Hacking-101.com

In a previous post I went into further detail about what social engineering is and the major types of social engineering that are employed today.

Safeguards That Protect Against Social Engineering
There’s a lot to be said about the phrase “An ounce of prevention is worth a pound of cure” and this holds especially true in regards to social engineering.

Prevention is the key to social engineering. In many cases it’s impossible to determine if someone is attempting social engineering attacks against your organization. This is due to the fact that many of the things an attacker may be asking are innocuous and don’t necessarily stand out as sensitive information to an employee.

Training, Training and More Training
Employee’s should be taught what social engineering is, common attacks, and what sort of information is safe to discuss with non-employee’s. Refresher Information Technology training should be accomplished at least yearly to ensure that employee’s continue to be vigilant about computer security.

One of the best training examples I ever used was to tell stories about successful social engineering attacks I’d performed during my security assessments. It’s quite an eye opener to find out the sort of information people willingly disclose to people they barely know.

What About Customer Service?
We live in a customer service oriented world. Everywhere you turn people are greeting you and generally being helpful. Or hopefully. Another negative side-effect is that no one wants to tell the customer “no.” We’re always focused on being helpful and giving the customer what they want.

It is possible to strike a balance, have a postive and helpful attitude, but still protect the company and its’ assets. First, employee’s must know what information they cannot give out. Examples of this are:

• Usernames and passwords to computer systems
• Specific or probing questions about information systems
• PIN codes or access codes
• Organizational Charts of any kind
• Telephone directories

When asked for these types of information employee’s should be trained to either redirect the question or politely notify the person asking that information is sensitive and cannot be provided. Any real customer will understand this. If the person asking escalates the situation the employee should know who to call for more help.

The dangers of social engineering are real. Not only are hackers using it to gain access to prove that they can, companies have been known to use these techniques to perform corporate espionage on competitors. A well-documented training plan along with detailed incident reponse procedures can prevent social engineering attacks or minimize the impact of a successful attack.

In a previous post I touched on the dangers of social engineering. Social engineering is the process by which a hacker builds a rapport with trusted individuals to gain access to restricted systems.

How Serious Is Social Engineering?
Social engineering comes in many shapes and sizes and no company is immune. In larger companies there’s more of a chance that social engineering attempts will go undetected. Smaller companies benefit from a close-knit community of employee’s and a base of customers that tend to be smaller as well.

Larger, more disparate environments may suffer from a non-centralized security staff, a client-base that is spread out with no face-to-face interaction and a disparate management staff with policies that differ from the rest of the company. A lack of common procedures and incident handling procedures minimizes the effectiveness of any Information Technology Policy.

To further complicate things, social engineering is hard to detect. Unless someone from the IT staff is actually contacted, or that users are extremely savvy, most attacks may go unnoticed. Social engineering attacks come in so many different flavors that there’s not really a one-size-fits-all approach to detect and deter these attacks.

Types of Social Engineering Attacks
Let’s break this down into two different areas; operational attacks and technical attacks. They overlap a little but they are two separate and distinct entities.

Operational Attacks
Operational attacks are phone calls, emails and maybe even faxes that do two things, build trust and ask for information. A skilled social engineer will take his or her time and not jump to the really difficult questions until they have spent time building a groundwork and rapport with employee’s. Only after they have gathered a significant amount of prepatory information the attacker will ask for more detailed information, or maybe even favors, like a trip to see the datacenter or the server room.

Technical Attacks
Technical attacks require little human interaction. These attacks are really just gaming the system to gather information. Many times these techical attacks will precede an operational attack. An example of a technical attack would be calling the voicemail system of any business and enumerating names, phone numbers and job description.

Next I’ll tell you ways you can protect yourself against these attacks.

Skype recently disclosed a vulnerability that affects Skype on a Windows PC that executes without user consent. This vulnerability affects Skype and Dailymotion, the video site that works with Skype so that users can download clips and use them in Skype for moods and chat.

According to Skype this vulnerability affects users of Skype version 3.5 and 3.6 but has already been fixed. The attack was demonstrated as a proof-of-concept prior to any known exploits.

To further protect their customer base, Skype has temporarily disabled users the ability to add videos from Dailymotion until a software fix has been released.

Aviv Raff has a great article discussing this vulnerability on his website. Included is a great video demonstrating the PoC.

Read the Skype Security Bulletin SKYPE-SB/2008-001.

It was only a matter of time and determination.
Discovered in December 2007, rootkit writers have the ability to install rootkits as a non-privileged user via the Master Boot Record.  The disappointing fact is that this is not a new avenue of attack; MBR viruses have existed for the past dozen years.  Theoretically if you can control the MBR of a host you can manipulate the operating system.

The known MBR rootkits (and variants) cannot be removed while the OS is running.  Booting into the Recovery Console and running FIXMBR will successfully remove the rootkit and restore the pristine boot record.  Now, couple this rootkit with a zero day exploit that can overwrite the MBR once the system boots and you’ve got a rather annoying infestation.

For more details on the Master Boot Record read this.

Symantec has more information on the rootkit and can be found here.

Humans, more than passwords, are the most unsecure part of any network.  In the end, if all systems are as secure as possible, the personality of people is exploitable and practically no one is immune.

The famous hacker/phreak, Kevin Mitnick, was a master of social engineering.  He gained most of his knowledge of phone systems, usernames, passwords and numbers by calling and talking to employees of the company he was going to hack.

In our customer service oriented age it’s becoming harder to teach employee’s to challenge visitors and phone calls with caution as well as service.  Employee’s and supervisors are both compromised by skilled social engineers.  Both groups are taught to help customers, give them what they want, and get them off of the phone.  In the meanwhile they may not understand what information they are providing that can be exploited by the skilled hacker.

Let me tell you a story about a bank I did penetration testing for.  Their name shall rename nameless to protect their confidentiality.

I called in over the phone and spoke to a bank teller.  After several minutes of general discussion with her about a suspected “virus outbreak” I convinced her to collect and email me all of the usernames and passwords for the other branch office members.  This was the first call to the branch and the first time I’d ever spoken to her.

People are easily convinced when they either want to believe something is true or they are afraid it is.  She was afraid that something she had done had helped spread this “virus outbreak” and it was simple to use that to gather information about the systems.  This isn’t the first, nor was it the last, time I’d successfully used this technique.

Social engineering is quite simple.  First, you have to be able to lie convincingly.  You need to be able to say something and BELIEVE it yourself.  If you can’t convince yourself and use proper verbal speech patterns with body language, no one will believe you.

Secondly, a skilled social engineer needs to have mastered the ability to mix truth with lies.  The most successful social engineering attempts have always had a shade of truth mixed with the lies.  It is hard to keep track of multiple lies and easy to get caught up with them.  Adding half-truths and actual facts will lend credence to the attack as well as make it easier to keep track of in the attackers mind.

Third, and finally, you must conquer your own fears and understand your weakness as the attacker.  Social engineering can be mentally exhausting as well as physically tiring.  Your pulse quickens, your breath comes faster, you start to speak faster, you look away more when you talk.  It’s our natural tendency when we lie. That’s why you must be aware of how your body responds to  the situation and learn to control it.

Firewalls, Intrusion Prevention Systems and secure passwords are useless when an attacker can call and get valid access to the system.  Many employees will hand out information that an Information Security professional would not want them to.  All this is possible because of natural human tendencies or patterns taught in our customer service focused culture.

How to protect against social engineering
No system is 100 percent secure.  The only true defense against social engineering is a strong information security training program.  This program must be designed to teach what social engineering is, ways to challenge a ’strange request’ in a customer-focused fashion and how to notify the IT Department.   All employee’s must be continually reminded of what they can tell non-employee’s.

Part of this training should also incorporate what employee’s can expect from the IT department.  This includes the obvious “we won’t ask you for your password.  Ever.”  Many social engineering attacks that involve computer systems are focused on systems information.  Employee’s should be aware of the names, numbers and locations of the IT staff.

An ounce of prevention is worth a pound of cure.  Find or create literature that can be emailed to employee’s to tell them what social engineering is and how to combat it.  We are fallible and require constant practice to master any skill.  Social engineering attacks ARE preventable.

The 1.1.1 update for the iPhone turns all hacked iPhones into an iBrick or iPaperWeight.  Sucky, eh?  Well, too bad.  Sure, it’s cool and hip to unlock your iPhone, not that anyone but you truly cares that you did.

Do I think that Apple should have gone with AT&T (Your world.  Delivered–To The NSA)?  Probably not the best choice to use an EDGE cellular network, but that’s their mistake.  The iPhone has generated huge amounts of income for Apple and AT&T.  Would it have generated more income if they had used a more open (or multiple) cell network?  Definitely.

If your iPhone is bricked you can find instructions on how to roll back to 1.0.2 on the Internet.  I’m not going to post them or a link here since I don’t want to  receive some sort of Gestapo take-down order.

Last Thursday the hacking group GNUCitizen announced that they found a critical flaw in Adobe PDF documents that allow an attacker to compromise any Windows operating system.  This requires the user to execute a malicious specially-crafted file.  It has been said that the flaw affects Windows XP with Service Pack 2.

There wasn’t any Proof-of-Concept code released with the announcement.  According the the founder they are not releasing the POC because it may take a while for Adobe to fix the product.