are an essential part of successfully Social Engineering a target. There are countless techniques and tools to use in preparation, and the amount of information varies based on the target and magnitude of the attack.

 

Some of these techniques and tools are “Dumpster Diving” and “Shoulder Surfing”, as well as computer based mining tools like Google and Maltego. While it is nice to stay fresh smelling and use the web to crawl for your information sometimes there is no substitute for doing the dirty work the old fashioned way.

 

“Dumpster Diving” is one of the oldest forms of information reconnaissance. Remember, this isn’t the Olympics and there are no points for form so forget about doing the half-pike off the dock into the 30yard dumpster and just get in there and search!

 

A word of caution on this part, Dumpster diving itself is not a federal crime, while some state and local ordinances may supersede this, trash picking is in itself not a crime and does not violate a companies or individuals rights to privacy under common law as stated in the California v. Greenwood U.S Supreme Court case. That being said, trespassing is illegal!

 

Business and Individuals alike discard sensitive information in regular unsecured waste refuse containers everyday including printouts with passwords, credit card information, email listings, internal phone directories, etc. This information can then be used to gain access directly to the network in some cases or as background information for a more sophisticated social engineering scenario.

 

Many companies as of late have contracted out to third party shredding providers to help cut down and eliminate the amount of sensitive materials that are discarded in the normal waste refuse. That being said, a large number employee still discard materials at their own workstation versus the provided alternative receptacles so the information is still out there you just need to be willing to do the dirty work.

 

“Shoulder Surfing” is another form of tech-less information gathering. It refers to the direct observation of individuals in an attempt to gain privilege information such as login credentials, PIN #’s, etc.. This method is extremely effective when executed in a crowd, as it is easier to stand near the individual without being overly suspicious.

 

An afternoon of coffee and lattes in a public area or even a trip to the gym can yield a vast amount of information. Overwhelming amounts of people are creatures of habit and repetition; this makes them more susceptible to being exploited. People become fixated on numbers and use them over and over again. Locker combos are their voice-mail password, their voice-mail password their bank PIN #, their bank PIN # their birthday, etc. Why? Because the numbers are easier to remember that way.

 

“The Friendly Stranger” is another technique that follows along more so with the confidence man scams of the late 50’s only done now so for information versus material items. Unlike Pretexting scenarios that are usually initiated via the phone, The Friendly Stranger requires direct contact with your target.

 

An example of this technique would be to initiate a friendly chat with your target at a local bar. You seat yourself next to the target and then casually introduce yourself at an opportune time. After building up a dialog with the individual wait for a “Bridge” moment to arise in which you can introduce important information elements into the conversation.

 

A “Bridge” moment is a timed opportunity to bridge a conversation to a key topic. An example of this is if a dog food commercial appears on the television, you could initiate a “Bridge” moment by sharing that you had a dog once when you were a child that looked just like that, share his/her name, and then pose a question to the individual as to whether or not they ever had a dog before and what was his/her name. In appearance it’s a very harmless question but in reality that answer could allow you access to their email address later as numerous online email account use simple security questions like “What was your first pets name?” as a security question in the event that you loose your login credentials and need to have them reset.

 

With a little precursory knowledge about the various email providers, most of the security questions that they pose in the event of lost credentials are topics that could be raised in a friendly everyday conversation. This type of account security measure is also used by other online entities as well such as Myspace.com, Facebook.com, etc…

 

Google and the “Googledork” - “Google search engine is a endless source of information, you need only to know how to find it.”

 

Almost anything you ever need to know about any subject you can find on Google. Search modifiers allow for more specific search strings in google(i.e. inurl:, intitle:, indexof:, filetype:[modifier], rphonebook:, bphonebook:, etc..) These are but a few examples of Google search directorives. When used correctly they create specific search strings to narrow down the results.

 

Why would google play a part in Social Engineering? Simple, Google indexes just about everything on the net such as social networking sites, forums, articles, phonebooks, and the list goes on. With a wealth of information cached away it can provide you with all you need to know.

 

“Maltego” is an open source program designed to graphically displayed 6 degrees of separation but for real world relationships and links between people, companies, organization, affiliations, etc… Maltego is a collection of modules linked together in an open source framework.

 

Maltego provides you with the ability to quickly and accurately establish connections between individuals and companies even making it possible to see hidden connections. It’s unique in that its core framework can be customized and adapted to meet your specific needs. The use of Maltego’s extensive modules for the information gathering phase make it possible to work faster and more accurately in establishing connections.

 

There are countless other methods of gaining information for Social Engineering recon. Company PBX voicemail systems are good for establishing names of people within the company using the dial name or department. This way when you are crafting your scenario you are able to incorporate more valid information into your scenario thus making it more plausible.

 

The Scenario

 

The human element is the variable in Social Engineering. Mainframes, crypto, MD5 hash passwords, etc.. they are the constants. No two Social Engineering feats will ever be the same as no two people will ever react in exactly the same manner so it all comes down to the scenario. This is the manner in which you put forth the information you have gathered in your recon.

 

A good lie is a half-truth as it is more believable and will make you more credible from the start. If you go to a company durring the day and tell them your from the power company and there is a problem with the breaker while the lights are on they are going to be more so suspicious than if you were to do that same thing durring a power outage. Believability is the key.

 

There are numerous factors to consider when looking to establish a plausible scenario, one of which is the size of the company. If company X only has 10 employees than the statistical odds of raisings someones suspicions when you say your from the “IT Department” are significantly greater than if company X has 1000 employees. Another factor to consider is what you hope to accomplish in exploiting the target, are you merely looking to gather more information from them to be used on a larger scaled scenario or is there a specific task you wish for them to perform.

 

As in all things believability is key. Companies that utilize caller identification systems are less likely to be cooperative with someone calling for information from an outside line. Spoofing your caller ID to show that you are calling from an internal number again increases your legitimacy drastically. Third party services make this possible for as little as $.05 a minute.

 

An example of a physical media scenario is the “Road Apple“. The Road Apple plays of the curiosity of the unsuspected target by enticing them with the proverbial forbidden fruit. Ex… I place a trojan shell on a CD and label the CD as “Company X’s Performance Reviews” and leave it in the rest room at company X on the counter. The statistical odds show that the first person to see that CD will in fact take it to their workstation and try to load the data at which point they have unknowingly compromised their companies network security.

Final Thoughts..

 

Persons of any level of intelligence are vulnerable to deception by an experienced Social Engineer.

-Int3rc3pt

[alexander]

shh, dont let the secret out.... No, social engineering is fun, i mean, um, it's probably the easiest exploit to do to gain information. It is sad that it is so commonly overlooked...

[UncleAl]

A shortcut: Flash a badge, seize the laptop, warrantlessly search (dump the hard drive). Homeland Severity has a goldmine here. Corporations are demanding personnel travel with freshly reformatted hard drives and no thumb drives. Encrypted data is downloaded from the Web at destination, or encrypted drives are independently shipped FedEx, DHL, UPS... to the hotel.

[alexander]

Surprised we didn't get more replies by now. This is actually a really good article for those who don't know what social engineering is, and for those who do, like to read up on these things. Furthermore it is a good refenrence for those who want to not be tricked.... etc.

 

Since you guys don't want to read... i mean discuss it (everyone except for Uncle), i will.

 

A shortcut: Flash a badge, seize the laptop, warrantlessly search (dump the hard drive).

Well while that may work for some people or some companies, what if the people you are socially pengeneering (pentesting in social engineering way) are either ex employees or are a gov-t branch? This actually works fairly well, in fact a certain someone was telling me a story about him pengineering a customer, who was at the time a gov-t secured site, i think it was some sort of a small base or something. He wanted to get access to the room in the back, which requires a very high level security clearance. So, he comes up to the front guards with a group of people (who all work at the place) and to the guard, flashes a badge (random fake one he bought somewhere as a souvenir), walks in walks to the next set of guards, flashes teh badge again (on his keychain), guard has him sign his name and everything on this form, so he fills in a fake name, and then 2 officers escort him to the one room he wanted to access. He goes in, takes a crate of files, walks out, he is escorted out by the friendly people at the base.... the people that hired him to do the security test are like "You what, what, where.... FILES, whaaaat?"

 

Case and point there that you can do this, Uncle, but do know, it does not always fly :eek:

 

Main thing in social engineering, especially in person, is to project confidence, you have to be confident in what yuo are doing, always look and believe in your legend, speak professionally, i remember that scene from Ocean's 11 when the main character (Danny Ocean played by Clooney) is explaining to Linus (played by Damon) how to project himself when he is talking to Benedict (played by Garcia) the owner of the Casinos.

You look down, they know you're lying and up, they know you don't know the truth. Don't use seven words when four will do. Don't shift your weight, look always at your mark but don't stare, be specific but not memorable, be funny but don't make him laugh. He's got to like you then forget you the moment you've left his side.

In pengineering, it does not matter how brilliant your plot is, unless you create a good disposition to yourself, you don't gain trust where people will trust whatever you say and forget you the next day, no matter the plot or preparation, you will fail at the end of the day...

 

Oh another thing, this is something that intercept's article did not cover. It is sometimes good to bring items that are common to bring for your personality, to further project your confidence in you. Example, you are pretending to be a phone company technician, it would not hurt to wear a polo shirt in the company color, jeans or "worked in" pants, and some equipment, even something as simple as a little tool belt with some screw drivers wire cutters, a punch tool, and a phone over your shoulder to test the phone system... with that, a laptop in a bag, which can further conseal things, such as a wifi point or a micro box, or whatever the mean you chose to connect to the network from the outside is, well with your phone arsenal, chances are that noone will ever doubt that you work for the company, chances are that nobody will doubt your legend (which can be "Have you noticed the calls outside the building being all staticky? We have been troubleshooting this for a week now, and it seems that there is some feedback into your line coming into this building" blah blah blah... you get the point)

 

This also reinforces something intercept has said too, it is not a bad idea to call yourself in, before you arrive, create a trust prior to actually being there in person. For the above example, call, whoever you are trying to engineer, and set yourself up, even if its something as simple as "This is Harry from the phone company, we are troubleshooting a problem in your area, and it seems that it's coming from your phone line, can i ask you to do some things for me to test it?" have them do something stupid, like tap on the mic, then appologise saying that it seems to be coming from the building, but a tech needs to look at it, and he will be there within the next 3-4 hours or something. Bingo, your technician personality, will now be escorted to the phone pannel (and this is generally the same room as the patch pannel ;) and sometimes the switch room)

 

This brings me to the next point, when choosing a position to impersonate (even over the phone) it is generally said, that a position of some power is generally a good way to go, though i have to say that sometimes the new employee will give you better results, especially in an environment where most people know the admins. Or a position where, "hey i am just trying to do my job", is good. I think it is not important who you choose to be, as long as you have a plan to use that position in a matter that will benefit you in some way, but how you project yourself as that person. Having a good, authoritative voice, projection of yourself, clean cut, trustworty appearance is a must...

[UncleAl]

The difference between seduction and rape is salesmanship! Agreed that seduction with camoflauge is always best. Rape and run as required.

 

Professional management often secures itself by compartmentalization. Each little aspect of its domain is a perfect isolated clockwork independent and noncommunicative with the others - all trained to respect authority. Yes SIR! They work against rather than with each other.

 

One can then be clever and reptate into an organization through personal ties. Workers are starved for attention and praise. Masquerading as a service or managerial component that cares about an individual can - and does - work. Patience and a little due diligence to be credible.

 

Young, cheap black shoes, bad black pants, white shirt, skinny black tie, plastic pocket protector, hard hat; pencil, clipboard, pad of complex (false) forms on company stationery (all but the top being blank paper). Walk fast, look worried, demand names; drop some high corporate names. Start by wanting the fellow or foreman in charge. Big stick, little carrot that grows. They'll pretty much let you go anywhere to get rid of you. Leave an "attaboy!" behind to delay the obvious.

 

People are overall polite and helpful. It is a terrible weakness for maintaining security. Add a dollop of "stupid" and the best you can do is not very much. When was a bank robbery ever thwarted by armed guards? Workplace injury in San Onofre nuclear power plant included security personnel self-inflicted gunshot wounds. They are now banned from practicing holster quick draws in the washrooms. Sidearms with safeties safed would also be good. Penetrate as a new-hire guard.

[Theory5]

Hehe, nice. I just cant social engineer, I stop and sometimes forget stuff even in a regular conversation. :-)

I know how to look busy, figured that out in middle school when I was tired of the class I would wander around, I figured out how seem like I was going somewhere so the vice principal wouldn't bother me. :-P

A tip, ALWAYS rehearse and/or write out your speeches. That will most likely help. I found its better to write a couple difference scenarios that you can respond to.

I've found being corny is helpful. As in jokes. "Working hard or hardly working?"

 

The oldest social engineering trick is "May I use your bathroom?" Doesn't really work anymore though.

[alexander]

Lol social engineering in High School was fun. I once socially engineered my way into the principal's office, mind you i had complete access to the principal's computer with nobody in the office :) i was a straight A student that month.... (i am kidding about being straight A for the month, i actually found a virus deleted it off the machine, but i did prove my point to a friend of mine, who happened to be the IT person for the school.)

 

I basically used the situation at the school to my advantage. The knight before, there was a zero day virus out, news were all talking about it, and i remembered that a few months before, the school's ISP disconnected them, because they found machines on that network that were infected with some other virus. So using this to my advantage, i walked to the main office (and that is where the principal's office was) and headed for the office. Somebody stopped me, and told me that the principal just ran out for a few hours to a meeting or something and pondered as to why i was still heading for the office. I was like, "Did you watch the news this morning?" *there was a pause, and then a "Not really what happened?" question* "Well, apparently there is a big virus going around, they said on the news that a university in Florida lost all their financial data because of it already (which never happened).... i just don't want them to do what they did a few months ago... remember no internet and all... we just have to check all the machines in school, that's all." and went into the principal's office. All hail windows people who never lock their machines, so i played a game of solitare. It was running slow, so i looked at running processes and there was one that had me pondering, so i googled it, came out to be some release of some virus from like a year before, and it didn't really do anything harmful, so i got the removal instructions, removed it, patched the machine (i think that zero day got in using the "system restore" system, so before anyone had a patch for it, a friend of mine came up with a quick fix for turning off the system restore, which fixed the way for the virus to make it into the machine)

 

But yeah, i was actually helpful, but you see how this rather simple, but well timed exploit could have gotten me information that is not disclosed to anyone, maybe even in the staff. I mean who knows what the principal stores on his/her machine, email, files or what's in the desk drawers and file cabinets in his room...