I've always been interested in social engineering. To be fair, I should cite Kevin Mitnick's book, "The Art of Deception," as the official catalyst for my interest, but the examples in that book don't do modern social engineering justice. The craft has evolved considerably. The days of blind cold calling have largely passed with the widespread availability of information on search engines like Google. An attacker can now achieve a much higher success rate by scavenging publicly available information from those search engines, which lets him narrow his search and target a specific individual or department.
The following scenario outlines a modern day social engineering attempt.
Social Engineering Exercise 1.
The social engineer (“SE”) begins by visiting ACME company’s website with the intent of gathering information to aid his attempt. SE visits the Contact Us page, which provides only a general support number. This information is not very useful on its own, but SE records it anyway. Not discouraged, SE browses the News Releases section of the site and finds a quote about security from the head of the IT department, “Marshall Jones.” Using various combinations of “Marshall,” “Jones,” and “ACME” in a search engine, SE uncovers an internal personnel directory, indexed by the search engine, that contains contact information for ACME staff.
SE looks through the IT staff section of the directory and begins dialing desk numbers. He selects an individual, “Brian Jones,” whose voicemail says he is on vacation until next week. SE figures that since Brian works in IT, his account is likely to have access to more resources than a normal user’s account, and since Brian is away, nobody will notice the account being used. Brian is now SE’s target. SE records Brian’s phone number and email address, and notes that the email format is last name followed by first initial (jonesb@ACME.com). SE then performs a quick search for “Brian Jones” and “St. Paul” (ACME’s physical location) and learns that Brian grew up in a town called New Brighton and went to Irondale High School. SE records the additional details he has gathered about Brian from the search engine and at this point decides he is ready for the attack. SE drives around town with his laptop until he locates an unsecured wireless network. He then calls the general support number from the Contact Us page using Skype (a VoIP provider he signed up for with fraudulent information, which allows IP-to-landline calls) and asks to be transferred to the help desk. He tells the help desk staff that his login isn’t working, and mentions that he just had to change his password last Friday and can’t quite remember what he changed it to. SE makes sure to come off as agitated and complains that “Marshall Jones” has them changing passwords every other week. The help desk operator has never heard of Brian, but knows Marshall, and can relate: Marshall often hassles the help desk staff about security too. SE has now established a certain level of trust with the help desk operator.
The help desk operator asks SE what his login is. Remembering the format of ACME email addresses, SE replies “jonesb.” This appears to work: the help desk operator tells SE that he can reset the password if SE can answer a security question. SE is momentarily caught off guard, as many help desks do not require even this level of verification. Fortunately for SE, ACME has not based its security questions on private information. The help desk operator asks SE what his high school mascot was. SE performs a quick search for “Irondale High School” and “mascot” and replies “Knights.” The help desk operator resets Brian Jones’s password and reads the new one to SE. SE thanks the operator. Note that the security question added nothing here: a question only authenticates the caller if the answer is something an attacker cannot find by searching, and a callback to the desk number on file (which would have reached Brian’s vacation voicemail) would have ended the attempt.
Now that SE has a valid set of credentials, SE performs a public ARIN record search for ACME and uncovers its publicly routable address space. Using Nessus (a vulnerability scanner that also identifies exposed services), SE scans this address space and discovers an SSH gateway. Using Brian Jones’s credentials, SE logs in. Because the organization never provisioned Brian a separate administrative account, the same day-to-day credentials he uses for email are used to administer every system on the network. SE now has access to the entire organization and can place a backdoor for easy re-entry into the environment. The failure worth noting is that a help-desk password reset translated directly into administrative access: nothing (a separate admin account, a second authentication factor on the gateway, or a restriction of gateway logins to a small administrative group) stood between the reset and the servers.
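The sequence above (a help-desk password reset verified only by a searchable security question, followed within hours by a login to the SSH gateway from an address outside the company, on an account whose owner is recorded as away) is exactly the kind of chain a detection rule can catch even when each step looked legitimate on its own. The following is an added example, not code from the original post: the sshd log lines, the reset records, the vacation calendar and the corporate address ranges are all constructed here for illustration, and the log format (an ISO timestamp followed by the standard sshd “Accepted … for … from …” message) is an assumption.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# --- Constructed sample data (illustrative, not taken from the original post) ---

# Help-desk reset records: (timestamp, username, how the caller was verified)
HELPDESK_RESETS = [
    (datetime(2024, 11, 4, 14, 5), "jonesb", "phone+security-question"),
    (datetime(2024, 11, 4, 9, 30), "smitha", "in-person+badge"),
]

# Accounts the vacation calendar says are away: username -> (start, end)
OUT_OF_OFFICE = {
    "jonesb": (datetime(2024, 11, 1), datetime(2024, 11, 11)),
}

# Address ranges from which an interactive login is expected (office LAN, VPN pool)
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.0.2.0/24")]

# sshd authentication log with an ISO timestamp prefix (constructed, assumed format)
SSH_AUTH_LOG = """\
2024-11-04T09:41:10 gw01 sshd[2101]: Accepted publickey for smitha from 10.20.3.14 port 50122 ssh2: ED25519 SHA256:abc
2024-11-04T14:22:07 gw01 sshd[2231]: Accepted password for jonesb from 203.0.113.7 port 51234 ssh2
2024-11-04T14:25:40 gw01 sshd[2240]: Failed password for invalid user admin from 198.51.100.9 port 40011 ssh2
"""

# Only successful logins matter for this rule; failed attempts are left to a separate brute-force rule.
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_logins(log_text):
    """Return a list of successful sshd logins parsed from the log text."""
    logins = []
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            logins.append({
                "ts": datetime.fromisoformat(m["ts"]),
                "user": m["user"],
                "ip": ipaddress.ip_address(m["ip"]),
                "method": m["method"],
            })
    return logins


def is_corporate(ip):
    """True if the address falls inside one of the expected source ranges."""
    ip = ipaddress.ip_address(ip)
    return any(ip in net for net in CORPORATE_NETS)


def find_suspicious_logins(log_text, resets=HELPDESK_RESETS, out_of_office=OUT_OF_OFFICE,
                           window=timedelta(hours=24)):
    """Return alerts as (severity, username, reason) tuples.

    Rule 1: a reset verified over the phone, followed within `window` by a login
            from outside the corporate ranges.
    Rule 2: a login on an account whose owner is recorded as out of office.
    Both rules firing on the same login raises the severity to high.
    """
    alerts = []
    for login in parse_logins(log_text):
        user, ts = login["user"], login["ts"]
        reasons = []
        for reset_ts, reset_user, verification in resets:
            if (reset_user == user and reset_ts <= ts <= reset_ts + window
                    and verification.startswith("phone") and not is_corporate(login["ip"])):
                reasons.append(f"password reset by phone at {reset_ts:%H:%M}, "
                               f"then login from external {login['ip']}")
        if user in out_of_office:
            start, end = out_of_office[user]
            if start <= ts <= end:
                reasons.append("account owner recorded as out of office")
        if reasons:
            severity = "high" if len(reasons) > 1 else "medium"
            alerts.append((severity, user, "; ".join(reasons)))
    return alerts


if __name__ == "__main__":
    for severity, user, reason in find_suspicious_logins(SSH_AUTH_LOG):
        print(f"[{severity}] {user}: {reason}")
```

Run against the constructed data, this produces a single high-severity alert for jonesb and nothing for the legitimate badge-verified reset or the failed attempt. In practice the reset records would come from the ticketing system and the out-of-office list from HR or the mail system; the point is that neither feed is suspicious alone, and the correlation is what exposes the attack.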
As the example shows, system-level security and organizational awareness depend on each other; one layer of security is rarely enough to keep a determined attacker at bay. Your site security policy should include training for new employees. Regular organization-wide communications are an effective way to provide information about telephone dos and don’ts, physical security, email phishing, and password selection.
