Penetration Testing mailing list archives
Re: Social Engineering Data set
From: "Magdelin Tey" <crux80 () hotmail com>
Date: Fri, 13 Oct 2006 16:45:46 +1000
Hi all, just to share some social engineering examples. I was doing a penetration test for a customer, and couldn't seem to get into the system. They were pretty well hardened and all the high security controls were in place. I tried to do a little social E by asking an admin to log into the system to check for some patches, and true enough, from my guess, the root password was an easy one. So, a little Social E, with a little shoulder sniffing, I managed to get into the system using the root password. Amazing how small little things like this can bring massive problems to a highly secure network. It all boils down to people and proper security education.

Not using this as an example for people to rely heavily on Social E and not perform the necessary PT steps, but it can be helpful when all other means of exploiting a system are gone.

Just my 2 cents
M

From: xun dong <xundong () cs york ac uk>
To: CTaylor 2121 <ctaylor2121 () hotmail com>
CC: Frynge Customer Support <frynge () frynge com>, pen-test () securityfocus com, security-basics () securityfocus com
Subject: Re: Social Engineering Data set
Date: Thu, 12 Oct 2006 23:23:42 +0100

Thanks for your suggestion. I certainly think those attacks are instances of social engineering attacks, and I have included them in the data set already.

CTaylor 2121 wrote:

What about the one in which a disk or CD is left in the employee rest room with an enticing title written on it? Or the free software (game or program) that is given away at a trade-show? Both would contain trojans. Where would you classify those types of attacks?

Thanks,
C Taylor
CTaylor2121 () hotmail com <mailto:CTaylor2121 () hotmail com>
"Retirement is just a PowerBall away"
------------------------------------------------------------------------
> From: frynge () frynge com
> To: xundong () cs york ac uk; pen-test () securityfocus com; security-basics () securityfocus com
> Subject: Re: Social Engineering Data set
> Date: Thu, 12 Oct 2006 00:19:27 -0600
>
> Social Engineering Attack examples
>
> Social engineering attacks are usually done to exploit the laziness of people, or people with good manners, or even people that want to help you. This is what makes it very hard to guard against a SE attack because the people involved may not realize that they are being fooled and will never admit this to anyone. The SE attempts to persuade someone to provide information that will allow them to use your system or resources as if they were his own.
> This is most commonly referred to as the "confidence trick".
>
> These are the 5 main attacks that I know of
>
> 1: Personal approaches including the confidence trick
> 2: Online attacks (includes all the email phishing attacks)
> 3: Telephone
> 4: Waste management
> 5: Reverse Social engineering
>
>
> 1: Online Attacks
>
> They include:
> A) Email threats like phishing
> B) Confidence tricks and attacks
> C) Online pop up attacks
> D) Instant messaging
>
> Here is one example
>
> Pop ups or dialog boxes
>
> One of the most popular goals is to embed a mail engine within your computer environment through which the hacker can launch phishing or other e-mail attacks on other companies or individuals.
> The phishing attack will show a hyperlink that appears to link to a secure account management site, while the status bar shows that it takes the user to, is the hacker's site. Hackers can suppress or reformat the status bar information to whatever they want. Most people will not look or know to look. This way, the hacker is given the information via a neat form they have created. All this was done from a simple email, that the hacker sends impersonating the company.
>
>
> 2: Telephone
>
> Attacks on AOL
>
> AOL was attacked and approximately 200 accounts were compromised. It was a simple human SE attack in which the hacker would talk to tech support for a long time. It seemed the longer the hacker talked, the more confident and friendly the employee became.
>
> At the point of most confidence the hacker mentions that he had a car for sale at a great price. The employee had shown interest and then it was as simple as sending an email. The hacker then sent an email with an executable trojan backdoor instead of the picture of the car. Upon viewing the email it executed. The email basically said, that he may have done something wrong by sending the picture, did you get it? At this point the damage has already been done and the system compromised.
>
> This trojan backdoor then opens a port from AOL through the firewall. It was then an open door for the hacker to come back at a later date in order to check out the system, gather passwords and hide the evidence. This is a common way to gain entrance to a secure system. Why go through all the defences created, when they let you in the backdoor :)
>
>
> This next example below includes these techniques
> 1: confidence attack
> 2: reverse engineering
> 3: waste management
> 4: telephone SE attacks
>
> Reverse social engineering describes a situation where the TARGET will offer the hacker the information. This may seem unlikely, but people of authority, often receive vital personal information, such as user IDs and passwords, because they are above suspicion.
>
> Example 2:
>
> A group of hackers walk in to a large shipping firm and walked out with the entire company's corporate network.
>
> What did they do?
>
> This technique is called the syphon. Small amounts of information, can be useless, but to a hacker, bit by bit, you can collect a large portion of the puzzle. The key is to gather this from different employees.
>
> You will see as in the last example, it's not through the bars of the prison they come, but through its weakness, which is its employees.
>
> First, there was a small period of data collecting on the company. Calling, going through trash that is set outside. (waste management) They also need to get familiar with the roles, they must know who they are dealing with. It is very important to become the person or become your role. They had learned key employees' names by simply calling the company and inquiring about shipping and receiving (telephone SE attacks).
> Next, they pretend to lose their key to the front door and as simple as that, they are in the front door :) (confidence SE attacks)
>
> Then they lost their identity badges when entering a very secure area, they just smiled, were very calm and a friendly employee let them right in. Most will not assume you shouldn't be there or you're not who you say you are. (again confidence or personal SE attacks)
>
> The hackers already had known previously, that the CFO was out of town, so they knew which offices to enter beforehand. They went in to obtain financial data off his computer. They went through the trash which is a very common practice and you would be surprised what you can find in the trash, the people do not shred. (waste and trash management) After getting all types of useful documents, they asked a janitor for a garbage pail and then placed all the data in this and carried it straight out of the building with permission.
>
> The hackers had talked previously to the CFO and knew his voice and mannerisms. So they then called up, pretending they were the CFO in a hurry, and desperately needed the network password. From there, they used regular hacking techniques and tools to gain super user access to the system, with not one person the wiser. (telephone reverse engineering attacks)
>
> In this case, the "hackers" were network consultants performing a security audit for the CFO without any other employees' knowledge. They were never given any privileged information from the CFO but were able to obtain all the access they wanted through social engineering. (This story was recounted by Kapil Raina, currently a security expert at Verisign and co-author of mCommerce Security: A Beginner's Guide, based on an actual workplace experience with a previous employer.)
>
> Security is all about trust. Trust in protection and authenticity.
> Generally agreed upon as the weakest link in the security chain, the natural human willingness to accept someone at his or her word, leaves many of us vulnerable to attack.
>
> Kelly Sigethy
> http://www.frynge.com
>
> ----- Original Message -----
> From: "xun dong" <xundong () cs york ac uk>
> To: <pen-test () securityfocus com>; <security-basics () securityfocus com>
> Sent: Wednesday, October 11, 2006 4:31 AM
> Subject: Social Engineering Data set
>
>
> > Hello list;
> >
> > I am currently doing research on Social Engineering Attacks. Unlike the technical hack, I found that there are few useful and well documented SE attack examples on the Internet. So I decided to create a data set for SE attacks, and I am willing to publish it for free on the Internet.
> >
> > However, I think only my own experience would not be able to make this dataset as comprehensive as possible. So I would like to ask for help on this list. If you think you have SE attack examples, you can email me. Of course for confidentiality reasons you should not use the real name in your example. If you don't mind I will also publish your name along with the example you provided. Thanks a lot in advance. I hope this could be a step forwards in protecting against SE attacks.
> >
> > --
> > Xun Dong
> > Research Associate
> > Department of Computer Science
> > University of York
Current thread:
- Social Engineering Data set xun dong (Oct 11)
- RE: Social Engineering Data set Mustafa Yücelgen (Oct 12)
- Re[2]: Social Engineering Data set Matthew Leeds (Oct 12)
- Re: Social Engineering Data set xun dong (Oct 12)
- Re[2]: Social Engineering Data set Matthew Leeds (Oct 12)
- Re: Social Engineering Data set Lee Lawson (Oct 12)
- Re: Social Engineering Data set Frynge Customer Support (Oct 12)
- <Possible follow-ups>
- RE: Social Engineering Data set Thomas W Shinder (Oct 12)
- RE: Social Engineering Data set Craig Wright (Oct 12)
- Re: Social Engineering Data set xun dong (Oct 12)
- Re: Social Engineering Data set Magdelin Tey (Oct 13)
- Re: Social Engineering Data set xun dong (Oct 12)
- Re: Social Engineering Data set qxlr (Oct 20)
- RE: Social Engineering Data set Mustafa Yücelgen (Oct 12)