Reflected herein is a study by the Florida State University researchers pertaining to the analysis of social engineering from a psychological perspective.
We’re going to talk about social engineering, and perhaps how you can use it to have more fun next week, if you’re not stuck doing work all the time.

Social engineering is essentially any act where you try to manipulate another person to accomplish a goal. The goal may or may not be in that person’s interests. So, in the realm of security a common goal for a hacker is to get the victim to disclose information to him. It’s often used leveraging already known reconnaissance information for, basically, open source intelligence gathering.
Reconnaissance is the first little stage in the pentester and hacker-like lifecycle. It’s essentially exploration and probing to discover vital information about your target and their resources, and the layout of the terrain of the network.

And so, social engineering can be used in actually any aspect of this terrain (see right-hand image). A very interesting use of it is in post-exploitation: I’m sure a lot of you guys have been getting emails from FSU helpdesk saying: hey, go to this Google document and give us your FSU ID number, your password and your other stuff. I got a well-crafted email from FSU helpdesk. It pointed me to a Google document, and the Google document was a form that just logged everything. And so I traced it down: I opened it up in my malware analysis VM to be safe, and they’re just logging all this to a spreadsheet that is hidden in the background. That’s pretty hilarious.
There are a lot of instances other than that where once attackers gain, say, access to someone who has a lot of authority in a network, like email, they will send an email to some other people saying: “Hey, I need this”, or “could you tell me about this, I forgot?” And because it’s sent with an account that has authority, and there’s a substantial amount of social engineering finesse and skill used in this spear phishing email, they often succeed at a pretty high rate. That leads to compromising more of a network and more of the system’s information.
So, in terms of intelligence gathering there’re three really main ones that pertain to penetration testing. There’s open source intelligence, there’s signals intelligence, and there’s human intelligence gathering.
1. Open Source Intelligence (OSINT)

OSINT (see right-hand image) is essentially your standard Google search; searching perhaps even the company’s website, searching social media like LinkedIn, searching public records, especially financial records, searching DNS records, so that you basically know where the web servers are and what other IPs are registered to that DNS record.
Social media is interesting: you can find a lot by just looking at Facebook pages for employees of the company, looking at LinkedIn pages, and perhaps, if you want to get dirty, you can go on online dating websites and probably find some people there too.
But what people do with this sort of intelligence gathering is that they basically use maybe a Python or Perl script, and they find everyone working for this company, and they scrape every single word off these pages, and they put each word into a dictionary file and they use this to supplement any brute-forcing that they need to do to perhaps guess passwords. And it actually works to really high effect. People will list their likes and interests on their Facebook page, like I love this band and I love cats and I love everything else and all this other stuff. And so basically you take these things that they like and you permute them however you want. And you actually have a high chance of guessing someone’s password with this dictionary file that you’ve just gotten off of their social media page. And so that’s something that pentesters actually actively use nowadays.
Internet archive searches are very important: you can see perhaps an old version of a website, and that may reveal some backend data that wasn’t properly protected, like the IP, perhaps the name of the database behind it or some other information that was changed over time.
And also something that is really important to look into is partners of your target company and any news of the target company, perhaps merging with someone, because I’ve seen a number of successful social engineering competitions where someone would call the target company and say: “Hey, I’m Bob from Company B, we’re merging in a month, I want to make sure we’re on the same page with our security policy so we’ll hit the ground running”. It’s a pretty effective way to gain or disclose a lot of information that you shouldn’t disclose.
Another thing that is commonly done that I’m pretty sad about – it’s actually being done here – is that the management and the security of critical information, specifically sensitive information, is often outsourced to companies that sell these services. If you’ve noticed, the email registration for next semester, for Summer and Fall, has been outsourced to some company in Ohio, and they’ll have your Social Security Number and all these other things, and they didn’t ask you before sharing it. So, in order to get this information, you’re not just limited to one target, you can get it in two places. But that’s more interesting for bad guys – obviously, pentesters are restricted by ethics and laws, and hunting for Social Security Numbers is not usually the specific goal of a penetration test.
2. Signals Intelligence (SIGINT)

So, signals intelligence, or SIGINT, really delves into the realm of Wi-Fi scanning, looking for access points at the company to hack into their Wi-Fi and get behind their firewall. It also falls into the realm of SMS eavesdropping – there’s no security in SMS and you can eavesdrop on text messages. If you go to Defcon, they have a wall of shame, where they have a projector on a 20-foot wall with really interesting text messages that they’ve seen fly across the wire in a casino, and you’ll find some really horrible ones, like: “Man, I got so drunk last night I woke up with this girl, I don’t know what happened”, and it’s like “Oh, man, this is pretty embarrassing.” And that’s just being posted there.
And also there are a lot of tools you can find and put together yourself to track other people’s phones if you just know their phone number and their IP address; you can GPS-track their phone. Phones, smartphones are like the greatest things for bad guys. They’re so good.
3. Human Intelligence (HUMINT)

And then human intelligence – this is basically the realm of this talk on social engineering. There’re different types of intelligence you can gather (see right-hand image). You can gather direct observations – say I can snoop over your shoulder and see that you’re running Windows 8 and IE 10; I can see that just by directly seeing it. There’re indirect observations, like I can say: “Hey, are you running a version of Windows… does your Internet Explorer have tabs?” If you say “Yes”, that tells me it’s either version 9 or 10. So it’s an indirect observation I can make. And inferential observations are pretty self-explanatory.