Concluding her talk at DeepSec Conference, Sharon Conheady tells the audience about her most interesting real-world cases and depicts her vision of the future of social engineering.
So again, about the future of social engineering. It’s always gonna be the same tricks repeated again and again with different technology. It has become a lot more sophisticated and a lot more targeted, frequently because of social networking which has provided us with a whole new attack surface and so much more information about our potential targets. There is more and more technology that will help you improve or automate your social engineering attacks. And now we’ve got social engineering ‘as a service’. Of course for me that means that social engineering has become an even bigger problem lately. And there is going to be a lot more social engineering testing.
So that’s it from me on the issue, but I would like to share some cases with you that happened to me and which I liked. So I really like the physical social engineering attacks when you actually physically have to break into an office or a data center, because you get such an adrenaline rush while you are doing them. I am a pen tester as well, so when you penetrate a system online or you get into a web application – you get a bit of a buzz, but it’s nothing like social engineering when you have people after you in the office. You are in somewhere, and the security guys could be right there, they may know you are in there, so you get such a buzz.
For example, I was in one place, and they were recruiting temporary workers for an event that they were throwing that weekend. So the reception was very busy because people were filling in application forms. So I just went in and I sat there, and I had my laptop with me. I saw that there were lots of network points around the room, and I plugged my laptop into several of them, but they were dead.
There were about 3 security guards at the reception desk in this room but they were quite busy, so they didn’t see me. But they had a computer where they registered everybody coming into the organization and that was just standing in the middle, and it was obviously plugged into the network, so I thought it was obviously live. So I went straight up to the security guards and I said: “Do you mind if I check my email? It only takes a second, just need to take your network cable out for about 2 minutes.” And he said: “Yes, no problem at all.” And he brought me over a chair. So I really liked that.
For remote attacks, I was quite proud of an attack I did when I found on the company website that they had some people who entered the charity marathon the previous week. So I spoofed an email that looked like it came from the marathon organizers and I said: “Congratulations to Joe and John who came 8th and 9th in the marathon; if you want to see where you came, please see the attachment.” It was pretty successful, it was targeted.
And we should be very careful about not stopping any business services. I was once in an office and I sat in the team meeting with 6 other people, and surprisingly no one asked me what I was doing there. And they were having their meeting and again, I took the network cable out of one of their computers; I’m not sure what service it was used for. And halfway through the meeting this guy goes: “Oh, I don’t have Internet access anymore.” And I said: “I am really sorry, seems I’ve taken your network cable, but here you go.” And he didn’t care at all.
But you do have to be careful; we have really tight statements of work that outline exactly what we are going to do, what the client wants us to target, and what kind of trophies we are to gather. So sometimes they don’t even want us to plug into the network; sometimes it might be a case of leaving some evidence in there, like a sticker saying: “Sharon was here on a certain date.” Sometimes they want you to plug in and simply get an IP address to prove you’ve been in there, or more often than not it’s just a question of sniffing some network traffic for 10 minutes, just as a proof of concept.
Another example from my early days of social engineering: I decided I’d pretend to be a fire warden from the local council. So I went in with my clipboard, because sometimes the local councils actually do spot-checks to make sure you’ve got all your fire equipment in place. So I went in and I had the document printed off which the council would usually have, because it is on their website. I went into the office, went through it, ticked everything off, and I asked them whether they had some specific fire emergency policy. They said: “We do, but we can’t find it now.” So after I was gone they decided to ring the local council to say they had the policy, and asked where Sharon was as they wanted to send it in. So that’s when I found out that impersonating public officials is illegal. I don’t do that anymore.