A security researcher says there is a 100-percent success rate any time pen-testing uses social engineering to target victims. Here are some of the techniques used.
Many of us in the security industry feel that the last couple of months have been a very busy time, centered primarily around the technological means that the NSA, along with other government agencies, is using to break security, get into our private networks, and read our data. We've also covered how criminals and other bad guys can harness that same technology to accomplish basically the same thing, but with a much more mundane goal: typically to make money on the back of our own users. However, it's important to remember that most break-ins historically, and many still to this day, have nothing to do with technology. In fact, they are carried out by people who rely primarily on the human factor, not devious code or malware creation. This is what the Social Engineer Capture the Flag contest is all about, and the report on the latest edition, held at DEF CON 21, has just been released.
The contest itself is organized by Social-Engineer Inc, a team sponsored by many security groups, which hosts this event at the security conference every year. This year, 198 people and groups of social hackers entered the contest, and the selection team picked 10 men and 10 women to test their skills against real Fortune 500 companies, including popular brands like Apple, Boeing, Exxon, Walt Disney, and more, to see if they could get in by using social engineering. The goal of these events is to raise awareness of the threat of social engineering against our security, a threat that many organizations have a hard time understanding. Providing a budget for a new firewall or IDS is something that can easily be quantified, but putting hard numbers on social threats is much harder.
Social engineering techniques
The goal of the people entering the contest is to gain access to flags, or specific pieces of information, inside of these particular companies. The 20 contestants were randomly assigned companies, with one male and one female social engineer per target. The EFF provided a legal advisory on how far the contest could be pushed. Each contestant had two weeks to gain intelligence on their target company, and could only use Open Source Information (OSI) through popular sources like Google, Facebook, Twitter, LinkedIn, etc. During DEF CON 21 in Las Vegas, the contestants then had a short period to make live calls to the target company.
Various techniques could be used, including Caller ID spoofing, and a panel of judges decided the scoring. Points were given to contestants who could gain a variety of information, such as whether IT is sourced in-house or elsewhere, whether the company uses wireless networks, what browser and other software programs are in use, or getting one of the company's employees to visit a target URL, and so on. Some of the results were expected, and others gave insight into what social engineers would use to gain what they are after. Here is a table of sites used by the contestants during the information gathering phase according to the report:
Pretexting is another common tactic that was heavily used, where contestants would impersonate a corporate employee to gain additional information. In 65% of cases, the pretext employed was an employee, in 10% of cases a student, 10% a survey, 10% a vendor, and 5% a job seeker. While male and female contestants scored fairly closely during the information gathering phase, the report shows that women had a much easier time gaining the advantage during live calls.
Operation "Facebook hottie"
To further illustrate the validity of these findings, a research team at RSA Europe just presented their own doozy of a penetration-testing experiment that successfully socially engineered an unnamed US government agency into handing over the "crown jewels" of its network. ZDNet's Violet Blue describes the path the researchers took: by using fake social media accounts and emails from an attractive young woman posing as a new employee, members of the agency were fooled into all sorts of lapses, including:
- Opening a malicious holiday card link that helped the pen-testers to "gain administrative rights, obtain passwords, install applications and [steal] documents with sensitive information - some of which, according to the hackers, included information about state-sponsored attacks and country leaders"
- Bypassing the usual controls for issuing a company laptop and access to the network
Researcher Aamir Lakhani had the chilling quote to sum it all up: "Every time we include social engineering in our penetration tests we have a hundred percent success rate."
The weakest link
In the end, what these experiments demonstrate is that social engineering is still a major threat today. Even in the controlled environment of pen-testing agreements, the DEF CON contestants and RSA research team members managed to gain access to most of the information that they needed. This includes the huge amount of private information that can be gathered from simple web queries. The winner of the DEF CON contest was not even a professional social engineer and scored most of her points through extensive information gathering.
The report goes on to talk about some of the steps organizations can take to mitigate this problem. First, information handling is critical. Too often, private information ends up on publicly available servers, even social networks. Consistent, real-world education is an important mitigation factor, and so is regular penetration testing.
Would your users and employees be duped by these exploits? Is there a balance to be found between instilling the right amount of paranoia in users and not having daily routines grind to a halt?