Friday, December 4, 2009

Social Engineering

Social Engineering is the "art of personal manipulation", and is the reason why corporations should take a paranoid approach to building security policy. Many vulnerabilities (including all of the denial-of-service ones) involve techniques that elevate levels of access, but only through social engineering.

The author would, at this point, like to state that there is nothing "artful" or even legal about social engineering; it is basically the "dirtiest game of pool" one can play. However, because it relates to computer security, it is described in this document to make people aware of the problem and of how it applies to computer vulnerabilities.

Internal Spying

Information Fishing

It has been the general consensus of hackers and penetration testers that people can be very susceptible to being conned out of private information, and in most cases it can be rather simple for a hacker to get information from someone. Sometimes there just isn't any other way to get information about a network without trying to socially engineer it, so for cases where vulnerabilities require personal interaction, here are brief examples of common problems:

Gaining Access

The goal of social engineering is to gain access to computer systems simply by talking people out of information. By pretending to be an employee, a lot of implied information can be acquired. Employees are entitled to some information, and most companies have a policy whereby employees are allowed to repair their own equipment. Thus, some margin for social engineering does exist.

"I forgot my password!"

This is the classic attack, for which there is very little cure: the situation where someone has lost, mistyped, forgotten, or just plain broken their password is a prime target for social engineering. Administrators face this problem every day. Here is a quick example of how such a conversation may go:

[Keep in mind every Computer Center I've ever worked with has had someone named "Chuck", so I've concluded people named Chuck are believable engineers, even if nobody has ever heard of the name at that computer center before. Al and Bill work side-by-side with Chuck, so all these names have a good chance of working.]

Intruder: <dials a random number on the telephone inside of a medium to large company>

Unsuspecting Person: This is Unsuspecting Person, how may I help you?

Intruder: I'm Chuck from the Computer Center. I'm currently monitoring the network lines and I only need to know if you're on the network right now and what your account ID is.

Unsuspecting Person: <thinks about it, but can't see how an ID would hurt anything> Uh, okay, my ID is UPERSON. This isn't going to crash my computer, is it?

Intruder: It shouldn't. Thanks.

Intruder: <hangs up>

Intruder: <tries to log in 3-5 times on the account to make sure it gets locked out; the more believable the better>

Intruder: <calls computer center>

Computer Center: This is the Computer Center, how may I help you?

Intruder: This is Unsuspecting Person, I've forgotten my password - I tried to remember it but I locked out my account. My account is UPERSON.

Computer Center: <makes a judgement call - if the excuse pans out, they'll probably just give you a new password over the phone. Because the account was locked out, and the name and account match, this usually raises no suspicion.>

Computer Center: Okay, I unlocked your account. What would you like your new password to be?

Intruder: Okay, let me think... How about "I-J-H-Y-S-C-C-H-H"

Computer Center: Okay. You're all set. Need anything else?

Intruder: Nope, I'm happy! Have a good day!

Computer Center: You too, bye.

Computer Center or Intruder: <hang up>

There are several things an administrator can do to protect against this sort of attack. To tighten security, the following measures would be ideal:

• Require proof of ID. Social Security Number, Employee Number, and home phone number are good choices.

• Require that all password changes are done in person to verify identity.

• Require changes be done with approval from their supervisor.

• Require a callback to their current telephone location.

Because some vulnerabilities allow an attacker to assume someone's identity on the network (such as by compromising their e-mail account on one machine), taking e-mail authentication as proof is not good enough. People should never reply to any online request asking for a password.
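As an added illustration (not part of the original text), the Python sketch below encodes the controls listed above as a help-desk reset gate: identity proof by employee number, callback to the phone on record (unless the request is made in person), and supervisor approval. It also flags a request arriving minutes after a lockout, since the dialogue above shows the intruder deliberately locking the account to make the call believable. The directory record, employee number, phone numbers, supervisor account and 15-minute window are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed directory record the help desk verifies callers against
# (employee number, phone and supervisor are made up for this example).
DIRECTORY = {
    "UPERSON": {"employee_no": "E-1234", "phone_on_record": "555-0101",
                "supervisor": "ASMITH",
                "last_lockout": datetime(2009, 12, 4, 10, 0)},
}
LOCKOUT_WINDOW = timedelta(minutes=15)  # assumed threshold; tune per site


@dataclass
class ResetRequest:
    account: str
    claimed_employee_no: str
    callback_phone: str                 # number the help desk will call back
    supervisor_approval: Optional[str]  # supervisor account that approved, if any
    in_person: bool                     # caller showed up at the help desk
    requested_at: datetime


def evaluate_reset(req: ResetRequest, directory=DIRECTORY):
    """Return (approved, reasons). Each failed control is a reason to refuse;
    a lockout shortly before the call is flagged because it matches the
    lock-then-call pattern in the dialogue above."""
    rec = directory.get(req.account)
    if rec is None:
        return False, ["unknown account"]
    reasons = []
    if req.claimed_employee_no != rec["employee_no"]:
        reasons.append("employee number does not match the directory")
    if not req.in_person and req.callback_phone != rec["phone_on_record"]:
        reasons.append("callback number is not the phone on record")
    if req.supervisor_approval != rec["supervisor"]:
        reasons.append("no approval from the supervisor on record")
    last = rec.get("last_lockout")
    if last is not None and timedelta(0) <= req.requested_at - last < LOCKOUT_WINDOW:
        reasons.append("account was locked out minutes before this request; escalate")
    return not reasons, reasons


# Constructed sample requests: the phone-only caller from the dialogue above,
# and a legitimate in-person request hours later with supervisor approval.
PHONE_CALLER = ResetRequest("UPERSON", "E-0000", "555-0199", None, False,
                            datetime(2009, 12, 4, 10, 5))
IN_PERSON = ResetRequest("UPERSON", "E-1234", "555-0101", "ASMITH", True,
                         datetime(2009, 12, 4, 14, 0))
```

Running `evaluate_reset(PHONE_CALLER)` refuses with four reasons, while `evaluate_reset(IN_PERSON)` approves with none.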

"What is your password?"

I wish I could say that there is absolutely no way this could work - but it does. An unbelievable offer followed by a quick question can usually lead to easy access. Here is a common way people lose passwords to a wily (?) hacker.

Intruder: Hey, what are you working on?

Victim: I'm working on <xxx>, I've been doing it for hours. I hate doing this, blah blah.

Intruder: I know a way you can do that instantly with this cool program called Super <xxx>. My friend did what you are doing in 5 minutes, and then we hung around in bars for the rest of the day. Best of all, I've got it here if you want it. I'll just give it to you.

Victim: COOL!! Can you mail it to me?

Intruder: Nope, my mail is broken. Just give me your account and I'll transfer it to you.

Victim: Uhh, okay. My account is Victim and my password is china.

Intruder: Okay, I'll send it over right away.

This variant happens in a situation with little established trust, but if the same hacker had reached this point by gaining access to the host and pretending to be someone the victim knows, the victim may never know what happened. Usually only a little trust needs to be established. After all, nobody expects this sort of an opener from a hacker:

Intruder: Bob, I've just got a great deal on cruise tickets, only $399 for a 7 day cruise. The wife and I are going to go to the Caribbean. My travel agent set me up, if you want I can show you a brochure tomorrow.

The only real way to correct a problem like this is education. Even the most menial of accounts on a typical computer network can lead to colossal compromises, even if people think there is very little at risk. People often assume that because there is nothing on their account at the time, they have nothing to lose by giving out their account and password - this is very far from the truth. The majority of ways to elevate access through vulnerabilities on a host require a regular user account.

Computer Vulnerabilities

Fishing for Information

Many things can be learned by calling the Computer Center of a large business. The following things are usually extremely easy to learn about a company simply by posing as an employee and asking:

• The pool of modems used for people to call in, to get access via telephone.

• The proper format for email addresses for the company, showing a possible Internet route in.

• The IP addresses of the file server, mail server, firewall, CD-ROM server, development and source code repository, the HR server, the R&D server, and the financial server. This can simplify the attack plan.

• The correct configuration to talk to the network (many of the Computer Center employees can recite this by heart by now.)

• The phone number of the computer center, giving an idea where other telephone access points may be.

• Current products -- just ask a sales representative. This can be used to identify possible attack targets.

It may be ideal to set a policy that requires people in the company never to configure computers themselves. Windows NT computers can be locked down so that their configuration cannot be tampered with, but leaving it as the employee's responsibility to fix problems makes the questions above commonplace at a computer center. By forcing all repairs to be done by technicians and never by telephone, these details can remain hidden.

Trashing

"One man's trash is another man's treasure." Proven true in many respects: intruders have often stolen the garbage from a company and gone through it for sensitive information such as broken but salvageable media, papers and documents describing computer design, names of users, accounts and potential passwords. A lot about the security of a company can be learned by investigating its garbage.

One of the sneakier methods of getting an item out of a secured complex while under surveillance is to throw away a piece of equipment while inside the complex and fish it out of the garbage afterwards. That way a simple office tour can be turned into a serious security problem. Consider the damage of stealing just a backup tape from a Windows NT server: account information, server contents, and network configuration information are all contained on a single, easily stolen item.

Janitorial Right

It has been surmised that the janitor is the individual with the greatest power over the company's security, as they are normally hired at a low trust level and have physical access to virtually everything. If a person gets hired at a business as a janitor, they can often walk off with unbelievable amounts of stolen information and resources, because they are usually alone on duty and can open virtually every office.

Criminal Sabotage

The other sections were just a warm-up for this section, which relates specifically to the vulnerabilities presented earlier. Without going into great detail, the basic truth of criminal sabotage is that you are trying to make yourself look better by making someone else look worse.

Corporate Sabotage

This is basically a situation where one company sets out to damage another, either for revenge or for profit. Here is an example of how denial-of-service attacks could be used to accomplish this:

An Internet Service Provider (ISP) is having problems gaining customers. In order to gain more, they decide they are going to make themselves look more reliable than their competition. So, using untraceable denial-of-service attacks against the competing ISP, the criminal ISP will appear to be better.

Internal Sabotage

When employees get over-competitive, or people become motivated by hatred or revenge, sabotage may come into play. Here are a few possibilities of what can happen:

1. Documents may be altered to contain erroneous facts, insulting comments, or even grammatical errors.

2. Documents may be lost or destroyed.

3. Computers may be crashed, forcing deadlines to be missed.

4. Computers may be crashed to make the equipment look unreliable.

5. Computers may be crashed to make the administrator or user look unreliable.

Sabotage is used in cases that can only be described as mean-spirited, and chances are law-enforcement authorities may be called in. However, these events remain common and in many cases go unnoticed by everyone except the intended victim.

In an off-computer-related story, a real-life (but very minor) internal sabotage situation happened to me at a drive-in window fast-food restaurant, where the teenage girl at the window asked me if I wanted any sauces. I said "sure", and she continued to collect the pieces of my order. She then told the manager from halfway across the store that someone named "Brenda" was messing up her job again, and that she was giving away too many packages of sauce. When the manager turned away, she shoved about 100 packages into my bag (filled it halfway to the top) and handed it to me.

Like this fast food story, I'm sure that real life sabotage situations follow the same basic theme as to how much damage a person can do to influence someone's life without actually getting law-enforcement involved. Very low damage, very little "Brenda" can do about the problem, and the sneaky fast food attendant will probably drive "Brenda" away.

Extortion

Probably the most deeply criminal form of social engineering, extortion has been used in combination with many computer vulnerabilities to force money from large institutions that cannot afford to have operations disrupted. It has been documented that many banks have been willing to pay hackers up to $100,000 in US currency for the hackers to stay away. No wonder, given the complexity of the task of keeping them from sabotaging operations. Most of these situations are swept under the table, hidden because of the possible panic that could occur if people found out their money wasn't safe in that bank. Of course, it probably isn't safe in ANY bank, but that wouldn't be the public perception.
