Social engineering reloaded
by Sarah Granger
The purpose of this article is to go beyond the basics and explore how social engineering, employed as technology, has evolved over the past few years. A case study of a typical Fortune 1000 company will be discussed, putting emphasis on the importance of education about social engineering for every corporate security program.
Top five hacking moments on film
To break the ice, let's start this article by looking at this author's top five favorite hacking moments in modern movies, all of them quite old-school to emphasize a point:
- 5. Independence Day: Using an old space ship as cover for two humans to infiltrate the alien mother ship and upload a virus to destroy it.
4. Hackers: Dumpster diving in the target company's trash in order to obtain financial data from printouts.
3. War Games: Password cracking the military computer system by studying its creator.
2. Ferris Bueller's Day Off: Faking a grandmother's death to get Ferris's girlfriend excused from school through multiple phone calls and answering machine recordings.
1. Star Wars: R2-D2 gaining access to the death star main computer and shutting down the garbage dispensers (remember the com link!).
Question: Which of the above hacks did not employ a social engineering technique? Answer: None of the above.
In Independence Day, the characters spoofed the mother ship with a physical Trojan horse. In Hackers, dumpster diving can't be achieved with a computer. In War Games, Matthew Broderick's character studied his target before attempting to crack the password, and then in Ferris Bueller's Day Off, his phone scam was sheer brilliance. You've got to love the low-tech approach. And although it would seem R2-D2's hack was entirely technical, remember he had to sneak into the room with the computer access point before achieving his goal.
The lesson here is that social engineering is a major component of hacking in both fictional and real scenarios. By merely trying to prevent infiltration on a technical level and ignoring the physical-social level, we are leaving ourselves wide open to attack.
Social engineering redefined
Bruce Schneier, author of Secrets & Lies: Digital Security in a Networked World, reminds us that social engineering, aka "socio-technical attacks" is really all about the human aspect, and that means trust. Kevin Mitnick, renowned and reformed hacker, in his book The Art of Deception, goes further to explain that people inherently want to be helpful and therefore are easily duped. They assume a level of trust in order to avoid conflict. It's all about, "gaining access to information that people think is innocuous when it isn't," and then using that information against the real target. We are the weakest link in the security chain. This point cannot be underemphasized. People are the weakest link, not technology.
This article is a followup to a social engineering series written several years ago. The goal is to go beyond the basics and explore how social engineering has been employed as technology has evolved over the past few years. For further information on social engineering, see this author's previous article, "Social Engineering Fundamentals, Part I: Hacker Tactics" and "Part II: Combat Strategies."
Since social engineering involves the human element of any attack, it's important to get into the head of the hacker and understand her motivation. Historically, the motivation has been intellectual challenge, bragging rights, access to sensitive information, simple curiosity, or our biggest fear - malicious intent. By knowing why we are at risk, we can better protect ourselves from the foolish things we do, thereby allowing social engineers to exploit us.
Targets of an attack can be both physical and psychological. Social engineering attacks will occur in person, over the phone, and online. No medium is safe from them. Individuals are targets for rampant identity theft and businesses fall prey to exploitation of a variety of holes. Weak passwords are always a target, as are file backdoors and improperly set permissions. That's the obvious stuff. What's changed over the past few years is that borders progressively don't matter. Words like "cyberterrorism" have become mainstream and we now even have an FBI-organized counter-terrorism posse of hackers waiting to pounce in the event of a massive online terrorist attack. Even some of the best hackers will use social engineering techniques against a victim (in combination with a highly technical approach) because it's simple, easy, and very effective. Social engineering is everywhere.
Types of attacks
The biggest change over the past four years, since our original article series on SecurityFoucs, is the exponential growth of e-commerce. Browsers and the use of the SSL (secure socket layer) protocol now are the norm for viewing everything from financial data to party invitations over webmail. Those of us who still use pine for email are in the minority. The types of attacks we see today tend to be targeted more toward web applications. Hidden programs running on web sites and hidden programs in email enclosures opened through webmail programs can host all kinds of dangers.
Browser add-ons can mask all kinds of rogue programs. DDoS (Distributed Denial of Service) attacks are still quite common and are a royal pain to combat, but they're not increasing in number the way identity theft is. Malware continues to plague everyone, although the widespread viruses of the nineties seem to have taken a back door to the browser back doors, most often installed as drive-by spyware by visiting a website. VoIP (Voice over Internet Protocol), being the new buzzword, has also attracted attackers with results varying from authentication failures to crashing phones.
So how does social engineering fit into the picture? Before employing some of the techniques noted above, some preliminary social engineering can be incredibly fruitful. Footprinting - the art of gathering information (or pre-hacking), is like a robber casing a bank. It's commonly done to research a predetermined target and determine the best opportunities for exploitation. Footprinting can include anything from phone calls from a role playing person asking seemingly innocent questions to physically mapping out buildings and data centers. And footprinting is a major social engineering component of a choreographed attack.
Phishing is the most common form of social engineering online, and most notably includes email spoofs. It's a rare day where the average email inbox doesn't include some sort of spoof. Today, eBay, Paypal and Citibank are the most common targets. Phishing itself is not new, but the frequency has increased over the past few years. The user receives email claiming that his Paypal account information needs updating and the email includes a link that sends the user to a fake web site where he is instructed to enter his password to update his information. The web site then stores the real passwords for use in identity theft attacks against the real Paypal site. For more information about phishing, see Scott Granneman's article, "Phishing For Savvy Users."
The best response is to delete these messages before even looking at them, just in case a rogue program might be launching in the background. However, to be sure a genuine message from a site like Citibank or eBay isn't being ignored, the best course of action is to log into their main site login, by typing http://www.ebay.com/, and then check the account for a record of the email or of any sort of problem. Due to the nature of phishing, you can't reliably click on a link in your email anymore and be sure it's what it appears.
In the case of eBay, go to "my messages" or "my ebay" to verify the authenticity of the email sent. Paypal doesn't have this feature yet. It's also easy to send a quick note to email@example.com or firstname.lastname@example.org, forwarding the message in question, and they will respond quickly as to its authenticity. eBay recently adapted their email sent to users to include usernames in the subject and body of the message, to emphasize authenticity. In general though, the best practice is to assume the email is a fake and remove it permanently from any email archives.
Case study - Company X
To illustrate the importance of incorporating social engineering education into a corporate security program, here is an overview of the security for a fairly typical high-tech company, called "Company X" for the purposes of this article. Company X, a multi-billion dollar organization, spends millions on hardware and security, but in reality it only does the minimum of what is necessary to keep its assets secure. Such is the life of an average security program in the competitive market of high-tech.
Company X's physical (building) security includes badges for all employees, locked doors, security guards, and restricted access. Employees, however, tend to hold doors open for others and don't tend to check the photos on IDs when doing so. Dumpster areas are gated but unlocked, leaving them open to potential dumpster divers. Phone security is standard, allowing internal transfers and outgoing calls with blocked IDs. Remote access is through a VPN with SecureID, the use of which requires permission from a superior and inactive accounts are suspended within 30 days. Wireless access points in the buildings also fall under these restrictions.
As for hardware, remote drives are used, but employees are instructed not to store confidential information on the drives. Laptops are common, but only roughly 30% of users lock them with the provided cables. Shared drives on the internal network are protected by group permissions. On the system level, the company runs weekly virus scans. Security teams have reduced administrative rights on machines so employees can't install rogue programs. Password requirements are fairly standard, requiring a variety of characters, changed every few months.
Software comes standard for each machine. Screen savers are password protected, but not always locked. Most machines are open to Internet access, with the exception of some site blocking. Passwords can be saved in browsers, however. Email suffers from frequent server problems, webmail is not always secure, and IM use internally is rampant.
In the areas where social engineering prevention could be most useful, barely anything is done. When an employee is on the phone with Help Desk support, the employee's number comes up on phone but no standard authentication questions are asked by either the Help Desk staff or the employee being helped. CallerID spoofing would be a very simple way to get a password reset. Security training is available for home network usage and basic encryption, but departments differ in their use of these tools. No standard training is given for new employees, leaving the organization open to staff passing around a wide range of bad habits.
Sadly, Company X's security is not much better than it was ten years ago and it has barely evolved with the times. It's tough enough to keep up with the latest technology, patches, and filters with corporate budget cuts. Security teams tend to get the short end of the stick until the company suffers a major outage from an attack. Since various attacks became more public in recent years, everybody and their brother company claims to be secure - but the reality is that most companies are like Company X, struggling to maintain a basic level of security.
What could Company X and others like it do to prevent attacks on the social engineering level? On the technical side, they must continue to install spam filters and update software patches, as a bare minimum. Making cryptography standard for email and web access, not allowing passwords to be saved in browsers, and changing to an internal messaging program are key technology step. The next step would be to develop an incident reporting and tracking program. This way they can discover additional holes in their program and attend to those holes. Incident reporting won't necessarily catch the intruders, but it helps to find ways to deter them.
Not to bite the hand that feeds us, but as Mitnick says, "anyone who thinks that security products alone offer true security is settling for the illusion of security." Therefore, training cannot be emphasized enough. New employee training, repeat training, regular updates, and fun security tips can keep the security education process fresh and lively. Some companies now use t-shirts and other paraphernalia to advertise security practices and remind employees to beware of suspicious phone calls and other potential phishing attempts. Help Desk staff need to have proper authentication procedures for all support calls. Security personnel should be adequately trained as well, and screened beyond regular employees in case they themselves pose a risk to the company.
Security policies used to have more bark than bite, but these days it's now common to put more teeth into them. Corporate policies, standards, guidelines, and so on cover a wide range of areas but the important thing is to develop them with growth and accountability in mind. Topics that should be covered in corporate policies include information sensitivity, password protection, ethics, acceptable use, email, database credentials, extranet usage, VPN security, and server security.
Also, pay attention to what's happening on the national and international level as far as ID theft laws and database protection are concerned. New bills are being developed to make identity theft more difficult through the greater protection of personal information.
The bottom line
Unfortunately, the reality is that intruders rarely get caught, and even when they are caught, the penalties haven't traditionally been stiff. Shouldn't we be more worried about serial murderers running loose than a bunch of computer geeks? Seriously though, identity theft, corporate espionage and cyber-terrorism are here to stay, so the bottom line lies in making a commitment to combating potential attackers.
At Company X the buck ultimately stops with the CIO, who must commit to improving their security program before they lose a significant amount of money and intellectual property to a major attack. That requires committing both the financial and people resources to the problem, and not dropping education and training from the budget. As individuals, we must commit to increasing our awareness of the risks we face and the potential openings we create for social engineers to fool us. The key, according to Schneier, lies in, "securing the interaction between the data and the people."
In any good security program, a realistic balance must be reached. There's always a fine line between an "atmosphere of paranoia" and a productive environment. However, if we err on the side of stronger security, knowing human error is the problem, we'll be more likely to achieve success. Just remember that we, the people, are the weakest link and as Mitnick writes, "Don't' be gullible!"
"A VOIP security plan of attack", Joel Snyder, Network World, September 13, 2004.
"Cisco Denial of Service VoIP Attack", VoIP & Gadgets Blog, January 21, 2005.
"Closing the Floodgates: DDoS Mitigation Techniques", Matthew Tanase, Security Focus, January 7, 2003.
Hacking Exposed: Network Security Secrets & Solutions, McClure, Scambray & Kurtz, Fifth Edition, McGraw-Hill/Osborne, 2005.
"Malicious Malware: attacking the attackers, part 1", Thorsten Holz and Frederic Raynal, Security Focus, Jan 31, 2006.
"Malicious Malware: attacking the attackers, part 2", Thorsten Holz and Frederic Raynal, Security Focus, Feb 2, 2006.
"Phishing losses overestimated - survey", John Leyden, The Register, December 3, 2004.
"The SANS Security Policy Project", SANS, 2006.
Secrets & Lies: Digital Security in a Networked World, Bruce Schneier, Wiley Computer Publishing, 2000.
"Social Engineering Fundamentals, Part I: Hacker Tactics", Sarah Granger, Security Focus, Infocus, December 18, 2001.
"Social Engineering Fundamentals, Part II: Combat Strategies", Sarah Granger, Security Focus, Infocus, January 9, 2002.
The Art of Deception, Kevin Mitnick & William L. Simon, Wiley Publishing, Inc., 2002.
The Hacker Ethic, Sarah Granger, Ethics in the Computer Age, ACM Press, 1994.
"Voice over IP Security", Matthew Tanase, Security Focus, March 12, 2004.
This article originally appeared on SecurityFocus.com -- reproduction in whole or in part is not allowed without expressed written consent.