Hacking the Human
The average person naturally wants to be helpful to others. Many of us work in positions that provide some function to customers inside and outside of our companies. Our helpfulness directly reflects the company image and as a result is an important part of business culture. However, it is important to understand how pervasive social engineering can be, where the information comes from, and how it can be used to circumvent security controls. Social engineering is the process wherein a person is manipulated into providing information, a service, or access to an unauthorized entity.
It is often far easier to attempt to breach a company through a human than it is to attack an entity’s security controls.
Open Source Intelligence
This is largely a fancy term for “Public Information”. It refers to any information that can be freely gathered about a person or company through public records, social networking sites (LinkedIn, Facebook, etc.), or information aggregation sites such as http://www.spokeo.com or https://pipl.com. (Try it, you might be surprised at how much information you can find about yourself.) Pay a few bucks more and additional buckets of information become available. Many of these websites do not care how the information is used or who is requesting it.
This information includes: publicly viewable pictures, previous addresses, phone numbers, relationships with other people, interests, schedules, hobbies, organizational charts, pet names, birthdays, your best friend’s name, etc. Any of this sound familiar? It’s exactly the kind of information often used to answer password reset or identity-validation questions!
This information gives the attacker some background to work with. They could determine that you enjoy underwater basket weaving and, using a phone number they found, ask for a donation to a related charity. They’ll send you an email containing either a malicious attachment or a link to a malicious website, potentially compromising your computer. The sender address might be forged to appear to come from that charity, and the website they send you to could be designed to look like that charity’s. While you may approach most unsolicited email with scrutiny, this vector will seem much more plausible because of the personal touch.
The attacker may try to reach out to you via your social networking websites using a fake identity and attempt to establish a rapport. Be aware that the person could be anyone and be cautious of any links or files they attempt to send to you.
QUESTIONS, QUESTIONS, QUESTIONS!
Once the attacker has enough background information they can start cold calling employees or attempt to enter the building under the guise of meeting someone they’ve researched. They could call several different departments to get a feel for how your processes work or to find ways to circumvent those processes.
Often they are trying to figure out answers to the following: Under what circumstances can a password be reset? Will they send the reset to a “personal” email address? What information is required to validate a user over the phone? Where are deliveries taken? How is trash handled? Is a PIN and/or badge required to enter the building? Are people escorted once inside? Can I follow in behind someone who left a door open? Who is the newest employee at the call center? Who’s the most serious boss? They may even pose as a job applicant to get a view inside the building.
Furthermore, if the first attempt at information gathering doesn’t work, they may call back and try to get a different employee who might respond differently to the same questions. It’s important to share any social engineering attempts you can identify between your teams and with your security team.
If the conversation or interaction feels weird, it probably is weird and is worth your additional attention.
PART 2
Next month we’ll cover signs for detecting if you’re being socially engineered and tips on how to foil those attempts.
CREDITS AND ADDITIONAL RESOURCES
How social engineering, mixing of services, and knowledge of company policy caused a technology writer to lose his Internet identity within an hour. (Lengthy but interesting read)
http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all/
SecurityWeek article on digital social engineering
http://www.securityweek.com/cisos-nightmare-digital-social-engineering