Social Engineering


Post by libernull on Sat Jun 29, 2013 10:00 am

With computer security, the question arises as to how one defends against social engineering attacks.

If one cannot crack a computerised network system by technical means, is there a way to gain access simply by going up to someone and asking them nicely if they wouldn't mind awfully if we could have full and unlimited access to their systems? Something of a simplification perhaps, but it does show that the human element of computer security can prove to be the weakest link. And if used in conjunction with other techniques, I'm sure, it would prove to be very effective.

So how would you as a master of security defend against a social engineering attack? How would you go about running a social engineering penetration test?

What kind of training could you employ as an organisation to defend against social engineering attacks?

In my research into social engineering, the only material available seems to be anecdotal. So yes, I have already read Kevin Mitnick. Does anyone know where I can find more material on this subject?
Attitude is no substitute for competence.


Re: Social Engineering

Post by caracarn001 on Sat Jun 29, 2013 12:28 pm

I don't know about reading material, but it looks to me that most, if not all, social engineering attacks can be prohibited with just a few "simple" steps:

  • user training: A user should know how to recognise a social engineering attack. (Don't give away your password, especially not to strangers.)
  • protocols: e.g. when a guest arrives on grounds, he has to identify himself and say who he's visiting. The visitor waits at reception until he is picked up by the one he's supposed to visit. Under no circumstances let a stranger roam the buildings unattended.
  • need to know: keep classified information classified. A user who doesn't know classified information can't give it away.

I'm sure this doesn't nearly cover everything, but just make sure employees use their heads.


Re: Social Engineering

Post by brutal_hacker on Sat Jun 29, 2013 5:59 pm

Social engineering is not taught from a book or online material; it is more of a gift, though of course you can learn the fundamentals behind it. I have personally questioned staff at my own business over the phone because they came across as false or worried. It's all about how you portray yourself, and you really need to come across like a real member of staff from that company or, in some cases, a customer who's having trouble.

At the end of the day you can never fully protect your company from these kinds of attacks, as they can be completely random. Let's take O2 or any other mobile network. I could phone up the help desk wanting to get some information. Now, I know the telephone number, address and name of the customer; I have misplaced my letter with my account number. Now I want the account number or to change my address, but I do not have the security question's answer. Oh noes, what to do? Sure, I could guess it, but why bother? They would probably block me after 3 tries on different phones (you would think so). Just call the company and keep trying till someone new, someone who cannot be bothered or feels sympathetic, gives you access so you can change your address or w/e.

I did this with an old account and I didn't have the security answer or account number, but the helpful lady gave me all my information. What can I say, I've been told I have a good phone voice... and plus it pays to chat to the member of staff.

As the saying goes, you're only as weak as your weakest link, and normally that is your help desk. The only way to fight against this is to do random checks on your staff, to really test them and to make them aware of the threats of social engineering.

If it was me, to protect against these kinds of attacks I would incorporate a PIN system that is randomized by the desktop support. Once this PIN is activated by the help desk they can see account information. This activation of the PIN would then be sent to an incident report section where, depending on how many times this account has had activation, certain actions would take place.

1 - Email / text / letter to the customer - Should get their attention about the unauthorized access of the account (damage may be done, but they may have enough time to act on it.)
2 - Repeat email / letter - phone call - The phone call is normally a good way to get attention from your customers
3 - Temporary suspension of account, user confirmation to unlock - Locks any further damage

Something along those lines, perhaps? And maybe investigate the customer service staff that unlock these accounts as to why they are not getting the correct information before unlocking. But this is just for accounts.

Also tell your staff to know the IT support's names and have a passkey before accepting requests off of them. It's far too easy to pretend to be admin saying "this is so embarrassing, but we have accidentally deleted you off the payroll; we just need confirmation of your user name and password so we can add you back to the payroll so you get paid on time and in full" - We all know you could gain the username/real name and contact number of a member of staff easily. Shot in the dark, but something along these lines can gain access.

Won't be long before they're adding voice confirmation or voice phrases to unlock accounts to try and combat the problem.
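A defender-side sketch of the escalation tiers brutal_hacker describes above, as an added example that is not part of the original post: it counts help-desk PIN activations per account within a look-back window, maps the count to the three tiers, and tallies which agents grant overrides for the review the post suggests. The event records, account and agent identifiers, window length and action names are constructed assumptions.

```python
"""Escalating response to help-desk verification overrides, keyed on how often
an account has been unlocked by staff. All events below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# One record per time a help-desk agent activated the one-time PIN that exposes
# account details after the caller failed normal verification (assumed schema).
SAMPLE_EVENTS = [
    ("acct-1001", "agent-07", datetime(2013, 7, 1, 9, 5)),
    ("acct-2002", "agent-07", datetime(2013, 7, 1, 9, 40)),
    ("acct-1001", "agent-12", datetime(2013, 7, 1, 14, 20)),
    ("acct-1001", "agent-07", datetime(2013, 7, 2, 10, 0)),
    ("acct-3003", "agent-03", datetime(2013, 6, 1, 8, 0)),  # outside window
]
SAMPLE_NOW = datetime(2013, 7, 2, 12, 0)
WINDOW = timedelta(days=30)  # assumed look-back period

# The three tiers from the post: notify; re-notify plus phone call; suspend
# until the customer confirms. Counts above 3 stay at the top tier.
ACTIONS = {
    0: [],
    1: ["notify_customer:email_text_letter"],
    2: ["notify_customer:repeat", "notify_customer:phone_call"],
    3: ["suspend_account:await_customer_confirmation"],
}

def activations_in_window(events, account, now, window=WINDOW):
    """Override events for one account that fall inside the look-back window."""
    return [e for e in events if e[0] == account and now - window <= e[2] <= now]

def escalation(events, account, now, window=WINDOW):
    """Return (activation count, actions to take) for this account."""
    count = len(activations_in_window(events, account, now, window))
    return count, ACTIONS[min(count, 3)]

def overrides_per_agent(events, now, window=WINDOW):
    """Which agents granted overrides in the window, for the staff review."""
    counts = defaultdict(int)
    for _account, agent, when in events:
        if now - window <= when <= now:
            counts[agent] += 1
    return dict(counts)

if __name__ == "__main__":
    for acct in ("acct-1001", "acct-2002", "acct-3003"):
        print(acct, escalation(SAMPLE_EVENTS, acct, SAMPLE_NOW))
    print(overrides_per_agent(SAMPLE_EVENTS, SAMPLE_NOW))
```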


Re: Social Engineering

Post by anarchy420x on Sun Jun 30, 2013 1:48 am

Brilliant posts!

Like said before, avoiding social engineering attacks is about staying vigilant, not assuming you are safe. If you acquire a bill from Comcast, you have all the information you need to make changes to their account on that bill. You just have to use confidence, and be direct. Great sales people are masters at social manipulation, which is the cousin to social engineering, the major difference being the application.
A broken clock is right twice a day, however, I am neither up that early nor up that late...


Re: Social Engineering

Post by libernull on Sun Jun 30, 2013 7:20 am

OK, so let's explore this further:

Let's assume you were doing a live action penetration test, let's say this company: http://www.maersk.com/pages/default.aspx
(that's not an invitation by the way, I take no responsibility if you go in there and get caught)
Let's say you have been tasked with accessing their bank account.

How would a social engineer best be employed as part of a team, what could the social engineer do that others cannot, and what would be his/her limitations? This is in the context of getting access to Maersk's bank account. What other team members would you want for a pen test like this?

I just want to reiterate that this is a hypothetical question.
Attitude is no substitute for competence.


Re: Social Engineering

Post by brutal_hacker on Mon Jul 01, 2013 5:15 pm

Now there is the million dollar question. Sadly, I do not tell people how to gain bank account information. Their bank account will not be on the same level as their in-house team unless they're retarded.


Re: Social Engineering

Post by anarchy420x on Tue Jul 02, 2013 1:55 am

Even for a hypothetical question, that would be treading some boundaries. Why don't you give an idea of what you would do, then we'll formulate opinions based on that.
A broken clock is right twice a day, however, I am neither up that early nor up that late...


Re: Social Engineering

Post by libernull on Tue Jul 02, 2013 9:09 am

The target is the accounting department computers. The plan is to get direct physical access and plant a USB drive, programmed to allow remote access, and with various keylogger programs.

Information gathering:
Go to the building itself between 8-10am and 4-6pm to see how tight security remains while there are numerous employees entering the building. If they have a gated entry system, is it possible to shoulder-surf entry?

If entry is possible, find the accounting department and inspect it. Having previously searched for a contact at Maersk within accounting on LinkedIn, contact the switchboard and ask for the direct number for this contact. Then phone them and explain that you are calling from tech support and need to come and look at his computer. If an opportunity arises to gain access then take it; if not, find more information about how to gain access.

If entry is not possible, look at cleaning staff uniforms, get a replica, give some sort of excuse to security (if necessary), and then get inside and grab it.

And if access is still not possible, approach one of the cleaning staff and offer 100 euros for putting the USB stick in the accounting department.

I'm trying to look at security from the human point of view and find and exploit vulnerabilities. Then how to demonstrate these vulnerabilities to security officers, and how to compile a security review that is relevant and meaningful.

Thanks for the replies, they are giving me food for thought.
Attitude is no substitute for competence.


Re: Social Engineering

Post by brutal_hacker on Tue Jul 02, 2013 4:35 pm

You're reading too much into this; your method is something you would do as a 2nd resort. Think simple: think email address, think tables. Think testing user response to emails; gain access, read emails, you might get lucky. Or fool the employee into accepting a corrupt file / link.

If that draws up a brick wall then you can try to take over the server and hope that passwords work, or you gain access to a program or bit of information relating to the bank account information. But even then, once you're on the LAN you can plant whatever you want.

But your version is a way more fun way of doing things, but that's more about social deception than the social engineering we do over phones/online.

But remember this is against the law, mate, and if you're planning on doing anything like this without permission you will do time for it. Especially deception of this level. I'm all up for testing companies with permission; it's a great way to get staff on their toes.


