Low Tech Hacking: Street Smarts for Security Professionalsby Jack Wiles, Terry Gudaitis, Jennifer Jabbusch, Russ Rogers
Criminals using hacking techniques can cost corporations, governments, and individuals millions of dollars each year. While the media focuses on the grand-scale attacks that have been planned for months and executed by teams and countries, there are thousands more that aren't broadcast. Low Tech Hacking focuses on the everyday hacks that, while simple in/i>… See more details below
Criminals using hacking techniques can cost corporations, governments, and individuals millions of dollars each year. While the media focuses on the grand-scale attacks that have been planned for months and executed by teams and countries, there are thousands more that aren't broadcast. Low Tech Hacking focuses on the everyday hacks that, while simple in nature, actually add up to the most significant losses. Attackers are using common techniques like social engineering, wireless hacking, and targeting and surveillance to gain access to valuable data. This book contains detailed descriptions of potential threats and vulnerabilities, many of which the majority of the information systems world may be unaware. Author Jack Wiles spent many years as an inside penetration testing team leader, proving these threats and vulnerabilities exist and their countermeasures work. His contributing authors are among the best in the world in their respective areas of expertise.
- Contains insider knowledge of what could be your most likely Low Tech threat
- Includes timely advice from some of the top security minds in the world
- Covers many detailed countermeasures that you can employ to improve your security posture
- Elsevier Science
- Publication date:
- Sold by:
- Barnes & Noble
- NOOK Book
- File size:
- 3 MB
Read an Excerpt
Low Tech HackingStreet Smarts for Security Professionals
By Jack Wiles Terry Gudaitis Jennifer Jabbusch Russ Rogers Sean Lowther
SYNGRESSCopyright © 2012 Elsevier, Inc.
All right reserved.
Chapter OneSocial engineering: The ultimate low tech hacking threat
INFORMATION IN THIS CHAPTER
How Easy Is It?
The Mind of a Social Engineer
The Mind of a Victim
Tools of the Social Engineering Trade
One of My Favorite Tools of the Trade
Social Engineering Would Never Work against Our Company
What Was I Able to Social Engineer out of Mary?
The Final Sting—Two Weeks Later—Friday Afternoon
Why Did This Scam Work?
Let's Look at a Few More Social Engineering Tools
Let's Look at That Telephone Butt-in Set on My Tool Belt
Meet Mr. Phil Drake
Meet Mr. Paul Henry
Do You Have a Guest User of Your Credit Card?
A Few Possible Countermeasures
Some of the things I will discuss in this chapter have been on my mind since the mid-1980s. I believe it's time that I put them in writing and share a few of my thoughts on what I believe could be the most effective and dangerous threat to any security plan: social engineering! It has, in my opinion, become the low tech hacker's most valuable and effective tool. This age-old threat has taken on a new meaning as what I collectively call "bad guys" have continued to use the art of the con to gain access to intellectual property and if necessary the buildings that house that property.
This chapter, or the rest of the book for that matter, isn't meant to be read as a complete story from beginning to end. Social engineering and ways to prevent it are subjects with many meanings. This will be more of a potpourri of tips, tricks, vulnerabilities, and lessons learned from my thirty plus years of dealing with these issues. As an inside penetration team leader, I was constantly looking for more innovative ways to conduct a successful inside penetration test. It was during those years of physical and technical penetration testing that I gained most of my social engineering experience. These skills helped me to eventually hang up my dumpster diving penetration team jersey and retire from the tiger team (a term sometimes used for penetration testing) world UNDETECTED! Although I came close several times, I was never stopped or reported to security as a possible burglar or corporate espionage agent, even though that's what I effectively was.
As you read this chapter, if you think that it has a strong risk management flavor, that was intentional. Just about every area of concern with security today involves managing the risks associated with staying safe and secure. This chapter, and most of the other chapters in this book are chock full of what I like to call techno tidbits of useful risk management countermeasures. Hopefully, many of them will be topics that you might not have considered in the past as you put together your security plan. External, internal, and information systems auditors will find information on a few new potential vulnerabilities that they can recommend countermeasures for.
I've included discussions about social engineering in each of my former books. I've also used the term social engineering as a partial title for many of my presentations over the past 15 years. My most popular presentation to date is titled "Social engineering: Here's how I broke into their buildings." Following these presentations, I frequently have people come up and talk to me about some of the things that I discussed. Many of these people are longtime friends and attend pretty much every session that I give at the yearly events where I present. What has been encouraging to me this past year is the number of people who come to me after the presentation saying that they incorporated some of what they learned and that they are now con- ducting some of their own corporate penetration tests to help protect their companies from the threat of social engineering. Each of them seemed to have experienced the same things that I have over the years of using social engineering as a training tool and somewhat of a hobby. They find that it is often way too easy to get people to give them access to places where they are not supposed to be able to easily access and to things that they should not see.
HOW EASY IS IT?
Way back in 1988, I was a part of an internal security team for a large corporation. On several occasions, I had the opportunity to hear some of the conversations that went on when a "black hat" (in this case malicious) group targeted victims by calling them on the phone. They were using social engineering skills to gain access to proprietary information including passwords. I'll never forget what I heard one of the experienced black hats say to another black hat in training: "Social engineering is the easiest way to break into a system." He then followed up that comment by saying, "The stupidity of the average system administrator amazes me."
That was almost 25 years ago, and that was the first time I had heard the words social engineering. Why do I think of it as a tool that could be used by any bad guy from a black hat hacker to a terrorist? Social engineering is what I believe could be the most effective and dangerous outsider–insider threat to any security plan.
In the first three chapters of this book, I will be talking about social engineering, physical security, and a little bit more about locks. If we look at physical security as the target of an attack and locks as the gatekeeper for the entrance into the target, social engineering is often the way that we are able to gain access to the keys that open those locks and possibly the rest of the building. It is often the people who have those keys who become the victims of social engineering. We'll take a much closer look at that as we progress through the book.
THE MIND OF A SOCIAL ENGINEER
Although I've been using and teaching social engineering for almost two decades now, the true extent of the impact of social engineering really became clear to me about 9 years ago. When I was out in L.A. for a meeting on financial crimes security (what else?), I purchased a very interesting book titled The Art of Deception: Controlling the Human Element of Security by Kevin D. Mitnick and William L. Simon.
Just above the title on the cover of the book in red letters are the words Controlling the Human Element of Security. I found the book to be very well written and full of a lot of good examples of how social engineering works and how companies can try to defend against its use. I also learned quite a bit about a few approaches to targeting a potential victim than I had ever thought of before. A social engineer will continuously learn more clever ways to take advantage of how our minds work in order to perform the illusion or deception. The more that I used social engineering as one of my tools during my penetration testing days, the bolder I became in its use during those tests. After years of success in pretending to be something or someone that I wasn't, I just KNEW that whatever I said to the people that I encountered during the tests would be believed, and it was!
THE MIND OF A VICTIM
Any one of us, at any time, could easily become the victim of some form of social engineering. I personally believe that it is not possible to completely eliminate the risk. There are some things that can and should be done to reduce the risk as much as possible and I'll address some of them in the rest of this chapter. Without some form of training (and practice) in learning how to prevent being a victim of social engineering, you could easily become a victim and not even know it.
Our minds work in very trusting and predictable ways, and that means that exaggerated deviations from the norm might not ever be considered. This is what social engineers count on. Without awareness of the problem and without an understanding of how our minds can be fooled, there is little defense against social engineering. For this awareness training to be of any benefit for an organization, it must include every employee of every organization.
We see things all day long and we don't pay close attention to certain details because they are too familiar to us. That's exactly how the illusions that magicians call magic work and also why so many magic tricks are related to simple everyday things like a deck of cards. I use magic in much of my training and it really adds a lot to the attention span of the people in front of me. They are all so used to seeing those 52 cards that they don't even begin to think about how the different card gimmicks being used in most card tricks work. Most of these illusions are self-working yet almost mind boggling to the unsuspecting mind.
TOOLS OF THE SOCIAL ENGINEERING TRADE
If you would join me in taking a look at Figure 1.1, you will see a picture of the social engineering bag that I used for roughly 10 years. It was a pretty expensive bag to purchase. I spent around $200 for it, but it was money well spent. I often thought of it as something similar to those clown cars that you see in the circus. It is very deceptive how much will fit in that bag. Not only could I put all of my social engineering tools in the bag, but also there was a lot of room left over for the things I was able to take out of the buildings once my penetration test was successful. On the outside it simply looks like a briefcase that pretty much anyone within that organization would be carrying to and from work. On the inside were some slightly different items from what you would normally see someone bringing to work.
I took the time to put the contents of the bag on the table for you to see in Figure 1.2. This is the first time that I've ever done that. Not that what I have in the bag is anything special; it's just that I've never shared the contents with anyone in quite this way, especially in a book.
I wish that I had taken a picture of the bag as I was leaving some of these buildings with everything in it. It even amazed me how much that bag could expand and still look comparatively normal. Some of these things are tools that I have had for more than 40 years. Each has its own purpose and I'll explain some of that as we progress through the book. I know what you're thinking. There's no way that he has a pair of bolt cutters in that bag. Well, they were in there, and I had them with me everywhere I went. On most of our penetration tests the only limitation that was imposed on us by the company hiring us was that we were not allowed to use forced entry. We never used the bolt cutters as a part of our attack, but we did show how easy it would be to bring bolt cutters into the building if someone intended to use them. Most of the items you see were designed to get past various locks we encountered as our team attempted to get into a client's building or to use after we were in there. All right, here's a little quiz just to see if anyone is actually reading this. Anyone who sends me an e-mail listing all of the items that are shown in that picture will be sent a special gift. We will be revisiting some of these tools in Chapter 3.
ONE OF MY FAVORITE TOOLS OF THE TRADE
Most of my social engineering tools come from yard sales, thrift stores, flea markets, pawn shops, and eBay. I highly encourage all of you to take up the hobby of going out to these places and looking for things. As I describe some of these tools, I'll tell you how much I paid for them and where I got them. These are all tools that I used in one way or another for my social engineering exploits. Figure 1.3 is a picture of the front cover of the manual for a key machine that I purchased a number of years ago at a yard sale for $10.00. What was so nice about this key machine was that it was very small and very accurate, and it had a code micrometer as a part of the machine. This will allow keys to be cut by code if you know the code for that key or the depth of the bitings (sometimes called cuts by senior locksmiths). Machines of this size are available new for around $395. I frequently see them for sale on the Internet for anywhere between $95 and $250. If I could borrow a master key for a few minutes and had some of the key blanks that fit the keyway of a given lock, I could duplicate the key (as described in Chapter 3) and get it back to the person that I borrowed it from (typically using a little social engineering) very quickly. I know what you are thinking. How did I know what the correct key blank was for that lock? I knew because I was in that building once before and also managed to borrow the key briefly during my first visit. I learned over the years that social engineering attacks work best (at least they did for me) when they were two-part attacks. During the first visit our team mostly probed the target just to see how trusted we would be if we were able to gain entry. Normally we were never questioned about anything once we were inside. It was just assumed that if we were in the building, we belonged there. That was not a good assumption.
It's time for my first war story. After you read the following description of this social engineering attack, ask yourself if you think you would have fallen for this. This is a perfect example of how a two-part attack can seem so innocent yet be so deadly.
Excerpted from Low Tech Hacking by Jack Wiles Terry Gudaitis Jennifer Jabbusch Russ Rogers Sean Lowther Copyright © 2012 by Elsevier, Inc.. Excerpted by permission of SYNGRESS. All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.
Meet the Author
Jack Wiles is a security professional with over 40 years' experience in security-related fields. This includes computer security, disaster recovery, and physical security. He is a professional speaker, and has trained federal agents, corporate attorneys, and internal auditors on a number of computer crime-related topics. He is a pioneer in presenting on a number of subjects, which are now being labeled "Homeland Security" topics. Well over 10,000 people have attended one or more of his presentations since 1988. Jack is also a co-founder and President of TheTrainingCo., and is in frequent contact with members of many state and local law enforcement agencies as well as Special Agents with the U.S. Secret Service, FBI, IRS-CID, U.S. Customs, Department of Justice, The Department of Defense, and numerous members of High-Tech Crime units. He was also appointed as the first President of the North Carolina InfraGard chapter, which is now one of the largest chapters in the country. He is also a founding member of the U.S. Secret Service South Carolina Electronic Crimes Task Force. Jack is also a Vietnam veteran who served with the 101st Airborne Division in Vietnam in 1967-68, where he was awarded two Bronze stars for his actions in combat. He recently retired from the U.S. Army Reserves as a lieutenant colonel and was assigned directly to the Pentagon for the final seven years of his career.
Terry Gudaitis, Ph.D., is the CyberIntelligence Director at Cyveillance. Terry gained a foundation for her expertise as an operations officer and behavioral profiler at the CIA's Counter Terrorist Center. At CIA, she was responsible for developing terrorist profiles, assessments of informants, and managing targeting teams. In addition to her corporate-related work, Terry has served on the United States Secret Service Advisory Board for Insider Threat, regularly presents at national and international conferences, and has authored publications in numerous security-related journals and books.
Jennifer Jabbusch, CISSP, CISO, HP MASE, JNCIA-AC, is a network security engineer and consultant with Carolina Advanced Digital, Inc. Jennifer has more than 15 years' experience working in various areas of the technology industry. Most recently, she has focused in specialized areas of infrastructure security, including Network Access Control, 802.1X and Wireless Security technologies. Ms. Jabbusch has consulted for a variety of government agencies, educational institutions, and Fortune 100 and 500 corporations and has spoken at a variety of conferences including DeepSec, SecTor, TechnoSecurity, RSA®, InfoSec World, CSI, and many others. In addition to her regular duties, she participates in a variety of courseware and exam writings and reviews, including acting as subject matter expert in the Cryptography domain of the official (ISC)2® CISSP® courseware (v9). You can find more security topics and musings on her security blog at http://SecurityUncorked.com.
Russ Rogers (CISSP, CISM, IAM, IEM, Hon. Sc.D.), author of the popular "Hacking a Terror Network: The Silent Threat of Covert Channels" (Syngress, ISBN: 978-1-928994-98-5), co-author of multiple books, including the best-selling "Stealing the Network: How to Own a Continent" (Syngress, ISBN: 978-1-931836-05-0) and "Network Security Evaluation Using the NSA IEM" (Syngress, ISBN: 978-1-59749-035-1), and former editor-in-chief of The Security Journal, is currently a penetration tester for a federal agency and the co-founder and chief executive officer of Peak Security, Inc., a veteran-owned small business based in Colorado Springs, CO. Russ has been involved in information technology since 1980 and has spent the past 20 years working as both an IT and InfoSec consultant. Russ has worked with the U.S. Air Force (USAF), National Security Agency (NSA), Defense Information Systems Agency (DISA), and other federal agencies. He is a globally renowned security expert, speaker, and author who has presented at conferences around the world in Amsterdam, Tokyo, Singapore, São Paulo, Abu Dhabi, and cities all over the United States. Russ has an honorary doctorate of science in information technology from the University of Advancing Technology, a master's degree in computer systems management from the University of Maryland, a bachelor of science degree in computer information systems from the University of Maryland, and an associate's degree in applied communications technology from the Community College of the Air Force. He is a member of ISSA and (ISC)2® (CISSP). Russ also teaches at and fills the role of professor of network security for the University of Advancing Technology (www.uat.edu).
Sean Lowther is the President and Founder of Stealth Awareness, Inc. (www.stealthawareness.com). Sean is an independent consultant who brings years of experience designing and implementing information security awareness programs at the highest level. He founded Stealth Awareness, Inc. in 2007. Sean worked at Bank of America for over seven years, managing the enterprise information security awareness program. The program received the highest rating from its regulators and was consistently rated "world class" by industry peer groups. Sean has worked with BITS, the Financial Services Roundtable Task Force on Privacy, prior to the enactment of the Gramm-Leach-Bliley Act. He produced the video "It's Not If, But When" for the Financial Services Sector Coordinating Council in partnership with the U.S. Treasury Department with the goal to improve critical infrastructure protection and Homeland Security.
and post it to your social network
Most Helpful Customer Reviews
See all customer reviews >