Low Tech Hacking
Street Smarts for Security Professionals
By Jack Wiles, Terry Gudaitis, Jennifer Jabbusch, Russ Rogers, Sean Lowther
SYNGRESS
Copyright © 2012 Elsevier, Inc.
All rights reserved.
ISBN: 978-1-59749-666-7
Chapter One
Social engineering: The ultimate low tech hacking threat
INFORMATION IN THIS CHAPTER
How Easy Is It?
The Mind of a Social Engineer
The Mind of a Victim
Tools of the Social Engineering Trade
One of My Favorite Tools of the Trade
Social Engineering Would Never Work against Our Company
What Was I Able to Social Engineer out of Mary?
The Final Sting—Two Weeks Later—Friday Afternoon
Why Did This Scam Work?
Let's Look at a Few More Social Engineering Tools
Let's Look at That Telephone Butt-in Set on My Tool Belt
Meet Mr. Phil Drake
Meet Mr. Paul Henry
Do You Have a Guest User of Your Credit Card?
A Few Possible Countermeasures
Some of the things I will discuss in this chapter have been on my mind since the mid-1980s. I believe it's time that I put them in writing and share a few of my thoughts on what I believe could be the most effective and dangerous threat to any security plan: social engineering! It has, in my opinion, become the low tech hacker's most valuable and effective tool. This age-old threat has taken on a new meaning as what I collectively call "bad guys" have continued to use the art of the con to gain access to intellectual property and if necessary the buildings that house that property.
This chapter, or the rest of the book for that matter, isn't meant to be read as a complete story from beginning to end. Social engineering and ways to prevent it are subjects with many meanings. This will be more of a potpourri of tips, tricks, vulnerabilities, and lessons learned from my thirty plus years of dealing with these issues. As an inside penetration team leader, I was constantly looking for more innovative ways to conduct a successful inside penetration test. It was during those years of physical and technical penetration testing that I gained most of my social engineering experience. These skills helped me to eventually hang up my dumpster diving penetration team jersey and retire from the tiger team (a term sometimes used for penetration testing) world UNDETECTED! Although I came close several times, I was never stopped or reported to security as a possible burglar or corporate espionage agent, even though that's what I effectively was.
As you read this chapter, if you think that it has a strong risk management flavor, that was intentional. Just about every area of concern with security today involves managing the risks associated with staying safe and secure. This chapter, and most of the other chapters in this book, are chock full of what I like to call techno tidbits of useful risk management countermeasures. Hopefully, many of them will be topics that you might not have considered in the past as you put together your security plan. External, internal, and information systems auditors will find information on a few new potential vulnerabilities that they can recommend countermeasures for.
I've included discussions about social engineering in each of my former books. I've also used the term social engineering as a partial title for many of my presentations over the past 15 years. My most popular presentation to date is titled "Social engineering: Here's how I broke into their buildings." Following these presentations, I frequently have people come up and talk to me about some of the things that I discussed. Many of these people are longtime friends and attend pretty much every session that I give at the yearly events where I present. What has been encouraging to me this past year is the number of people who come to me after the presentation saying that they incorporated some of what they learned and that they are now conducting some of their own corporate penetration tests to help protect their companies from the threat of social engineering. Each of them seemed to have experienced the same things that I have over the years of using social engineering as a training tool and somewhat of a hobby. They find that it is often way too easy to get people to give them access to places where they are not supposed to be able to easily access and to things that they should not see.
HOW EASY IS IT?
Way back in 1988, I was a part of an internal security team for a large corporation. On several occasions, I had the opportunity to hear some of the conversations that went on when a "black hat" (in this case malicious) group targeted victims by calling them on the phone. They were using social engineering skills to gain access to proprietary information including passwords. I'll never forget what I heard one of the experienced black hats say to another black hat in training: "Social engineering is the easiest way to break into a system." He then followed up that comment by saying, "The stupidity of the average system administrator amazes me."
That was almost 25 years ago, and that was the first time I had heard the words social engineering. Why do I think of it as a tool that could be used by any bad guy from a black hat hacker to a terrorist? Social engineering is what I believe could be the most effective and dangerous outsider–insider threat to any security plan.
In the first three chapters of this book, I will be talking about social engineering, physical security, and a little bit more about locks. If we look at physical security as the target of an attack and locks as the gatekeeper for the entrance into the target, social engineering is often the way that we are able to gain access to the keys that open those locks and possibly the rest of the building. It is often the people who have those keys who become the victims of social engineering. We'll take a much closer look at that as we progress through the book.
THE MIND OF A SOCIAL ENGINEER
Although I've been using and teaching social engineering for almost two decades now, the true extent of the impact of social engineering really became clear to me about 9 years ago. When I was out in L.A. for a meeting on financial crimes security (what else?), I purchased a very interesting book titled The Art of Deception: Controlling the Human Element of Security by Kevin D. Mitnick and William L. Simon.
Just above the title on the cover of the book in red letters are the words Controlling the Human Element of Security. I found the book to be very well written and full of a lot of good examples of how social engineering works and how companies can try to defend against its use. I also learned quite a bit more about a few approaches to targeting a potential victim than I had ever thought of before. A social engineer will continuously learn more clever ways to take advantage of how our minds work in order to perform the illusion or deception. The more that I used social engineering as one of my tools during my penetration testing days, the bolder I became in its use during those tests. After years of success in pretending to be something or someone that I wasn't, I just KNEW that whatever I said to the people that I encountered during the tests would be believed, and it was!
THE MIND OF A VICTIM
Any one of us, at any time, could easily become the victim of some form of social engineering. I personally believe that it is not possible to completely eliminate the risk. There are some things that can and should be done to reduce the risk as much as possible and I'll address some of them in the rest of this chapter. Without some form of training (and practice) in learning how to prevent being a victim of social engineering, you could easily become a victim and not even know it.
Our minds work in very trusting and predictable ways, and that means that exaggerated deviations from the norm might not ever be considered. This is what social engineers count on. Without awareness of the problem and without an understanding of how our minds can be fooled, there is little defense against social engineering. For this awareness training to be of any benefit for an organization, it must include every employee of every organization.
We see things all day long and we don't pay close attention to certain details because they are too familiar to us. That's exactly how the illusions that magicians call magic work and also why so many magic tricks are related to simple everyday things like a deck of cards. I use magic in much of my training and it really adds a lot to the attention span of the people in front of me. They are all so used to seeing those 52 cards that they don't even begin to think about how the different card gimmicks being used in most card tricks work. Most of these illusions are self-working yet almost mind boggling to the unsuspecting mind.
TOOLS OF THE SOCIAL ENGINEERING TRADE
If you would join me in taking a look at Figure 1.1, you will see a picture of the social engineering bag that I used for roughly 10 years. It was a pretty expensive bag to purchase. I spent around $200 for it, but it was money well spent. I often thought of it as something similar to those clown cars that you see in the circus. It is very deceptive how much will fit in that bag. Not only could I put all of my social engineering tools in the bag, but also there was a lot of room left over for the things I was able to take out of the buildings once my penetration test was successful. On the outside it simply looks like a briefcase that pretty much anyone within that organization would be carrying to and from work. On the inside were some slightly different items from what you would normally see someone bringing to work.
I took the time to put the contents of the bag on the table for you to see in Figure 1.2. This is the first time that I've ever done that. Not that what I have in the bag is anything special; it's just that I've never shared the contents with anyone in quite this way, especially in a book.
I wish that I had taken a picture of the bag as I was leaving some of these buildings with everything in it. It even amazed me how much that bag could expand and still look comparatively normal. Some of these things are tools that I have had for more than 40 years. Each has its own purpose and I'll explain some of that as we progress through the book. I know what you're thinking. There's no way that he has a pair of bolt cutters in that bag. Well, they were in there, and I had them with me everywhere I went. On most of our penetration tests the only limitation that was imposed on us by the company hiring us was that we were not allowed to use forced entry. We never used the bolt cutters as a part of our attack, but we did show how easy it would be to bring bolt cutters into the building if someone intended to use them. Most of the items you see were designed to get past various locks we encountered as our team attempted to get into a client's building or to use after we were in there. All right, here's a little quiz just to see if anyone is actually reading this. Anyone who sends me an e-mail listing all of the items that are shown in that picture will be sent a special gift. We will be revisiting some of these tools in Chapter 3.
ONE OF MY FAVORITE TOOLS OF THE TRADE
Most of my social engineering tools come from yard sales, thrift stores, flea markets, pawn shops, and eBay. I highly encourage all of you to take up the hobby of going out to these places and looking for things. As I describe some of these tools, I'll tell you how much I paid for them and where I got them. These are all tools that I used in one way or another for my social engineering exploits. Figure 1.3 is a picture of the front cover of the manual for a key machine that I purchased a number of years ago at a yard sale for $10.00. What was so nice about this key machine was that it was very small and very accurate, and it had a code micrometer as a part of the machine. This will allow keys to be cut by code if you know the code for that key or the depth of the bitings (sometimes called cuts by senior locksmiths). Machines of this size are available new for around $395. I frequently see them for sale on the Internet for anywhere between $95 and $250. If I could borrow a master key for a few minutes and had some of the key blanks that fit the keyway of a given lock, I could duplicate the key (as described in Chapter 3) and get it back to the person that I borrowed it from (typically using a little social engineering) very quickly. I know what you are thinking. How did I know what the correct key blank was for that lock? I knew because I was in that building once before and also managed to borrow the key briefly during my first visit. I learned over the years that social engineering attacks work best (at least they did for me) when they were two-part attacks. During the first visit our team mostly probed the target just to see how trusted we would be if we were able to gain entry. Normally we were never questioned about anything once we were inside. It was just assumed that if we were in the building, we belonged there. That was not a good assumption.
It's time for my first war story. After you read the following description of this social engineering attack, ask yourself if you think you would have fallen for this. This is a perfect example of how a two-part attack can seem so innocent yet be so deadly.
(Continues...)
Excerpted from Low Tech Hacking by Jack Wiles, Terry Gudaitis, Jennifer Jabbusch, Russ Rogers, Sean Lowther. Copyright © 2012 by Elsevier, Inc. Excerpted by permission of SYNGRESS. All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.