Social hacking: The easy way to breach network security


Peter Wood, Contributor

Our professional penetration-testing team has been conducting security reviews for the best part of 20 years, from both inside and outside organisations. Throughout our ethical hacking experiences, several issues have cropped up which, whilst apparently unrelated, contribute to the failure of most organisations to protect their information assets from opportunistic attack. In this series of network hacking articles, let's look at some of the likely routes that an attacker can take to compromise enterprise network security.


It's important to note that not everything in these articles is about technical hacks or technical mitigation strategies. Most business people go about their day without a security-related thought in their heads, blissfully ignorant of how easy it is to steal information merely by tricking people. As ethical hackers, we're often given the task of finding creative ways to target a particular organisation, and it's typically the unwary employee who is the way in. Here's an example from our real-world experience.

Consider a "pay as you go" mobile phone, which guarantees anonymity and ensures a realistic test of a potential attacker's ability to gain information over the phone, since the client, or target, organisation won't have prior knowledge of the phone's number. After purchasing the phone, it is possible to call the freely available switchboard number of the target company and ask for the names and email addresses of the IT project leaders of interest -- perhaps those in charge of payroll and payment systems. In our experience, apart from asking whether we are a recruitment company (not the most successful vetting process!), there are no checks; the receptionist is happy to give us this information over the phone.

Next, after careful study of the firm's website, a spoof webpage can be created in the same style as the corporate site, even using the same images and logos by embedding the real image paths in the code. This spoof page may ostensibly be a questionnaire on staff awareness of the firm's information security policy, with a few simple questions on how passwords are chosen, whether or not they were written down, and so on.
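A spoof page that embeds the real image paths leaves a trace in the corporate web server's own logs: requests for logo and banner images whose Referer header points at a domain the company does not own. The following detection script is an added illustration, not code from the article or from First Base Technologies; the log lines, domain names and IP addresses are constructed, and it assumes the server writes the common "combined" log format with the Referer field.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines in Apache/nginx "combined" log format (not real traffic).
# The third and fourth lines show the corporate logo and header being loaded from
# a page on a look-alike domain, as a spoofed questionnaire would do.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2010:09:01:12 +0000] "GET /images/logo.png HTTP/1.1" 200 5120 "http://www.example-corp.test/" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2010:09:01:13 +0000] "GET /images/header.jpg HTTP/1.1" 200 9031 "https://www.example-corp.test/about" "Mozilla/5.0"
198.51.100.77 - - [10/Mar/2010:09:15:40 +0000] "GET /images/logo.png HTTP/1.1" 200 5120 "http://example-corp-survey.test/questionnaire" "Mozilla/5.0"
198.51.100.78 - - [10/Mar/2010:09:16:02 +0000] "GET /images/header.jpg HTTP/1.1" 200 9031 "http://example-corp-survey.test/questionnaire" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2010:09:20:00 +0000] "GET /images/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

IMAGE_EXT = (".png", ".jpg", ".jpeg", ".gif", ".svg", ".ico")


def referer_host(referer):
    """Return the lower-cased host of a Referer URL, or None if absent or unparseable."""
    if referer in ("", "-"):
        return None
    host = urlsplit(referer).hostname
    return host.lower() if host else None


def find_hotlinked_images(log_text, own_domains):
    """Group image requests whose Referer host lies outside own_domains.

    Returns {foreign_host: {"paths": set_of_paths, "hits": count}}.
    Requests with no Referer are ignored: browsers and direct fetches often omit it,
    so they are noise rather than evidence of a spoof page.
    """
    own = {d.lower() for d in own_domains}
    findings = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m.group("path").lower().endswith(IMAGE_EXT):
            continue
        host = referer_host(m.group("referer"))
        if host is None or host in own or any(host.endswith("." + d) for d in own):
            continue  # own site, or a legitimate subdomain of it
        entry = findings.setdefault(host, {"paths": set(), "hits": 0})
        entry["paths"].add(m.group("path"))
        entry["hits"] += 1
    return findings


if __name__ == "__main__":
    for host, info in find_hotlinked_images(SAMPLE_LOG, ["example-corp.test"]).items():
        print(f"{host}: {info['hits']} hits, assets {sorted(info['paths'])}")
```

A single foreign host pulling the logo and the page header together, shortly before staff start receiving a survey email, is a strong early signal that a spoofed page has gone live.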

Then, using the source email address of the firm's information security manager, the targeted project managers are emailed. The phony message requests the recipients complete a short questionnaire using the Web link to the spoofed page. Many people would be suspicious about these fairly obvious questions, except for the fact that they see a legitimate-looking webpage, and the request appears to come from their own information security manager.

Even better, when they click on the link, the first thing they are asked to do is identify themselves with their username and password. This, of course, is the scam: the rest of the questionnaire is irrelevant to the attacker (although perhaps interesting), because all that is wanted is their network credentials.

Using this method, it's possible to rapidly harvest some valuable network credentials with no risk whatsoever to us (the simulated criminals) and without ever going anywhere near the target organisation. When the scam is subsequently exposed by a more alert individual, and all the passwords have been changed, it's too late, since the credentials have already been used to log in remotely to their extranet, steal valuable information and even set up another "back door" account.

It's also possible, using a similar technique, to ask for the names, job titles and direct dial numbers of the senior IT staff. After compiling the list, each staff member's number can be called until an "out of office" message is received. This will be the stooge: the person whose identity can be temporarily assumed.

So, returning to the phone once more and, of course, being kindly put through by the switchboard operator, our social engineer can simply explain that he (or she) is working at home, has screwed up his remote login and has forgotten the password to his corporate laptop. He can then make up an excuse, perhaps telling the help desk operator that he has to go out to collect his son from the nursery, and ask the help desk to please reset his account and text him the new password. Of course, the number given is the new, untraceable mobile phone. Within 15 minutes, they text not only the password, but also the account name for good measure. It's a good thing we're ethical and employed to do this as a test!

If switchboard staff were forbidden to give out information about members of staff and help desk personnel were given clear guidelines about how to validate requests for password resets, perhaps by using PIN codes or cherished information, then this type of telephone social engineering would fail most of the time.
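Those two help-desk rules, validate the caller with cherished information and never deliver a credential to a number the caller supplies, can be written down as a check the reset procedure must pass. The snippet below is an added illustration of that policy, not code from the article or from First Base Technologies; the staff directory, the staff identifier and the mobile number are constructed (the number is from the UK reserved range for fiction).

```python
import hashlib
import hmac
import os
import secrets

ITERATIONS = 100_000


def hash_answer(answer, salt):
    """Store cherished information the way a password is stored: normalised, salted and hashed."""
    return hashlib.pbkdf2_hmac("sha256", answer.strip().lower().encode(), salt, ITERATIONS)


def make_record(name, mobile_on_record, cherished_answer):
    salt = os.urandom(16)
    return {"name": name, "mobile_on_record": mobile_on_record,
            "salt": salt, "cherished_hash": hash_answer(cherished_answer, salt)}


# Constructed staff directory; nothing here is real.
DIRECTORY = {"pm-1042": make_record("A. Example", "+44 7700 900123", "Bramble")}


def verify_reset_request(staff_id, cherished_answer, requested_number, directory=DIRECTORY):
    """Decide whether a telephone reset request may proceed and where the credential may go.

    Returns a dict with "ok" and either "reason" (refusal) or "send_to" and "temp_password".
    """
    record = directory.get(staff_id)
    if record is None:
        return {"ok": False, "reason": "unknown staff id"}
    # Constant-time comparison so a wrong answer cannot be distinguished by timing.
    if not hmac.compare_digest(record["cherished_hash"],
                               hash_answer(cherished_answer, record["salt"])):
        return {"ok": False, "reason": "cherished information did not match"}
    if requested_number and requested_number != record["mobile_on_record"]:
        # The caller asking for delivery to a new number is exactly the scenario above:
        # refuse and escalate rather than text a stranger's phone.
        return {"ok": False, "reason": "delivery number differs from number on record; escalate"}
    return {"ok": True, "send_to": record["mobile_on_record"],
            "temp_password": secrets.token_urlsafe(12)}


if __name__ == "__main__":
    print(verify_reset_request("pm-1042", "bramble", "+44 7700 900999"))  # refused
    print(verify_reset_request("pm-1042", "bramble", None))              # sent to number on record
```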

Preventing these and most other varieties of social engineering attacks depends on staff awareness and training. Passwords and credentials should never be given out. It is all too easy to impersonate a senior IT staff member, not only via the telephone, but also by going so far as to use fake business cards and uniforms to gain physical access to a targeted building and, once inside, install keyloggers that steal more credentials. Proper physical security checks on visitors are also important to prevent this kind of deceptive cybercrime. Alert staff should be able to report a person or group of people wandering around an office without badges or supervision. Tests of this type almost always reveal an absence of controls and policies, resulting in a horrific potential security breach.

About the author:
Peter Wood is Chief of Operations at First Base Technologies, an ethical hacking firm based in the UK. He is a world-renowned security evangelist, speaking at conferences and seminars on ethical hacking techniques and social engineering. He has appeared in documentaries for BBC television, provided commentary on security issues for TV and radio and written many articles on a variety of security topics. He has also been rated the British Computer Society's number one speaker.
