Showing posts sorted by relevance for query social engineering.

Social Engineering CTF

Social engineering is back! Did it go away? Not really, but it's back in the mainstream news. One of the competitions at DefCon this year has been a 'social engineering contest', where contestants were given a list of information they have to obtain and a target company that they have to obtain it from.
They were given a limited amount of time to get as much of the information as they could. And the result? Not good.
We've touched upon social engineering before, and unless (or even if) you're a super-secret organization with highly trained personnel, it is something that is damn near impossible to stop. I would imagine it is easier to do against larger companies (such as those targeted in the contest; the likes of Apple, Microsoft, Cisco, Ford, Coke and BP), especially those with areas that routinely deal with the public and whose staff are encouraged and trained to be helpful and friendly.

Only 3 out of the 50+ employees contacted by the competitors were skeptical enough to hang up without providing information (and all three were women... so much for the skeptical male stereotype!). Apparently:

"People went as far as opening up their e-mail clients, Adobe Reader, versions of Microsoft Word, and clicking on 'Help/About' and giving the exact version numbers of their software," said Aharoni. "For an attacker, the exact version number would provide a much higher level of success," allowing an attack to be tailored to exploit a vulnerability in that exact program.

The contest was sponsored by social-engineer.org who seek to "Exploit the HumanOS".

While I can see the validity of the contest, I hope the details of those called are not released, to avoid any punishment or ridicule from their employers or fellow workers. The urge to be helpful is part of human nature, and it is a sad fact that there are those who will exploit and manipulate that nature for their own ends.

Time to go and review your Security Awareness training...

Social Engineering in Real-World Computer Attacks

Great little article over at SANS on Social Engineering in Real-World Computer Attacks

3G, Public Transport and Information Security

This is a post I have been meaning to write for a while and it seems a worthy distraction from the Ethics essay I am currently supposed to be writing (read: Richard is procrastinating).

Something which I think is often underestimated is the risk to corporate data when it leaves the building, be it on backup tapes, other removable media or, in a slightly different sense, on the screens of employees who catch up on work during their trip to and from the office. The ease of access to the internet afforded by technologies such as 3G means that people are more and more using their daily commute to carry on business activities. The benefit of dedicated office space, even open plan, is that it affords a level of physical security for an organisation’s information; it is much harder for an outsider to read over someone’s shoulder in the office than on the train. This situation is not limited to public transport; cafes and fast food outlets with wireless access points are subject to this weakness too. It is amazing the information that one can glean sitting next to someone naively tapping away at an email on their laptop. I have seen people reading marketing and sales reports (the most recent example was a survey following a product recall) as well as business email and other documents that their employer would probably regard as sensitive. If you watch carefully you will be able to observe addresses for SSL VPNs, Outlook Web Access and other webmail pages, usernames and internal software in use, even source code for internal applications and web pages, all useful to an attacker in one way or another.

Obtaining information in this way can be of use both to the opportunistic attacker, casually observing that company X is about to launch an advertising campaign to pre-empt some negative publicity or is using an outdated version of a particular piece of software, and to the attacker with a specific target in mind, tasked with obtaining information about a competing company. The approach each takes will be somewhat different, but the end result is the leakage of information from a company’s network that Data Loss Prevention systems are currently unable to protect against and which the target may never be aware of.

This lack of physical security facilitates compromises which require no technical hacking skills (after all, the target is doing the hard work of gaining access to the network for you, though granted, you are limited to what they are accessing at the time), are very difficult to detect and have the potential to be extremely damaging. This type of compromise is in fact a form of social engineering attack, and while a certain amount of subtlety is required, it is surprisingly little in most cases. As with any social engineering, the best form of defence is awareness and education; you are not going to stop people from working on the way home (it’s much more appealing than doing it when you get home), but if they are aware of the possibility perhaps they will think twice before opening that strategy email.

I’m sure that this kind of surveillance is nothing new but it is, perhaps, something which is underestimated when considering the protection of sensitive information.

Facebook Privacy

A lot has been said about Facebook privacy (or lack thereof). A friend passed along this fascinating link that graphically illustrates the evolution of privacy on Facebook (or should that be devolution?)

Social networking contains all kind of dangers, from the typical social engineering and scamming to getting fired for 'chucking a sickie' and things far, far worse.

Of course, Facebook, MySpace or LinkedIn aren't responsible for the crimes that may be committed by users of their service, but sites like Facebook aren't helping matters by proclaiming 'privacy is dead' and purposely making more information public.

It has been said before, but bears repeating: don't put anything on the internet that you wouldn't want everyone to know. While I don't agree with Mark Zuckerberg that 'privacy is dead', I do agree that, for all intents and purposes, 'privacy is dead on the internet'.

And finally, if you are a Facebook user, here are 10 Privacy Settings Every Facebook User Should Know, or if you're tired of the whole social networking thing, how to delete your Facebook profile in 5 minutes (and by the way, apparently you're not alone).

Extreme Pentest

I recently came across this blog entry from the SNOsoft research team (aka NetraGard) describing in some detail a rather extensive penetration test for a 'mid-sized' bank.

The pentest was undertaken not to identify all points of risk, but instead to identify how deeply the pentesters could penetrate. It was the unusual approach and the use of social networking reconnaissance and social engineering that caught my eye:

In addition to FaceBook, we focused on websites like Monster, Dice, Hot Jobs, LinkedIn, etc. We identified a few interesting IT related job openings that disclosed interesting and useful technical information about the bank. That information included but was not limited to what Intrusion Detection technologies had been deployed, what their primary Operating Systems were for Desktops and Servers, and that they were a Cisco shop.

Naturally, we thought that it was also a good idea to apply for the job to see what else we could learn. To do that, we created a fake resume that was designed to be the “perfect fit” for a “Sr. IT Security Position” (one of the opportunities available). Within one day of submission of our fake resume, we had a telephone screening call scheduled.

We started the screening call with the standard meet and greet, and an explanation of why we were interested in the opportunity. Once we felt that the conversation was flowing smoothly, we began to dig in a bit and start asking various technology questions. In doing so, we learned what Anti-Virus technologies were in use and we also learned what the policies were for controlling outbound network traffic.

From there they were able to identify key employees and eventually email a dodgy trojaned PDF that could evade the company's AV and eventually capture the DCs. Game over.

I doubt many companies would have an external party go to this extreme to test their defences, even banks. I wonder how many companies would have sufficient defences to resist this type of assault?

They also have an interesting blog post entitled "FaceBook from the hacker's perspective" that is worth a read.

More Aurora

I was pointed to some more information on Aurora by a Uni classmate. HBGary have a slightly more in-depth threat review of Aurora here [pdf] and are offering an 'Aurora inoculation shot' with details here. The inoculation does not address the social engineering aspect of the attack; it is more of a scanner to tell if you're already infected and help clean the infected machine (which to me seems like more of an after-the-fact action than the name 'inoculation' implies).

One thing in the HBGary report is that the CRC algorithm used is claimed to "indicate the malware package is of Chinese origin". This was originally announced by Joe Stewart and widely reported, but there has since been some dispute as to whether the CRC is a 'smoking gun' indicating China.

We may never know...

On a somewhat related topic (malware in general), I often use VirusTotal to scan 'suspect' files, but a colleague recently pointed me to a couple of other sites that provide a similar service: virusscan.jotti.org and threatexpert.com. All three are worth investigating if you haven't seen them before.

PIN Numbers

Recently I bought a new phone. I stayed on the same carrier, so it was just an upgrade of my call plan and a new piece of hardware. As part of the identity verification process in the phone store, I was asked my name, the phone number and the PIN number I had provided the company with when I first signed up for my previous phone. This PIN number was also used in the past to verify my identity over the phone when I had a mobile phone stolen and needed it call-blocked. It is essentially a shared secret to identify me as me.
It's little different from the password I get asked for at the local video store when I rent a DVD, although they also require that I provide them with my membership card (multifactor authentication!).
Back to the phone: I dutifully provided the PIN number and began the process of filling out forms and signing my life away on a new phone contract. While filling in details I noticed at the top of the form there was a box (filled in by the sales clerk) for my PIN. He had dutifully written my PIN in the box as part of the application.
I asked him if this was the norm, if this 'secret' number was commonly written in large friendly digits on the application forms, and he replied in the affirmative.

I did ask his opinion on writing this 'secret' number on a form that is kept in triplicate (one copy to me, one for the store and one sent off to a central office) but he didn't seem interested in discussing the ins and outs of how they secure their data or prevent impersonation.

I guess in the end I got my phone and have to hope that none of the three copies of the form with my name, address, date of birth and PIN number fall into the wrong hands and someone decides to cancel my account or report my phone as stolen. Although, thinking about it, I imagine with a name, address and date of birth alone you could use some social engineering to effectively DoS someone's phone. Hmmmm. When is Richard's birthday?