01 Jun 2006 @ 2:43 AM 

These are the details of a social engineering attack pulled on Dhiraagu (for a good cause again).

What is Social Engineering?

Social Engineering uses influence and persuasion to deceive people by convincing them that the social engineer is someone he is not, or by manipulation. As a result, the social engineer is able to take advantage of the people to obtain information with or without the use of technology.

The passages in italics in this article are extracts from the book “Art of Deception” by Kevin D. Mitnick; they describe the social engineering tricks used in this case.

A friend of mine called me to help him with his ADSL connection, which kept dropping the signal every 2 seconds. They had recently moved to a new building and Dhiraagu had moved their ADSL to the new building as well. I went to meet him at around 17:30 hrs on a Thursday.

I asked my friend for the username and password of the ADSL router he has, in order to find out what could be wrong. He didn’t have that information, as is usual with most of us who don’t keep that type of information in a safe place. I then asked him whether he had the ADSL username and password, in case I had to reset the router to factory settings to access it. He didn’t have that either.

I called up Dhiraagu 123 from my mobile (which has no relation to the address where the ADSL was connected) and told the guy directly that I didn’t have the username and password for my ADSL connection and that the only information I could give him was the address the ADSL was connected to.

The Direct Attack: Just Asking for It

Anybody gutsy enough to call and claim to be the owner or whatever will likely be taken at his word. Unless it’s obvious that he doesn’t know the terminology, or if he’s nervous and stumbles over his words, or in some other way doesn’t sound authentic, he may not even be asked a single question to verify his claim. That’s exactly what happened here with the support person.

The guy looked up the database and simply gave me the username. I then asked for the password, and he gave me that too. Then I asked him for the username of the ADSL router (which Dhiraagu provides), and he gave me the username and password for the router as well.

The Direct Attack: Just Asking for It

Many social engineering attacks are intricate, involving a number of steps and elaborate planning, combining a mix of manipulation and technological know-how.

A skillful social engineer can often achieve his goal with a simple, straightforward, direct attack. Just asking outright for the information may be all that’s needed—as you’ll see.

Knowledge of a company’s lingo, and of its corporate structure—its various offices and departments, what each does and what information each has—is part of the essential bag of tricks of the successful social engineer.

What if somebody uses Social Engineering to harm these organisations and its customers?

Categories: Security, Social Engineering. Posted by: asoa
Last Edit: 01 Jun 2006 @ 02:43 AM

 28 May 2006 @ 12:28 AM 

A few days back I was assigned a project to get back a domain from a couple of guys who had taken it over. The project also had a limited time to complete.

My main purpose in taking on this job was to prove to my friends, colleagues and associates that anything can be achieved if you set your mind to it, no matter how difficult the process is. This was also an opportunity for me to try and test my social engineering (for a good cause) and technological skills.

What is Social Engineering?

Social Engineering uses influence and persuasion to deceive people by convincing them that the social engineer is someone he is not, or by manipulation. As a result, the social engineer is able to take advantage of the people to obtain information with or without the use of technology.

The following is a real case of social engineering. I have changed the names of the domain, the registrar and some other things in order not to reveal the real identities involved. The passages in italics in this article are extracts from the book “Art of Deception” by Kevin D. Mitnick; they describe the social engineering tricks used in this case.

Project: Getting back the domain.com
Project Code Name: domain
Type of work: Combination of Technology and Social Engineering.

Details:

domain.com has been taken over by someone and has to be retrieved as soon as possible.

Tasks:
1. Getting the domain back

How it was done:

Looking at the situation from different angles, it was believed that the best approach to this task would be a combination of technology and social engineering rather than a technological attack alone.

Getting the Domain

I contacted the domain registrar to find out how the administrative email could be changed as soon as possible in order to retrieve the password for the domain.

I played the sympathy role with a story of an ex-administrator taking all the passwords with him when he left the company. I also played dumb to get the support guy to give me specific information on how to fill in the form to reset the administrative account.

Can You Help Me?

The social engineer manipulates by pretending he needs the other person to help him. We can all sympathize with people in a tight spot, and the approach proves effective over and over again in allowing a social engineer to reach his goal.

The attacker asked the organisation’s support personnel to walk him through the steps of a form-filling process he didn’t know how to do. A powerful and effective turning of the tables, this is the equivalent of asking the owner of a store to help you carry a box containing items you’ve just stolen from his shelves out to your car.

The administrative email was successfully changed and the domain password was retrieved. After logging into the system with this password, I found I was in for more trouble, as this domain account resided within another main account (known as a One Click Domain Manager or OCDM account). The password to this OCDM account was still with the guys who had taken over the domain.

The next attempt was to see how powerful this so-called OCDM account is. In order to learn about the OCDM account, its capabilities and how the whole system works, I created my own OCDM account. This let me learn all the capabilities of an OCDM account.

After using the OCDM account for a couple of minutes, I found out that a domain can be imported into an OCDM if you know the password of that domain. Since I had the password to domain.com, I tried importing it into my OCDM account and learned that domain.com first had to be removed from the original OCDM account in which it resided. Only then would I be able to import it into my OCDM account.

I took advantage of the above by finding out the details of how the OCDM accounts work and the lingo, and then asking directly for it.

Trust:

Think of your own attitude when somebody you don’t know asks you for something. If a shabby stranger comes to your door, you’re not likely to let him in; if a stranger comes to your door nicely dressed, shoes shined, hair perfect, with polite manner and a smile, you’re likely to be much less suspicious.

What’s less obvious is that we judge people on the telephone the same way. Does this person sound like he’s trying to sell me something? Is he friendly and outgoing or do I sense some kind of hostility or pressure? Does he or she have the speech of an educated person? We judge these things and perhaps a dozen others unconsciously, in a flash, often in the first few moments of the conversation.

It’s natural for people to have a higher degree of acceptance for anyone who claims to be a fellow employee or customer and who knows the company procedures and lingo.

I called up the domain registrar’s support again and told the support guy that I was having problems logging into my OCDM and that I had been managing my domain with the domain password. I also explained to him that I had created another OCDM and that I needed to move my domain (domain.com) into it. I then explained that I was unable to do so as it resided in the old OCDM account, which I could not access as I had forgotten the password for it. The very helpful support guy Mr. …… (he feels sorry and bends the rules a little to help the poor customer) assured me that he would remove my domain from my old OCDM so that I could import it into my OCDM.

The Direct Attack: Just Asking for It

Many social engineering attacks are intricate, involving a number of steps and elaborate planning, combining a mix of manipulation and technological know-how.

A skillful social engineer can often achieve his goal with a simple, straightforward, direct attack. Just asking outright for the information may be all that’s needed—as you’ll see.

Knowledge of a company’s lingo, and of its corporate structure—its various offices and departments, what each does and what information each has—is part of the essential bag of tricks of the successful social engineer.

After waiting 4 hours for it to be removed from the old OCDM, I called up the domain registrar’s support again and told the support guy that I needed my domain removed from the old OCDM and that his colleague Mr. ….. had assured me 4 hours earlier that he would do it, but it had not been done yet. (Feeling guilty about what his co-worker couldn’t do, he bends the rules a little to help out a fellow employee who couldn’t provide support to this customer.) This support guy assured me that it would be done in 5 minutes, and he proved it by removing the domain from the old OCDM. At last I was able to move the domain to my new OCDM and gain total control of the domain.

Using Sympathy, Guilt and Intimidation

A social engineer uses the psychology of influence to lead his target to comply with his request. Skilled social engineers are very adept at developing a ruse that stimulates emotions, such as fear, excitement, or guilt. They do this by using psychological triggers—automatic mechanisms that lead people to respond to requests without in-depth analysis of all the available information. Sympathy, guilt and intimidation are three very popular psychological triggers used by social engineers.

We all want to avoid difficult situations for ourselves and others. Based on this positive impulse, the attacker can play on a person’s sympathy, make his victim feel guilty, or use intimidation as a weapon.

The emotional ploy of “I’m in trouble, won’t you help me?” was all it took to win.

Anybody gutsy enough to call and claim to be the owner or whatever will likely be taken at his word. Unless it’s obvious that he doesn’t know the terminology, or if he’s nervous and stumbles over his words, or in some other way doesn’t sound authentic, he may not even be asked a single question to verify his claim. That’s exactly what happened here with two different support personnel.

Now the domain was in my full control and the job was completed.

Conclusion

The impossible was made possible after all with a few tricks of social engineering and learning a bit of technology.

During this process, I found out that every organization or company, be it government or private, is vulnerable to such social engineering attacks. The organization for which I did this work was also vulnerable to such attacks.

Categories: Security, Social Engineering. Posted by: asoa
Last Edit: 28 May 2006 @ 12:28 AM

 03 Sep 2005 @ 2:55 PM 

The Art of Deception or the Social Engineering uses influence and persuasion to deceive people by convincing them that the social engineer is someone he is not, or by manipulation. As a result, the social engineer is able to take advantage of people to obtain information with or without the use of technology.

What is Social Engineering?

Basically, social engineering is the art and science of getting people to comply with your wishes. It is not a way of mind control: it will not allow you to get people to perform tasks wildly outside of their normal behaviour, and it is far from foolproof.

It also involves far more than simply quick thinking and a variety of amusing accents. Social engineering can involve a lot of ‘groundwork’, information gathering and idle chit chat before an attempt at gaining information is ever made. Like hacking, most of the work is in the preparation, rather than the attempt itself.

You may think this talk is a weak excuse to demonstrate how these techniques can be used for hacking. OK, fair enough. However, the only way to defend against this sort of security attack is to know what methods may be used. With this knowledge it is possible to pick up on these techniques being used against you or your company and prevent security breaches before anyone gets near your data. A CERT-style security alert with few details is pointless in this case. It would simply boil down to “Some people may try to get access to your system by pretending some things are true. Don’t let them.” As usual, no help whatsoever.

So What?

Social engineering concentrates on the weakest link of the computer security chain. It is often said that the only secure computer is an unplugged one. The fact that you could persuade someone to plug it in and switch it on means that even powered down computers are vulnerable.

Also, the human part of a security set-up is the most essential. There is not a computer system on earth that doesn’t rely on humans. This means that this security weakness is universal, independent of platform, software, network or age of equipment.

Anyone with access to any part of the system, physically or electronically, is a potential security risk. Any information that can be gained may be used for social engineering further information. This means even people not considered part of a security policy can be used to cause a security breach.

A big problem?

Security professionals are constantly being told that security through obscurity is very weak security. In the case of social engineering it is no security at all. It is impossible to obscure the fact that humans use the system or that they can influence it, because as I stated before, there isn’t a computer system on earth that does not have humans as a part of it.

Almost every human being has the tools to attempt a social engineering ‘attack’, the only difference is the amount of skill used when making use of these tools.

Methods

Attempting to steer an individual towards completing your task can use several methods. The first and most obvious is simply a direct request, where an individual is asked to complete your task directly. Although least likely to succeed, this is the easiest and most straightforward method: the individual knows exactly what you want them to do.

The second is by creating a contrived situation of which the individual is simply a part. With more factors than just your request to consider, the individual concerned is far more likely to be persuaded, because you can create reasons for compliance other than purely personal ones. This involves far more work for the person making the attempt at persuasion, and almost certainly involves gaining extensive knowledge of the ‘target’. This does not mean that the situation need not be based in fact: the fewer untruths the better.

One of the essential tools used for social engineering is a good memory for gathered facts. This is something that hackers and sysadmins tend to excel at, especially when it comes to facts relating to their field. To illustrate this I am going to perform a small demonstration.

[Demonstration here. This basically showed that with social pressure an individual will conform to a group decision, even if it is obviously the wrong choice.]

Conformity

Even in cases where a person is sure they are right, it is possible to cause them to act in a different manner. If I had simply asked the last person on their own what the middle word was, they would have given me the correct answer, and no matter how much I tried to persuade them they probably wouldn’t have changed their mind.

However, this group setting was a vastly different situation. It had what psychologists call ‘demand characteristics’; that is, the situation placed strong social constraints on how the participants should act. Not wishing to offend the other people, not wanting to look dozy in front of a large audience and not undermining the views of the other well-respected participants all led to a decision to ‘go with the flow’. Using situations with these characteristics is an effective way of guiding people’s behaviour.

Situations

However, most social engineering is conducted by lone individuals, and so the social pressure and other influencing factors have to be constructed by creating a believable situation in which the target feels immersed.

If the situation, real or imaginary, has certain characteristics, then the target individual is more likely to comply with your requests. These characteristics include:

• Diffusion of responsibility away from the target individual. This is when the individual believes that they are not solely responsible for their actions.

• A chance for ingratiation. Compliance is more likely if the individual believes that by complying they are ingratiating themselves with someone who may give them future benefits. This is basically getting in with the boss.

• Moral duty. This is where an individual complies because they feel it is their moral duty to. Part of this is guilt. People prefer to avoid feelings of guilt, so if there is a chance that they will feel guilty they will, if possible, avoid that outcome.

Personal persuasion

On a personal level there are methods that are used to make a person more likely to co-operate with you. The aim of personal persuasion is not to force people to complete your tasks, but to enhance their voluntary compliance with your request.

There is a subtle difference. Basically, the target is simply being guided down the intended path. The target believes that they have control of the situation, and that they are exercising their power to help you out.

The fact that the benefits the person will gain from helping you out have been invented is irrelevant. The target believes they are making a reasoned decision to exchange these benefits for a small loss of their time and energy.

Co-operation

There are several factors which, if present, will increase the chances of a target co-operating with a social engineer.

The less conflict with the target the better. Co-operation will be more readily gained when the softly-softly approach is used. Pulling rank (or invented rank), annoyance or orders rarely work for effective coercion.

The ‘foot in the door’ factor is where the focus of a persuasion attempt already knows you or has had experience of dealing with you. This is particularly effective and was known to con men as the ‘confidence trick’. Psychological research has shown that people are more likely to comply with a large request if they have previously complied with a far smaller one. If this ‘foot in the door’ includes a positive history of co-operation, where things have gone well in the past, then the chances of co-operation are greatly increased.

The more sensory information a target can gain from a social engineer the better. This is especially true of sight and sound: you are more likely to be believed if the target can see and hear you than if they can only hear your voice over the phone. Unsurprisingly, ASCII text communications do not lend themselves to persuasion. It is very easy to refuse someone via an IRC-style chat.

Involvement

However, success does depend a lot on how involved a person is in the request you are making. We can say that system administrators, computer security officers, technicians and people who rely on the system for essential work tools or communication are highly involved in most social engineering attacks by hackers.

Highly involved people are persuaded better by strong arguments. In fact, the more strong arguments you give them the better. Surprisingly, it’s not the same for weak arguments. Someone highly involved in the attempt at persuasion is less likely to be persuaded if you give them weak arguments. When someone is likely to be directly affected by a social engineering attempt, weak arguments tend to generate counter-arguments in the target’s head. So for highly involved people, the rule is more strong arguments, fewer weak arguments.

People are classed as low involvement if they have very little interest in what you are asking them to do. Relevant examples might be security guards, cleaners or receptionists at a computer system site. Because low involvement people are not likely to be directly affected by a request, they tend not to bother analysing the pros and cons of persuasive banter. Instead, it is common for the decision to agree with your request or not to be made based on other information. Such information could be the sheer number of reasons the social engineer gives, the apparent urgency of the request or the status of the person trying to do the persuading. The rule of thumb here is simply the more arguments or reasons the better. Basically, people who aren’t involved in what a social engineer is trying to achieve will be persuaded more by the number of arguments or requests than by how relevant they are.

One important point to note is that less competent people are more likely to follow more competent models. In the case of computer systems these are likely to be low involvement people. The moral of these points is: don’t try to social engineer the sysadmin, unless of course the sysadmin is less competent than you are, which as we all know is very unlikely.

Securing against human attacks

With all this information, how would someone go about making their computer system more secure? A good first step would be to make computer security part of everyone’s job, whether they use a computer or not. This will not only boost their self-perceived status at no extra cost to you, but will also make staff more vigilant. If you make someone involved in keeping your computer system secure, they are more likely to pay closer attention to unauthorised individuals trying to gain access to a system.

However, the best defence against this, as with most things, is education. Explaining to employees the importance of computer security, and that there are people who are prepared to try to manipulate them to gain access, is an effective and wise first step. Simply forewarning people of possible attacks is often enough to make them alert enough to spot them. Remember to give both sides of the story when educating people about computer security. This isn’t just my personal bias: when individuals know both sides of an argument they are less likely to be dissuaded from their chosen position. And if they are involved in computer security, their chosen position is likely to be on the side of securing your data.

There are attributes that people less likely to comply with persuasion tend to have. Less compliant people tend to be pretty bright, highly original, able to cope with stress and reasonably self-confident. Stress management and self-confidence can be taught, or at least enhanced. Self-assertion courses are often used for management employees; this training is excellent at reducing the chances of an individual being socially engineered, as well as having many other employment benefits.

What this comes down to is making people aware of and involved in your security policy. This takes little effort and gives great rewards in terms of the amount of risk reduction.

Conclusion

Contrary to popular belief, it is often easier to hack people than sendmail. But it takes far less effort to have employees who can prevent and detect attempts at social engineering than to secure any unix system.

Sysadmins, don’t let the human link in your security chain let your hard work go to waste. And hackers, don’t let sysadmins get away with weak links, when it is their chains that are holding your data.

Categories: Social Engineering. Posted by: asoa
Last Edit: 03 Sep 2005 @ 02:55 PM
