Hacking-101.com

(penetration testing) + (sql injection) = foobar

Hacking-101.com and RSA Conference 2008

April 02, 2008 By: Jason Category: Uncategorized

Hacking-101.com (that is, me) will be attending the RSA Conference 2008 in San Francisco from April 7th through April 11th. You can also follow me on Twitter!

I am excited to attend this year. It will be my second time attending and I’ve prepared my itinerary of sessions and keynotes to attend ahead of time. Last year it was hectic.

It’ll be a blast. Maybe I can snag some good pics for all of you who can’t attend!

How To Protect Yourself Against Social Engineering (Part 2)

February 23, 2008 By: Jason Category: Cracks and Attacks

In a previous post I went into further detail about what social engineering is and the major types of social engineering that are employed today.

Safeguards That Protect Against Social Engineering
There’s a lot to be said for the phrase “An ounce of prevention is worth a pound of cure,” and it holds especially true for social engineering.

Prevention is the key to defending against social engineering. In many cases it is impossible to tell that someone is running a social engineering attack against your organization, because much of what an attacker asks for is innocuous on its own and does not stand out as sensitive to the employee answering.

Training, Training and More Training
Employees should be taught what social engineering is, the common attacks, and what information is safe to discuss with non-employees. Refresher information security training should take place at least yearly so that employees stay vigilant about computer security.

One of the best training examples I ever used was to tell stories about successful social engineering attacks I’d performed during my security assessments. It’s quite an eye opener to find out the sort of information people willingly disclose to people they barely know.

What About Customer Service?
We live in a customer service oriented world. Everywhere you turn people are greeting you and generally being helpful, or at least trying to be. The negative side-effect is that no one wants to tell the customer “no.” We are always focused on being helpful and giving the customer what they want.

It is possible to strike a balance: keep a positive and helpful attitude but still protect the company and its assets. First, employees must know what information they cannot give out. Examples are:

  • Usernames and passwords to computer systems
  • Answers to specific or probing questions about information systems
  • PIN codes or access codes
  • Organizational charts of any kind
  • Telephone directories

When asked for these types of information, employees should be trained either to redirect the question or to politely explain that the information is sensitive and cannot be provided. Any legitimate customer will understand. If the person asking escalates, the employee should know whom to call for help.

The dangers of social engineering are real. Hackers use it not only to gain access and prove that they can; companies have also been known to use these techniques for corporate espionage against competitors. A well-documented training plan, along with detailed incident response procedures, can prevent social engineering attacks or minimize the impact of a successful one.

How To Protect Against Social Engineering

February 20, 2008 By: Jason Category: Cracks and Attacks

In a previous post I touched on the dangers of social engineering. Social engineering is the process by which a hacker builds rapport with trusted individuals to gain access to restricted systems.

How Serious Is Social Engineering?
Social engineering comes in many shapes and sizes and no company is immune. In larger companies there is more chance that attempts will go undetected. Smaller companies benefit from a close-knit group of employees and a customer base that tends to be smaller as well.

Larger, more distributed environments may suffer from a non-centralized security staff, a client base spread out with no face-to-face interaction, and management in different locations with policies that differ from the rest of the company. A lack of common procedures, including incident handling procedures, undermines the effectiveness of any information security policy.

To further complicate things, social engineering is hard to detect. Unless someone on the IT staff is actually contacted, or the targeted users are extremely savvy, most attacks go unnoticed. Attacks come in so many flavors that there is no one-size-fits-all approach to detecting and deterring them.

Types of Social Engineering Attacks
Let’s break this down into two areas: operational attacks and technical attacks. They overlap a little, but they are separate and distinct.

Operational Attacks
Operational attacks are phone calls, emails and maybe even faxes that do two things: build trust and ask for information. A skilled social engineer takes his or her time and does not jump to the really difficult questions until they have laid the groundwork and built rapport with employees. Only after gathering a significant amount of preparatory information will the attacker ask for more detailed information, or even favors, like a tour of the datacenter or the server room.

Technical Attacks
Technical attacks require little human interaction; they are really just gaming the system to gather information, and they often precede an operational attack. An example of a technical attack is calling a business’s voicemail system and enumerating names, phone numbers and job descriptions.

Next I’ll tell you ways you can protect yourself against these attacks.

Skype Cross-Zone Scripting Vulnerability

January 20, 2008 By: Jason Category: Cracks and Attacks


Skype recently disclosed a cross-zone scripting vulnerability in Skype for Windows that allows script to execute without user consent. The vulnerability involves Skype’s integration with Dailymotion, the video site that works with Skype so that users can download clips and use them in Skype for moods and chat.

According to Skype the vulnerability affects Skype versions 3.5 and 3.6 and has already been addressed. The attack was demonstrated as a proof-of-concept before any exploits were known in the wild.

To protect its customer base, Skype has temporarily disabled the ability for users to add videos from Dailymotion until a software fix is released.

Aviv Raff has a good write-up of this vulnerability on his website, including a video demonstrating the PoC.

Read the Skype Security Bulletin SKYPE-SB/2008-001.

Windows XP and Windows Vista MBR Rootkits

January 08, 2008 By: Jason Category: Cracks and Attacks

It was only a matter of time and determination.
In December 2007 a rootkit was discovered in the wild that installs itself through the Master Boot Record, so that its code runs before Windows loads.  The disappointing fact is that this is not a new avenue of attack; MBR viruses have existed since the late 1980s.  If you control the MBR of a host, you control the code that runs before the operating system and can manipulate it at will.

The known MBR rootkits (and their variants) cannot be removed while the OS is running, and a rootkit that hooks disk I/O may even hand back a clean-looking sector when the MBR is read from the infected system, so check it from offline boot media.  Booting into the Recovery Console and running FIXMBR (on XP), or running bootrec /fixmbr from the Vista recovery environment, rewrites the boot code and removes the rootkit while leaving the partition table in place.  Now couple this rootkit with a zero-day exploit that can overwrite the MBR once the system boots and you have a rather annoying infestation.
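Because a boot-sector rootkit leaves the partition table alone and the OS boots normally, the useful on-disk check is to compare the 446 bytes of boot code against a known-good copy rather than to look at the partitions. The following Python is an added example, not code from the original post or from Symantec: it parses a 512-byte MBR, validates the 0x55AA signature, lists the partition entries and hashes the boot code against a baseline. The two sample MBRs are constructed for illustration; the “infected” one differs only by a jump inserted at the front of the boot code, which is an assumption about a rootkit’s layout, not a description of any particular sample.

```python
"""Parse a 512-byte Master Boot Record and compare its boot code with a baseline.

Added example, not from the original post. The layout used is the classic MBR:
446 bytes of boot code, four 16-byte partition entries, then the 0x55AA signature.
"""
from __future__ import annotations

import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_SIZE = 446
PARTITION_TABLE_OFFSET = 446
PARTITION_ENTRY_SIZE = 16
SIGNATURE = b"\x55\xaa"


def parse_partition_table(mbr: bytes) -> list[dict]:
    """Return the four primary partition entries (status, type, LBA start, size)."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def check_mbr(mbr: bytes, baseline_sha256: str) -> dict:
    """Report signature validity, the boot-code hash, and whether it matches the baseline."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    digest = hashlib.sha256(mbr[:BOOT_CODE_SIZE]).hexdigest()
    return {
        "signature_ok": mbr[MBR_SIZE - 2:] == SIGNATURE,
        "boot_code_sha256": digest,
        "boot_code_matches_baseline": digest == baseline_sha256,
        "partitions": [p for p in parse_partition_table(mbr) if p["type"] != 0],
    }


def read_mbr(device: str) -> bytes:
    """Read the first sector of a raw device. Needs Administrator/root:
    Windows r"\\.\PhysicalDrive0", Linux "/dev/sda". Prefer running this from
    offline boot media so a rootkit hooking disk I/O cannot filter the read."""
    with open(device, "rb") as fh:
        return fh.read(MBR_SIZE)


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a sample MBR with the given boot code and one active NTFS partition."""
    if len(boot_code) > BOOT_CODE_SIZE:
        raise ValueError("boot code too long")
    code = boot_code.ljust(BOOT_CODE_SIZE, b"\x00")
    # status 0x80 (active), CHS placeholders, type 0x07 (NTFS), LBA start 63, 1 GiB of sectors
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 2_097_152)
    table = entry + b"\x00" * (PARTITION_ENTRY_SIZE * 3)
    return code + table + SIGNATURE


# Constructed samples (not real disk images): a "clean" boot-code stub using the opening
# bytes typical of an XP-era MBR (xor ax,ax / mov ss,ax / mov sp,7C00h / mov es,ax / mov ds,ax)
# and an "infected" one that assumes the rootkit prepends a short jump to its own loader.
CLEAN_BOOT_CODE = bytes.fromhex("33c08ed0bc007c8ec08ed8")
CLEAN_MBR = build_sample_mbr(CLEAN_BOOT_CODE)
BASELINE_SHA256 = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_SIZE]).hexdigest()
INFECTED_MBR = build_sample_mbr(b"\xeb\x20" + b"\x90" * 30 + CLEAN_BOOT_CODE)

if __name__ == "__main__":
    for name, mbr in (("clean", CLEAN_MBR), ("infected", INFECTED_MBR)):
        report = check_mbr(mbr, BASELINE_SHA256)
        print(name, "signature_ok:", report["signature_ok"],
              "boot code matches baseline:", report["boot_code_matches_baseline"],
              "partitions:", [(p["type"], p["lba_start"]) for p in report["partitions"]])
```

Note that the clean and infected samples have identical partition tables and both carry a valid signature; only the boot-code hash separates them, which is why a baseline captured from known-clean media (or after FIXMBR) is the thing worth keeping.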

For more details on the Master Boot Record read this.

Symantec has more information on the rootkit and can be found here.

Sunbelt-Software Deals

January 06, 2008 By: Jason Category: Apps

Sunbelt Software’s Sunbelt Personal Firewall (formerly Kerio Personal Firewall) is on sale for $9.95 a copy ($10 instant rebate).  If you buy now you can also get the award-winning CounterSpy for an additional $9.95.  For under $20 you can secure your system with a good firewall and an anti-spyware blocker.  You can also use a full-featured trial of Kerio for 30 days; after that it loses some functionality, but the firewall itself stays intact.

I’ve used Kerio for years and for me it’s the best host-based firewall and host intrusion prevention system out there.  I run it on my systems at home.  It’s powerful, easy-to-use, and much easier to navigate than Comodo Personal Firewall.

CounterSpy is an anti-spyware application similar to Windows Defender.  It runs in the system tray and actively blocks malicious code execution.  CounterSpy is simple to configure and runs a full system scan at 1:00 AM by default.

Check both of these apps out here.

Windows UI Hacks

January 01, 2008 By: Jason Category: Apps

If you want to hack your Windows desktop to look like something else, check out this MakeUseOf.com article: five new (sort of) looks for your Windows XP system.

Use at your own risk: these apps are provided by the community, and who knows how ’safe’ they are. =)

If you feel like spending some of your hard-earned Christmas cash, check out WindowBlinds by Stardock Software.

Happy New Year!

The Human Element and Social Engineering

December 24, 2007 By: Jason Category: Techniques, Cracks and Attacks

Humans, more than passwords, are the most insecure part of any network.  Even if every system is as secure as it can be, human personality is exploitable and practically no one is immune.

The famous hacker/phreak, Kevin Mitnick, was a master of social engineering.  He gained most of his knowledge of phone systems, usernames, passwords and numbers by calling and talking to employees of the company he was going to hack.

In our customer-service-oriented age it is becoming harder to teach employees to treat visitors and phone calls with caution as well as courtesy.  Employees and supervisors alike are compromised by skilled social engineers.  Both groups are taught to help customers, give them what they want, and get them off the phone.  Meanwhile they may not understand what information they are providing that a skilled hacker can exploit.

Let me tell you a story about a bank I did penetration testing for.  Its name shall remain nameless to protect its confidentiality.

I called in over the phone and spoke to a bank teller.  After several minutes of general discussion with her about a suspected “virus outbreak” I convinced her to collect and email me all of the usernames and passwords for the other branch office members.  This was the first call to the branch and the first time I’d ever spoken to her.

People are easily convinced when they either want to believe something is true or they are afraid it is.  She was afraid that something she had done had helped spread this “virus outbreak” and it was simple to use that to gather information about the systems.  This wasn’t the first, nor was it the last, time I successfully used this technique.

Social engineering is quite simple.  First, you have to be able to lie convincingly.  You need to be able to say something and BELIEVE it yourself.  If you can’t convince yourself, and match your words with proper speech patterns and body language, no one will believe you.

Second, a skilled social engineer must master the ability to mix truth with lies.  The most successful social engineering attempts have always had a shade of truth mixed in with the lies.  It is hard to keep track of multiple lies and easy to get caught in them.  Adding half-truths and actual facts lends credence to the attack and makes the story easier to keep straight in the attacker’s mind.

Third, and finally, you must conquer your own fears and understand your weaknesses as the attacker.  Social engineering can be mentally exhausting as well as physically tiring.  Your pulse quickens, your breath comes faster, you start to speak faster, you look away more when you talk.  That is our natural tendency when we lie, so you must be aware of how your body responds to the situation and learn to control it.

Firewalls, intrusion prevention systems and strong passwords are useless when an attacker can simply call and obtain valid access to the system.  Many employees will hand out information that an information security professional would not want them to.  All of this is possible because of natural human tendencies and the patterns taught by our customer-service-focused culture.

How to protect against social engineering
No system is 100 percent secure.  The only true defense against social engineering is a strong information security training program.  The program must teach what social engineering is, how to challenge a ’strange request’ in a customer-focused way, and how to notify the IT department.  All employees must be continually reminded of what they can tell non-employees.

Part of this training should also cover what employees can expect from the IT department, starting with the obvious: “We won’t ask you for your password.  Ever.”  Many social engineering attacks that involve computer systems are focused on information about those systems.  Employees should know the names, phone numbers and locations of the IT staff so that they can verify a caller who claims to be from IT.

An ounce of prevention is worth a pound of cure.  Find or create literature that can be emailed to employees explaining what social engineering is and how to combat it.  We are fallible and need constant practice to master any skill.  Social engineering attacks ARE preventable.

The Ethical Hacker Challenge

December 17, 2007 By: Jason Category: News

Brought to our attention by Damon Cortesi, Internet Security and Application Security Specialist: the 2007 Ethical Hacker Challenge is alive and well.

Security Through Obscurity

November 14, 2007 By: Jason Category: General Information

Have you ever heard of security through obscurity?  It is the idea that “what the enemy doesn’t know won’t hurt you.”  Sort of like having your firewall drop all incoming ICMP packets: they won’t know you are there…

If you believe that I have a bridge to sell you in Mexico.

Security through obscurity is like having full windows in your shower and pretending that, since the glass is a little dirty, no one can see your naughty bits, and that even if they could they wouldn’t want to.  You’re probably wrong on both counts.  You can’t hide behind dirty glass, and they would look just because they could.

Do not pretend that security through obscurity is part of defense in depth.  Defense in depth is a holistic approach that layers operational, procedural and technical controls to protect your information.  Hiding your systems only works to a point: every system on the Internet can be found and is potentially vulnerable.

What’s the good news?  You can mitigate your risk even if someone knows you have a juicy Oracle server hiding behind your firewall.  A properly tuned intrusion detection/prevention system, coupled with well-documented access control lists that deny by default and permit only the traffic each host actually needs, goes a long way toward defending your network.  Unfortunately the network perimeter is no longer the only attack vector, so you’ll also need to keep patches current, enforce complex passwords and enable proper auditing.
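To make the ICMP and ACL point concrete, here is an added Python model (not code from the original post, and not a real firewall) of a stateless packet filter with first-match rules and a default policy. It runs a handful of constructed probes against two policies: the “obscurity” policy that only drops ICMP and lets everything else through, and a default-deny policy that permits just the documented flows. The addresses, the web and app tier hosts, and the Oracle listener on TCP 1521 are illustrative assumptions.

```python
"""A toy first-match packet filter to compare "drop ICMP and hide" with default deny.

Added example, not from the original post. Rules, hosts and probes are constructed
for illustration; nothing here touches a real network.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                    # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None   # None for ICMP


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    proto: str = "any"
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None   # None matches any port

    def matches(self, pkt: Packet) -> bool:
        return all((
            self.proto in ("any", pkt.proto),
            self.src in ("any", pkt.src),
            self.dst in ("any", pkt.dst),
            self.dport is None or self.dport == pkt.dport,
        ))


@dataclass(frozen=True)
class Policy:
    rules: tuple[Rule, ...]
    default: str                  # applied when no rule matches

    def evaluate(self, pkt: Packet) -> str:
        for rule in self.rules:   # first match wins, as in a typical ACL
            if rule.matches(pkt):
                return rule.action
        return self.default


# Constructed hosts (RFC 1918 inside, documentation range for the scanner).
ORACLE = "10.0.0.10"
WEB = "10.0.0.5"
APP = "10.0.0.20"
ATTACKER = "198.51.100.7"

# "Obscurity": silently drop ICMP so the hosts "aren't there"; allow everything else.
OBSCURITY_ONLY = Policy(rules=(Rule("deny", proto="icmp"),), default="allow")

# Default deny with documented allows: HTTPS to the web host from anywhere,
# the Oracle listener only from the application tier.
DEFAULT_DENY = Policy(
    rules=(
        Rule("allow", proto="tcp", dst=WEB, dport=443),
        Rule("allow", proto="tcp", src=APP, dst=ORACLE, dport=1521),
    ),
    default="deny",
)

# Constructed probes: a ping sweep, a direct TCP probe at the Oracle port,
# a legitimate HTTPS request, and the app tier's own database connection.
PROBES = (
    Packet("icmp", ATTACKER, ORACLE),
    Packet("tcp", ATTACKER, ORACLE, 1521),
    Packet("tcp", ATTACKER, WEB, 443),
    Packet("tcp", APP, ORACLE, 1521),
)


def allowed_probes(policy: Policy, probes: tuple[Packet, ...] = PROBES) -> list[Packet]:
    """Packets the filter lets through to the destination host."""
    return [p for p in probes if policy.evaluate(p) == "allow"]


def host_discoverable(policy: Policy, host: str, scanner: str,
                      probes: tuple[Packet, ...] = PROBES) -> bool:
    """A host is discoverable by `scanner` if any probe from it reaches the host:
    a TCP probe that gets through draws a SYN/ACK or RST either way, so dropping
    ICMP alone hides nothing from a scanner that does not rely on ping."""
    return any(p.dst == host and p.src == scanner for p in allowed_probes(policy, probes))


if __name__ == "__main__":
    for name, policy in (("obscurity only", OBSCURITY_ONLY), ("default deny", DEFAULT_DENY)):
        print(name, "-> Oracle host discoverable by attacker:",
              host_discoverable(policy, ORACLE, ATTACKER))
```

Under the obscurity policy the ping is dropped but the TCP probe at 1521 sails through, so the Oracle host is found the moment the scanner stops relying on ping. Under default deny the scanner gets nothing back from the Oracle host while the web host still serves HTTPS and the app tier still reaches the database, which is the documented-ACL outcome the post is after.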

Oh the work never ends.

People who live in glass houses shouldn’t walk around naked.