Sharon Conheady, professional social engineer from First Defense Information Security Ltd., shares her experience at DeepSec Conference, talking about the past, present and future of social engineering.
My name is Sharon Conheady. I am based in London where I work as a social engineer, so I trick people, I manipulate people, I try to bypass security controls and ultimately gain access to sensitive information or sensitive facilities. And I think one of my favorite jobs over the last few years was when a client came to me and said: “Sharon, we are a bit concerned about how much our employees are talking in the pub. So, every Friday they go to the same local pub after work. We are really, really worried. So we would like to pay you to go and sit in the pub, and listen to what all our guys are saying about work”. I said: “Fantastic, that’s a great job!” I am Irish, so it’s really, really expensive.
But the next week they came back to me and said: “Yes, that was great, we got loads of information back, we were right. And people also frequently go down to the sports club, and we are a bit concerned about what they are saying when they are sitting in the sauna or sitting in the Jacuzzi. So we would like you to go down and sit in the Jacuzzi and the sauna for the day.” And I had to draw the line there because no way was I giving them the photos of that particular social engineering engagement.
Social engineering refers to efforts to influence popular attitudes and social behaviour on a large scale, whether by governments or private groups. – Wikipedia definition
So today I am going to talk a little bit about where social engineering has come from, and in particular where social engineering is going in the future. So, first of all, the term ‘social engineering’ has been around for quite a while. And it was brought in towards the end of the industrial revolution when a Dutch industrialist named J.C. Van Marken realized that in order to run an industrial plant you needed both the mechanical engineers to look after the machines, and you needed the social engineers to look after the people side of running an industrial plant. So it’s a term from political science that goes back quite some time.
So I am going to give you a tour about social engineering over the ages. We will start with social engineering 100 years ago. And I think the turn of the twentieth century was the golden era of the con artists. There were so many fraudsters, so many con artists, and they had beautiful, beautiful scams. And many of you will be familiar with the film ‘The Sting’ starring Robert Redford, I mean that was a standard scam that they had going around this time.
This is one of my favorite con artists of all time, his name is Victor Lustig (see photo). This guy managed to sell the Eiffel Tower not once, not twice, but several times. So after the First World War, I think it was about 1925, this guy decided he would represent the French government. And he gathered some scrap metal dealers into a fancy room in the Ritz hotel in Paris, and he said: “Look, I am representing the government, we are running short on funds, we have just paid for a big war, so we are thinking about dismantling the Eiffel Tower and selling it for scrap metal”. So he got some pretty good offers. And it happened several times, he was successful with this several times because the first couple of times it happened people were too embarrassed to go to the police. So he got away with it. But he was caught eventually.
But really, it was classic social engineering, it used current events. Every second virus that we get today is related to current events, that’s how they get people to open emails in the first place. There is malicious search engine optimization. So for example when the news about the Apple iPad was released, I think the first 3 or 4 results actually linked to malware sites.
So, you know, it’s a similar kind of technique. This guy, Victor Lustig, impersonated someone in authority. We see that all the time. And of course it was a very, very good deal for buyers. They thought they were getting a bargain, and that technique has worked throughout the ages. And again he was able to execute that attack again and again.
And it still happens today. Some of you might have heard of an English guy, a lorry driver, who was put in prison a couple of years ago because he tried to sell the Ritz hotel in London. And he was pretty close to selling it. It happens all the time.
So 40 – 50 years ago, I would say the most famous social engineer was this guy, Frank Abagnale (the man on the left in the picture). The film ‘Catch Me If You Can’ was based on his cases. So Frank Abagnale was a fantastic social engineer. He is a really, really intelligent guy, he did all his research. He would always play an authoritative role as a lawyer, a doctor, or, as he is probably most famous for, playing an airline pilot.
Someone may be wondering if this would still work today. Most definitely. A Swedish guy was arrested recently because he had been flying passenger airplanes for 13 years without a license (see news report snapshot). He had the right documents, he looked the part, he had his stripes. And the police went in as he sat in the cockpit and was about to take off; the police were going to arrest him, and they saw the look of relief on his face at giving up the deception after 13 years. Just fantastic. It happens all the time, it happened in China as well. Look it up in the news, you will get so many examples.
I fancied trying this myself, I thought I could try my hand at maybe being an airline pilot, or, more possible for me, I guess, an air hostess. So Frank Abagnale in his time had big difficulties getting his airline costume. Anybody who has seen the movie will know that he had to go direct to the manufacturers and social-engineer them as well.
Well, it’s much easier today. You get the costume on eBay. And eBay actually had a section: Collectables > Transportation > Aeronautica > Airlines > Clothing (see image). They make it really easy for you. You can look it up according to whichever airline you want to be. But I am warning you: these costumes, the air hostess costumes, are really expensive, they sell for hundreds of EUR. Who is buying them? I really don’t know. So I don’t have one yet, but I’ll get one someday.
So 20 years ago, Kevin Mitnick was the big name in social engineering. And he was the first person who kind of brought the term into IT security. This is his definition:
Social engineering is a term used to describe the techniques hackers use to deceive a trusted computer user within a company into revealing sensitive information, or trick an unsuspecting mark into performing actions that create a security hole for them to slip through.
10 years ago, social engineering started to get really interesting. We had the Love Bug virus, which is the first time we received malicious emails from our friends. So because they came in from our friends, why wouldn’t we open them? There was no reason not to. We had never seen malicious emails coming in from our friends.
And of course we had the first phishing attacks, phishers trying to take over AOL accounts. And now, some of the major social engineering headlines of the last couple of years, of course the Google.cn story. And what was interesting about this is that the attackers didn’t target Google staff directly. They identified who Google staff’s friends were on social networks. And they took over their friends’ accounts. Then when they sent a message from the friends’ accounts to the Google staff members, they were far more likely to open it or click on the URL or download the attachment – again, because it came in from a friend.
Then we had the Facebook charges. So people got emails saying Facebook was about to start charging for monthly access. People were really, really angry: “Facebook has always been free, how dare they start charging 4.99 a month for access?” So they objected, they were able to join groups on Facebook to object to this (see image). They were able to click on this ‘Like’. They downloaded malware all around the place, so it’s great social engineering.
Anybody recognize this lady (see picture)? Anybody friends with this lady? Because if you are, start worrying. This is supposedly Robin Sage. It was a security project done by Provide Security. They decided to set up a fake profile on social networks for this lady. They set up her profile on Twitter, on Facebook, on MySpace, on LinkedIn. And they decided to give her the title of cyber threat analyst. They let the project run for 28 days during which they tried to connect to various security people around the world.
And they were pretty successful. In the course of 28 days, they connected to over 300 security professionals. They got the photo from an adult website, they thought that this Robin Sage might appeal to many people in the security industry. So over the course of the month, Robin Sage received dinner invitations, job offers, and really, really sensitive information, including troop locations, what time helicopters were taking off.
There were a few clues in Robin Sage’s profile that might have made you suspicious, if you did any research on her at all. So firstly, if she was trying to connect to you, no way do you know her, she doesn’t exist. Robin Sage is actually the name of a military exercise. And Robin Sage said she was 25 years old but that she had 10 years’ professional cyber threat analysis experience. So maybe she did, maybe she was some kind of whiz kid, but the chances are…