Friday, March 14, 2008

How to be a con artist aka social engineer

Con job, pretexting, social engineering – the art and science of manipulating human beings for nefarious ends – goes back as far as the origin of the species. The techniques have been practiced and perfected by a rogue's gallery of flimflam artists, from legendary carnival operator P. T. Barnum to infamous FBI mole Robert Hanssen.

[ For more of Andrew Brandt’s wisdom, see: Stupid hacker tricks ]

But in our modern, security-centric world, this ancient craft poses an ever-present danger: Despite technological advances that present an illusion of security, we are as vulnerable as ever to the con.

IT security pros frequently employ social engineering when analyzing a company's overall security strategy. After all, even a completely locked-down computer network won't protect your company's secrets if someone can "tailgate" a group of employees through the front door, plug a remote-access device into an open network port, and walk out again. And the sad fact is, even a social engineering amateur can be successful. People are gullible, and without a real-world test, you'll never know how vulnerable your company really is.

With that in mind, we spoke to security experts in the field who perform these kinds of physical penetration tests on a regular basis to learn the tricks they use to bypass security. Armed with this knowledge, you stand a better chance at preventing a real attacker from stealing the recipe to your company's secret sauce.

Do: Research your target before you make contact
If you're going to do a realistic test, you need to do your homework. Going to school on a target – whether a person or a company – is a fundamental first step to any social engineering project. Why go to the trouble to sneak into a building if, once inside, you find that the info you're looking for resides elsewhere?

"What you've got to do is learn [as much as you can] about the target itself, and what information is valuable to the target," says Ira Winkler. And Winkler should know: Author of "Spies Among Us: How to Stop the Spies, Terrorists, Hackers, and Criminals You Don't Even Know You Encounter Every Day" and "Zen and the Art of Information Security," Winkler is among the foremost experts in the art and science of social engineering.

Winkler makes a crucial point, because even white hat social engineers can get into trouble. One penetration tester interviewed for this story, who asked that his name not be used, admitted that a lack of preparation early in his career nearly got him arrested.

The task, commissioned by a U.S.-based firm to get inside its London office, seemed simple enough, but he had no idea that the same building that housed the company that hired him also housed Britain's domestic intelligence agency, MI5.

"They had spotted me when I was still a block away, followed me [using CCTV cameras], and picked me up just before I was able to approach a female employee and ask her to let me into the building," he said.

In other words, a successful social engineering hack is no snatch-and-grab job. It requires real diligence. "If you're going to be doing this work, you have to have a detailed plan," Winkler says. "The less training you have, the more detailed the plan you have to follow."

Do: Play on common interests when conversing with your target
Spies don't just walk up to random people on the street and ask them to divulge their country's secrets. They take weeks, months, or even years to develop a rapport with a target, gradually asking them to release increasingly more sensitive information. Security experts call this process "elevating the situation."

But when it comes to social engineering, time is generally of the essence. Nobody can strike up a deep, confiding friendship in the course of one conversation or phone call. And here is where context and intuition come in.

From the beginning of your white hat social engineering hack, pay close attention to your target, assimilating as much as you can about him or her as quickly as possible. A keen sense of observation and a knack for profiling can help tip you off to topics of conversation that will resonate with your dupe. Last weekend's game, raising children, something else likely to be of interest to the victim … whatever it takes to convince the target that you share a common experience or outlook.

Proving you are a member of the same "tribe" is essential to earning trust quickly and ensuring you are more deserving of assistance than some stranger off the street.

Do: Exploit human nature
Human beings – social creatures that we are – are taught from a very early age that helping others is a worthwhile practice, especially those with whom we most identify. For the social engineer, nothing helps a black-bag job go more smoothly than the victim's innate desire to be helpful.

In your role as sham bad guy, remember that an effective social engineer doesn't just get what he or she wants without arousing suspicion. The other objective is to make victims feel good about themselves, even as they hand over the crown jewels.

And when it comes to penetrating the workplace, playing off employee's inclination to be useful is a worthwhile strategy. After all, bosses do it all the time.

People want to feel like they are fulfilling their job duties effectively, says Dan Kaminsky, director of penetration testing at security firm IOActive. A good con artist feeds this sense of accomplishment back to the victim so that the victim is left off guard, unaware that he or she has compromised company security in exchange for feeling some momentary sense of satisfaction at having done a good job.

Do: Assume the target is at least as smart as you are
If you're going to play social engineer, remember that underestimating the intelligence of your target can get you in trouble fast. Although in many cases, a social engineer can call a help desk, pretend to be a hapless user, and get a password over the telephone, you can't always assume that will be the case.

Depending on the organization, you might be asked for a code word or an employee ID number. Flying by the seat of your pants in hopes of outwitting someone who "just answers the phones" is no way to approach such situations. The best way to get what you want is to bring as much knowledge to the table as possible – and to be aware that the person you're social engineering probably has experience parrying many of the usual tricks in the book.

This is where your advance research comes in handy: If you know the organization requires additional proof that you are who you say you are, you can recon the kinds of countermeasures in place. Then you can formulate a way to finagle that information so that you can proceed to the next step.

Of course, that said, if you're testing a company's security arrangements, it's often a good idea to probe that all-too-often weakest link. "Any idiot can call up an IT desk and get them to reset a password," laments Winkler. "Sadly, most of the time, it'll work."

And it's not always a lack of intelligence that proves to be the soft spot. Laziness, complacency, or disgruntlement may play a part, too. And of course, without training or testing, a social engineering attack may well be the furthest thing from an employee's mind. That's where you come in.

Do: Use the pretext that best suits the situation
To run a successful social engineering test, you need to perform a fast, on-the-fly analysis of the situation and respond accordingly.

The best and most experienced social engineers have a repertoire of well-rehearsed fictions from which to draw what they need when they need it. The ability to quickly identify a victim's personality type is also essential to choosing the best pretext for the job.

Over time, and with experience, accomplished social engineers can make such a determination within seconds. Sometimes, the situation may require you to make friends with and chat up an administrative assistant or receptionist. Other times, vinegar might get the job done better than honey: Winkler once managed to convince an IT worker to overnight him a laptop capable of connecting to a company's network simply by posing, over the telephone, as an angry executive on a business trip whose laptop had died.

In another example, Winkler explains, "I went into an organization and wanted to plant taps inside the network routers in this facility. I found this guy who had keys to the rooms," and pretended to be a corporate bigwig making an unannounced visit from the home office.

Winkler asked the IT guy for a tour, and as he showed Winkler each of the networking cabinets, Winkler managed to install the snooping hardware inside each. But then, suddenly, he thought he'd been made.

"This guy from security called, and asked the IT guy who I was," Winkler says. "He said I was this guy from corporate headquarters. The security guy comes over and asks, 'How come I wasn't informed that you were coming?' He didn't know me, didn't check that I was a real employee, and was more concerned with the internal politics of his company and those communication issues than the security issue of a random guy walking in off the street and getting a tour inside their facility."

Do: Anticipate how to react if caught, and prepare an exit strategy
If you test security defenses using social engineering long enough, without fail, you will at some point arouse suspicion and perhaps even get nabbed. To make sure you come away unscathed so that you can test again another day, consider in advance all the possible circumstances in which you might get caught and give thought to how you should respond.

The one universal is to never reveal your true motives or actions. For example, if you're pretending to be a contractor, you could feign ignorance of internal procedures, but you should do so without breaking character.

"If you've got to disengage [from a social engineering attempt] as someone would who is legitimate, you don't stop the act," Kaminsky says.

It's also essential to be aware of local laws so that you'll know what you're up against when performing a pretexting test. If you don't know the law, you could put yourself in a surprising degree of jeopardy. "In California, for example, you could be guilty of felony identity theft even if you have permission from the organization [to take credentials under false pretenses]," Winkler says.

Don't: Arouse suspicion by moving too quickly
Gaining the confidence of the target is an essential skill, but zeroing in too fast in your social engineering test can set off alarms in the target's head.

Because of this, it is essential to keep a cool head and pace yourself. After all, many of those whose identity you might assume to pull off your job – a contractor, a hapless corporate user, or a disgruntled employee – don't necessarily go about their own work quickly.

Think of the process as being more like a dance than a race, says Kaminsky – one in which you're leading the victim, guiding his or her path, but avoiding a sudden shove in a particular direction. "Everyone has to perceive that you're doing what you're supposed to be doing," he says.

Don't: Put on an act that's too perfect
Somewhere between truly honest behavior and the artifice of a ruse, people may begin to intuit that something isn't right.

Academics who study human perception have a name for the point at which the mind begins to pay more attention to, for example, the slightly unnatural motion in a computer-generated animation than to the rich, lifelike detail it presents: They call it the Uncanny Valley.

Social engineering experts also refer to the Uncanny Valley – it's the moment in a social engineering attempt when everything looks and works just a bit too perfectly and therefore arouses the target's suspicion.

The solution, of course, is simple: Be imperfect. Don't be too polished or quick to answer questions as you perform your social engineering test. Remember, you're trying to convince your target that you're just another working Joe or Jane.

Don't: Panic if you think the jig is up
If you start to get the feeling that you've aroused suspicions, stay calm. It's natural for people to lapse into leeriness from time to time when dealing with people they don't know particularly well. And besides, you have a leg up on the real bad guys, since the only bad consequences for you will be a failed test.

The most important thing to remember when you feel your blood rising is that fleeing from a target works only in the opening sequence of a James Bond movie. In real life, a look of panic or a sudden departure almost always raises a red flag and should be avoided at all costs.

Rest assured that there are many ways to get out of a situation quickly without giving yourself away. It could be as simple as making up a plausible excuse to get off the phone or to just calmly walk away from an irksome employee. Subdue the natural tendency to panic, and easy exits will present themselves clearly. Then you can wait a while, come back, and test from another angle.

Don't: Let the other person think about their actions too much
Interspersing requests for sensitive information with casual conversation can distract the target and help prevent them from catching on to what you are trying to achieve – especially when they are performing an essential task at your request as part of your social engineering test.

"You're trying to desensitize the person to their actions," Winkler says. "Change the way the person thinks by reframing the action."

For example, if you're trying to get the target to copy some data for you, you could explain to the target that they aren't stealing anything, they're just making a copy of it, and that the data will still be there when the company needs it.

"One of my strategies is to bore people to death over the phone," Winkler says, "so they give me something quickly, just to get off the phone with me."

Don't: Dawdle once you've got what you want, but don't run for the door, either
Winkler adds a subtle, but important, point gleaned from his long experience testing defenses. "You probably want to move on once you've got the thing you need, but you don't want to sprint for the door if it might raise suspicions," he says. "It's a situational thing."

In other words, heading straight for the door after your target gives you the sensitive information you've been seeking is a sure way to raise a huge red flag and leave everyone patting themselves down to see whether they still have their wallets.

That's not to say that you should invite your target to the lunch room for a cup of coffee, either. Striking the right balance between slipping away quickly with the goods and not blowing your cover by breaking a sweat requires a keen ability to ascertain what's appropriate in any given situation. If you're going to play the role of a pro, act like a pro.

Don't: Act irresponsibly with the data you get
Professional security analysts typically perform social engineering attacks as part of a wide-ranging analysis of an organization's overall security measures. The goal of these tests isn't to demonstrate how much you can damage a company's operations, but to help the company improve its internal procedures and policies, and address the weaknesses you discover.

However, "some people perform social engineering very irresponsibly," Winkler says.

"There have been times where I saw police called, or [where a penetration tester] caused operational disruptions by changing the password of a trader at a large brokerage firm," he recounts. "The trader wasn't able to do trades because he wasn't able to log in to his system."

It's OK to enjoy the rush of pulling off your con successfully, but don't let it cloud your vision as to the task at hand.

"As a consultant, you have to know where to go, and where to stop," Winkler adds. "You can't just create the effect to say, 'Ha ha,' but a lot of consultants do. In the field, people get excited and they don't [behave] professionally."

Instead of demonstrating disaster, Winkler suggests that at the end of your penetration test you simply present your findings and note any plausible fallout. For example, if you were able to obtain a username and password, provide the two pieces of data along with a list of scenarios in which the information could have been misused or abused by a truly malicious attacker, as well as the kinds of data exposed in this manner.

And it always helps to frame your prevention advice in terms of cost. "You say, 'Here's what I could have done with that password'," Winkler says. "'If you would have had these things in place, you would have been able to mitigate these things at low cost.'"

--Abhiz

No comments: