Penetration Testing mailing list archives

Re: Social Engineering Data set


From: "Magdelin Tey" <crux80 () hotmail com>
Date: Fri, 13 Oct 2006 16:45:46 +1000

Hi all,

Just to share some social engineering examples.
I was doing a penetration test for a customer, and couldn't seem to get into the system. They were pretty well hardened and all the high security controls were in place. I tried to do a little social E by asking an admin to log into the system to check for some patches, and true enough, from my guess, the root password was an easy one. So, a little Social E, with a little shoulder sniffing, I managed to get into the system using the root password. Amazing how small little things like this can bring massive problems to a highly secure network. It all boils down to people and proper security education.

Not using this as an example for people to rely heavily on Social E and not perform the necessary PT steps, but it can be helpful when all other means of exploiting a system are gone.

Just my 2 cents

M


From: xun dong <xundong () cs york ac uk>
To: CTaylor 2121 <ctaylor2121 () hotmail com>
CC: Frynge Customer Support <frynge () frynge com>,pen-test () securityfocus com, security-basics () securityfocus com
Subject: Re: Social Engineering Data set
Date: Thu, 12 Oct 2006 23:23:42 +0100

Thanks for your suggestion. I certainly think those attacks are instances of social engineering attacks, and I have included them in the data set already.

CTaylor 2121 wrote:
What about the one in which a disk or CD is left in the employee rest room with an enticing title written on it? Or the free software (game or program) that is given away at a trade-show? Both would contain trojans. Where would you classify those types of attacks?


Thanks,
C Taylor
CTaylor2121 () hotmail com
"Retirement is just a PowerBall away"


------------------------------------------------------------------------
> From: frynge () frynge com
> To: xundong () cs york ac uk; pen-test () securityfocus com; security-basics () securityfocus com
> Subject: Re: Social Engineering Data set
> Date: Thu, 12 Oct 2006 00:19:27 -0600
>
> Social Engineering Attack examples
>
> Social engineering attacks are usually done to exploit the laziness of
> people, or people with good manners, or even people that want to help you.
> This is what makes it very hard to guard against a SE attack because the
> people involved may not realize that they are being fooled and will never
> admit this to anyone. The SE attempts to persuade someone to provide
> information that will allow them to use your system or resources as if they
> were his own. This is most commonly referred to as the "confidence trick".
>
> These are the 5 main attacks that I know of
>
> 1: Personal approaches including the confidence trick
> 2: Online attacks (includes all the email phishing attacks)
> 3: Telephone
> 4: Waste management
> 5: Reverse Social engineering
>
>
> 1: Online Attacks
>
> They include:
> A) Email threats like phishing
> B) Confidence tricks and attacks
> C) Online pop up attacks
> D) Instant messaging
>
> Here is one example
>
> Pop ups or dialog boxes
>
> One of the most popular goals is to embed a mail engine within your computer
> environment through which the hacker can launch phishing or other e-mail
> attacks on other companies or individuals.
> The phishing attack will show a hyperlink that appears to link to a secure
> account management site, while the status bar shows that it takes the user
> to, is the hacker's site. Hackers can suppress or reformat the status bar
> information to whatever they want. Most people will not look or know to
> look. This way, the hacker is given the information via a neat form they
> have created. All this was done from a simple email, that the hacker sends
> impersonating the company.
>
>
> 2: Telephone
>
> Attacks on AOL
>
> AOL was attacked and approximately 200 accounts were compromised. It was a
> simple human SE attack in which the hacker would talk to tech support for a
> long time. It seemed the longer the hacker talked, the more confident and
> friendly the employee became.
>
> At the point of most confidence the hacker mentions that he had a car for
> sale at a great price. The employee had shown interest and then it was as
> simple as sending an email. The hacker then sent an email with an executable
> trojan backdoor instead of the picture of the car. Upon viewing the email
> it executed. The email basically said that he may have done something wrong
> by sending the picture, did you get it? At this point the damage has
> already been done and the system compromised.
>
> This trojan backdoor then opens a port from AOL through the firewall. It
> was then an open door for the hacker to come back at a later date in order
> to check out the system, gather passwords and hide the evidence. This is a
> common way to gain entrance to a secure system. Why go through all the
> defences created, when they let you in the backdoor :)
>
>
> This next example below includes these techniques
> 1: confidence attack
> 2: reverse engineering
> 3: waste management
> 4: telephone SE attacks
>
> Reverse social engineering describes a situation where the TARGET will offer
> the hacker the information. This may seem unlikely, but people of
> authority, often receive vital personal information, such as user IDs and
> passwords, because they are above suspicion.
>
> Example 2:
>
> A group of hackers walked into a large shipping firm and walked out with the
> entire company's corporate network.
>
> What did they do?
>
> This technique is called the syphon. Small amounts of information, can be
> useless, but to a hacker, bit by bit, you can collect a large portion of the
> puzzle. The key is to gather this from different employees.
>
> You will see as in the last example, it's not through the bars of the prison
> they come, but through its weakness, which is its employees.
>
> First, there was a small period of data collecting on the company. Calling,
> going through trash that is set outside. (waste management) They also need
> to get familiar with the roles, they must know who they are dealing with.
> It is very important to become the person or become your role. They had
> learned key employees' names by simply calling the company and inquiring
> about shipping and receiving (telephone SE attacks). Next, they pretend to
> lose their key to the front door and as simple as that, they are in the
> front door :) (confidence SE attacks)
>
> Then they lost their identity badges when entering a very secure area, they
> just smiled, were very calm and a friendly employee let them right in. Most
> will not assume you shouldn't be there or you're not who you say you are.
> (again confidence or personal SE attacks)
>
> The hackers already had known previously, that the CFO was out of town, so
> they knew which offices to enter before hand. They went in to obtain
> financial data off his computer. They went through the trash which is a very
> common practise and you would be surprised what you can find in the trash,
> the people do not shred. (waste and trash management) After getting all
> types of useful documents, they asked a janitor for a garbage pail and then
> placed all the data in this and carried it straight out of the building with
> permission.
>
> The hackers had talked previously to the CFO and knew his voice and
> mannerisms. So they then called up, pretending they were the CFO in a
> hurry, and desperately needed the network password. From there, they used
> regular hacking techniques and tools to gain super user access to the
> system, with not one person the wiser. (telephone reverse engineering
> attacks)
>
> In this case, the "hackers" were network consultants performing a security
> audit for the CFO without any other employees' knowledge. They were never
> given any privileged information from the CFO but were able to obtain all
> the access they wanted through social engineering. (This story was recounted
> by Kapil Raina, currently a security expert at Verisign and co-author of
> mCommerce Security: A Beginner's Guide, based on an actual workplace
> experience with a previous employer.)
>
> Security is all about trust. Trust in protection and authenticity. Generally
> agreed upon as the weakest link in the security chain, the natural human
> willingness to accept someone at his or her word, leaves many of us
> vulnerable to attack.
>
> Kelly Sigethy
> http://www.frynge.com
>
> ----- Original Message -----
> From: "xun dong" <xundong () cs york ac uk>
> To: <pen-test () securityfocus com>; <security-basics () securityfocus com>
> Sent: Wednesday, October 11, 2006 4:31 AM
> Subject: Social Engineering Data set
>
>
> > Hello list;
> >
> > I am currently doing research on Social Engineering Attacks. Unlike the
> > technical hack, I found that there are few useful and well documented SE
> > attack examples on the Internet. So I decided to create a data set for SE
> > attacks, and I am willing to publish it for free on the Internet.
> >
> > However, I think only my own experience would not be able to make this
> > dataset as comprehensive as possible. So I would like to ask for help on
> > this list. If you think you have SE attack examples, you can email me. Of
> > course for confidential reason you should not use the real name in your
> > example. If you don't mind I will also publish your name along with the
> > example you provided. Thanks a lot in advance. I hope this could be a step
> > forwards in protecting against SE attacks.
> >
> > --
> > Xun Dong
> > Research Associate
> > Department of Computer Science
> > University of York
> >
>
>
> ------------------------------------------------------------------------
> This List Sponsored by: Cenzic
>
> Need to secure your web apps?
> Cenzic Hailstorm finds vulnerabilities fast.
> Click the link to buy it, try it or download Hailstorm for FREE.
> http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
> ------------------------------------------------------------------------
>
