Tales of a Professional Social Engineer
eWeek, 04/07/2005
By Larry Seltzer
Opinion: Nobody thinks it will happen to them, but social engineering is the way the pros use to compromise your security. And you'll invite them in.
Jim Stickley robs banks, government offices and other allegedly secure locations. And he does it the unorthodox way.
Stickley doesn't go in like Edward G. Robinson with a Tommy gun. He gets you to like him and trust him and leave him alone while he steals your confidential information and other assets that you should be guarding unceasingly. His is a field that has come to be known as social engineering.
His firm, Trace Security Inc., is hired by organizations like banks to test the security of their offices the only right way there is, by challenging it. Faceless National Bank will hire him to see if the Podunk branch is paying attention to security policy. The bank may even say, "Go in and try to steal these specific corporate account records."
If you got an e-mail that appeared to be from your boss or from headquarters telling you to expect a visitor, an exterminator, for example, would you let them in the door? Of course you would. But it's not too hard to fake a situation like that. Consider one way it might be done:
It's easy to determine who works in the branch. Sometimes it's on the Internet, or you can just walk in and look at the names on the desks and badges. The names of people at headquarters are often as available on the Internet.
The social engineering team sends innocuous probe e-mails to some of these people in a variety of styles, like john.smith@facelessnational.com and jsmith@facelessnational.com and so on to determine what everyone's address is.
Then the team registers a one-off domain name like facelessnationa1.com (notice the '1' at the end instead of an 'l').
When an e-mail comes in from the regional VP @facelessnationa1.com saying, for example, that an exterminator is coming, people are likely not to notice. And in fact, the "from" address of the message can actually say facelessnational.com with an "l" since that's easy to spoof, but if someone were suspicious enough to check headers they would quite possibly miss the "1."
Once the team's in the door and says they have to go around setting traps, the proper procedure should be to escort them anywhere and everywhere they go. Don't leave them out of your sight. When they crouch down under someone's desk near the back of the computer, look at what they are doing, because if it's Stickley he's probably installing a data-thieving dongle on the computer, which he intends to retrieve when he comes back to "check the traps." Other favorite scams are air conditioning tech and fire marshal.
Of course, Stickley really does leave some cheap glue traps, but he probably installs more pests than he'll ever take away. And don't leave him alone in the computer center because he'll probably walk out with the server backups tapes, the ultimate grand prize of such expeditions, since they contain mountains of sensitive data and are likely unencrypted.
This is just one of the schemes Stickley and his merry band will use. It's all very reminiscent of "Ocean's Eleven" and requires the attacker to be a great liar and cool under pressure. And such attackers always carry an authorization document from someone in authority in case they arouse suspicion, which Stickley insists is not very often.
When it happens it's because someone was assiduous at following procedure, a trait that often goes unappreciated or even ridiculed in normal circumstances. If you were in charge, would you assign one of your people to follow the exterminator around?
It's also worth mentioning that large financial institutions like banks usually have internal security groups that do audits to cover situations like this, but I don't think they often get as creative as Trace Security.
Stickley also engages in the more common remote forms of social engineering of the Kevin Mitnick variety. If you got a call from the development group at headquarters and they asked you, for test purposes, to sign in to the new development Web site at dev-facelessnational.com, would you? You might, and then they'd have your log-in credentials. (It's in cases like this that two-factor authentication is useful, but it's still not universal.)
Stickley also will e-mail e-greeting cards to users that attempt to use Windows vulnerabilities to install malware that gives him a backdoor to the system.
Do you want to worry about threats like Stickley every day while you're trying to get your job done? No, and neither do I. But unfortunately human failings are at the heart of most security breaches. In the end, the moral is that it can happen to you. Don't be complacent because you're in a big company that has security policies and even a budget for it. Don't think that because you're in a small company that you can fly under the radar. The Internet has made it too easy to attack anyone, and even small banks have money in them.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
 |
 |
 |
 |
 |
 |
Career Center | Privacy Policy | Contact Us | info@tracesecurity.com | Toll Free: (877) 275-3009
Copyright © 2012 TraceSecurity, Inc. All rights reserved.