Network Nightmare #1 - Telephone Social Engineering

Over the past ten years, I have taken part in a large number of penetration tests, from both inside and outside organisations. Over this period several important themes have emerged, which, whilst apparently unrelated, contribute to the failure of organisations to adequately protect their information assets. My ‘top five network nightmares’ are a distillation of these ethical hacking experiences of the past ten years and represent my view of the most likely route an attacker would take to compromise your network security.

As you might expect, not all issues in these articles are about technical controls. This is a broad picture of network security, grounded in the real world and informed by hundreds of tests over many years. Surprisingly, not much has changed in the vulnerability landscape over this ten-year period – the same mistakes are made and similar problems are exposed time after time. Take a look at the issues I raise in this series of articles and check for yourself whether your organisation is unwittingly participating in my top five network nightmares.

Network Nightmare #1

Social engineering used to be virtually unknown in the IT community – except, that is, amongst its practitioners. The recent wave of phishing scams (spoofed e-mails designed to harvest your credit card details) has raised awareness, as has the publication of books such as Kevin Mitnick’s The Art of Deception. However, most people go about their daily business without a paranoid thought in their heads, blissfully ignorant of how easy it is to steal information just by fooling people.

Technique #1

Here’s a typical example from our real-world experiences as ethical hackers. Firstly we buy a ‘pay as you go’ mobile phone in our local high street. Then we call the switchboard number of our target organisation, which is freely available on the web of course. We ask for the names and e-mail addresses of the IT project leaders for the areas we are interested in – mostly to do with payroll and payment systems. Apart from asking whether we are a recruitment company, there are no checks and the receptionist is happy to give us this information over the phone.
Next we study the firm’s website and create a spoof web page in the same style as the corporate site, even using the same images and logos by embedding the real image paths in our code. This spoof page is ostensibly a questionnaire on information security policy, based around BS 7799 (now ISO 27001 – the standard for information security management), with a few simple questions on how you choose your password, whether or not you would write it down, and so on.

Then we individually e-mail each of our target project managers, using a spoof source e-mail address, and claiming to be the firm’s information security manager, requesting them to complete a short questionnaire and giving them the web link. Most people would be suspicious about these fairly obvious questions, except for the fact that they see a legitimate-looking web page and the request appears to come from their own information security manager.

Even better, when they click on the link the first thing they are asked to do is identify themselves with their username and password. This, of course, is the scam: the rest of the questionnaire is irrelevant to us (although perhaps interesting), since all we want are their network credentials.
Using this method we rapidly harvest some valuable network credentials with no risk to us whatsoever and without ever going anywhere near the target organisation. When the scam is subsequently exposed by a more alert individual and all the passwords have been changed, it’s too late since we have already used the credentials to log in remotely to their extranet and set up our own ‘back door’ account.
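One defensive check that follows from the hotlinked images described above, as an added example that is not from the original article or from First Base Technologies: scan the corporate web server's access log for static assets (logos, banners, stylesheets) requested with a Referer on a domain the organisation does not own, which is exactly what a spoof page embedding the real image paths produces. The log lines and the domain example-corp.test are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed Apache "combined" log lines for a hypothetical site, example-corp.test.
# The two 198.51.100.9 requests show the real logo and banner being pulled into a
# page hosted on an unrelated domain, as a spoofed questionnaire page would do.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:09:01:02 +0000] "GET /images/logo.png HTTP/1.1" 200 4321 "https://www.example-corp.test/about" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:09:01:03 +0000] "GET /css/site.css HTTP/1.1" 200 1234 "https://www.example-corp.test/" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:09:05:44 +0000] "GET /images/logo.png HTTP/1.1" 200 4321 "http://example-corp-survey.test/questionnaire.html" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:09:05:45 +0000] "GET /images/banner.jpg HTTP/1.1" 200 9876 "http://example-corp-survey.test/questionnaire.html" "Mozilla/5.0"
192.0.2.77 - - [10/Mar/2024:09:07:10 +0000] "GET /images/logo.png HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)
ASSET_EXT = (".png", ".jpg", ".jpeg", ".gif", ".svg", ".css")

def is_own_host(host, own_domains):
    """True if host is one of our domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in own_domains)

def off_site_asset_loads(log_text, own_domains):
    """Return (ip, path, referer_host) for static assets requested from a page on a
    domain we do not own. Requests with no Referer are not flagged: they cannot be
    attributed to any page, so this is a tripwire rather than a complete control."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m["path"].lower().endswith(ASSET_EXT):
            continue
        host = (urlparse(m["referer"]).hostname or "").lower() if m["referer"] != "-" else ""
        if host and not is_own_host(host, own_domains):
            hits.append((m["ip"], m["path"], host))
    return hits

def hotlinking_hosts(log_text, own_domains):
    """Count flagged requests per foreign referer host: the candidate spoof sites."""
    return Counter(host for _, _, host in off_site_asset_loads(log_text, own_domains))

if __name__ == "__main__":
    for host, n in hotlinking_hosts(SAMPLE_LOG, {"example-corp.test"}).most_common():
        print(f"{n} asset request(s) referred from {host}")
```

A foreign host that appears here shortly before staff receive a "security questionnaire" e-mail is worth investigating immediately; the check misses pages that copy the images rather than linking to them, so it complements, not replaces, the staff procedures discussed below.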

Technique #2

Another technique which involves little or no risk of exposure, and gives almost instant access to the network, goes like this. The first stage is very similar to the previous scam. Again we use our ‘pay as you go’ mobile phone and call the switchboard number of our target organisation. This time we ask for the names, job titles and direct dial numbers of the senior IT staff. Having compiled our list, one of my colleagues calls the firm’s help desk claiming to be one of the senior people.

He explains that he is working at home, using his corporate laptop but has screwed up his remote login and forgotten his password. He tells the help desk operator that he has to go out to collect his son from the nursery, so could they please reset his account and text him the new password. Of course, he gives them the number of his new, untraceable mobile phone. Within 15 minutes they text him not only the password but also the account name for good measure. It’s a very fast ‘game over’ indeed as we log in remotely, using this senior person’s privileged account and grab all the information we want.

The Solutions

If reception staff were forbidden to give out information about members of staff and helpdesk personnel were given clear guidelines about how to validate requests for password resets, then the type of telephone social engineering I describe would fail immediately.

The Author

Peter Wood is Chief of Operations at First Base Technologies, an ethical hacking firm based in the UK. His contact details are:
Tel: +44 (0)1273 454525
E-mail: peterw@firstbase.co.uk
