Re: Social Engineering Data set

From: Magdelin Tey (crux80@hotmail.com)
Date: Fri Oct 13 2006 - 02:45:46 EDT


Hi all,

Just to share some social engineering examples.
I was doing a penetration test for a customer, and couldn't seem to get into
the system. They were pretty well hardened and all the high security
controls were in place.
I tried to do a little social E by asking an admin to log into the system to
check for some patches, and true enough, from my guess, the root password
was an easy one.
So, a little Social E, with a little shoulder sniffing, I managed to get into
the system using the root password. Amazing how small little things like
this can bring massive problems to a highly secure network. It all boils
down to people and proper security education.

Not using this as an example for people to rely heavily on Social E and not
perform the necessary PT steps, but it can be helpful when all other means
of exploiting a system are gone.

Just my 2 cents

M

>From: xun dong <xundong@cs.york.ac.uk>
>To: CTaylor 2121 <ctaylor2121@hotmail.com>
>CC: Frynge Customer Support <frynge@frynge.com>,pen-test@securityfocus.com,
>security-basics@securityfocus.com
>Subject: Re: Social Engineering Data set
>Date: Thu, 12 Oct 2006 23:23:42 +0100
>
>Thanks for your suggestion. I certainly think those attacks are instances
>of social engineering attacks, and I have included them in the data set
>already.
>
>CTaylor 2121 wrote:
>>What about the one in which a disk or CD is left in the employee rest room
>>with an enticing title written on it? Or the free software (game or
>>program) that is given away at a trade-show? Both would contain trojans.
>>Where would you classify those types of attacks?
>>
>>
>>Thanks,
>>C Taylor
>>CTaylor2121@hotmail.com <mailto:CTaylor2121@hotmail.com>
>>"Retirement is just a PowerBall away"
>>
>>
>>------------------------------------------------------------------------
>> > From: frynge@frynge.com
>> > To: xundong@cs.york.ac.uk; pen-test@securityfocus.com; security-basics@securityfocus.com
>> > Subject: Re: Social Engineering Data set
>> > Date: Thu, 12 Oct 2006 00:19:27 -0600
>> >
>> > Social Engineering Attack examples
>> >
>> > Social engineering attacks are usually done to exploit the laziness of
>> > people, or people with good manners, or even people that want to help
>> > you. This is what makes it very hard to guard against a SE attack
>> > because the people involved may not realize that they are being fooled
>> > and will never admit this to anyone. The SE attempts to persuade
>> > someone to provide information that will allow them to use your system
>> > or resources as if they were his own. This is most commonly referred to
>> > as the "confidence trick".
>> >
>> > These are the 5 main attacks that I know of
>> >
>> > 1: Personal approaches including the confidence trick
>> > 2: Online attacks (includes all the email phishing attacks)
>> > 3: Telephone
>> > 4: Waste management
>> > 5: Reverse Social engineering
>> >
>> >
>> > 1: Online Attacks
>> >
>> > They include:
>> > A) Email threats like phishing
>> > B) Confidence tricks and attacks
>> > C) Online pop up attacks
>> > D) Instant messaging
>> >
>> > Here is one example
>> >
>> > Pop ups or dialog boxes
>> >
>> > One of the most popular goals is to embed a mail engine within your
>> > computer environment through which the hacker can launch phishing or
>> > other e-mail attacks on other companies or individuals.
>> > The phishing attack will show a hyperlink that appears to link to a
>> > secure account management site, while the status bar shows that it
>> > takes the user to, is the hacker's site. Hackers can suppress or
>> > reformat the status bar information to whatever they want. Most people
>> > will not look or know to look. This way, the hacker is given the
>> > information via a neat form they have created. All this was done from a
>> > simple email, that the hacker sends impersonating the company.
>> >
>> >
>> > 2: Telephone
>> >
>> > Attacks on AOL
>> >
>> > AOL was attacked and approximately 200 accounts were compromised. It
>> > was a simple human SE attack in which the hacker would talk to tech
>> > support for a long time. It seemed the longer the hacker talked, the
>> > more confident and friendly the employee became.
>> >
>> > At the point of most confidence the hacker mentions that he had a car
>> > for sale at a great price. The employee had shown interest and then it
>> > was as simple as sending an email. The hacker then sent an email with
>> > an executable trojan backdoor instead of the picture of the car. Upon
>> > viewing the email it executed. The email basically said, that he may
>> > have done something wrong by sending the picture, did you get it? At
>> > this point the damage has already been done and the system compromised.
>> >
>> > This trojan backdoor then opens a port from AOL through the firewall.
>> > It was then an open door for the hacker to come back at a later date in
>> > order to check out the system, gather passwords and hide the evidence.
>> > This is a common way to gain entrance to a secure system. Why go
>> > through all the defences created, when they let you in the backdoor :)
>> >
>> >
>> > This next example below includes these techniques
>> > 1: confidence attack
>> > 2: reverse engineering
>> > 3: waste management
>> > 4: telephone SE attacks
>> >
>> > Reverse social engineering describes a situation where the TARGET will
>> > offer the hacker the information. This may seem unlikely, but people of
>> > authority, often receive vital personal information, such as user IDs
>> > and passwords, because they are above suspicion.
>> >
>> > Example 2:
>> >
>> > A group of hackers walk in to a large shipping firm and walked out with
>> > the entire company's corporate network.
>> >
>> > What did they do?
>> >
>> > This technique is called the syphon. Small amounts of information, can
>> > be useless, but to a hacker, bit by bit, you can collect a large
>> > portion of the puzzle. The key is to gather this from different
>> > employees.
>> >
>> > You will see as in the last example, it's not through the bars of the
>> > prison they come, but through its weakness, which is its employees.
>> >
>> > First, there was a small period of data collecting on the company.
>> > Calling, going through trash that is set outside. (waste management)
>> > They also need to get familiar with the roles, they must know who they
>> > are dealing with. It is very important to become the person or become
>> > your role. They had learned key employees' names by simply calling the
>> > company and inquiring about shipping and receiving (telephone SE
>> > attacks). Next, they pretend to lose their key to the front door and as
>> > simple as that, they are in the front door :) (confidence SE attacks)
>> >
>> > Then they lost their identity badges when entering a very secure area,
>> > they just smiled, were very calm and a friendly employee let them right
>> > in. Most will not assume you shouldn't be there or you're not who you
>> > say you are. (again confidence or personal SE attacks)
>> >
>> > The hackers already had known previously, that the CFO was out of town,
>> > so they knew which offices to enter beforehand. They went in to obtain
>> > financial data off his computer. They went through the trash which is a
>> > very common practise and you would be surprised what you can find in
>> > the trash, the people do not shred. (waste and trash management) After
>> > getting all types of useful documents, they asked a janitor for a
>> > garbage pail and then placed all the data in this and carried it
>> > straight out of the building with permission.
>> >
>> > The hackers had talked previously to the CFO and knew his voice and
>> > mannerisms. So they then called up, pretending they were the CFO in a
>> > hurry, and desperately needed the network password. From there, they
>> > used regular hacking techniques and tools to gain super user access to
>> > the system, with not one person the wiser. (telephone reverse
>> > engineering attacks)
>> >
>> > In this case, the "hackers" were network consultants performing a
>> > security audit for the CFO without any other employees' knowledge. They
>> > were never given any privileged information from the CFO but were able
>> > to obtain all the access they wanted through social engineering. (This
>> > story was recounted by Kapil Raina, currently a security expert at
>> > Verisign and co-author of mCommerce Security: A Beginner's Guide, based
>> > on an actual workplace experience with a previous employer.)
>> >
>> > Security is all about trust. Trust in protection and authenticity.
>> > Generally agreed upon as the weakest link in the security chain, the
>> > natural human willingness to accept someone at his or her word, leaves
>> > many of us vulnerable to attack.
>> >
>> > Kelly Sigethy
>> > http://www.frynge.com
>> >
>> > ----- Original Message -----
>> > From: "xun dong" <xundong@cs.york.ac.uk>
>> > To: <pen-test@securityfocus.com>; <security-basics@securityfocus.com>
>> > Sent: Wednesday, October 11, 2006 4:31 AM
>> > Subject: Social Engineering Data set
>> >
>> >
>> > > Hello list;
>> > >
>> > > I am currently doing research on Social Engineering Attacks. Unlike
>> > > the technical hack, I found that there are few useful and well
>> > > documented SE attack examples on the Internet. So I decided to create
>> > > a data set for SE attacks, and I am willing to publish it for free on
>> > > the Internet.
>> > >
>> > > However, I think only my own experience would not be able to make
>> > > this dataset as comprehensive as possible. So I would like to ask for
>> > > help on this list. If you think you have SE attack examples, you can
>> > > email me. Of course for confidential reason you should not use the
>> > > real name in your example. If you don't mind I will also publish your
>> > > name along with the example you provided. Thanks a lot in advance. I
>> > > hope this could be a step forwards in protecting against SE attacks.
>> > >
>> > > --
>> > > Xun Dong
>> > > Research Associate
>> > > Department of Computer Science
>> > > University of York
>> > >
>> > >
>>
>




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:12 EDT