Information Security, Privacy and Regulatory Compliance - Social Engineering

Social Engineering - It's not a new attack people

nospam@example.com (Keith Pachulski) — Sun, 08 Aug 2010 17:50:00 -0400

We had talked about this briefly on the podcast the other night, but I wanted to go into it further. it's one of those subjects that sticks with me...read into that how you want.

First off, to those of you who are reading this that don't know what social engineering is, here is the popular and generally accepted definition from wikipedia:

Social engineering is the act of manipulating people into performing actions or divulging confidential information, rather than by breaking in or using technical cracking techniques; essentially a fancier, more technical way of lying.[1] While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victim.

The most basic form of Social Engineering can be viewed as the "breaking the ice" between a man and a woman. Man engages woman and through various discerned observations attempts to discern some information to further the encounter.

Note: If you`re new to the social engineering game, learn to start random conversations with men and women, regardless of how awkward the situation. Once you find you can enter into conversations with ease as well as exit from them with some useful information gleaned, you're on your way. By useful information I do not mean how the current weather is =)

Women are typically better at the social engineering game than men, though some will likely disagree with me on this. That's fine though, disagree and prove me wrong. No guy that I know of can engage an executive in a short skirt, with some stiletto heels and a low cut top at a bar better than a woman. Male social engineers will typically target, if there is a choice, females. Unless the "attacker" is significantly tuned into the social engineering game, males attempting to extract information from other guys is slightly more difficult. Sex sells, so does alcohol...put the two together and it's game over..why do you think strip clubs, pornography and alcohol are still around....

Yea, this should be addressed in training. Though I've found that discussion of sex and alcohol walk a thin line with some entities. Because you know. God forbid the truth be told and we discuss such "taboo" subjects...seriously, get off the damn high horse...

The most common method social engineers will use, is the telephone. This has as of late been coined Vhishing. For the record, I hate the mass media for diluting the common definition and trying to create new coined phrases to address one portion of the social engineering attacks. Doing so only confuses the issue, so to the guy who made the phrase Vhishing..I hope you get a gaping paper cut and someone dumps lemon juice on it. Anyhow, when creating the social engineering defense training program this must be included in it. It must also be included in the organizational operations procedures along with the required methodology for reporting suspicious phone calls. One thing I recommend in my training on social engineering defenses is should any employee on the phone feel a call has become questionable, engage the internal security team. Let them deal with the phone call and have the employee remain on the line in silent mode, acting as on the job training. These types of encounters should also be included in the internal security training.

Training is where it begins, the training has to be realistic though. Chris Nickerson probably gave one of the best realistic training scenario's when he stood on stage and morphed himself though numerous different personalities without any interruption between each transition. Bearing in mind of course that Chris is an exception to the rule and most social engineers are not at that level of manipulation..yet anyhow.

So what is the point of this you're likely asking yourself at this point. We're establishing the framework for the defense. The defense will typically develop itself in some type of training, whether it be formal or informal. In my experience, executives have been the least receptive to this training. Why, because they feel that they are not able to be manipulated due to their intellectual superiority. If you're an executive and you are reading this and you fall into that category; sorry, you are not superior you are just plain stupid. The most receptive to training have been the line level tech support and engineer type personnel. They are also aware they are typically the individuals being targeted.

The telephone was given much press recently with the DEFCON Social Engineering Contest. This was both a success and a failure. The contest itself was a success as it gave further proof that social engineering as an attack vector is still possible, I know..as if this needed proof right..I`m being gentle. The failure however, was not with DEFCON or the contest, but within the Public and Private Sectors in response to this. In speaking with several people about this, there were a flurry of internal communications just before the contest went off. In general, this is what social engineering is, they use a phone..don't release any information. For real...this is not training people. The other failure was there was, at least to my knowledge, no follow-up training. It was more of a yea, it came..it went..status quo..

FAILURE

Email and IM are other popular methods, email taking the most frequent over IM though. Everyone is aware of it, and amazingly many people are still happy to click on that link or open that email attachment. Again, include the attack vector in your training. There is nothing more annoying than that HR executive click on a link to learn to "optimize" his staff, load the java applet which pushes the reverse shell to some system in china. No names here of course...you know who you are...

Face-to-face encounters, in there numerous forms, are by far the most effective next to the phone calls. We are human, we like to interact, we like to be helpful. Hell, I`ll admit it, I got engineering by two guys last week sitting in a room talking techie..of course it wasn't till after we finished the conversation that I said to myself..shit..I got punk'd. Technical security people are few and far between, we love interfacing with others in the field. Don't fall prey, the training should reflect as such. Never release any interesting information, duh..even me. I admit my flaws..can you =) Good social engineers will flourish in the face to face encounters, smooth talking, well versed in various operational functions from accounting executive to janitor..switch your personality on the drop of a dime. In the end, if the identity of the individual cannot be verified, remove them from the facility. You training and procedures should dictate as such. This is also a requirement under several regulations such as PCI^[?].

General conversation is a relatively easy route, especially when targets are more than happy to speak about sensitive information with their colleagues on the phone or on the Metro/Subway. Loose lips sink ships people..seriously close them. Shoulder surfing falls into this as well. If you're reading, writing discussing it in public you're jeopardizing the security of the information. Address it in the training, enforce and reprimand on violations. Social Networking I like to dump in here as well, don't type it if it doesn't belong there. Training to address the insecurities of social networking sites, their lack of security and privacy as well as the vast methods to obtain the information on these sites....train train train..oh, policies covering it and enforcement of those policies.

Piggy-backing is still very popular, even in highly secure locations I've used this very recently. The smoker, the lost-soul, the I lost my card..all must be addressed. The training and policy must reflect the importance. Employee's must learn to confront those who do not appear as an identifiable badged employee, must confront those with no ID, require internal security to be contacted to verify those who fall into the suspicious. Those employee's allowing others to piggy-back must be reprimanded, even terminated. Again, policy is only as good as the enforcement. If your training and policy state one thing, the enforcement must follow or the policy and training are useless.

Dig through the crap, yes I mean that literally. I have on some occasions, prior to giving a training session, went through dumpsters a day or two before the session was to begin and bring with me any interesting information I found. Of course the interesting information ranged from credit card numbers of customers to ACH transaction receipt with the full account numbers tossed right into dumpsters. On other occasions full medical records of patients who have switched doctors. If you were one of those customers by the way..I love you for making my job easy and I hate you for not following your own policies on the proper disposal of information..but I mean that in the most endearing way =) Also, interesting information can include other tidbits like business cards of vendors..

This was not meant to rehash the overabundance of articles detailing common tactics. This is meant as items you need to address, and that I address, in the internal training programs.

Social Engineering Training
-What is Social Engineering
-How does it occur
--Phone
--Email/IM
--Face-to-face
-Internal Security Team Intro and Points of Contact
-Procedure on reporting Social Engineering Incidents to the Internal Security Team

If your internal policies and procedures do not address Social Engineering in its various states, or you do not have internal policies, now would be a good time to start on that project. If you lack the internal policies and are looking for templates, SANS has a template repository online..check it out.

The policies must address what Social Engineering is from a high level as well as the penalties for not complying with the possible. The defined penalties must be both accepted by executive management and enforceable.

The procedures must be explicit in this is what you need to do if you feel you are the target of a social engineering attack. The procedure must of course reference the policy to note the potential repercussions if the employee does not abide as well the potential impact to the organization for non-compliance.

Policies and Procedures are only as good as they can be enforced..and they must be enforced or they are useless. The training must be as realistic as possible and note the importance for compliance with the policies and procedures. Any deviation will result in a failure of a portion or the entirety of the program.

UPDATED - Money Laundering - The Next Generation

nospam@example.com (Keith Pachulski) — Wed, 28 Apr 2010 22:56:46 -0400

Blog Update: I was directly contacted by one of the "security' personnel from constantcontact. They wanted to assure me that the account in question which had sent these emails had been terminated.

It's amusing at best that money laundering was once something that was kept secretive, in the current generation the launders now actively and openly seek out via spam low end money mules.

Full Email Body Content

Dear Keith Pachulski,

We found your resume on {board removed} . For more than 20 years makes its business by working with non-standard banking services around the world. We are expanding our company and provide a list of new services in the United States. Transfer of money for non U.S. citizens with the US check is one of our new services . For this reason our company has some vacancies, of Manager in USA.

Requirements
-US citizenship
-You should be at least 30 years old
-At least 2 hours of free time a day are necessary
-couple of working hours

Your responsibilities are:
-cash this check
-transfer money to the customer the way he/she chooses

To make a special formed reports on the carried out work for every check

Your benefits :
-salary of at least 8000$
-the income of 50 $ - 300 $ per day
We take care of all the taxes on the transactions you carry out.

If you are interested in the vacancy, please provide us with the following information:
-Your age
-State of your residence
-Contact phone number and the tie when we may contact you (provide your mobile phone number).

Full Headers from Email

Return-Path:
Delivered-To: {email address removed}
Received: (qmail 5776 invoked by uid 89); 28 Apr 2010 08:16:02 -0000
Received: (simscan 1.4.1 ppid 5680 pid 5692 t 2.9715s)
(scanners: spam: 3.2.0 clamav: 0.90.2/m:43); 28 Apr 0110 08:15:59 -0000
X-Spam-Checker-Version: SpamAssassin 3.3.1 on {my server removed}
X-Spam-Status: No, score=3.2 required=8.0 tests=BAYES_99=3.5,
FREEMAIL_FROM=0.001,FREEMAIL_REPLYTO_END_DIGIT=1.151,HTML_MESSAGE=0.001,
RCVD_IN_DNSWL_NONE=-0.0001,RCVD_IN_IADB_DK=-0.095,RCVD_IN_IADB_LISTED=-0.001,
RCVD_IN_IADB_OPTIN=-1.47,RCVD_IN_IADB_RDNS=-0.235,
RCVD_IN_IADB_SENDERID=-0.001,RCVD_IN_IADB_SPF=-0.059,T_ADVANCE_FEE_3_NEW=0.01,
T_TO_NO_BRKTS_FREEMAIL=0.01,URIBL_GREY=0.424 autolearn=no version=3.3.1
X-Spam-Level: +++
Received: from ccm39.constantcontact.com (208.75.123.164)
by 0 with SMTP; 28 Apr 2010 08:15:59 -0000
Received-SPF: pass ((null): domain of ESC1103346610741_1103344271711_1500@in.constantcontact.com designates 208.75.123.164 as permitted sender) receiver=(null); client_ip=208.75.123.164; envelope-from=ESC1103346610741_1103344271711_1500@in.constantcontact.com;
Received: from p2-jb501.ad.prodcc.net (unknown [10.252.0.103])
by ccm39.constantcontact.com (Postfix) with ESMTP id CB6B823900A2
for {email address removed}; Wed, 28 Apr 2010 04:15:58 -0400 (EDT)
Message-ID: <1103346610741.1103344271711.1500.1.11041518@scheduler>
Date: Wed, 28 Apr 2010 04:15:58 -0400 (EDT)
From: Samantha globalnewbusiness
Reply-To: globalnewbusiness1@gmx.us
To: {my email address removed}
Subject: job offer
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_Part_3005027_1552086054.1272442558826"
X-Mailer: Roving Constant Contact 2009 (http://www.constantcontact.com)
List-Unsubscribe: http://visitor.constantcontact.com/d.jsp?p=un&v=001vP4uirOIyh35lN44xphGYhnEF2BT-6dfX7coxuBLAjNG50XLJ2ddAg==
X-Return-Path-Hint: ESC1103346610741_1103344271711_1500@in.roving.com
X-Roving-ID: 1103344271711.1500
X-Lumos-SenderID: 1103344271711
X-Roving-CampaignId: 1103346610741
X-Roving-StreamId: 0

Whois Information

OrgName: Constant Contact, Inc
OrgID: CONST-21
Address: 1601 Trapelo Road
Address: Suite 329
City: Waltham
StateProv: MA
PostalCode: 02451
Country: US

NetRange: 208.75.120.0 - 208.75.123.255
CIDR: 208.75.120.0/22
OriginAS: AS40444
NetName: NET-CC1
NetHandle: NET-208-75-120-0-1
Parent: NET-208-0-0-0-0
NetType: Direct Assignment
NameServer: NS1.CONSTANTCONTACT.COM
NameServer: NS2.CONSTANTCONTACT.COM
NameServer: NS3.CONSTANTCONTACT.COM
NameServer: NS4.CONSTANTCONTACT.COM
Comment:
RegDate: 2007-02-22
Updated: 2009-12-17

RAbuseHandle: ABUSE1897-ARIN
RAbuseName: Constant Contact Abuse
RAbusePhone: +1-781-472-8103
RAbuseEmail: abuse@constantcontact.com

RNOCHandle: CCO156-ARIN
RNOCName: Constant Contact Operations
RNOCPhone: +1-781-472-8103
RNOCEmail: arin@constantcontact.com

RTechHandle: CCO156-ARIN
RTechName: Constant Contact Operations
RTechPhone: +1-781-472-8103
RTechEmail: arin@constantcontact.com

OrgAbuseHandle: ABUSE1897-ARIN
OrgAbuseName: Constant Contact Abuse
OrgAbusePhone: +1-781-472-8103
OrgAbuseEmail: abuse@constantcontact.com

OrgNOCHandle: CCO156-ARIN
OrgNOCName: Constant Contact Operations
OrgNOCPhone: +1-781-472-8103
OrgNOCEmail: arin@constantcontact.com

OrgTechHandle: CCO156-ARIN
OrgTechName: Constant Contact Operations
OrgTechPhone: +1-781-472-8103
OrgTechEmail: arin@constantcontact.com

Evolution of the USB Malware Device

nospam@example.com (Keith Pachulski) — Tue, 30 Mar 2010 21:37:00 -0400

The use of USB devices to introduce malware is by no means a new concept. As technology of course changes, the USB device as a delivery mechanism for malicious content has evolved significantly. The latest release of a USB malware delivery platform is bringing an auto-detecting application that executes the moment the USB drive is mounted by the operating system. The moment the mount is complete, the malware determines the type of operating system and executes it's payload based on the detected operating system whether it be Linux, Solaris, windows, OS X 10 or BSD.

Immediately upon determining the operating system, it executes a memory resident, non-persistant, reverse tcp shell connection or reverse VNC connection from the victim computer to a remote system.

The reverse VNC connection pushes the desktop of the affected user to the attacker allowing him to view or take control of the end users system.

The reverse tcp shell pushes either a Windows command prompt or a Unix shell from the affected system to the attacker. Once the attacker has shell access, the attacker can then depending on the payload use the compromised system as a hinge or swivel to other internal systems (I'll be covering hinge and swivel in another post soon).

During some initial testing of the USB software, the only evidence of malicious activity is apparent on Windows systems where a cmd.exe window will appear very briefly then close. The cmd.exe window is only visible for less than a second, so most end users may not even notice it occur.

What can be done to prevent this type of activity from affecting your business environment or home computers you may be asking?

From the desktop perspective on Windows, enable the Windows Firewall and verify User Account Control (UAC^[?]) is enabled. This will stop the payload from first executing through UAC, as long as the person at the keyboard doesn't just click yes to everything that is. The firewall, if configured correctly, is application based by default so will not allow the payload to connect to the destination system.

On *nix based systems though this is a tad more difficult. If the system is a workstation and has iptables/ipf or some other variant enabled, the default ruleset may allow for all outbound connections. Workstations and servers using iptables/ipf should be reconfigured to only allow needed traffic to exit the system. Unfortunately iptables/ipf is not application based, but protocol based so it will require some technical understanding of firewall rules and IP Protocols. This is beyond the scope of this document...maybe I'll write-up an introductory to iptables at a later date...

Signature based Network Intrusion Detection Systems should able to detect the outbound reverse shell. I know Snort has signatures in the default set to detect some of this activity. Host Based Intrusion Detection Systems, if configured to monitor for new processes or processes in operation that are not linked to a binary, will detect this type of payload as well. OSSEC^[?], by default, has this functionality built into it.

Any questions, feel free to ping me...

Update: Social Mining Tools and Sites

nospam@example.com (Keith Pachulski) — Sat, 13 Mar 2010 12:36:00 -0500

Short list of some interesting sites and tools for performing some simple social mining and information gathering...

Social Engineering Toolkit is a tool based around social engineering that integrates into metasploit. I'll be going into this tool more in later entries.

- SET includes some really useful addons such as generating PDF's with metasploit payloads to "autopwn" your targets..download the most recent via svn and check it out

The following sites are good starting points in developing your target base by searching for the specific person or an organization.

- Addict-o-Matic
- Social Mention
- Entity Cube
- Yasni

Facebook Applications

- Advanced Search 2.0 Beta
- Google Social Search

Using the social networks web of trust to gather information

nospam@example.com (Keith Pachulski) — Wed, 28 Oct 2009 19:22:00 -0400

The experiment was a simple one, gather as much sensitive information from a large group of people by doing nothing other than simply asking for it. Seems outrageous doesn't it?

It started by creating a facebook account, befriending one person then systematically going through their friends list and adding all of them as friends. As they accepted, go through their entire friends list and add them all.

Once a large collection of "friends" had been gathered, a survey was created. But this was no average survey. The questions were very carefully chosen from security questions gathered from such places as facebook, yahoo, myspace, a new banks and blizzard entertainment.

Once the questions were compiled, the top 35 questions which carried across the various sites were selected and turned into a "survey".

The survey was then sent to 47 individuals. Of the 47 people, 18 people responded. Responses included some interesting pieces of information such as:

Their email address
Their mothers maiden name
Their first and last name
The city they were born
Their date of birth

I was half tempted to create a new survey and ask for their social security number. It boggles my mind why people would release this type of information in an open survey.