BreachExchange mailing list archives
Hacked in 20 Minutes: Social Engineering Done Right
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 21 Feb 2014 19:29:20 -0700
http://securitywatch.pcmag.com/security/320913-hacked-in-20-minutes-social-engineering-done-right

How long would it take for an attacker to break into a business? Get on the corporate network as an authenticated user? If you think it would take a few days or even a few hours, you are way, way off. Try 20 minutes.

It took David Jacoby, a senior security researcher with the Global Research and Analysis Team at Kaspersky Lab, three minutes to sneak into the building, four minutes to get network access, five minutes to get authenticated access to the network, and ten minutes to install a backdoor onto the corporate network. He was able to download and walk away with "gigabytes of data" from the company, he told attendees at last week's Kaspersky Lab Security Analyst Summit.

Jacoby was invited by a company to come in and test its defenses. As it turned out, he didn't need any fancy hacks or zero-days to get through. It was all social engineering. "They spent so much money [on security], and I still got in," Jacoby said.

Being Nice to Tailgaters

The company required employees to use a badge to enter and leave the building. Jacoby waited for other employees to go inside, and just hurried in after them. Most people want to be polite and will hold the door open if someone is going in at the same time--something most tailgaters take advantage of.

Jacoby went a step further, in case the employee thought to ask to see the badge. He dressed up a bit to look a little managerial and held a cell phone up to his ear as if he was having a conversation with someone. As he was going through the door, he said, "I am right in the lobby. I will be up in a minute." No one will interrupt a phone call, and if you convey the impression that you are someone important heading off to meet someone important, most people won't stop to question you, Jacoby said.

There's Always a Hub

Surely, getting on the network had to be a little more difficult, right? It turned out Jacoby didn't bother trying to get on the corporate wireless. Instead, he went straight to the printer room, where there is invariably a network hub for the printer. He plugged his laptop into the hub and, as easy as that, he was on the network.

Getting on the network as a valid user took more talking than hacking. Jacoby found an employee sitting next door to the printer room and explained he was having trouble with the network. He asked if he could borrow the employee's computer. When he sat down, the employee was still logged in, which meant he could do whatever he wanted on the network. At this point, he installed a backdoor on the network, giving him full control. He no longer needed the employee's computer or credentials.

Every Step Matters

It's really hard to defend against social engineering because it's human nature to want to be nice and helpful. We want to give people the benefit of the doubt and not assume everyone is out to cause harm, but it's exactly this human emotion that makes us fail at security. While it's important to remind users repeatedly that they should log out before letting someone else use the computer, and to have signs asking employees not to let people tailgate into the office, people will default to being nice and helpful.

It's also important to remember that small businesses aren't immune. In fact, they may be even more susceptible to these attacks, if the employee thinks the person is an IT contractor or electrician.

This is why it's so important to use technology to secure the network. Instead of letting just any device plugged into the hub get on the network, administrators can enable MAC Address Restrictions, so that only known devices get a valid IP address.

After getting access to the network, Jacoby found that the network was segmented incorrectly, so sensitive systems were easily accessible. He found outdated and vulnerable software. He also found 300 user accounts with passwords set to never expire. All these things made his job, as an attacker, much easier.

Think like an attacker. You will be surprised at just how vulnerable your organization may be.
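The article's "MAC Address Restrictions" advice has a detection side as well as an enforcement side: once a list of known devices exists, DHCP server logs can be checked for any device that asked for an address without being on it, which is exactly what a laptop plugged into the printer-room hub would do. The script below is an added example and is not code from the article or from Kaspersky Lab; the allowlist, the hostnames and the log lines are constructed for the example and only resemble dnsmasq-style DHCP syslog output, so the regular expression may need adjusting for a real server.

```python
"""Flag DHCP requests from devices that are not on the known-device list.

Added example, not from the article. The log format is constructed to
resemble dnsmasq-style DHCP syslog lines; adjust DISCOVER_RE for your server.
"""
import re
from collections import defaultdict

# Hypothetical allowlist of known devices (MAC -> description), constructed for this example.
KNOWN_DEVICES = {
    "aa:bb:cc:00:00:01": "printer-room-mfp",
    "aa:bb:cc:00:00:02": "reception-desktop",
}

# Constructed sample syslog lines modelled on dnsmasq output; the third and
# fourth lines are an unlisted device asking for an address on the printer VLAN.
SAMPLE_LOG = """\
Feb 21 09:02:11 dhcp1 dnsmasq-dhcp[812]: DHCPDISCOVER(eth1) aa:bb:cc:00:00:01
Feb 21 09:02:11 dhcp1 dnsmasq-dhcp[812]: DHCPOFFER(eth1) 10.10.5.20 aa:bb:cc:00:00:01
Feb 21 09:14:53 dhcp1 dnsmasq-dhcp[812]: DHCPDISCOVER(eth1) DE:AD:BE:EF:00:01
Feb 21 09:14:53 dhcp1 dnsmasq-dhcp[812]: DHCPDISCOVER(eth1) de:ad:be:ef:00:01
Feb 21 09:20:02 dhcp1 dnsmasq-dhcp[812]: DHCPDISCOVER(eth0) aa:bb:cc:00:00:02
"""

# Only DHCPDISCOVER lines matter: they are the client asking for an address.
DISCOVER_RE = re.compile(
    r"DHCPDISCOVER\((?P<iface>[^)]+)\)\s+(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
)


def parse_discovers(log_text):
    """Yield (interface, mac) for every DHCPDISCOVER line, MAC normalised to lowercase."""
    for line in log_text.splitlines():
        m = DISCOVER_RE.search(line)
        if m:
            yield m.group("iface"), m.group("mac").lower()


def find_unknown_devices(log_text, known=KNOWN_DEVICES):
    """Return {mac: {"interfaces": [...], "count": n}} for MACs absent from the allowlist.

    Repeated requests from the same MAC are counted, not reported twice, so a
    device retrying DHCP produces a single finding.
    """
    unknown = defaultdict(lambda: {"interfaces": set(), "count": 0})
    for iface, mac in parse_discovers(log_text):
        if mac not in known:
            unknown[mac]["interfaces"].add(iface)
            unknown[mac]["count"] += 1
    return {
        mac: {"interfaces": sorted(v["interfaces"]), "count": v["count"]}
        for mac, v in unknown.items()
    }


if __name__ == "__main__":
    for mac, info in find_unknown_devices(SAMPLE_LOG).items():
        print(f"UNKNOWN {mac} on {','.join(info['interfaces'])} ({info['count']} requests)")
```

A MAC allowlist is a speed bump and a detection aid rather than an authentication control, because any laptop can present whatever hardware address its owner chooses; port-based 802.1X on the switch, with the printer-room ports restricted to the printer's own VLAN, is the stronger answer to the hub problem the article describes.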