Our professional penetration-testing team has been conducting security reviews for the best part of 20 years, from both inside and outside organisations. Throughout our ethical hacking experiences, several issues have cropped up which, whilst apparently unrelated, contribute to the failure of most organisations to protect their information assets from opportunistic attack. In this series of network hacking articles, let's look at some of the likely routes that an attacker can take to compromise enterprise network security.
It's important to note that not everything in these articles is about technical hacks or technical mitigation strategies. Most business people go about their day without a security-related thought in their heads, blissfully ignorant of how easy it is to steal information merely by tricking people. As ethical hackers, we're often given the task of finding creative ways to target a particular organization, and it's typically the unwary employee who is the way in. Here's an example from our real-world experience.
Consider a "pay as you go" mobile phone, which guarantees anonymity and ensures a realistic test of a potential attacker's ability to gain information over the phone since the client, or target, organisation wont have prior knowledge of the phone's number. After purchasing the phone, it is possible to call the freely available switchboard number of the target company and ask for the names and email addresses of the IT project leaders of interest -- perhaps those in charge of payroll and payment systems. In our experience, apart from asking whether we are a recruitment company (not the most successful vetting process!), there are no checks; the receptionist is happy to give us this information over the phone.
Next, after careful study of the firm's website, a spoof webpage can be created in the same style as the corporate site, even using the same images and logos by embedding the real image paths in the code. This spoof page may ostensibly be a questionnaire on staff awareness of the firm's information security policy, with a few simple questions on how passwords are chosen, whether or not they were written down, and so on.
Then, using the source email address of the firm's information security manager, the targeted project managers are emailed. The phony message requests the recipients complete a short questionnaire using the Web link to the spoofed page. Many people would be suspicious about these fairly obvious questions, except for the fact that they see a legitimate-looking webpage, and the request appears to come from their own information security manager.
Even better, when they click on the link, the first thing they are asked to do is identify themselves with their username and password. This, of course, is the scam, since the rest of the questionnaire is irrelevant to the attacker (although perhaps interesting) since all that is wanted is their network credentials.
Using this method, it's possible to rapidly harvest some valuable network credentials with no risk whatsoever to us (the simulated criminals) and without ever going anywhere near the target organisation. When the scam is subsequently exposed by a more alert individual, and all the passwords have been changed, it's too late, since the credentials have already been used to log in remotely to their extranet, steal valuable information and even set up another "back door" account.
It's also possible, using a similar technique, to ask for the names, job titles and direct dial numbers of the senior IT staff. After compiling the list, each staff member's number can be called until an "out of office" message is received. This will be the stooge: the person whose identity can be temporarily assumed.
So returning to the phone once more, after being kindly put through by the switchboard operator, of course, our social engineer can then simply explain that he (or she) is working at home, but screwed up his remote login and forgotten the password to his corporate laptop. After, he can make up an excuse, perhaps telling the help desk operator that he has to go out to collect his son from the nursery, and ask the help desk to please reset his account and text him the new password. Of course, the number given is the new, untraceable mobile phone. Within 15 minutes, they text not only the password, but also the account name for good measure. It's a good thing we're ethical and employed to do this as a test!
If switchboard staff were forbidden to give out information about members of staff and help desk personnel were given clear guidelines about how to validate requests for password resets, perhaps by using PIN codes or cherished information, then this type of telephone social engineering would fail most of the time.
Preventing these and most other varieties of social engineering attacks depends on staff awareness and training. Passwords and credentials should never be given out. It is all too easy to impersonate a senior IT staff member, not only via the telephone, but also going so far as to use fake business cards and uniforms to gain physical access to a targeted building, and once inside, install keyloggers that steal more credentials. Proper physical security checks on visitors are also important to prevent this kind of deceptive cybercrime. An alert staff should be able to report a person or group of people wandering around an office without badges or supervision. Tests of this type almost always reveal an absence of controls and policies, resulting in an horrific potential security breach.
About the author:
Peter Wood is Chief of Operations at First Base Technologies, an ethical hacking firm based in the UK. He is a world-renowned security evangelist, speaking at conferences and seminars on ethical hacking techniques and social engineering. He has appeared in documentaries for BBC television, provided commentary on security issues for TV and radio and written many articles on a variety of security topics. He has also been rated the British Computer Society's number one speaker.