By Jon-Louis Heimerl on April 08, 2011
In the past, I have called Social Engineering the “art of creative deception,” and other security people have used similar words over the years. The truth of the matter is that anyone with some intestinal fortitude can do social engineering. A great technical mind is not necessary, although it does help in recognizing which information is worth going after and what can be done with it. As a matter of fact, social engineering is a significant component of any dedicated attack, and is a standard part of an Advanced Persistent Threat (APT).
What ultimately makes a social engineering attack work is simply human nature. We want to trust and help people, and most of us dislike the idea of being rude to someone. So, when someone calls or emails with a problem, we try to help.
Therein lies the rub…
Many of us lack that human firewall that makes us wary of requests for help or information.
A short while back, I received an email from one of my credit card companies, asking me to call a 1-800 number regarding “a problem with my account.” The email looked official, and included the proper corporate colors and format, as far as I could tell. It also included the last four digits of my credit card number and my last name. Neither detail proves anything, since both are printed on every receipt, but together they make the message feel legitimate. Being justifiably paranoid, as security people tend to be, I called the 1-800 number in the email, more out of curiosity than anything else. A young lady answered and immediately started asking questions to “verify my identity.” Although she already had my last name, she blew her cover when she got another part of my name wrong. Yet, I continued to play along. When she asked for my social security number, I asked her if she could tell me the date of the last transaction on the account. She paused, and shortly afterwards disconnected the call. I then dialed the 1-800 number on the back of my card, and asked them if they had sent out an email alert on my card. Of course their response was, “we don’t do that.”
Although I had never believed it for a minute, the ploy was very good; the young lady who answered the phone was perfect. She really sounded like she was in a call center, and she very well may have been. It made me wonder what percentage of people who got the same email I did went through the entire call, gave up their SSN and whatever else they were asking. I had the credit card company issue me a new card just to be sure.
As another example of how easily social engineering can work, I recall my fastest social engineering engagement ever. Once upon a time, a client asked us to verify that their security training program was top-notch. They wanted to prove that a social engineering attack would not work against them. They almost mocked the fact that we were even going to try. As part of the effort, I looked online to find their main switchboard number. Then I dialed a number a few digits above their main number, on the assumption that direct lines are usually allocated in a block around the switchboard. A guy answered the phone with something like, “Don Reynolds, IT” (names have been changed to protect the innocent, and the guilty). I was so pleased to hear that I had reached IT on my first call that I excused myself and mumbled something to the effect of “wrong number.” I waited about five minutes, then dialed the next number, and got a voicemail that was something like, “Hi, you have reached Chip Thomas in Corporate IT Security. I am on vacation through the 17th. If you need immediate assistance, please call Jon Doe on N-NNNN, or call the helpdesk on X-XXXX.” I immediately called X-XXXX, and recognized the person who answered the phone as Don Reynolds. I put on my best southern drawl to match that of Chip Thomas, and mixed in a healthy dose of sore throat, laryngitis, and plugged-up nose. With some trepidation I started, “Don, glad I got you. It’s Chip, I’m on vacation, but have to log back in today. Some kind of crap going on. The problem is, I changed my password on Friday, and have no idea what it is.” Don was very obliging and changed Chip’s password immediately, without a single question to verify who he was talking to. Conveniently, right on the company’s web page, they had a link to the corporate “Outlook Web Access.” Chip’s new password worked great, and within about 30 seconds, I was logged onto Chip’s email account. Unfortunately for Chip, he used his Outlook as a database, and even stored several system passwords in an email folder very cleverly labeled “Passwords.”
Three phone calls in less than 10 minutes. With the admin passwords I got from Chip’s email, we were through their perimeter within 30 minutes of my first call, and had effectively compromised their primary website, retail website, production database, firewall, and primary domain controller. Those are a lot of results for three phone calls that required limited technical skills.
A true dedicated attack, like an APT, will use these techniques as well as many others. You can expect email attacks to be in the mix as well. During one of our tests, I sent emails to a total of 68 contacts from the client, and got 52 responses that gave us useful information – that is a 76% hit rate at a company that had a formal security awareness program. Among the 68 people we contacted, only one responded that we looked suspicious, and not one target reported our contact internally. Not one. And we were not really very sneaky about it either. For a test against the “ACME” company (names have been changed… you know the drill) we sent emails from an account named something like acmesupport.@yahoo.com. In a series of email exchanges, we were able to obtain group names, phone numbers, street addresses, full names, job titles, usernames, applications used, operating systems and versions, IP addresses, and even got one user to email back their login password. We learned that they were closing building 516 before most of their employees knew it. That information alone helped us get the password on their main Cisco router. We were not authorized to send in "hostile" attachments, but if I can get someone to email their IP address and password so I can "troubleshoot suspicious activity coming from your computer," then talking them into running an attachment would have been simplicity itself. Email. Gotta love it.
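As an added illustration, not the author's tooling and not anything Solutionary shipped, the following Python screen runs the simplest mail-side check that would have flagged the "acmesupport" messages described above: an external free-mail sender whose display name or address borrows the company brand or a support role, asking for credentials under a troubleshooting pretext. The domain acme.example, the brand tokens, the keyword lists and the two sample messages are all constructed for the example; none of them come from the engagement in the text.

```python
"""Heuristic screen for inbound mail that impersonates internal support from an
external address and asks for credentials.  Sample messages are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List

# Hypothetical target organization: its mail domain and the brand tokens an
# impersonator would borrow.  Adjust for a real deployment.
CORPORATE_DOMAINS = {"acme.example"}
BRAND_TOKENS = ("acme",)
SUPPORT_TOKENS = ("support", "helpdesk", "help desk", "it security",
                  "itsecurity", "it dept", "admin")

# Things a legitimate helpdesk should never ask you to send by email.
CREDENTIAL_REQUEST = re.compile(
    r"\b(password|passcode|login|log-in|credentials?|username|ip address)\b", re.I)
# Typical pretexts that accompany such requests.
PRETEXT = re.compile(
    r"\b(suspicious activity|verify your (?:identity|account)|troubleshoot|"
    r"reset|locked|urgent)\b", re.I)


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _body_text(msg) -> str:
    """Concatenate the text/plain parts of a message (single or multipart)."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True) or b""
                 for p in msg.walk() if p.get_content_type() == "text/plain"]
        return "\n".join(p.decode(errors="replace") for p in parts)
    return (msg.get_payload(decode=True) or b"").decode(errors="replace")


def screen_message(raw: str) -> List[str]:
    """Return a list of human-readable findings; an empty list means clean."""
    msg = message_from_string(raw)
    findings = []

    display, addr = parseaddr(msg.get("From", ""))
    local = addr.split("@", 1)[0].lower()
    dom = _domain(addr)
    external = dom not in CORPORATE_DOMAINS
    name_blob = f"{display} {local}".lower()

    if external and any(t in name_blob for t in BRAND_TOKENS):
        findings.append(f"external sender {addr} uses the company brand in its name")
    if external and any(t in name_blob for t in SUPPORT_TOKENS):
        findings.append(f"external sender {addr} poses as support/IT")

    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) != dom:
        findings.append(f"Reply-To {reply} does not match From domain {dom}")

    body = _body_text(msg)
    asks = sorted({m.lower() for m in CREDENTIAL_REQUEST.findall(body)})
    if external and asks:
        findings.append("external sender asks for: " + ", ".join(asks))
    if asks and PRETEXT.search(body):
        findings.append("credential request wrapped in a troubleshooting/urgency pretext")
    return findings


# Constructed sample: the kind of message the text describes.
PHISH = """From: ACME Support <acmesupport@yahoo.com>
To: jdoe@acme.example
Subject: Suspicious activity from your computer
Content-Type: text/plain

We are seeing suspicious activity coming from your computer. To troubleshoot,
reply with your IP address, username and password so we can check your account.
"""

# Constructed sample: ordinary internal mail that should pass.
BENIGN = """From: Jane Roe <jane.roe@acme.example>
To: jdoe@acme.example
Subject: Lunch on Thursday
Content-Type: text/plain

Are you free for lunch Thursday? Building 516 cafeteria at noon.
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("benign", BENIGN)):
        print(label, "->", screen_message(sample) or ["no findings"])
```

The point of the screen is not that regexes stop phishing; it is that every one of these signals was visible in the headers and body of the messages the test sent, so a mail gateway rule or even a user who glances at the sender's domain has something concrete to key on. Anything a real internal helpdesk would legitimately ask for (a username, say) is only flagged when it comes from outside the corporate domain or arrives with a pretext attached.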
Think this would not work on you or your company? Have you tested yourself? I suspect you would be very surprised. Each of the two companies above thought they were bulletproof. They each had formal security awareness training programs, a very savvy technical staff, and active security personnel. As a matter of fact, in each case intrusion testing and war dialing turned up nothing significant to attack. If we had stopped there they would have gotten solid grades. Unfortunately, or maybe fortunately, we added the social engineering testing and exposed serious gaps in their security. The social engineering tests provided detailed information so that the subsequent technical attacks were able to succeed. If you have not tested your resistance to an attack that includes social engineering, it is worth considering.
1. Contract it out. Your own people know too much about the company, which gives them an advantage no outside attacker would have. They are also at a disadvantage because they will play by the rules. Chances are your own people would not push the envelope, or try the little things that help make such an attack effective. Social engineering is a rather unusual skill that requires a certain amount of nerve. Personally, I found the attacks very stressful. Calling up staff, lying to them, and blustering or cajoling them into doing something wrong is not something that comes naturally to most sane people.
2. Set the ground rules. What is attackable and what is not? Are phone, email, fax, and social media all in play? Can the contractor email in a “virus” or executable attachment (or a fake one)? Can they call employees at home? Is a physical intrusion attempt acceptable or not? Make the rules as broad as you can to make the attack as meaningful as possible.
3. Make it a comprehensive test. Don’t just contract for a “Social Engineering” attack. Pair it up with technical attacks. The social engineering results feed the technical attacks, and the technical attacks in turn turn up names, systems and internal jargon that make the next round of calls and emails more convincing. The more each part of the test learns, the more the other side of the test can use to be more productive. The whole really is greater than the sum of its parts.
It is worth repeating that there is no such thing as a personal firewall that would help stop people from doing stupid things like emailing their password to a total stranger. But what we can do is know that our people are vulnerable, and remind them to be conscious of, and ready for an attack. A little vigilance never hurt nobody.
Jon-Louis Heimerl is Director of Strategic Security for Omaha-based Solutionary, Inc., a provider of managed security solutions, compliance and security measurement, and security consulting services. Mr. Heimerl has over 25 years of experience in security and security programs, and his background includes everything from writing device drivers in assembler to running a world-wide network operation center for the US Government. Mr. Heimerl has also performed commercial consulting for a variety of industries, including many Fortune 500 clients. Mr. Heimerl's consulting experience includes security assessments, security awareness training, policy development, physical intrusion tests and social engineering exercises.