Information Security News Alert November 2015
THE SOCIAL ENGINEERING ISSUE
Oh my! I think it’s a social engineer!
Now if I could just get your User ID and password I can fix the problem.
QUESTIONS? PLEASE CONTACT: Dawn Thistle 508-767-7095 dthistle@assumption.edu
Bob Lavner 508-767-7006 blavner@assumption.edu
DISCLAIMER: The advice within was collected and created by the Security Awareness Company and is intended to be used as general safe practices. You should always follow College policy.
What Does a Social Engineer Look Like?
There is no real answer to that question; a social engineer can look like anyone, because a social engineer is just a con artist. It’s not unusual to flip on the TV and see a variety of characters on popular shows and movies employing both technical and non-technical tricks to get people to do what they want, whether it’s giving them access to a restricted area or turning over lots of cash.

In fact, social engineering has been going on for years. Con men existed in ancient Egypt, Greece and Rome; they’ve been around forever. In the 19th century, we called them Snake Oil Salesmen. One of the most famous social engineers of the 20th century was Frank Abagnale, Jr. His social engineering skills were so good that he conned people out of more than two million dollars in the 1960s when he was just sixteen years old!

The modern computer age’s equivalent of Abagnale would be Kevin Mitnick. At age 12, he used social engineering to bypass the Los Angeles bus system’s punch-cards so he could ride for free. At 16, he used social engineering to break into Digital Equipment Corporation’s computer network to steal their software (a crime he was convicted of in 1988). He later hacked into Pacific Bell’s voicemail system and became a federal fugitive for two and a half years. According to the U.S. Dept. of Justice, he used his con skills to gain unauthorized access to dozens of computer networks while he was on the lam.

As we mentioned, pop culture shows us a lot of great examples of social engineering – from The Sting, Matchstick Men and the Ocean’s 11 movies, to sly detectives on TV such as Veronica Mars, Simon Baker and Sherlock Holmes. We see tons of social engineering examples in popular shows such as Dexter, Leverage, Better Call Saul, and Mr. Robot. (We discuss some pop culture examples you may recognize later in this issue.) Social engineers can be criminals from anywhere in the world, representing organized crime or just a small one-man operation. They can be black hat hackers, nation-states attacking our critical infrastructures (such as our financial system), or even terrorist groups with both financial and other agendas.
You never know who is out to get you, scam you, con you or cheat you, and you can’t tell just by looking at or listening to them. You have to use your common sense, maintain a healthy dose of skepticism and develop your internal scam detector. That’s what being security aware is all about!
FORMS OF SOCIAL ENGINEERING Social engineering is all about manipulation and tricking the victim to do something they shouldn’t–and wouldn’t normally–do, such as giving out personal information or giving access to sensitive corporate data. The term actually encompasses many different tactics. Let’s examine a few of the most common attacks.
PHISHING Phishing emails come in a variety of styles. Some phishing emails might say you’ve won the lottery or just inherited a lot of money from some aunt you don’t remember. Some will be urgent; you have to do something right now or something bad will happen to your account. And others might be sneaky, pretending to be your boss requesting you click on a link or download an attachment. Avoid falling victim to these attacks by looking closely at any email wanting you to give information. Double checking email addresses and hovering over links is a good place to start.
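The two checks recommended above, double-checking the sender’s address and looking at where a link really goes rather than what its text says, can also be done by machine. The script below is an added example, not from this newsletter or the Security Awareness Company; the message it inspects is constructed, and AcmeCorp and the .example domains are placeholders for an organisation’s real mail domain.

```python
"""Added example, not from the newsletter: two phishing checks done by machine.

The checks are the ones the text recommends: does the sender address belong to the
domain it should, and does the visible text of each link match where the link really
goes (what you would see by hovering over it). The message below is constructed;
AcmeCorp and the .example domains are placeholders.
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the organisation's own mail domain. Anything else claiming to be IT is suspect.
ORG_DOMAIN = "acmecorp.example"

# Constructed sample: sent from a look-alike domain, with a link whose visible text shows
# the real webmail address while the href points somewhere else entirely.
RAW_MESSAGE = """\
From: IT Support <helpdesk@acmecorp-support.example>
To: Sue_Cranston@acmecorp.example
Subject: Urgent: your mailbox will be locked today
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your mailbox is over quota. Log in at
<a href="http://acmecorp.example.evil-login.example/auth">https://mail.acmecorp.example</a>
within 2 hours or your account will be locked.</p>
<p>Questions? See <a href="https://intranet.acmecorp.example/help">our help page</a>.</p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> tag: the two things hovering reveals."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Last two labels of a hostname (acmecorp.example). A production tool would use the
    public suffix list; two labels is enough to show the comparison."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def host_in_text(text):
    """If the visible link text looks like a URL or domain, return its hostname, else None."""
    candidate = text if "://" in text else "http://" + text
    host = urlparse(candidate).hostname
    return host if host and "." in host else None


def check_sender(msg):
    """Flag a From address outside the organisation's domain."""
    findings = []
    for addr in msg["from"].addresses:
        if registered_domain(addr.domain) != ORG_DOMAIN:
            findings.append(("sender-domain", f"{addr.display_name!r} sends from {addr.domain}"))
    return findings


def check_links(html):
    """Flag links whose text names one site but whose href goes to another, and links that
    leave the organisation's domain."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target = urlparse(href).hostname
        if not target:
            continue
        shown = host_in_text(text)
        if shown and registered_domain(shown) != registered_domain(target):
            findings.append(("link-mismatch", f"text shows {shown} but href goes to {target}"))
        if registered_domain(target) != ORG_DOMAIN:
            findings.append(("link-offsite", f"link to {target}"))
    return findings


def analyse(raw_message):
    """Return a list of (code, detail) findings; an empty list means nothing looked off."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    return check_sender(msg) + check_links(html)


if __name__ == "__main__":
    for code, detail in analyse(RAW_MESSAGE):
        print(f"{code:14} {detail}")
```

Run against the constructed message it reports three findings: the sender is on a look-alike domain, the first link’s text and destination disagree, and that link leaves the organisation. The two-label domain comparison is a simplification; a real mail filter would consult the public suffix list so that, for example, a `.co.uk` site is not misjudged.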
PRETEXTING Pretexting is simply someone on the telephone (or on social media) who is pretending to be someone they are not in order to steal information. The “pretexter” will create a scenario such as saying that you have an unusual charge on your credit card and they need some information to confirm your identity in order to resolve the issue. They might sound sympathetic, overly helpful or official in order to gain your trust. Don’t fall for it!
BAITING So, you found this lonely USB drive just hanging out. How do you find out whom it belongs to? Whatever you do, don’t plug it into your home computer or work computer! That USB drive could be a baiting attempt. If you plug it in, it could install malware onto your device. Baiting attempts usually offer goods in exchange for something like a login and password or, in the case of the USB drive, a free USB drive if you can’t locate the owner.
QUID PRO QUO If you give me something, I will give you something. Don’t be fooled by this form of social engineering. Quid pro quo is similar to baiting but generally involves the victim giving information and the criminal giving a supposed service in return. For example, someone posing as your internet provider calls you up and offers to improve your PC’s performance for free. All he needs is your password. Be aware!
TAILGATING So, you’re driving to work and this guy behind you just will not back off. Time for a brake check! (No, don’t do that! That’s how fender benders happen.) You get to work, you’re about to open the door with your pass card, and BAM! Another tailgater! This time, though, it’s the human kind. Tailgating occurs when an unauthorized person gets into a restricted area by slipping in behind authorized individuals. “Tailgaters” may pose as a delivery person to gain entrance, or even as a friendly fellow employee that has lost his badge or left it inside. Never allow tailgating!
Social Engineering in Pop Culture The Music Man Harold Hill, a traveling con man, convinces the locals of River City to start a band for the local kids by purchasing uniforms and instruments from him. He plans to leave town as soon as everyone pays. But the local librarian, Marian, suspects he might be a fraud, and his developing romantic feelings for her get in the way of his plan. The security aware Marian the Librarian stopped the social engineer before he swindled her neighbors out of hard-earned cash!
Dirty Rotten Scoundrels Lawrence, suave and erudite, cons corrupt rich people out of their money to live a lavish lifestyle, while Freddy, charmingly arrogant, just tries to score a free meal. They go to great lengths to dupe Janet, an heiress, into giving them $50,000 until they find out she’s not an heiress at all but a contest winner. In the end, she turns out to be the better social engineer, conning them out of their own money. They say, “It takes one to know one,” but in the case of social engineers, we hope you can spot a con without being a con artist yourself!
Catch Me if You Can The true story of Frank Abagnale, Jr., one of the most successful con artists of all time, includes too many excellent examples of social engineering to count. Our favorite? Posing as a Pan Am pilot for two years during his teens, flying over 1,000,000 miles to 26 countries by deadheading. You may have already seen the film version starring Tom Hanks and Leonardo DiCaprio, but we recommend reading the original memoir for more details and further insight into his creatively illegal antics.
Inception The plot of this film introduces the complex idea of planting an idea in someone’s mind–referred to as “inception.” Just like in many movies about cons, the main character, Dom Cobb, is a thief given a chance at redemption by reversing his criminal behavior. This mindbender plays with an ethical question: can social engineering, which is usually used for crime and subterfuge, be justifiable when trying to stop a bad company from destroying the world?
Live Free or Die Hard While this movie shows the catastrophic effects of a cyber terrorist attack on America’s critical infrastructure, it also contains an excellent example of social engineering. John McClane and Matt Farrell, a hacker being targeted by the bad guys, need a car. McClane offers to hotwire one but Farrell has a better idea: he calls the vehicle’s monitoring service, using the pretext of being a teen whose father is having a heart attack and needs the car to be started remotely. He bypasses the need for the password by emphasizing the emergency and avoids the possibility of a remote shut down, should the car detect the hotwire attempt.
For a look at some of the social engineering tactics used in the popular new hacking show Mr. Robot, check out: http://blog.thesecurityawarenesscompany.com/?p=2634 For more lessons in security awareness derived from pop culture, visit: http://blog.thesecurityawarenesscompany.com/category/security-pop-culture/
What is Pen-testing?
By Aaron Grattafiori

Far more exciting than the ballpoint variety, modern pen-testing encompasses an extremely wide range of operations by a single person or team to do one thing: break in. This may include security audits, analyses, discussions, scans, stealth attacks, phishing or even physically sneaking around and plugging into networks. While the need for security testing is nothing new, pen-testing has seen a large growth in recent years as product/application developers, CEOs and administrators want to feel safe with their security assumptions. “Is my network secure from outside attackers?” “Are my web applications vulnerable to Cross Site Scripting or SQL injection?” “What stops an attacker or insider from stealing my company’s secrets?” “Can someone break into X from Y?” “Is my customer’s data at risk?” “Are users of our product at risk of attack?”

Pen-testers are sometimes called “ethical hackers”, although I think that goes without saying: we use our skills for good. The goal is to improve security by uncovering vulnerabilities and getting them fixed. Pen-test and security audit teams put themselves into the mindsets of potential attackers, disgruntled employees or malicious hackers. We work to find the bugs in the network, application, design or system before the bad guys do, and let the client know the most secure way to fix them. Pen-testing helps encourage everyone involved within the organization to remember that security is a process, should be applied in layers and that it cannot be purchased.

Security is never finished; there is always a back and forth. To borrow an analogy from the infamous cryptographer Bruce Schneier, imagine the following: You’re developing a new form of hardware safe. You want customers to trust your device for their valuables, but how do you know it’s really secure unless you have it tested? So you bring in some pen-testers. They only need to find a single flaw and the whole system can crumble, but where is it? To make it even easier, you share with them the blueprints for the entire design, provide them with samples of the building materials and let them interview your engineers. After some reasonable time, if they’re unable to locate a weakness, it means you can be much more confident in the security. Obviously, you can never be 100% assured, as nothing has absolute security unless it’s completely unusable (e.g. buried at the bottom of the Mariana Trench).

Security itself is primarily about minimizing access, privilege and attack surfaces, from a browser sandbox to an ancient castle’s drawbridge. From locating the basic stack buffer overflow to a complex use-after-free vulnerability, or weak firewall rules and unsafe design, pen-testing is applied ethical hacking. Regardless of the type of assessment (network scan, code review, red team assessment, mobile or web application audit, etc.) you never know what you might discover.

Aaron “dyn” Grattafiori, Principal Security Consultant at iSEC Partners/NCC Group

Social-Engineer.org Resources (the leading expert on the subject)
The Social Engineering Village at DefCon 23: http://www.social-engineer.org/social-engineering/the-sevillage-at-def-con-23/
The Social Engineer Podcast: http://www.social-engineer.org/category/podcast
The Newsletter: http://www.social-engineer.org/category/newsletter
Social Engineering Throughout History

~1200 BCE: Trojan Horse
The deception that the Greeks used to breach the borders of the city of Troy – a gift of a wooden horse concealing a small force of soldiers – is a classic example of social engineering.

1920s: The original Ponzi scheme
Charles Ponzi told friends that he could double any investment they gave him in 90 days when, in reality, new investors were simply paying off old investors with the business running at a loss.

1925 CE: Selling the Eiffel Tower
Victor Lustig was a con artist who convinced investors that the Eiffel Tower was being sold for scrap.

1978: Mark Rifkin
Mark Rifkin memorized the daily transfer security code of a bank, then posed as an international employee and called the bank’s transfer department. He wired $10.2 million to a private Swiss account.

2007: Diamond Burglar
A man (who has not been caught) walked away from a Belgian bank with 120,000 carats of diamonds and other gems without the use of ANY technology. He simply used his “people skills” to gain the staff’s confidence.

2011: RSA SecurID Breach
Over a 2-day period, someone sent a small portion of RSA employees a phishing email that contained malware (a zero-day exploit that installed a backdoor) posing as a spreadsheet... which someone clicked.

2013: Twitter hijacking
The Twitter account for the Associated Press was hijacked by the Syrian Electronic Army, and they used it to send a fake report: “Breaking: Two Explosions in the White House and Barack Obama is injured.” The stock market nosedived by 150 points within 3 minutes of the Tweet being posted.

2015: BREAKING NEWS
A small group of young adults claim to have used simple social engineering tactics to gain access to the AOL account of CIA Director John Brennan and the Comcast account of Homeland Security Secretary Jeh Johnson.

?????

That One Time They Tried to Phish Me
Real stories, from real people. These stories were told to us by colleagues, friends and family.

Carol, 56, Nashville, USA
I once received an email claiming I’d won tickets to a Taylor Swift concert. My daughter desperately wanted to go so at first I was excited. But then, I read it again and noticed a few things. First of all, it said “Dear prize winner” and didn’t even use my name. And her name was misspelled. How do you misspell Taylor Swift’s name?! The email looked official, with the logo from the concert venue and a photo of Taylor Swift. But then I ended up deleting the email because I never entered a contest in the first place so I figured, how could I win one?

Victor, 41, Sydney, AU
Every time I get an obvious fake email from PayPal, I laugh. They always come in on my work email address but my PayPal account is set up through my personal email address. Those get deleted ASAP!

Fatima, 29, Washington DC, USA
I recently received an email claiming to be from my friend stuck in the Philippines, needing me to wire her $2000 immediately. There were no misspellings and her email looked legit, but I had just seen my friend two days before and she hadn’t mentioned a trip. I deleted the email and contacted her; it turns out that her email account was hacked!

Garrison, 34, Dublin, IE
I did get a rather convincing phish a few weeks ago. It appeared to come from one of the executives in my company. Reading the message immediately made me realize it was not for my eyes. It was directed to our CFO with an XLS attached, labeled 2016SalariesByDept.xls, and I’ve got to be honest: my curiosity was piqued. But then I thought, “How or why would this executive accidentally email me?” My name wasn’t even close to that of the CFO. So I looked again at the email and realized there was a period between his first and last names, while our company uses underscores. I forwarded it to the IT desk and they confirmed that other people had received the same thing.
Pretexting in depth

Zack: Good morning. This is Zack with the IT Help Desk.
Caller: OH my gosh, I don’t know what to DO...! They said you could help me...
Zack: Whoa! Slow down... What’s wrong?
Caller: I - I just started yesterday and I’ve already messed up! And... I don’t know what to DO!
Zack: Calm down so that I can help you. What’s your name?
Caller: Sue Cranston. I just started yesterday, and... Oh my gosh, this is so embarrassing.
Zack: No, it’s okay. We all make mistakes.
Caller: Not like THIS! I forgot my password, and now I can’t log in... And this is just my SECOND day and my boss already doesn’t like me, and I don’t want to get fired, it’s just....
Zack: Oh, is that all? No problem at all, I can help. You said Cranston?
Caller: Yes, Sue Cranston! Though it might be under Susan.
Zack: Okay... I see you in the employee database. #412, correct? And your email is...?
Caller: It’s Sue_Cranston@AcmeCorp.com. You mean it’ll be okay? And I won’t get into trouble??
Zack: Of course, it’s not a big deal! Let me just reset your password and give you a temporary...
Caller: Oh my gosh, you’re my hero!
Zack: It’s really not a big deal. Just write down this temporary password and promise me you’ll immediately change it and destroy the piece of paper, okay?
Caller: Of course! Thank you!! What’s the password?
Zack: Here goes... ITwuzEngin33red2DAY
Caller: Got it. Thanks so much, you’re the best!
Let’s look at what just happened. Sue (or someone pretending to be Sue) called claiming she’d lost her password, and asked Zack to reset it. So, how do we or Zack know if Sue was the real Sue Cranston or an imposter? Zack did nothing to verify the identity of the caller, then fell for her scheme and gave her access to the account. A good social engineer does advance research, and Sue IS a really important person at this organization. That most likely means that Sue’s email account is full of important confidential company information that would be useful to the bad guys.
What should Zack have done instead? How would you have handled the situation differently?
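One answer, shown as code: everything Zack checked (name, employee number, email address) is information a social engineer can research in advance, so matching it against the directory only locates a record and proves nothing about who is on the phone. The script below is an added example, not from this newsletter; it puts Zack’s flow beside a hardened one that adds a single out-of-band step, a one-time code delivered by calling the phone number already on file. AcmeCorp, employee #412, the record fields and the two callers are hypothetical, and the phone call is simulated.

```python
"""Added example, not from the newsletter: a help-desk password reset that does not accept
caller-supplied facts as proof of identity.

AcmeCorp, employee #412 and the record fields are hypothetical, and the callback is simulated.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional
import secrets
import string

# Hypothetical directory record for the employee named in the dialogue.
DIRECTORY = {
    412: {"name": "Susan Cranston", "email": "Sue_Cranston@AcmeCorp.com", "phone_on_file": "555-0142"},
}


@dataclass(frozen=True)
class Caller:
    """What the person on the phone claims, plus (for the simulation) the numbers they can answer."""
    claimed_name: str
    claimed_employee_id: int
    claimed_email: str
    answers_at: FrozenSet[str]


@dataclass
class ResetOutcome:
    granted: bool
    reason: str
    temporary_password: Optional[str] = None


def matches_directory(caller: Caller) -> bool:
    """Locate the record: surname and email must agree with the directory (Sue vs Susan is
    tolerated, as Zack did). This is a lookup, not verification."""
    rec = DIRECTORY.get(caller.claimed_employee_id)
    if rec is None:
        return False
    same_surname = caller.claimed_name.split()[-1].lower() == rec["name"].split()[-1].lower()
    return same_surname and caller.claimed_email.lower() == rec["email"].lower()


def new_temporary_password(length: int = 16) -> str:
    """Random temporary password; policy should force a change at first login."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def callback_with_code(phone_on_file: str, code: str, caller: Caller) -> Optional[str]:
    """Simulated callback: the desk dials the number on file and reads the code. Only someone
    who actually answers that number learns it; an impostor on another phone gets nothing."""
    return code if phone_on_file in caller.answers_at else None


def reset_as_zack_did(caller: Caller, audit: list) -> ResetOutcome:
    """The flow from the dialogue: directory facts match, so the password is reset and read
    out on the same call."""
    if not matches_directory(caller):
        audit.append(f"DENIED #{caller.claimed_employee_id}: no matching record")
        return ResetOutcome(False, "no matching directory entry")
    audit.append(f"GRANTED #{caller.claimed_employee_id}: facts matched, identity never verified")
    return ResetOutcome(True, "directory facts matched (identity never verified)",
                        new_temporary_password())


def reset_with_callback(caller: Caller, audit: list) -> ResetOutcome:
    """Hardened flow: same lookup, then proof of identity via the number on file."""
    if not matches_directory(caller):
        audit.append(f"DENIED #{caller.claimed_employee_id}: no matching record")
        return ResetOutcome(False, "no matching directory entry")
    rec = DIRECTORY[caller.claimed_employee_id]
    code = f"{secrets.randbelow(10**6):06d}"
    read_back = callback_with_code(rec["phone_on_file"], code, caller)
    if read_back != code:
        audit.append(f"DENIED #{caller.claimed_employee_id}: callback code not confirmed")
        return ResetOutcome(False, "could not confirm identity at the number on file")
    audit.append(f"GRANTED #{caller.claimed_employee_id}: callback code confirmed")
    return ResetOutcome(True, "identity confirmed by callback", new_temporary_password())


# Two simulated callers making the identical claim; only one can answer Sue's phone.
GENUINE_SUE = Caller("Sue Cranston", 412, "Sue_Cranston@AcmeCorp.com", frozenset({"555-0142"}))
IMPOSTOR = Caller("Sue Cranston", 412, "Sue_Cranston@AcmeCorp.com", frozenset({"555-0199"}))


if __name__ == "__main__":
    log: list = []
    for who, caller in (("genuine", GENUINE_SUE), ("impostor", IMPOSTOR)):
        print(who, "| as Zack did:", reset_as_zack_did(caller, log).granted,
              "| with callback:", reset_with_callback(caller, log).granted)
    print("\n".join(log))
```

Both callers pass Zack’s flow; only the genuine employee passes the callback flow, and every decision lands in the audit list that stands in for a ticketing system. In a real desk the temporary password itself would also go out over the callback (or a manager would hand it over in person) rather than being read to whoever phoned in, and the first login would force a change.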