
First-Person Account of a Social Engineering Attack

kdawson posted more than 7 years ago | from the in-by-the-front-door dept.

Security 347

darkreadingman writes, "A penetration tester tells how he broke into a bank's network dressed as a copier repairman. Some good lessons here — many companies spend millions on network security, but don't teach their employees how to challenge a stranger in the building. Social engineering at the company site can be one of the most difficult attacks to defend against." From the article: "Before departing scenes like these, we try to document the effort and provide proof of our success. I usually leave something behind and then contact the person who hired me and direct them to the mark. In this case I wrote his password on a ream of paper and tucked it under the machine."


347 comments


Hmm... (5, Funny)

The Zon (969911) | more than 7 years ago | (#17051658)

You know, I was wondering why that guy needed my password to fix the copier.

Re:Hmm... (2, Informative)

Anonymous Coward | more than 7 years ago | (#17052282)

Who modded this Insightful?
This is Funny, mods... Funny. Not Insightful.

Re:Hmm... (5, Funny)

Anonymous Coward | more than 7 years ago | (#17052336)

Because you don't get karma for Funny moderations any more, so some moderators like to throw in an Insightful moderation for funny comments.

Not quite news (2, Insightful)

otacon (445694) | more than 7 years ago | (#17051660)

It's not really news as it is just reaffirmation that the weakest link in security is the human factor. It's been a known problem that someone could just walk in and pretend to be tech support/help desk/repair for as long as there have been computers.

Re:Not quite news (1)

arun_s (877518) | more than 7 years ago | (#17051822)

But it sure does make for an interesting read :)
Plus, this is a bank that was the victim of the attack. That's pretty worrying, I think. News like this (that illustrate how trivial social engineering can be) should hopefully make more people in important places (like banks) get over their false sense of security.

Not news... but still useful (4, Insightful)

Khomar (529552) | more than 7 years ago | (#17051888)

It's not really news as it is just reaffirmation that the weakest link in security is the human factor. It's been a known problem that someone could just walk in and pretend to be tech support/help desk/repair for as long as there have been computers.

While this is not technically "news", it serves as a good reminder and notice of warning. As mentioned in the article...

Combine catching the bad guy and letting an organization know this type of theft and criminal behavior really exists, and you get one of the best tools in educating employees about vigilance and how to be proactive in security.

Hearing stories like this raises awareness for all of us, and reminds us of different ways that we can be exploited so that we can avoid them. Just like learning from history, it is always better to learn from someone else's mistake instead of learning it the hard way.

Geez (1, Funny)

Anonymous Coward | more than 7 years ago | (#17051698)

There are way too many first person games in the U.S.

Yikes! So much effort! (5, Insightful)

moore.dustin (942289) | more than 7 years ago | (#17051710)

I know for a fact that if he came to my office and attempted to get passwords that way, he put in way too much effort. All you need to do at this place is look over someone's shoulder at the sticky note stuck to the monitor.

I think it goes without saying that anyone getting into your office claiming to be someone they aren't is a threat. Hacker or otherwise, they can easily get information they want with a "hall pass" for the whole building.

Re:Yikes! So much effort! (1)

venicebeach (702856) | more than 7 years ago | (#17051958)

Yes, but this is a bank, not an office. They are in the business of securing money. I think a bank requires a little more awareness on the part of the staff than most offices.

That said, these people do seem to have access to some special equipment:

"Our office at Secure Network Technologies utilizes a proximity card access system, which also serves as an employee identification badge. Conveniently, we have the machine that prints these things.

and

"Using our past experience with copier folks, we put together a giant silver briefcase on wheels, a mini-vacuum cleaner, and a few reams of paper."

So this still takes some degree of effort. Nonetheless, I would be concerned if I were running this bank.

Re:Yikes! So much effort! (1)

EvilTwinSkippy (112490) | more than 7 years ago | (#17052050)

From what I'm seeing, this chucklehead got into the offices and sniffed the network.

When someone bluffs his way into the vault, I'll be shocked. If he tried to monkey with the IT systems, he would probably have been snagged faster than a spawning salmon. Banks, casinos, etc. have people watching the people who watch the people.

Re:Yikes! So much effort! (1)

venicebeach (702856) | more than 7 years ago | (#17052138)

He's not in the vault, true, but he is in the public part of the bank itself, not some separate administrative office building. The people he is interacting with are the same people who have access to the vault and must be aware enough to protect it.

(To find out more, I sent a colleague into the bank to inquire about a checking account. While in the bank she took notice of the various pieces of office equipment, specifically the printers, faxes, and copiers. )

Re:Yikes! So much effort! (4, Insightful)

mallgood (964345) | more than 7 years ago | (#17052196)

My question is why would you ever need to get into the vault? Really. Look at the world, almost nobody uses cash any more. There isn't a reason to. You swipe your card and the transaction is done. All it means is that - tap tap tap - a dozen key strokes later and you have a bunch of money transferred into an account of your liking. Now whether you are smart enough to transfer it into the account of someone you don't like rather than your own is a different question.

Re:Yikes! So much effort! (1, Funny)

Anonymous Coward | more than 7 years ago | (#17052540)

Some of us are blind you insensitive clod! We have a hard enough time [slashdot.org] with regular money, cards are completely useless!

Re:Yikes! So much effort! (3, Insightful)

rvw14 (733613) | more than 7 years ago | (#17052248)

Why would you want to get into the vault? The amount of money a bank keeps on-hand is very small, and the penalty for getting caught is huge.

If you can get into the bank's internal network, you can get all sorts of information. Identity theft can net more money without the risk.

Re:Yikes! So much effort! (5, Informative)

Negadecimal (78403) | more than 7 years ago | (#17052262)

I think a bank requires a little more awareness on the part of the staff than most offices.

That's an understatement. My wife's bank doesn't even have wastebaskets at teller stations, for fear that an account number could end up in the dumpster out back. All paper is either quickly shredded or couriered daily to a processing center. Loose sheets - even a sticky note - are verboten.

Each teller has a binder on hand that contains security procedures specific to the teller. When one teller accidentally grabbed another's binder a few months ago, the whole branch had to do a security update, which included a two-hour procedure to change the vault codes.

Re:Yikes! So much effort! (1)

gr18563 (848290) | more than 7 years ago | (#17052340)

I don't know how rare the proximity card access system is for your area, but I work at a small/medium hospital and we have a card printer with the microchip key, and they are relatively inexpensive and easy to acquire. They are also quite good at replicating identification cards, so that would be quite easy to do. Also, we have run-ins with the copier people all the time, as well as the guys that PM our PowerUPs. So we could pose as one of those guys pretty easily. The card printer is in a semi-unsecured area, so it's kinda easy to get to, and if you have any technological sense you can run a card through it and print one. The most time-consuming part of the process would be trying to find the stupid cards.

Re:Yikes! So much effort! (1)

TubeSteak (669689) | more than 7 years ago | (#17052026)

How would you feel about a stranger shoulder-surfing?

It's much easier to just plug into the LAN & sniff for l/p's (which shouldn't be sent as cleartext in the first place, but frequently are)

And why is it that way? (4, Insightful)

blueZ3 (744446) | more than 7 years ago | (#17052062)

Whenever I hear the usual rant about users having their password as a sticky note on their monitors, my instant reaction is "It's your fault, you goob!" I've worked lots of places where they've implemented a new "password security process" which requires you to switch your password regularly, which prevents you from using the same password for some ridiculous period of time, and which disallows dictionary-based words/phrases.

Hello, McFly? Which is better: my having an easily-remembered but difficult-to-guess password that I never write down, or you forcing me to change my password frequently and then write it down because your policy makes me choose something obscure? My original password was fairly strong (a combination of upper and lowercase letters and numbers that are meaningful only to me) but when I'm forced to change to something new, it will be written down somewhere until it's committed to memory. Can you say "counterproductive"? How about "unintended consequences"?

Of course, I understand that a lot of these policies are based on out-dated recommendations and come down from on high. However, it would be nice if those making these "rules" realized that most users have other things to do besides remembering a constantly changing set of passwords. Oh, BTW -- my new password is "theCIOsucks!" :-)

Re:And why is it that way? (4, Interesting)

Maxo-Texas (864189) | more than 7 years ago | (#17052174)

Completely agree.

I went from very secure passwords to insecure passwords written down on paper slips as a direct result of our security policy.

1) Change every 90 days (up from 60 at least; that was really bad).
2) no repeating letters or numbers
3) no letter or number in the same position as last password.
4) must have a number
5) not be a word in a dictionary
Starting password something like
YuL1P3729 (the last 4 digits were what changed- they were an old phone number- I slid through it horizontally)

Current password something like
secre1t
I have about 8 passwords.
And they are all on a yellow sticky on my desktop.
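Added example, not code from the article or from any poster in this thread: the five rules listed above implemented as a checker, plus a function that shows what rule 2 does to the search space an attacker has to cover. Assumptions, since the post leaves them open: "no repeating letters or numbers" is read as no character used more than once, rule 5 is read slightly strictly so that a dictionary word with a digit pushed into it still counts, and the word list is a small constructed stand-in for a real dictionary.

```python
import math
import string

# Constructed stand-in for a real dictionary file (assumption for the demo).
WORDLIST = {"secret", "password", "winter", "summer", "welcome"}


def check_policy(new, old, wordlist=WORDLIST):
    """Return the numbers of the rules the new password violates (empty list = accepted).

    Rule 1 (rotate every 90 days) is a timer on the account, not a property of the
    string, so it is not checked here.
    """
    violations = []
    if len(set(new)) != len(new):                 # rule 2: no character used twice (assumed reading)
        violations.append(2)
    if any(a == b for a, b in zip(new, old)):     # rule 3: nothing in the same position as last time
        violations.append(3)
    if not any(c.isdigit() for c in new):         # rule 4: must contain a number
        violations.append(4)
    letters_only = "".join(c for c in new.lower() if c.isalpha())
    if new.lower() in wordlist or letters_only in wordlist:   # rule 5, also catching "secre1t"
        violations.append(5)
    return violations


ALPHANUMERIC = len(string.ascii_letters + string.digits)   # 62


def search_space(length, alphabet_size=ALPHANUMERIC, no_repeats=False):
    """Candidates an attacker must try for a given length, with and without rule 2.

    Rule 2 turns 62**n into 62 P n (ordered draws without replacement), so the
    policy itself removes part of the space the attacker would otherwise have to search.
    """
    if no_repeats:
        return math.perm(alphabet_size, length)
    return alphabet_size ** length


if __name__ == "__main__":
    print(check_policy("YuL1P7293", "YuL1P3729"))   # sliding the phone number trips rule 3
    print(check_policy("secre1t", "YuL1P7293"))     # the yellow-sticky password trips rules 2 and 5
    print(search_space(9), search_space(9, no_repeats=True))
```

The point the checker makes concrete: the strong, memorable password in the post is what fails (the first five characters did not move), while a weak one only fails because of the stricter reading of rule 5; the stated rules alone would have let it through.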

Re:And why is it that way? (1)

geekoid (135745) | more than 7 years ago | (#17052444)

B00B13s_giB!a is an easy to remember password, and you only need to change the last letters.

Of course most password policies still have their roots in the mainframe world.

Re:And why is it that way? (1)

archen (447353) | more than 7 years ago | (#17052238)

Where I work I had to implement a policy where I choose the password. I've decided that since I pick a secure one, it's probably not worth changing. I still find sticky notes. You know what? When people were picking their own passwords which never changed (half of which were their initials and the number 1) they still had them on sticky notes. This isn't automatically the admin's fault.

Re:And why is it that way? (1)

hey! (33014) | more than 7 years ago | (#17052364)

It's ironic when you think of it. Companies implement "cheap" security schemes that introduce small but regular bits of frictional loss into everybody's productivity, and that actually make the problem worse.

A secure login token system would be, after the initial purchase has been amortized, cheaper, more secure, and more convenient than some draconian password policy. It's certainly cheaper than absorbing the risks of allowing weak passwords.

Re:And why is it that way? (1)

Yottabyte84 (217942) | more than 7 years ago | (#17052554)

Pfft. I can memorize a randomly generated 12 character password after using it half a dozen times. Write it down, put it in my wallet, and burn it when I stop looking at it.

Re:Yikes! So much effort! (2, Interesting)

Capt James McCarthy (860294) | more than 7 years ago | (#17052082)

"All you need to do at this place is look over someones shoulder at the sticky note stuck to the monitor."

How about this: I _HAD_ a user who made the MS Flying banner hold his password. I would have never believed it had I not seen it myself.

negative vs positive (5, Insightful)

theStorminMormon (883615) | more than 7 years ago | (#17052180)

I've been thinking about the article. It seems to me that such an abject failure to prevent a security breach could be more demoralizing than instructive. In most companies, the employees are not going to be security-savvy, and they will not question a potential intruder. When the penetration test is successful everyone just feels stupid and slightly used. That's my guess at how the bank employees would react when the boss let them know that they got totally hacked.

Instead, for those bosses with fewer scruples, you'd probably get more bang for your buck by faking the penetration test. Hire some dude to try to get in, and arrange for some employee to "catch" him. Then you get to circulate the news that you were successful because an employee did the right thing. I think the information would be just as instructive (always ask for outside confirmation of vendor reps), but instead of being depressing (you guys all failed to do the right thing) it could be empowering (it's easy to do the right thing, and one of you managed to do it).

Is penetration testing even worth the money for a system as obviously insecure as this one? If, as the article claims, these attempts succeed 9 times out of 10, then you don't need to pay for the penetration test to know your company will fail. Does a bank manager really need to pay someone to tell them the obvious? They should take some proactive steps towards security-enhancements first, and save the penetration testing for when they actually think they have a somewhat hardened system (social and technical) to penetrate.

-stormin

Re:negative vs positive (1)

egypt_jimbob (889197) | more than 7 years ago | (#17052438)

A penetration test (at least in the cyber realm) is not about determining whether an attacker can get in, but how an attacker can get in. I assume it's the same in meatspace.

If you don't know where the holes are, you can't plug them.

Re:negative vs positive (1)

SQLGuru (980662) | more than 7 years ago | (#17052592)

You pay to figure out if you are the 1 or in the group of 9. If you are in the group of 9, you need to spend more on security training / awareness. Training the whole branch office is likely to cost a whole lot more than the cost of the assessment. If you are in the 1, then you've avoided the full cost. If you are in the 9, then the cost of the assessment is easily absorbed into the total cost of securing the branch.

Layne

penetration tester (2, Funny)

neuro_guy (1021643) | more than 7 years ago | (#17051712)

penetration tester. now that's a job! is it somehow related to the porn industry?

Re:penetration tester (1)

lixee (863589) | more than 7 years ago | (#17051752)

penetration tester. now that's a job! is it somehow related to the porn industry?
Yep! One that blows (the job that is).

Re:penetration tester (1)

LMacG (118321) | more than 7 years ago | (#17051880)

No, that would be the fluffer [wikipedia.org] .

No - In Porn They're Called "Troubleshooters" (1)

Petersko (564140) | more than 7 years ago | (#17051754)

With the trend in porn towards the foot-long as standard, I doubt anybody needs a penetration tester.

Re:penetration tester (1)

Iamthefallen (523816) | more than 7 years ago | (#17051862)

How about Penetration engineer? [securityfocus.com]

Man that'd make a badass business card.

Re:penetration tester (1)

EvilTwinSkippy (112490) | more than 7 years ago | (#17052106)

Sounds too much like a porn star.

Re:penetration tester (2, Funny)

neuro_guy (1021643) | more than 7 years ago | (#17052396)

nah, "engineer" sounds so technical and... theoretical. you know, penetration is all about love and practical experience.

Hmm (2, Interesting)

malkir (1031750) | more than 7 years ago | (#17051730)

I wonder what kind of sniffer he was using to get passwords in 'seconds', including the higher-ups... weren't they not in the building at that time?

Re:Hmm (1)

neuro_guy (1021643) | more than 7 years ago | (#17051800)

now, "sniffer" is another porn industry job that... ah, never mind...

Re:Hmm (2, Insightful)

Anonymous Coward | more than 7 years ago | (#17051866)

All back-end systems and PCs of all branches of that bank are connected to a single gigantic hub. In addition, all employees are constantly logging in to and out of those systems using only non-encrypted protocols. The guy just had to plug in his laptop and fire up his sniffer. Easy. Took him seconds.
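Added example, not from the article or any poster here, for the "plug in and sniff for l/p's" point made in this comment and earlier in the thread: a small frame parser that walks a capture and pulls out the two kinds of cleartext credential a hub-era LAN leaks most (FTP/POP3 USER/PASS pairs and HTTP Basic headers). Everything is constructed in the block: the frames are built locally by build_frame() with zeroed checksums and made-up addresses, and the usernames and passwords are invented for the demo.

```python
import base64
import re
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
USER_PASS_PORTS = {21: "ftp", 110: "pop3"}     # protocols that send USER/PASS lines in the clear
HTTP_PORTS = {80, 8080}
BASIC_RE = re.compile(rb"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def _ip_bytes(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Minimal Ethernet/IPv4/TCP frame; checksums are left zero (enough for a parser demo)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64,
                     IPPROTO_TCP, 0, _ip_bytes(src_ip), _ip_bytes(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload


def parse_tcp(frame):
    """Return (src, dst, sport, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 54 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != IPPROTO_TCP or len(ip) < total_len:
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]                      # total_len bounds the payload, so trailing padding is ignored
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return src, dst, sport, dport, tcp[data_off:]


def extract_credentials(frames):
    """Scan frames for FTP/POP3 USER+PASS pairs and HTTP Basic credentials."""
    findings = []
    pending_user = {}                             # flow -> username still waiting for its PASS line
    for frame in frames:
        parsed = parse_tcp(frame)
        if parsed is None:
            continue
        src, dst, sport, dport, payload = parsed
        flow = (src, sport, dst, dport)
        if dport in USER_PASS_PORTS:
            for line in payload.split(b"\r\n"):
                upper = line.upper()
                if upper.startswith(b"USER "):
                    pending_user[flow] = line[5:].decode("ascii", "replace")
                elif upper.startswith(b"PASS ") and flow in pending_user:
                    findings.append({"protocol": USER_PASS_PORTS[dport], "client": src, "server": dst,
                                     "user": pending_user.pop(flow),
                                     "password": line[5:].decode("ascii", "replace")})
        elif dport in HTTP_PORTS:
            match = BASIC_RE.search(payload)
            if match:
                try:
                    decoded = base64.b64decode(match.group(1)).decode("utf-8", "replace")
                except ValueError:               # binascii.Error is a ValueError
                    continue
                user, _, password = decoded.partition(":")
                findings.append({"protocol": "http-basic", "client": src, "server": dst,
                                 "user": user, "password": password})
    return findings


# Constructed sample capture (made-up hosts and credentials).
SAMPLE_FRAMES = [
    build_frame("10.1.1.20", "10.1.1.5", 40001, 21, b"USER teller1\r\n"),
    build_frame("10.1.1.20", "10.1.1.5", 40001, 21, b"PASS Winter2006\r\n"),
    build_frame("10.1.1.21", "10.1.1.7", 40002, 80,
                b"GET /intranet/ HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic "
                + base64.b64encode(b"branchmgr:letmein") + b"\r\n\r\n"),
    build_frame("10.1.1.22", "10.1.1.9", 40003, 443, bytes(range(32))),   # TLS-looking noise, nothing to recover
]

if __name__ == "__main__":
    for hit in extract_credentials(SAMPLE_FRAMES):
        print(hit)
```

On a switched network the same parser only sees frames addressed to the sniffing port, which is why the thread's next question is about ARP; on a hub, or a switch port that has been poisoned, it sees everything. The fourth frame is there to make the point the comment makes in passing: encrypted sessions show up in the capture but yield nothing.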

Re:Hmm (1)

archen (447353) | more than 7 years ago | (#17052328)

I'm over-thinking here, but couldn't that still easily be negated by a managed switch? The piece-of-garbage Nortels I have can weed out, by Ethernet address, which machines are allowed to connect. No changes to infrastructure required really - aside from perhaps new switches.

Re:Hmm (2, Insightful)

dave562 (969951) | more than 7 years ago | (#17052548)

A lot of things could be done, but unfortunately the reality of the situation 95% of the time is that IT staffs are so overburdened that they don't have time to activate all of the nifty little, wouldn't-it-be-cool features that are out there. Sure you could implement a managed switch, but then every time a NIC fails, or a workstation fails, you need to go reprogram the switch. It becomes just another thing to do on a task list that is already too long to begin with.

I'm not super knowledgeable in the area of man-in-the-middle attacks, but I'm pretty sure that he could just unplug the copier, plug in his laptop, and then spoof the MAC address of the copier. From there he just poisons the ARP cache on the switch and voila, snifferic pwnz0rz.
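Added example, not from the article or any poster in this thread, for the MAC-spoof-then-ARP-poison sequence described in this comment, seen from the defender's side: a small ARP frame parser and a watcher that keeps the IP-to-MAC bindings it sees on the wire and raises the two classic poisoning signs (an IP whose MAC changes, and one MAC claiming several IPs). The scenario, addresses and frames are all constructed for the demo; the known-bindings table stands in for what a DHCP lease file or inventory would give you.

```python
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def _mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def _ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet + ARP frame; op 1 = request (broadcast), op 2 = reply (unicast)."""
    dst = BROADCAST if op == ARP_REQUEST else target_mac
    eth = _mac_bytes(dst) + _mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      _mac_bytes(sender_mac), _ip_bytes(sender_ip),
                      _mac_bytes(target_mac), _ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame):
    """Return (op, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, smac, sip, _, _ = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, ":".join(f"{b:02x}" for b in smac), ".".join(str(b) for b in sip)


class ArpWatch:
    """Tracks sender bindings from every ARP frame (requests and replies both carry one)."""

    def __init__(self, known=None):
        self.ip_to_mac = dict(known or {})   # seed from DHCP leases / inventory (assumed available)
        self.alerts = []

    def observe(self, frame):
        parsed = parse_arp(frame)
        if parsed is None:
            return
        _op, smac, sip = parsed
        previous = self.ip_to_mac.get(sip)
        if previous is not None and previous != smac:
            self.alerts.append(("ip-moved", sip, previous, smac))
        self.ip_to_mac[sip] = smac
        claimed = tuple(sorted(ip for ip, mac in self.ip_to_mac.items() if mac == smac))
        if len(claimed) > 1:
            alert = ("mac-claims-multiple-ips", smac, claimed)
            if alert not in self.alerts:
                self.alerts.append(alert)


# Constructed scenario (made-up addresses).
GATEWAY_IP, GATEWAY_MAC = "10.1.1.1", "00:aa:00:00:00:01"
COPIER_IP, COPIER_MAC = "10.1.1.50", "00:cc:00:00:00:50"
TELLER_IP, TELLER_MAC = "10.1.1.20", "00:dd:00:00:00:20"


def run_scenario():
    watch = ArpWatch(known={GATEWAY_IP: GATEWAY_MAC})
    frames = [
        # normal traffic: gateway answers the teller PC, copier answers the gateway
        build_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, TELLER_MAC, TELLER_IP),
        build_arp(ARP_REPLY, COPIER_MAC, COPIER_IP, GATEWAY_MAC, GATEWAY_IP),
        # laptop on the copier's port with the copier's MAC cloned: identical at this layer, no alert
        build_arp(ARP_REPLY, COPIER_MAC, COPIER_IP, GATEWAY_MAC, GATEWAY_IP),
        # poisoning: the cloned MAC now tells the teller PC that it is the gateway
        build_arp(ARP_REPLY, COPIER_MAC, GATEWAY_IP, TELLER_MAC, TELLER_IP),
    ]
    for frame in frames:
        watch.observe(frame)
    return watch.alerts


if __name__ == "__main__":
    for alert in run_scenario():
        print(alert)
```

The third frame is the caveat for the MAC-filtering suggestion above: a cloned address is invisible to anything that only looks at Ethernet headers, so the watcher stays quiet until the poisoning itself starts. Catching the unplug-and-replace step needs something that authenticates the device rather than its address (802.1X, which comes up later in the thread).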

In the words of the Paranoia RPG (3, Funny)

Billosaur (927319) | more than 7 years ago | (#17051734)

  1. Stay alert
  2. Trust no one
  3. Keep your laser handy

Just Check! (2, Insightful)

Thansal (999464) | more than 7 years ago | (#17051742)

I need to call someone about what you're doing

Simple enough. I don't know if I am paranoid or what, but if I received an unsolicited "service" for one of our machines I would double check with my contact for that company.

If some one is poking around who I do not know I will check it with my boss.

Re:Just Check! (2, Insightful)

QuantumRiff (120817) | more than 7 years ago | (#17051996)

You would, but would your minimum wage receptionist? How about the custodian that has keys to everywhere? Would they know that someone had called ahead of time? Or would they just assume someone in another department called, and let them in?

Haha I love these guys (0)

Anonymous Coward | more than 7 years ago | (#17051750)

To get out of trouble you just have to practice ONE skill: how to social engineer the police into believing that you are a penetration tester.

Re:Haha I love these guys (1)

Zephyros (966835) | more than 7 years ago | (#17051962)

Heard of a "get out of jail free card"? Pen testers usually get a letter from their contact with the company stating what they are doing. If they get into legal trouble while running a test, the cops can check with that contact while holding the tester. Without that letter, you're pretty much screwed.

Would Biometric Security Devices Mitigate Sniffing (2, Interesting)

w33t (978574) | more than 7 years ago | (#17051760)

I wonder, since the article states that the tester was - within seconds - able to sniff passwords and usernames, that if the bank had employed biometric security devices would this sniffing have been so easy?

Re:Would Biometric Security Devices Mitigate Sniff (1)

earnest murderer (888716) | more than 7 years ago | (#17052392)

Depends on the device. Most that I have seen are just a print recognizer that inputs your password for you. That is, you spend 1 second compared to 2 filling in the password box. A neat trick, but doesn't do anything for security. Even if a system used the print itself, you're just trading a few characters for an image.

You could make the argument that they weaken security since the password has to be stored twice. And in many cases if you know what you are doing, a good print (good enough to fool the reader) is easier to get than watching someone type in a password or installing a key logger.

Encrypted login would have prevented this particular breach.

Certainly other systems exist, but what I've seen isn't impressive.

For the love of all things holy (1, Insightful)

noewun (591275) | more than 7 years ago | (#17051772)

Can we please stop calling it "social engineering"? It's called lying. Saying 'social engineering' instead of 'lying' or 'scamming' sounds way too self-important to me, like people who ask, "would you like a beverage?" instead of "want something to drink?". If you're that socially uncomfortable, pop a couple Xanax before talking to me. Or anyone. Or leaving your house.

This rant brought to you by my cold, Adobe InDesign and my idiot clients.

for the sake of clarity (4, Insightful)

Gary W. Longsine (124661) | more than 7 years ago | (#17051874)

Lying is a specific tool, not a blanket term for the various types of deception which may be employed in social engineering. Perhaps you think it sounds self-important, but that assumes that the only people who use the term are engaged in the practice. I think the term sounds reasonably descriptive and emotionally neutral, unlike "scamming" for example, and allows for the possibility that some people may engage in social engineering for non-harmful purposes.

Backwords (1)

geekoid (135745) | more than 7 years ago | (#17052388)

Social engineering is a subset of lying. Usually deception or implications.

Yes deception is lying.

If you say "I'm going to the movies" then drive to the movie wait 5 minutes, and then go to a motel to bang your mistress, you have still lied. I would argue the worst kind of lie.

Re:For the love of all things holy (3, Insightful)

Anonymous Coward | more than 7 years ago | (#17052234)

Yes it is lying, however its also quite a bit more than that.

It's a con. Plain and simple. Since you generally know the conversation and physical scenario that is going to take place, all that is needed is some improv. That's why I state it's a bit more than lying. You're feeding off of the target's lack of awareness, willfulness to give information, and general good nature, as 'everything seems to be in order' with your physical presence.

As far as distinction in vocabulary and vernacular of language, that would just gloss over any doubts the unwilling participant might have in most cases. Try that tactic against the wrong sort, and you will easily out yourself as an imposter.

neowun, have you actually manipulated people for fun, profit, or other? If not, you should try it sometime. It will give you a better sense of the spectrum that is 'social awareness' i.e., common sense.

good grief... (1)

Gary W. Longsine (124661) | more than 7 years ago | (#17051774)

In this case I wrote his password on a ream of paper and tucked it under the machine.
An amusing stunt perhaps, but perhaps not the best solution to the problem.

Re:good grief... (1)

spellraiser (764337) | more than 7 years ago | (#17051920)

Please RTFA before commenting in this vein.

Immediately after that sentence comes:

When I returned to my office I immediately called my contact and explained what we did and that we were successful. After retrieving the ream of paper with his password, I could hear the concern in his voice since our job confirmed his worst fears. I explained to him this type of problem can be fixed by sharing the results with his employees, and that no one person should be targeted as a single point of failure.

The password under the copier stunt was simply to prove that the attempt was successful.

perhaps I wasn't clear enough (2, Insightful)

Gary W. Longsine (124661) | more than 7 years ago | (#17052486)

This kind of stunt gets people fired, and worse, gets people in serious legal trouble and ruins their reputations.

Doubt me? Ask Randal Schwartz. Unless I missed something, Randal has admitted his naivety, but not malice, concerning the matter of cracking passwords to demonstrate security problems to one of his clients. The client was not amused. Here is an example, from the first click in a trivial google search.

Intel v. Randal Schwartz: Why Care? [mabuse.de]
Clearly, Randal was someone who should have known better. And in fact, Randal would be the first Internet expert already well known for legitimate activities to turn to crime. Previous computer criminals have been teenagers or wannabes. Even the relatively sophisticated Kevin Mitnick never made any name except as a criminal. Never before Randal would anyone on the "light side of the force" have answered the call of the "dark side".
-- end quote --

Randal already had an established reputation as a happy friendly white-hat super star and has highly respected friends who can vouch for him. Would your own reputation be able to withstand a legal battle from a client, even if your intentions were pure? I submit that it may be best to specify in the tiger team's contract the use of techniques like password cracking and sniffing. Leaving a recovered password on paper for any random employee to find is just a stupid, stupid stunt. Professional tiger teams carefully and jealously guard the evidence of their efforts, and share the results with the client in a professional and secure manner. If you need to prove you were in the building, take a picture and leave a business card, not your client's password for crying out frigging loud.

There, that should be clear enough.

Re:perhaps I wasn't clear enough (1)

spellraiser (764337) | more than 7 years ago | (#17052578)

Yes indeedy. Sorry for the misunderstanding.

There are better ways to prove that an attack worked than just leaving a password somewhere, that's for sure.

Look under your keyboard... (1)

From A Far Away Land (930780) | more than 7 years ago | (#17051784)

..go ahead, look.

If you see your password there, that proves I was in your place.

"In this case I wrote his password on a ream of paper and tucked it under the machine."

If it says "12345" it proves you watched Spaceballs.

Re:Look under your keyboard... (4, Funny)

DarthTaco (687646) | more than 7 years ago | (#17051852)

thanks! I looked under my keyboard and found the jumpdrive I had been trying to find for weeks!

Amazing! (2, Informative)

Anonymous Coward | more than 7 years ago | (#17051884)

That's the same combination I use on my luggage.

Re:Amazing! (1)

Anonymous Cowled (917825) | more than 7 years ago | (#17052108)

ROFL! how did this get +1, Informative!!

Re:Amazing! (3, Insightful)

jacks0n (112153) | more than 7 years ago | (#17052316)

moderator sarcasm

Companies look into this (1)

michaelvkim (981938) | more than 7 years ago | (#17051790)

The most vulnerable aspect of security is the people working. The best security consulting firms focus on this the most, and provide training to employees to be wary of people who might be unauthorized. Stuff like giving out passwords over the phone or over e-mail, to even confronting somebody who might not be who they say they are (like a copier repairman). I know some security firms have their consultants dress up as a UPS or FedEx man making a delivery to gain physical access to the building.

No 802.1x? (1)

lukas84 (912874) | more than 7 years ago | (#17051806)

When we installed Wireless LAN at our company, we switched all network access ports to 802.1x authentication.

It required some effort, since we had to "quarantine" non-802.1x devices to separate networks, but i think the security advantages outweigh the work needed.

We're just a small IT service company, not a bank. I really wonder why a bank hasn't been using 802.1x for several years already.

Re:No 802.1x? (1)

EvilTwinSkippy (112490) | more than 7 years ago | (#17051984)

Simple: You never ever ever ever ever trust a chunk of the network that doesn't have a lock on the door.

We don't secure our wireless because it is a pain, and futile. Anyone who wanted to seriously crack into the system would use a hard line, an idle terminal, MAC spoofing, etc.

We secure the servers, and monitor for odd behavior. Mostly because most of our problems aren't foreign invasion, they are inside jobs, mistakes, etc.

Re:No 802.1x? (1)

Nimey (114278) | more than 7 years ago | (#17052046)

But the bank had hardwired Ethernet.

Re:No 802.1x? (0)

Anonymous Coward | more than 7 years ago | (#17051998)

I was wondering that as well. We don't do 802.1x but instead have a list of all authorized MAC addresses in a text file, and the DHCP server checks against the list when it gets a request. If not authorized, it either gets access to just the LAN or nothing at all (depending on which VLAN the port is on). It's vulnerable to taking the IP address, gateway, &c from an authorized machine and using that statically, but it still beats what that bank had.

Posting anonymously for obvious reasons.

Mac Addresses are easily faked (1)

imaginaryelf (862886) | more than 7 years ago | (#17052352)

Mac addresses can be trivially faked.

What you need to do is assume that your wireless network has already been penetrated by Joe sitting at Starbucks, and then develop a defense from there. For example, one solution is having all wireless clients go through a VPN client with strong authentication mechanisms just to get back into the corporate network.

Re:Mac Addresses are easily faked (1)

lukas84 (912874) | more than 7 years ago | (#17052360)

How is the VPN solution different from using 802.1x? Except that the VPN solution is a crude hack?

Re:Mac Addresses are easily faked (2, Insightful)

imaginaryelf (862886) | more than 7 years ago | (#17052530)

Mostly for ease of deployment. Assuming that everyone already has a VPN client for connecting from home or hotels, etc. Your users then don't have to do anything special like 802.1x for wireless but VPN for something else, and your administrators have one less variable to control.

Oh great, (0)

Anonymous Coward | more than 7 years ago | (#17051814)

I do understand the need for security but isn't intentionally breaking in and publishing it on the internet just an invitation for more people to try the same? I know that there are laws against this.

It is very well possible to snatch a baby from a mom. Does that mean you DO it? .... NO!

Everything is vulnerable to penetration and banks are no exception. The real question is, should the "social engineer" be allowed to do it in the first place?

Re:Oh great, (0)

Anonymous Coward | more than 7 years ago | (#17051938)

The real question is, should the "social engineer" be allowed to do it in the first place?

the bank hired him to do it...

1 ream = 500 sheets (5, Funny)

Anonymous Coward | more than 7 years ago | (#17051818)

In this case I wrote his password on a ream of paper and tucked it under the machine.
That seems like an awful lot of effort, when you could just write it on one sheet. :)

Re:1 ream = 500 sheets (1)

rHBa (976986) | more than 7 years ago | (#17052440)

Maybe he was trying to prove that he had a lot of time to himself/wasn't rushed. Still, I would have used a photocopier. I wonder if he had to ask someone to lift the machine while he slipped a ream of paper under it.

Don't really need that. (4, Insightful)

Lumpy (12016) | more than 7 years ago | (#17051838)

$2000.00 cash and you can pay off the cleaning service people to let you in dressed as them. EASILY, sometimes for far less. Those people are so underpaid, yet have access to the most secure parts of the company. You can get in, get past the security guards without a second look, and you are allowed to root around in secure areas on camera, as you are supposed to be under each desk cleaning out trash.

Install a few key loggers, come back in a week and harvest them. No problem and easily undetected at any corporation. They probably will never suspect you even after they get massive hacks later because security typically is also underpaid and way under trained.

The copier hole (2, Interesting)

Anonymous Monkey (795756) | more than 7 years ago | (#17051846)

At one point I worked for a copier repair company (Dispatcher, accountant/bookkeeper, & some computer stuff). Each month I got calls from people who fell victim to one of two scams.

1st: Someone calls an office and says that copier supply cost will go up next month, so stock up now. Then they charge you an arm and a leg for your order. (Most of the time toner and developer are covered under the service contract.)

2nd: Sometimes, someone would call up and say that they don't like the new tech that we sent out. I would say "What tech? You don't have a call up on your machine." Then after a few minutes of back and forth they would realize that it was (a) for the other copy machine and not one from my company, or (b) someone was looking around the office without authorization. The scary thing is that this often happened at schools.

Later, at my next job, I nabbed someone pretending to be a copy 'service agent' at the front desk and fed them a line until they went away.

The moral of the story is: be paranoid, ask for ID, make people sign in, never ever trust someone who just shows up, and make sure all visitors are escorted at all times.

re: service people (1)

King_TJ (85913) | more than 7 years ago | (#17052652)

Yep... Even when you have people come in from a firm you *did* call for service, you have to keep a close eye on them.

I used to work for a mid-sized company that occasionally called different vendors in the Yellow Pages for printer service. (Our networked laser printers broke down too infrequently to justify a costly maintenance agreement on them, so we were a little better off just calling someone to fix them on a case-by-case basis.) One of the firms we called did a good job the first couple of times we used them, but when we called them a 3rd time, a different repair tech showed up. The office manager caught the guy snooping around in our supply closet, apparently trying to steal some of our toner cartridges and other printer/office supplies!

Some do (2, Interesting)

ackthpt (218170) | more than 7 years ago | (#17051850)

Where I once worked we had students trying social engineering on us all the time. I was a student worker at the time and knew most of the tricks, but when anything new came along it had to go through the filter of common sense. If only 3 people have open access to certain systems, one of them must know of someone claiming they need access, but if you can't contact the other two, you simply stand your ground, bar access and say to the attempted intruder, "Sorry, can't let you in, but don't worry, not your fault. Whoever was granting you access failed to inform everyone." Pretty easy to see if they were trying to engineer me after that, depending on how they reacted. If they were insistent then I'd call security, which would make them change their tune pronto.

Common sense: If you don't know about some repairman, then it's not your fault when you turn them away.

Re:Some do (1)

geekoid (135745) | more than 7 years ago | (#17052312)

"Common sense: If you don't know about some repairman, then it's not your fault when you turn them away."

haha.. sadly most common sense goes out the window in the corp. world.

If that repairman was to fix a critical issue, you would get into trouble in most places. Even if you were following policy.

It's that kind of crap that makes an employee not want to question anything.

Man I Wish... (2, Funny)

eno2001 (527078) | more than 7 years ago | (#17051916)

...I could be a penetration tester. On Jenna Jameson. ;P

Re:Man I Wish... (1)

UbuntuDupe (970646) | more than 7 years ago | (#17051994)

You *would* say that, since you believe in allocating goods based on need.

And your need for that good is pretty high after this latest dry spell, eh?

Re:Man I Wish... (1)

eno2001 (527078) | more than 7 years ago | (#17052094)

Damn homey! Dat's FUCKED up! You just put me in my place now didn't you! (So how often do you track my posts looking for opportunities to respond again?) ;P

Employees are not conditioned to be security aware (5, Interesting)

simm1701 (835424) | more than 7 years ago | (#17051936)

I recently hired a car from a well known car company (I won't name them as in general I find them to be a very good company)

I normally hire from one particular branch and drop it back off there, and as a regular customer I know each of the staff by name; however, on this occasion I was dropping the car back at the airport.

After parking up, a guy came from a car in another bay (for the same car company) and asked if I was dropping off one of their cars, which I confirmed, and told him it had come from my usual branch and not the airport. He asked to see the paperwork and did a check over the car - not a problem. After he gave me the paperwork back he asked for the keys. Since I didn't know him and he wasn't even wearing a uniform I asked to see ID; he couldn't provide it, and all he did have was a stack of paperwork with the company letterhead in a file.

Well, I'm afraid that isn't really good enough proof of ID - I told him I'd drop the key off at their desk (which is opposite my check-in desk) since I had no way to know if he was an employee or not.

After dropping the key off at the office of the car company in the airport it turns out he was a legitimate employee but the question of ID has never come up.

I saw some of the other cars there - they are always brand new, and while I usually take something like an Astra or a Vectra, this being the airport car park there were several Jags and a Merc or two. It seems it would be a VERY easy way to obtain a few cars... park up, inspect the car, ask for the key.

Even if you get pulled over by the police you would just have to say it's a hire car - a check of the registration would confirm that - these companies really should be a little more careful of their security!!

Re:Employees are not conditioned to be security aw (2)

GigsVT (208848) | more than 7 years ago | (#17052160)

Once they realize it's AWOL and they call the original owner who says he returned it, they'd report it stolen and then getting pulled over wouldn't be so easy to get out of.

Re:Employees are not conditioned to be security aw (1)

simm1701 (835424) | more than 7 years ago | (#17052504)

True but bear in mind this is a drop off at the airport.

And the way they have their system they are not necessarily notified that a car will be arriving, nor do the cars necessarily go straight back to the original branch, and the airport opens odd hours which often vary depending on customer bookings, while the normal branch does Mon-Sat 9-5.

Add to this that I picked up the car in the morning and in that case had a late evening flight, so I actually had the car contracted till the next morning - as I suspect would be common for airport drop-offs.

Put all that together and you have a car that someone could easily steal and get to any location within the UK with relative impunity.

Re:Employees are not conditioned to be security aw (2, Insightful)

jandrese (485) | more than 7 years ago | (#17052556)

You've really hit on one of the big reasons why these social engineering tasks work. If you are "that guy" who insists on calling in everyone who comes into the office, you are also the reason the copier is still broken because he turned away the repairman at the door simply because the copier place's front desk didn't have easy access to the work schedules of the repairmen.

In a perfect world everyone would be competent and always available on the other end of the phone, but in the real world it can be a pain in the rear to find the right person at the other company who could verify that the technician you have is supposed to be there now, not to mention the cleaning staff and all of the other people who need access to your building. You could escort them, but most companies don't have enough dedicated security guards or people without work to do to watch over the guy for 2 hours while he works on some machinery. Even if they do, most of the people at your local bank would have no idea that what he's doing is actually sniffing passwords off of the network, not working on the copier. This guy went to plenty of trouble to make himself look like a copier repairman, he could have easily set up a "diagnostic" program on his laptop and plugged it into the copier's network port (when in actuality he's plugging the network cable into his laptop), and sniff passwords for some time.

That said: How much danger is his knowledge of the passwords? Obviously it isn't good, but what does that actually get you in the bank? Access to the printers and network shares? Without knowing the bank's IT setup it's hard to know how valuable that information is. Clearly he couldn't try to fire up a copy of their software on his laptop (if he even had it), because any teller walking into the copy room would no doubt recognize it and put up a red flag. Presumably the transactions from that software would be encrypted (at least I hope it would be), and they may have additional protections.

Open DHCP (1)

Bottle Washer (1031590) | more than 7 years ago | (#17051956)

Interestingly, the network did not have DHCP locked down to not provide an IP address. Although not a big effort to overcome, keeping it open made his job even easier and gives even less sophisticated hackers a chance.

Can't be true (0)

Anonymous Coward | more than 7 years ago | (#17051980)

Bank without MAC access filtering and no IDS ???
??????

No DHCP! (2, Interesting)

smooth wombat (796938) | more than 7 years ago | (#17052004)

I then disconnected the network cable from the copier/printer and attached my laptop. As soon as my laptop booted up, DHCP provided a network address and I was on the internal network.

At my previous job, DHCP was not used for printers. In fact, you could not plug into any port and get a connection. Everything was locked down by MAC address and every printer was given a specific IP address. Even the pc ports were locked by MAC address.

Sadly, my current place of employment does not follow this rule. Anyone could do what the article talks about except that our security guard is pretty good about calling someone if a technician shows up and says they have to do something. If that happens, I am usually the one who goes down and finds out what's going on. Since I work in IT, I would know if what the person is saying is true or not.

Re:No DHCP! (1)

Vornzog (409419) | more than 7 years ago | (#17052582)

Everything was locked down by MAC address and every printer was given a specific IP address. Even the pc ports were locked by MAC address.

I wish more people would take basic measures like this. Even some minimal defense would prevent a lot of problems.

I collaborate with a government agency on some of my research (won't name names). They have a policy about no outside computers on the network. Unofficially, the IT guys are more than happy to look the other way, and will even leave an extra ethernet cable laying around, just as long as they don't see you plug in.

This is great for me, but would be horrible if anyone wanted to get into the network. Install a sniffer, plug right on in, and have more than enough login/password combos inside of 20 minutes.

Basic security like requiring a known MAC address would cut out a lot of the really easy 'hacks'.

ObSneakers (4, Funny)

Rob T Firefly (844560) | more than 7 years ago | (#17052034)

"Gentlemen, your communication lines are vulnerable, your fire exits need to be monitored, your rent-a-cops are a tad undertrained. Outside of that everything seems to be just fine. You'll be getting our full report and analysis in a few days but first, who's got my check?"

True story. (5, Interesting)

Maxo-Texas (864189) | more than 7 years ago | (#17052074)

Friend of a friend got a job doing security audits for a major energy company here in Houston.

1) He broke into a top nuclear facility by holding a box and asking the person ahead of him to hold the door.
2) He set off the "man trap" and found he could easily climb out of it.
3) He found out the heavily secure facility had secure areas protected by sheetrock walls in some areas.

He finally embarrassed so many people that they posted a picture of his face to all employees with a warning to be careful. That destroyed his effectiveness. Some solution.

But that's the real world for you.

Re:True story. (2, Interesting)

earnest murderer (888716) | more than 7 years ago | (#17052450)

So I am understanding that someone distributed his picture to thwart the security efforts of their own company?

Shit, I'd fire then sue them.

School Security (1)

wbtittle (456702) | more than 7 years ago | (#17052198)

When you check into a public school these days, you have to get a badge from the front desk (after signing in). When you walk around the school with the badge on, no one questions you. If you don't have a badge on, people will accost you. Take a blank business card and hang it from your shirt and no one will stop you.

I tried to point out the futility of such a system, but they don't get it.

If you want the school to be secure, here is the simple solution.

If you see someone you don't know, walk up to them and say "Hi, my name is Charlie, can I help you find anything?" Too busy to do this? DON'T EXPECT SECURITY.

More than just social security problems here... (2, Interesting)

jonadab (583620) | more than 7 years ago | (#17052200)

There were a number of technical security flaws he exploited as well. Among them:

> I then disconnected the network cable from the copier/printer and attached my laptop. As soon
> as my laptop booted up, DHCP provided a network address and I was on the internal network.

This should never be. In the first place, DHCP should not hand out an internal-network address to any old network card that comes calling, and in the second place, the copier should probably be isolated from any important or sensitive subnets by a firewall that should only pass the sort of traffic needed for printing/copying/scanning functions, and only if it's coming from the copier's IP address. Discovering the copier's IP address, in order to use it, would be easy enough (our copier has an easy menu interface for configuring that, for instance), but it's an extra thing the attacker has to do, and it should still only get him the ports that the copier normally uses. Defense in depth demands that you erect whatever barriers you can.

Furthermore...

> I started a few of our utilities and started sniffing the traffic on the network.
> Within seconds I had a variety of logins and passwords,

Ack! Switches cost, what, a whole extra fifty cents per port, as compared to hubs? WHY would anybody with anything significant to protect be running an unswitched network? Bad network engineer, no cookie.

Banks supposedly let themselves get robbed (0)

ObiWonKanblomi (320618) | more than 7 years ago | (#17052212)

I am not 100% sure if this is covered, but I do recall banks with FDIC insurance will let themselves have holes in their physical security to be robbed. The reason for this is that the banks can argue they were in the middle of numerous high value transactions, which wouldn't have been audited. This way they can get more money back from FDIC than they really lost.

I am not sure how this applies though with that type of theft.

teach employees? (5, Insightful)

Lord Ender (156273) | more than 7 years ago | (#17052220)

Teaching employees to police each other at the door does NOT help security. It does not work. All the awareness training in the world is wasted money because "politeness" is built in to our culture.

If I'm walking out the door, and someone coming in catches the door after I walk out, am I going to stop, turn around, go back in the building, stop the person on the way to the stairs, force him to follow me back to the badge reader, and wait to make sure his badge is accepted by the reader? No.

It will never happen.

Even if your security awareness training is so successful that 50% of your employees do this, an intruder only has to try twice to get in. You gain nothing.

Employee-enforced physical security is a farce. You will ONLY have real physical security if you have a dedicated security guard who checks every badge and photo-ID for every person entering the building.

Poor security (1)

the_brobdingnagian (917699) | more than 7 years ago | (#17052290)

I never really believed the stories about post-it notes with passwords under the keyboard. My last job was in a large store with a few computers present on the floor and at the service desk. Most computers were not being watched most of the time. I could not find passwords UNDER the keyboards, but the computer at the service desk had a little piece of paper taped to the top left corner. This was in clear view of all the customers who entered the store. This password was not for the regular login account. The password was more like an admin password. With this password you could not only look for store information but also modify most information. I did not report this information because I didn't think they would understand. I was told not to use keyboard shortcuts to shut down the machines because that was supposed to be bad?!

Why not a male model? (2, Funny)

Incarnate13 (1019150) | more than 7 years ago | (#17052314)

"Think about it Derek. Male models are genetically constructed to become assassins. They're in peak physical condition. They can gain entry into the most secure places in the world. And most important of all, models don't think for themselves. They do as they're told."

One of the classics (1)

mkro (644055) | more than 7 years ago | (#17052456)

Lineman.net is gone, but one of Isreal's entertaining/scary stories is still to be found on the redirect, AllYourTech.com: Introducing social engineering to the workplace [allyourtech.com]. Recommended reading.

Re:One of the classics (1)

mkro (644055) | more than 7 years ago | (#17052624)

Three cheers for Archive.org: Penetration Testing Using Social Engineering (Part 1) [archive.org]. He makes himself sound like a mystical ninja sometimes, but still entertaining.

Or... He could have hacked the copier (1)

The Infamous TommyD (21616) | more than 7 years ago | (#17052560)

and made it fax out what it found every night. See: Penetration Analysis of a XEROX Docucenter DC 230ST

Network security too! (1)

MobyDisk (75490) | more than 7 years ago | (#17052662)

I'm surprised that the article talks about the dangers of social networking, but didn't comment that a sniffer was able to detect unencrypted passwords over the network. Isn't that an equally significant problem? Doesn't every major protocol these days incorporate password security by default? I'm just thinking right now about the protocols I've used this morning:

SSH
Remote Desktop
POP3, SMTP (over SSL)
Whatever protocol Outlook uses for email. (???)
SQL server

As far as I know, all of these at least support decent password encryption, most encrypt the data, and all but Remote Desktop support certificates to prevent MITM attacks (which this guy didn't seem to use anyway). I can't speak for Outlook though. So, what protocols were sending unencrypted passwords? Or do I have too much confidence in the protocols above? What did I miss?
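An added example, not code from the thread: MobyDisk's question above, and jonadab's earlier point that a sniffer on the network turned up "a variety of logins and passwords", are both answered by looking at what actually crosses the wire in the clear. The audit check below scans captured client-to-server bytes for the cleartext authentication forms that the mail and web protocols of the day still allowed (POP3 and FTP `USER`/`PASS`, IMAP `LOGIN`, SMTP `AUTH PLAIN`/`AUTH LOGIN` without a preceding `STARTTLS`, HTTP Basic) and reports the protocol and the account name so it can be rotated and the service moved to TLS; the secret itself is never stored. The `Packet` record, stream ids, ports and every credential in `SAMPLE_CAPTURE` are constructed sample data.

```python
"""Added example, not from the thread: flag cleartext authentication in a
capture. Reports protocol and username only; passwords are never kept.
The capture below is constructed sample data."""

import base64
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    stream: int     # TCP connection id (constructed)
    dst_port: int   # server port, used here to identify the protocol
    payload: bytes  # client -> server bytes


@dataclass(frozen=True)
class Finding:
    stream: int
    protocol: str
    username: str   # reported so the account can be rotated; the secret is dropped


def _b64(text):
    """Decode base64 or return None; binascii.Error is a ValueError subclass."""
    try:
        return base64.b64decode(text, validate=True)
    except ValueError:
        return None


def find_cleartext_auth(packets):
    findings = []
    tls_started = set()   # streams that issued STARTTLS: later bytes are opaque
    login_step = {}       # SMTP AUTH LOGIN state per stream: next field expected
    for p in packets:
        if p.stream in tls_started:
            continue
        try:
            text = p.payload.decode("ascii")
        except UnicodeDecodeError:
            continue      # binary: SSH, TLS, RDP etc. are not inspected
        for line in text.split("\r\n"):
            words = line.split()
            if not words:
                continue
            verb = words[0].upper()
            if p.dst_port in (110, 21):                 # POP3 / FTP: USER then PASS in the clear
                if verb == "USER" and len(words) > 1:
                    proto = "POP3" if p.dst_port == 110 else "FTP"
                    findings.append(Finding(p.stream, proto, words[1]))
            elif p.dst_port == 143:                     # IMAP: "tag LOGIN user pass"
                if len(words) >= 4 and words[1].upper() == "LOGIN":
                    findings.append(Finding(p.stream, "IMAP", words[2]))
            elif p.dst_port in (25, 587):               # SMTP
                if verb == "STARTTLS":
                    tls_started.add(p.stream)
                    break
                if verb == "AUTH" and len(words) >= 3 and words[1].upper() == "PLAIN":
                    raw = _b64(words[2])                # "\0user\0password" in one line
                    user = raw.split(b"\0")[1].decode(errors="replace") if raw and raw.count(b"\0") >= 2 else "?"
                    findings.append(Finding(p.stream, "SMTP AUTH PLAIN", user))
                elif verb == "AUTH" and len(words) >= 2 and words[1].upper() == "LOGIN":
                    login_step[p.stream] = "username"
                elif login_step.get(p.stream) == "username":
                    raw = _b64(line.strip())
                    findings.append(Finding(p.stream, "SMTP AUTH LOGIN", raw.decode(errors="replace") if raw else "?"))
                    login_step[p.stream] = "password"
                elif login_step.get(p.stream) == "password":
                    login_step.pop(p.stream)            # the password line: discard
            elif p.dst_port == 80:                      # HTTP Basic: base64 "user:password"
                if line.lower().startswith("authorization: basic "):
                    raw = _b64(line.split(None, 2)[2])
                    user = raw.split(b":", 1)[0].decode(errors="replace") if raw else "?"
                    findings.append(Finding(p.stream, "HTTP Basic", user))
    return findings


def b64(s):
    return base64.b64encode(s).decode()


# Constructed capture: plain POP3, SMTP with and without STARTTLS, HTTP Basic,
# SSH (binary, ignored) and SMTP AUTH LOGIN split over three packets.
SAMPLE_CAPTURE = [
    Packet(1, 110, b"USER alice\r\n"),
    Packet(1, 110, b"PASS hunter2\r\n"),
    Packet(2, 25, b"EHLO laptop\r\nSTARTTLS\r\n"),
    Packet(2, 25, b"\x16\x03\x01\x00\x5a\x01\x00"),          # TLS handshake bytes
    Packet(3, 25, b"AUTH PLAIN " + b64(b"\0bob\0s3cr3t").encode() + b"\r\n"),
    Packet(4, 80, b"GET / HTTP/1.1\r\nHost: intranet.example\r\nAuthorization: Basic "
                  + b64(b"carol:pw").encode() + b"\r\n\r\n"),
    Packet(5, 22, b"SSH-2.0-OpenSSH_4.3\r\n"),
    Packet(7, 25, b"AUTH LOGIN\r\n"),
    Packet(7, 25, b64(b"dave").encode() + b"\r\n"),
    Packet(7, 25, b64(b"pass").encode() + b"\r\n"),
]

if __name__ == "__main__":
    for f in find_cleartext_auth(SAMPLE_CAPTURE):
        print(f"stream {f.stream}: {f.protocol} credential for user {f.username!r} sent in the clear")
```

The SSH and STARTTLS streams come back clean, which is the answer to the question: the protocols on the list can protect the password, but only when the client is actually configured to use TLS, and POP3/IMAP/SMTP clients of that era frequently were not. A check like this (or the equivalent IDS signature) run against a span port is a cheap way to find out which accounts a sniffer in the copy room would have seen.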