Phone Rippers
12 November 2012
Author: Roman Romachev — CEO, The Private Intelligence Company “R-Techno” http://r-techno.org
FOR THREE YEARS THE US HAS BEEN HOME TO A RATHER EDUCATIONAL ANNUAL EVENT: A SOCIAL ENGINEERING CONTEST THAT WOULD PROBABLY BE WORTH A VISIT FOR TOP MANAGERS AND CHIEF SECURITY OFFICERS OF LARGE RUSSIAN COMPANIES.
Many companies today are preoccupied with IT security while clearly underestimating the risk that confidential corporate data will leak through nothing more sophisticated than an ordinary phone call.

Business intelligence professionals refer to this phenomenon as HUMINT, human intelligence. It is the company's own employees who are often the weakest link in the security system the company has built.
The American social engineering contest is part of Defcon, a large hacker convention held in Las Vegas. The event has a rather peaceful character: while the technical hackers probe IT systems for weak spots, the social engineers "hack" large American corporations by engaging their employees in phone conversations and extracting corporate secrets from them. All of this happens in front of an audience, some of it rather high-ranking, including senior officials from the FBI, NSA, US Department of Defense and Department of Justice. What I find interesting is that the social engineers reach their goal faster and more efficiently than their technical counterparts, and sometimes even hand them tips for an effective computer attack on the target company.
The contest has a simple procedure. The organizers distribute a list of ten organizations picked at random from the Fortune 500, and a list of flags: the items of data the competitors must obtain. Contestants have two weeks to choose their target, research it using publicly available data, analyze its weaknesses and develop a legend (a cover story). During the contest itself they sit in a transparent soundproof booth on a stage; the phone number is dialed for them and the conversation is played through speakers so the audience can follow the contestant's social engineering skills. Each contestant has 20 minutes to collect as many points as possible.
Many episodes of the latest contest, held this summer, could go straight into a competitive intelligence anthology. John Carruthers, who chose to attack the Target store chain, was the first competitor to take the lead. In the time allowed he talked to several IT staff at stores all over the country, posing as a systems administrator at a Target data center in Minnesota and asking why they had not deployed an important patch to the company's supplier software. While preparing for the contest, Carruthers had noticed that, in building its website, Target had unwittingly exposed a piece of internal corporate information: its internal store IDs, which appeared in the URL of every store's page on the site. So whenever a Target employee doubted whether he was really talking to his company's systems administrator, Carruthers simply quoted that store's ID. That was enough to pass the "friend-or-foe" check in his favor, and the rest of the conversation ran like clockwork.
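As an added example (not code from the article, and not Target's or any contestant's code), here is that preparation step in miniature: harvesting internal identifiers that a public website exposes in its URLs, and checking whether a value a caller recites is one of them. The HTML, the hostname stores.example-retailer.test and the /store/<id>/<slug> URL layout are constructed for the example and are assumptions, not Target's real site structure.

```python
"""Harvesting identifiers leaked in public URLs (OSINT), then treating them
as what they are: public, and therefore useless as a caller-verification token.

Added example, not code from the original article and not Target's site.
The HTML, the hostname stores.example-retailer.test and the /store/<id>/<slug>
URL layout are constructed for this example (assumptions, not Target's real
structure)."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed store-locator page. An attacker needs nothing more than what
# any visitor's browser receives.
SAMPLE_HTML = """
<html><body>
<ul class="stores">
 <li><a href="https://stores.example-retailer.test/store/T-2571/minneapolis-downtown">Minneapolis Downtown</a></li>
 <li><a href="/store/T-0883/chicago-loop">Chicago Loop</a></li>
 <li><a href="https://stores.example-retailer.test/store/T-1404/dallas-north">Dallas North</a></li>
 <li><a href="/careers">Careers</a></li>
</ul>
</body></html>
"""

BASE_URL = "https://stores.example-retailer.test"
# Assumed URL layout: /store/<internal store id>/<name slug>
STORE_PATH = re.compile(r"^/store/(?P<store_id>T-\d{4})/[a-z0-9-]+$")


class LinkCollector(HTMLParser):
    """Collects (href, link text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def harvest_store_ids(html, base_url=BASE_URL):
    """Map every internal store ID found in the page's links to the store name.

    Relative and absolute hrefs are both resolved against base_url, so the
    regex only ever sees a normalised path."""
    parser = LinkCollector()
    parser.feed(html)
    found = {}
    for href, text in parser.links:
        match = STORE_PATH.match(urlparse(urljoin(base_url, href)).path)
        if match:
            found[match.group("store_id")] = text
    return found


def token_is_public(token, harvested):
    """True if the 'secret' a caller recites is something anyone could have
    scraped. A challenge that relies on such a value is not a check at all."""
    return token in harvested


if __name__ == "__main__":
    ids = harvest_store_ids(SAMPLE_HTML)
    for store_id, name in ids.items():
        print(f"{store_id}: {name}")
    print("caller quoting T-2571 proves identity:", not token_is_public("T-2571", ids))
```

The practical check for a defender is the second function: before accepting any fact as proof of identity, ask whether that fact appears anywhere a stranger could read it. If it does, the only sound response to an unexpected caller is a callback to a number obtained independently of the call.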
Engineers posing as analysts carrying out market research, or as journalists, found the task harder.
SOCIAL ENGINEERING IS AN AGE-OLD PHENOMENON, BUT ITS "HEROES" USUALLY CHOOSE TO STAY IN THE SHADE. THE COMPETITORS OF THE SOCIAL ENGINEERING CONTEST ARE EXCEPTIONS. IN FACT, MOST OF THEM ARE PROFESSIONAL SECURITY "AUDITORS" WORKING FOR LARGE CORPORATIONS
The contest championship has, for the second time, gone to Shane MacDougall, who impressively took apart the security of a Wal-Mart store in a small Canadian town. Shane called the store manager, posing as a logistics executive from Wal-Mart headquarters. He said he would soon be visiting the town to select "pilot" stores for a programme that would implement a large government contract about to be awarded to Wal-Mart, but first wanted to clarify certain operating details over the phone. Falling for the legend, the store manager began giving up the flags one by one, readily and without a shadow of doubt, even volunteering many things he had not been asked about: shift schedules, the OS and antivirus software installed on his office PC, the name of the cleaning contractor, the staff compensation scheme and so on. Finally, MacDougall asked him to go to an external website and fill in a questionnaire there ("to help me get ready for the trip", as MacDougall put it). The store manager was willing to do that too; the only reason he could not was that the corporate IT system blocked the website the hacker had pointed him to. It is worth noting that the one thing that stopped the attack was a technical control, the web filter, not the employee's judgement.
Following the successful hack, MacDougall told CNNMoney reporters that his favorite targets are sales employees: "As soon as they think there's money, common sense goes out the window". The winning hacker went on to voice another important idea: "I see all these CIOs that spend all this money on firewalls and stuff, and they spend zero dollars on awareness."
Social engineering is a very old phenomenon, but its "heroes" usually choose to stay in the shade. The competitors of this social engineering contest are exceptions: most of them are professional security "auditors" working for large corporations, and so have an interest in demonstrating their skills to the public. If I were to name a famous social engineer from America's past who did not shy away from morally ambiguous methods, the only name that comes to mind is Harry Romanoff, the legendary editor of Chicago's American. He obtained almost all of his scoops over the phone, posing as the chief of police, the governor, or a fire chief. (History also records a "Romanoff's mistake": he called a house that was a crime scene where an investigation team was at work. "This is Coroner O'Bannion. How many dead ones you got?" Harry asked. After a pause the voice replied, "No, this is Coroner O'Bannion. Who the hell are you?")
The business community must realize that the social engineer's work is much easier today: it is easier to pick a target employee, compile a dossier, and understand the professional and personal relationships within a corporation, the hierarchy of its business divisions and its corporate culture. Social networks, where the majority of employees from juniors to seniors keep personal accounts, are open to them. There they can take their time interacting with the target and pick up the professional jargon needed to speak the target's language.
Other social engineers deliberately avoid the obvious route and do not try to obtain confidential information from the most obvious holder of it within the company. You do not need to target an IT officer to learn about IT security, or the accountant to learn about the company's finances. A classic business-intelligence example is the cleaner who empties the waste-paper basket in the CEO's office: that waste paper can be a source of commercially important information.
Phone calls are an extremely convenient tool for a social engineer. As long as the information obtained is not used to the detriment of a particular person or company, the social engineer bears no criminal liability: it is not illegal to talk to someone. In this situation it is the other party to the conversation who must be mindful of their responsibility. For example, if an accountant discloses, even unwittingly, data over the phone that then ends up in the hands of the company's competitors, that act can result in criminal prosecution under the Russian Federal Law "On Trade Secrets".
IT IS THE COMPANY'S OWN EMPLOYEES WHO OFTEN TURN OUT TO BE THE WEAK LINK IN THE CORPORATE SECURITY SYSTEM. THAT IS WHY IT IS CRUCIAL TO REMEMBER, EVEN IN THIS IT-DRIVEN EPOCH, THAT YOUR COMPETITORS CAN USE HUMAN INTELLIGENCE TO GET TO YOU
A fairly typical situation: an accountant receives a call from a man claiming to be an official at a statistical agency, asking the accountant to respond to an inquiry that has been sent to the corporate e-mail. The document raises no suspicion, as it is drawn up in accordance with every standard. What happens next varies. One accountant will probably reply to the inquiry and unwittingly send the data to the company's competitors. Another will demand the original on paper and call the agency, on a number looked up independently rather than one taken from the e-mail, to ask why they are sending inquiries by e-mail... Guess which is the right one.
It is important to understand that technology-based security alone guarantees nothing. Beyond expensive and complex IT systems, the people working in a company must be responsible for protecting its data. That is administrative security, and it requires continuous awareness work. Every company must have written regulations on the handling of confidential information, and every new employee must sign a non-disclosure agreement on hiring. Corporate training sessions or seminars must be held at least once a year. Management must state clearly what constitutes confidential information and how it is to be protected. Education is the way to prevent data leaks.
Social networks have long since become the place where black-hat hackers carry out their "human research". There have been cases where they created an account posing as a company's director general and began actively networking with the employees, extracting the information they needed. Naturally, this kind of attack works best in companies where management is somewhat distanced from its employees, whether geographically or by hierarchy: then there is little risk that the director will ever learn of "his" online interaction with the staff. Prudent management makes sure that staff ignore the fake account by making the director general's confirmed account known to them. That works. But a hacker can just as easily create an account for the manager's wife and interact with everyone connected to the company, gradually finding out more and more. So how can a company protect itself? The answer is to maintain the highest level of awareness within the company, so that staff have a clear idea of whom to correspond with and which topics to discuss.
Source: www.business-magazine.ru/trends/darkside/pub346254
Published in Business Magazine Online, September 10, 2012.