bill's blog

Just another WordPress weblog

Browsing Posts tagged Social engineering

So what kind of attack are there?

Straight-out dictionary attacks – guess the words people may use for a password.

Hybridization – Which is similar to the above but includes the substituting of letter for symbols or adding numbers to a common word.

Brute Force attacks – This uses all possible combinations of letters numbers and symbols.

Shoulder Surfing – Looking over a persons shoulder while they type a password.

Keyloggers – Hardware or software that captures key strokes as they are toyed on a keyboard.

Social Engineering- actually asking the end-user for their password.

Sniffing- Watch the TCP traffic on the wire looking for unencrypted passwords (pop,telnet,ftp,etc) Grabbing the password file

Social Engineering… the term always brings up my reading of Ken Metnick’s books. They are a true study of the art form. We as human want to be seen as helpful and trusting. However the reality is the world back be a not so nice place. People can and will take advantage of us. Really… social engineering is about convincing people to willingly hand over information. Often times the social engineer will use… impersonation, bribery, deception, conformity and reverse social engineering. to get what they are looking for. They will use small pieces of information to get more valuable information. Very often the victim does not know that they are helping a “bad” guy.

Sales people use social engineering all the time. I get hundreds of cold calls a week. Often I tell the sales person they have reached the wrong place. That same sales person will call one of my colleagues and say they spoke with Bill in the XYZ department. This gives the illusion that the sales person actually knows me. My colleague may be tempted to give out more information based of the fact that the sales person know me. Unbeknownst to the sales person when when say “Yeah I spoke to Bill in XYZ department” It’s a signal to my colleague that I actually do not know this person.

Lying… trickery… duping… all words for the same thing. Words that have taken on a new meaning in the world of the on-line… connected… human! Words that have evolved into high stakes games on misinformation, fraud and identity theft. Words that have taken on the new moniker of social engineering!

Social engineering is the act of manipulating people into performing actions or divulging confidential information, rather than by breaking in or using technical cracking techniques; essentially a fancier, more technical way of lying (wikipedia.org, 2010). So what does this all mean? Well how many times have you answered the phone and the person on the other end of the line starts asking you questions about your mortgage? Wanting to help you reduce your rates! They start by asking benign questions and then move onto more personal information… such as your date of birth or heaven forbid your social security number. You’re happy to give away that information in exchange for $200 dollars off your monthly expenditures!

Or how about that cold call asking if you’re in charge of the network infrastructure at your place of employment? Or perhaps they want to know about what routers you use or the brand of toner purchase. Sure they may be mere cold calls… BUT they could be so much more. Social engineering in not about knocking at one door to see who answers but rather it’s about gathering as much information and using the information gathered in previous calls to further the manipulators efforts to make inroads into an organization.

In his book the Art of Deception, Kevin Metnick goes to great lengths to illustrate the ways in which we can be tricked into revealing information that may be common place within an organization but to an outsider can be very damaging if used inappropriately. In an interview in 2006 with Tom Espiner, Kevin Metnick shared his thoughts on what signs to looks for in a possible social-engineering attack.

Mostly, it’s gut instinct–if something doesn’t look or feel right. If someone is calling on the telephone, but they refuse to give any contact information, that’s a red flag. If they make a request that’s out of the ordinary, that’s a red flag. If they make a request for something sensitive, that’s when verification is necessary, depending on company policy (Espiner, 2006).

Honestly, the Art of Deception should be required reading for anyone responsible for security in any kind of organization… especially IT and HR departments! Social engineering needs to be addressed. Still and all, no matter what technical measures you introduce, people will do and say careless things under insecure conditions (Coffee, 2006). Employees need to be educated to the various forms phishing another social engineering practices both when using the Internet as well as answering the phones (Heese, 2007).

At the end of the day, humans have a need to help others. It ingrained within each of us. We have to get in touch with our inner selves… That part of us the screams out that something is wrong. We need to listen to that voice and heed its warning.

Resources:

Coffee, Peter (2006, August 14). Security Success Depends on Good Management, Retrieved on July, 6th, 2010, http://www.eweek.com/article2/0,1895,2001478,00.asp

Espiner, T., (2006, June 14th), Kevin Mitnick, the great pretender, Retrieved on July, 6th, 2010 from http://news.cnet.com/Kevin-Mitnick,-the-great-pretender/2008-1029_3-6083668.html

Heese, W., (2007, February 21), Computer system security policies – key trends, Retrieved on July 6th, 2010 from http://weblog.randomdog.net/?p=942

Various, (2010, July 4th), Social Engineering (security), Retrieved on July6th, 2010 from http://en.wikipedia.org/wiki/Social_engineering_(security)

Another wonderful malware day… Well not exactly, but a beautifully executed social engineering attack! Today a lot of my users called to say that they were getting emails from friends asking them to join tagged. A classic phishing attack and I can’t tell you how many people fell for it! In this case it wasn’t as bad as some of the ones asking for bank PINS & passwords but it’s another example of people not using common sense! Now I can’t say for certain what information they asked for but one should never give any person information.

tagged_1

The information age has made the exchange of data common place. Many of the things like our social security number and mother’s maiden name are so freely available that credit card companies already know the answers before you ever speak with them.

http://www.consumerfraudreporting.org/phishing_Tagged_dot_com.php

It seems that this particular scam has been circulating since 2007. SO my big question is why did it get past DefenderSoft? So for all you network admins out there the lesson learned is there is a big difference between companies that offer SPAM protection.

Password enumeration while not related to phishing should be mentioned.

A couple of things to keep in mind is never just click and email link and expect that is brings you to the site that is advertised in the email. When signing up at legitimate social networking sites be careful of allowing them access to your address book.

Luckily for me… a lot of the emails came from other employees so they were able to verify that the email was a scam.

The date April 8, 2009 is one that should have never come. It has been reported that ‘cyberspies’ have gained access to the US power grid and could take control at anytime. Seems to me that this could have been avoided. Why? Because the United States has known this could happen as early as June 1997! During that second week of June, The NSA (or National Security Agency) sponsored cyber-warfare exercise called Operation: Eligible Receiver. The Objective of the exercise was for the NSA “RED Team” to take control of the computer systems of the US Pacific Command. The NSA was successful at compromising their ‘primary’ objective and additionally was able to compromise various systems controlling the US power grid. Lastly, they were able to compromise the systems controlling the 911 emergency call network. The scary thing about Operation: Eligible Receiver was the vectors of attack were not overly complicated. The attackers were able to use the following:

• DOS (Denial of Services) attacks
• Email spoofing
• Brute-force/dictionary password cracks
• Brute-force/dictionary password cracks
• Mis-configured services
• Social engineering attacks

The lessons learned from the exercise showed serious problems with defending critical information systems and infrastructures, on which the DoD (and the nation) depend (Janczewski, et. al., 2008). If that were not enough to draw some attention to the serious nature of the problem, in February of 1998, computers within the Navy, Marine Corps, and Air Force came under real attack. Solar Sunrise (as the attack came to be known as) exploited a well-known vulnerability in the Solaris operating system and was believed to have originated from, the Middle East.

As part of the Wall Street Journal’s online presence, polls are taken of readers for reader reactions to major articles. The poll for April 8th was, “How worried are you that a cyber attack could damage U.S. infrastructure?”

wsj_poll
Source: Wall Street Journal Online.

Incredibly, 940 votes were cast indicating that they were not very worried about an attack against our electric infrastructure here in the US. How can you not be! The sad thing is that the companies that maintain these systems were not the ones that discovered the compromise! The discovery was made by U.S. intelligence agencies. NERC (or the North American Electric Reliability Corporation) is an international, independent, self-regulatory, not-for-profit organization, whose mission is to ensure the reliability of the bulk power system in North America (nerc.com, 2009). As part of the organization’s role in fulfilling its mission is the publication of compliance standards to help minimize the risk of cyber-attacks. NERC Standard CIP–002–1 deals with the identification of critical assets within the bulk Electrical Delivery Systems. Just yesterday, Michael Assante, Vice President and Chief Security Officer for NERC released a memo urging members to take a “fresh comprehensive look” at the evaluation of their Critical Assets. The memo was prompted in part because of the results of a recent survey that suggests that certain qualifying assets may not have been identified as “Critical” (Assante, 2009). It seems as though many suppliers are not identifying critical components in the delivery system leaving them exposed to these types of cyber-attacks.

SO why are we dealing with this today? …Because these systems are not government resources. These systems are private networks. Congress approved $17 billion in funding to protect government networks. The bill did not disclose which systems/networks would benefit from the funding however a senior Pentagon official said Tuesday the Pentagon has spent $100 million in the past six months repairing cyber damage (Gorman, 2009).

Now some may say this is the stuff of science fiction but let’s take a look:

Worchester Airport, Massachusetts, 1997 – A hacker was able to gain access to the communication system there disabling the radio transmitter that activated the approaching runway lights.

Arizona, 1998 – A 12 year-old gains access to the SCADA systems controlling Roosevelt Dam (though this has been disputed).

Queensland Australia, 2000 – Vitek Boden hacks into the Maroochy Shire Wastewater System and releases raw sewage into the parks, rivers and grounds surrounding the Hyatt Regency hotel.

Titan Rain, Nov. 14, 2004 – Chinese hackers compromised computers at U.S. Army Information Systems Engineering Command in Fort Huachuca, Ariz., the Defense Information Systems Agency in Arlington, Va. and the U.S. Army Space and Strategic Defense installation in Huntsville, Ala (zdnet.com, 2005).

Estonia, 2007 – A distributed denial of service attack was launched against the websites of the Estonian parliament and the national bank.

San Francisco, California, 2008 – Terry Childs is accused of tampering the city’s email system and locking out network administrator from the city’s FiberWAN network. Child’s gained access to the root password on the city’s routers and could effectively turn-off the city’s network.

This is not the first time a power grid has been the object of a hacker’s attack. CIA analyst Tom Donahue told utility engineers at a conference last year that in other countries, hackers had broken into electric utilities and demanded payments before disrupting power – in one case turning off the lights in multiple cities (ap.org, 2009). In the case of the recent discovery the SCADA (Supervisory Control And Data Acquisition) systems were said to be compromised. SCAA is a standardized and open solution that is used in the operations of many industrial control systems. Systems that use SCADA processes include:

• Electrical distribution facilities
• Drinking water distribution centers
• Sewer treatment plants
• Oil and gas pipelines systems
• Nuclear power plants
• Airports

Protecting the electrical grid and other infrastructure is a key part of the Obama administration’s cyber-security review, which is to be completed next week. The Obama administration is weighing whether to expand the program to address vulnerabilities in private computer networks, which would cost billions of dollars more (Gorman, 2009).

OK we’ve lived through blackouts before… the government will fix this BUT… The point is the government has known about this for years and yet it happened. The Cybersecurity Act of 2009, gives the President of the United States the authority to declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised Federal government or United States critical infrastructure information system or network (section 18, paragragh 2). Now, the United States Government control vast amounts of the Internet… definitely critical infrastructure! BUT… where does that end? For certain any of the above mention SCADA systems but how about systems in hospitals? Or how about financial systems? A little over-reaching? Perhaps! BUT maybe we should look at fixing the systems not pulling the plug!

BTW, The systems that were comprised are said to have been ‘purged’ of all installed malware.

Resources:

Assante, M., (2009, April7), Critical Cyber Asset Identification, Retrieved on April 8th, 2009 from http://www.nerc.com/fileUploads/File/News/CIP-002-Identification-Letter-040709.pdf

Espiner, T., (Nov 23, 2005), Security experts lift lid on Chinese hack attacks, Retrieved on April 8th, 2009 from http://news.zdnet.com/2100-1009_22-145763.html

Gorman, S., (2009, April 8 ) Electricity Grid in U.S. Penetrated By Spies, Retrieved on April 8th, 2009 from http://online.wsj.com/article/SB123914805204099085.html

Janczewski, L., & Colarik, A., (2008), Cyber Warfare and Cyber Terrorism, IGI Global, Hershey PA

Robertson, J., & Sullivan, E., (2009, April 8 ), Spies compromised US electric grid, Retrieved on April 8th, 2009 from http://hosted.ap.org/dynamic/stories/T/TEC_ELECTRIC_GRID_HACKING?SITE=AZPHG&SECTION=HOME&TEMPLATE=DEFAULT

Unknown, (2009), North American Electric Reliability Corporation, Retrieved on April 8th, 2009 from http://www.nerc.com/page.php?cid=1|7|10

Various, (2009, April 9), (POLL) How worried are you that a cyber attack could damage U.S. infrastructure?, Retrieved on April 9th, 2009 from
http://forums.wsj.com/viewtopic.php?t=5653