BreachExchange mailing list archives

Hacked in 20 Minutes: Social Engineering Done Right


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 21 Feb 2014 19:29:20 -0700

http://securitywatch.pcmag.com/security/320913-hacked-in-20-minutes-social-engineering-done-right

How long would it take for an attacker to break into a business? Get on the
corporate network as an authenticated user? If you think it would take a
few days or even a few hours, you are way, way off.

Try 20 minutes.

It took David Jacoby, a senior security researcher with the Global Research
and Analysis Team at Kaspersky Lab, three minutes to sneak into the
building, four minutes to get network access, five minutes to get
authenticated access to the network, and ten minutes to install a backdoor
onto the corporate network. He was able to download and walk away with
"gigabytes of data" from the company, he told attendees at last week's
Kaspersky Lab Security Analyst Summit.

Jacoby was invited by a company to come in and test its defenses. As it
turned out, he didn't need any fancy hacks or zero-days to get through. It
was all social engineering.

"They spent so much money [on security], and I still got in," Jacoby said.

Being Nice to Tailgaters
The company required employees to use a badge to enter and leave the
building. Jacoby waited for other employees to go inside, and just hurried
in after them. Most people want to be polite and will hold the door open if
someone is going in at the same time--something most tailgaters take
advantage of. Jacoby went a step further, in case the employee thought to
ask to see the badge. He dressed up a bit to look a little managerial and
held a cell phone up to his ear as if he was having a conversation with
someone. As he was going through the door, he said, "I am right in the
lobby. I will be up in a minute."

No one will interrupt a phone call, and if you convey the impression that
you are someone important heading off to meet someone important, most
people won't stop to question you, Jacoby said.

There's Always a Hub
Surely, getting on the network had to be a little more difficult, right? It
turned out Jacoby didn't bother trying to get on the corporate wireless.
Instead, he went straight to the printer room, where there is invariably a
network hub for the printer. He plugged his laptop into the hub and as easy
as that, he was on the network.

Getting on the network as a valid user took more talking than hacking.
Jacoby found an employee sitting next door to the printer room and
explained he was having trouble with the network. He asked if he could
borrow the employee's computer. When he sat down, the employee was still
logged in, which meant he could do whatever he wanted on the network.

At this point, he installed a backdoor on the network, giving him full
control. He no longer needed the employee's computer or credentials.

Every Step Matters
It's really hard to defend against social engineering because it's human
nature to want to be nice and helpful. We want to give people the benefit
of doubt and not assume everyone is out to cause harm, but it's exactly
this human emotion that makes us fail at security. While it's important to
remind users repeatedly that they should log out before letting someone
else use the computer and have signs asking employees to not let people
tailgate into the office, people will default to being nice and helpful.

It's also important to remember that small businesses aren't immune. In
fact, they may be even more susceptible to these attacks, if the employee
thinks the person is an IT contractor or electrician.

This is why it's so important to use technology to secure the network.
Instead of letting just any device plugged into the hub get on the network,
administrators can enable MAC Address Restrictions, so that only known
devices get a valid IP address. After getting access to the network, Jacoby
found that the network was segmented incorrectly, so sensitive systems were
easily accessible. He found outdated and vulnerable software. He also found
300 user accounts with passwords set to never expire. All these things made
his job, as an attacker, much easier.
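As an added example (not code from the article, PCMag or Kaspersky), the two audits below show what "only known devices get an IP" and "no passwords set to never expire" look like as a defender's check. It assumes a constructed device inventory keyed by MAC address with the VLAN each device is registered for, a constructed DHCP lease table, and a constructed account export; the field names (`mac`, `ip`, `vlan`, `hostname`, `password_never_expires`) are assumptions, not any product's schema. A device that appears with an unknown MAC, or a known MAC that shows up on a VLAN other than the one it is registered for (a laptop on the printer segment, say), is reported, as is every enabled account whose password never expires.

```python
"""Audit DHCP leases and account settings against an allowlist (constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Lease:
    mac: str
    ip: str
    vlan: int
    hostname: str


# Constructed inventory: MAC address -> VLAN the device is registered for.
KNOWN_DEVICES = {
    "aa:bb:cc:00:00:01": 20,  # printer on the printer VLAN
    "aa:bb:cc:00:00:02": 10,  # employee workstation on the user VLAN
}

# Constructed lease table; the third and fourth entries are the findings.
LEASES = [
    Lease("AA-BB-CC-00-00-01", "10.0.20.5", 20, "printer-1"),
    Lease("aa:bb:cc:00:00:02", "10.0.10.7", 10, "ws-alice"),
    Lease("de:ad:be:ef:00:01", "10.0.20.9", 20, "unknown-laptop"),
    Lease("aa:bb:cc:00:00:02", "10.0.20.11", 20, "ws-alice"),
]

# Constructed account export in the style of a directory dump.
ACCOUNTS = [
    {"name": "alice", "enabled": True, "password_never_expires": False},
    {"name": "svc-backup", "enabled": True, "password_never_expires": True},
    {"name": "old-contractor", "enabled": False, "password_never_expires": True},
]


def normalize_mac(mac: str) -> str:
    """Canonicalise MAC notation so 'AA-BB-...' and 'aa:bb:...' compare equal."""
    return mac.strip().lower().replace("-", ":")


def audit_leases(leases, known_devices):
    """Return (finding, mac, ip, vlan, hostname) tuples for leases that violate
    the allowlist: unknown MAC, or a known MAC on a VLAN it is not registered for."""
    findings = []
    for lease in leases:
        mac = normalize_mac(lease.mac)
        if mac not in known_devices:
            findings.append(("unknown-device", mac, lease.ip, lease.vlan, lease.hostname))
        elif known_devices[mac] != lease.vlan:
            findings.append(("wrong-vlan", mac, lease.ip, lease.vlan, lease.hostname))
    return findings


def never_expiring_accounts(accounts):
    """Return names of enabled accounts whose password is set to never expire.
    Disabled accounts are left out here; they are worth a separate cleanup pass."""
    return [
        acct["name"]
        for acct in accounts
        if acct["enabled"] and acct["password_never_expires"]
    ]


if __name__ == "__main__":
    for finding in audit_leases(LEASES, KNOWN_DEVICES):
        print("lease finding:", finding)
    for name in never_expiring_accounts(ACCOUNTS):
        print("password never expires:", name)
```

Run against a real lease table, the same loop would be fed from the DHCP server's lease file or the switch's MAC table rather than the constructed `LEASES` list; the allowlist itself is the part that has to be maintained, which is why the article's MAC restriction works best on segments such as the printer room where the set of legitimate devices rarely changes.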

Think like an attacker. You will be surprised at just how vulnerable your
organization may be.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 