Social Engineering and Information Security
We are in an age of information explosion, and one of the most critical problems facing us is the security and proper management of information. Advanced hardware and software solutions are constantly being developed and refined to close any technical loopholes that might allow a hacker attack and a consequent breach of information security. While this technical arms race continues, attackers are pursuing other vectors of attack. Social engineering refers to the increasing use of techniques, both technical and non-technical, that exploit human cognitive biases as the weakest link in computer security. What is shocking is that, despite this great vulnerability to human exploitation, a seemingly careless attitude toward it prevails in the corporate world. While more and more money is spent on beefing up hardware security and acquiring expensive software solutions, little is done to address social engineering exploits. Although government laws and regulations such as HIPAA, SOX (Sarbanes-Oxley) and the Gramm-Leach-Bliley Act (GLBA) are already in place to protect privacy and information security, it is important that more awareness is created about social engineering threats. This paper is a brief overview of the various technical and non-technical social engineering techniques and of the simple but effective measures that could be implemented to protect end users from social engineers.
Social Engineering Techniques
Pretexting
Pretexting is defined as "the act of creating an invented scenario to persuade a targeted victim to release information or perform some action." [Hadnagy & Wilson, chapter 4]. Social engineers rely on extensive research to impersonate someone convincingly, so that the target believes them and discloses vital information. This background research and practice lets the social engineer persuade the target easily, making the request appear legitimate. The phone is the most important tool used for pretexting, which enables the social engineer to obtain vital personal information from users. The most famous incident of corporate pretexting was the 2006 HP scandal. In this case Patricia Dunn, the chairwoman of HP at the time, employed security officials who used pretexting to obtain the phone records of HP board members and other employees in order to find an inside leak, and they succeeded in doing so. In a court statement, the FTC reported that "the defendants have obtained confidential customer phone records, including lists of calls made and the dates, times, and duration of the calls, and sold them to third parties without the knowledge or consent of the customers." [Greg Sandoval, Feb 2007]. The Telephone Records and Privacy Protection Act of 2006 made it clearly illegal for any person or corporate entity to use fraudulent methods to obtain call records from a phone company. Violations are punishable by imprisonment of up to 10 years.
Phishing
Phishing attacks are a common form of technical social engineering attack that use either a website or an email as the medium for tricking an unaware customer into giving out vital information such as bank account or credit card details. Email phishing scams often involve warnings about a breach of account security and ask the customer to re-enter their account details and change their passwords. Typically, a phishing email contains a link to a malicious website that resembles the genuine website of a reputable bank or other business. Unaware users re-enter or update their personal details there, which the social engineer can then use to gain access to their accounts. [McDowell, 2009]
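As an added defender-side example (not from the paper), a small Python check for the pattern this paragraph describes: an e-mail link whose visible text names the genuine bank while its href leads to a lookalike domain. The sample message, the allow-list of trusted domains and the domain heuristics are constructed here for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample phishing e-mail body (not a real message). Link 1 shows the
# genuine bank URL as text but points elsewhere; link 2 uses a digit-for-letter
# lookalike domain; link 3 is a legitimate link and must not be flagged.
SAMPLE_EMAIL_HTML = """
<p>Your account has been locked. Re-enter your details at
<a href="http://examplebank-secure-login.com/verify">https://www.examplebank.com/login</a>
or <a href="https://examp1ebank.com/login">our secure site</a> to restore access.</p>
<p>Help: <a href="https://www.examplebank.com/help">Help Center</a></p>
"""

# Assumed allow-list of the brand's genuine registrable domains.
TRUSTED_DOMAINS = {"examplebank.com"}

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def registrable_domain(host):
    """Crude last-two-labels heuristic (no public-suffix list): 'www.a.com' -> 'a.com'."""
    labels = (host or "").lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def is_lookalike(domain, trusted):
    """True if the trusted brand name is embedded in a different domain, or the
    domain matches the trusted one after undoing common digit-for-letter swaps."""
    if domain == trusted:
        return False
    brand = trusted.split(".")[0]
    undone = domain.translate(str.maketrans("0135", "olse"))  # 0->o 1->l 3->e 5->s
    return brand in domain or undone == trusted

def suspicious_links(html):
    """Return (href, reason) for each anchor that is not on a trusted domain but
    whose visible text or host imitates one."""
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        host = registrable_domain(urlparse(href).hostname)
        if host in TRUSTED_DOMAINS:
            continue  # genuine link, nothing to report
        shown_host = urlparse(text.strip()).hostname  # visible text that is itself a URL
        if shown_host and registrable_domain(shown_host) in TRUSTED_DOMAINS:
            findings.append((href, "text shows trusted URL but target is " + host))
        elif any(is_lookalike(host, t) for t in TRUSTED_DOMAINS):
            findings.append((href, "lookalike domain " + host))
    return findings

if __name__ == "__main__":
    for href, reason in suspicious_links(SAMPLE_EMAIL_HTML):
        print(f"SUSPICIOUS {href}: {reason}")
```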
Phone Phishing
Phone phishing is a newer trend used by social engineers. As more and more users become aware of the dangers of unsolicited emails, attackers have begun to phish over the phone instead. In particular, the availability of low-cost VoIP services has attracted them to this popular medium for their fraudulent schemes. Phishing over VoIP is now popularly termed vishing. Users are sent voicemails that sound like legitimate messages from their bank, informing them that their account has been frozen. They are then asked to call back a particular number to reactivate the account. Unwary customers call the number and divulge their account details, making the vishing scheme a success for the attacker. [Sonja Ryst, 2006]
Persuasion
Social engineers rely on their impersonation and persuasion skills to con users. They exploit human qualities such as trust, helpfulness and fear to circumvent the technical route and gain direct access to confidential user information. A skilled social engineer may use both the direct and the peripheral route of persuasion to make the victim give up the required information. [Michael Workman, 2007]
Hacking
With the computing power now available, hackers can easily target data servers, and by using botnets they can disrupt normal server services. Today it is not so difficult to crack passwords: the availability of cloud computing and clusters of literally hundreds of virtual machines enables an attacker to crack an encrypted password in under 20 minutes by simple brute force, whereas the same process could have taken days before. [Ted Samson, 2011]
Case Studies
Kevin Mitnick
Kevin Mitnick is world renowned for his social engineering exploits and his excellence in elicitation skills. One of his famous exploits was hacking into the DMV (Department of Motor Vehicles) using his well-refined impersonation skills and elicitation methods, and intercepting police calls to the DMV. In this self-reported real story, which he calls "The Reverse Sting," Kevin describes through the character of Eric how he managed to break into the non-public DMV database and gain access to the driver's license numbers of citizens and police officers using a combination of non-technical and technical social engineering skills.
Eric knew that by posing as a police officer he could get access to all the information in the DMV database. The first problem, however, was to find the unpublished DMV phone number. He started by calling the telephone information service and asking for the phone number of DMV headquarters; obviously he was only given the public number. To obtain the private number normally used by police, he first called the local sheriff's office and asked for the number of the Teletype department (through which police send and receive information). Eric then called the Teletype number and asked for the number that police officers use to call DMV headquarters. When asked "Who are you?" he swiftly responded, "This is Al. I was calling [HIDDEN] .." Because he already had the non-public Teletype number and had the base numbers for the DMV right, the Teletype receptionist assumed he was internal and gave him the number. Eric then called the DMV on that number and, posing as a Nortel technical support engineer, asked to speak with a DMV technician. He informed the technician that Nortel was updating all DMS 100 switches and that this could be done entirely online, for which he would need the dial-in number of the DMS 100 switch. Since this seemed entirely believable, the technician promptly gave him the number. Using his previous experience with Nortel switches and by trying all the standard passwords, Eric was soon able to break into the system and gained access to 19 dedicated lines.
Now he could intercept any of the incoming lines to the switch. He intercepted one of these lines and connected it to his new cell phone, which let him receive all incoming calls to that line on his cell phone. Soon law enforcement officers were routinely calling him to obtain details for various license numbers. Thus, using a simple mix of non-technical elicitation techniques and technical knowledge, he was able to break into one of the most strictly confidential government databases. [Hadnagy, Chapter 8]
Hadnagy Case Study
Christopher Hadnagy, the author of the book 'The Art of Human Hacking', discusses his own experience as a social engineering auditor for a medium-sized printing company in the U.S. The audit was performed to convince the company's CEO to invest in security systems, which he was very reluctant to do, as he felt that all proprietary processes and other confidential information were perfectly safe with him because he did not use technology much in his life. In fact, over the phone the CEO had vehemently rejected the need for additional security systems, saying that "hacking him would be next to impossible because he guarded these secrets with his life." [Hadnagy, Chapter 8]
Hadnagy, as the auditor, was given the responsibility of convincing the CEO of the potential dangers and gaining approval for the required security upgrades. He started with a simple information gathering and aggregation tool, Maltego, and was soon able to obtain useful information such as the company's IP address, mail servers, phone numbers and address, and employee names and designations. Running the Maltego metadata transform provided still more information in the form of files with their dates, creator information, etc. One file in particular, named InvoiceApril.xls, caught Hadnagy's attention. Its contents indicated that it was an invoice for a marketing venture organized by the local bank. Hadnagy immediately called the bank, posing as a Mr. Tom from the accounts department of the printing firm, and asked for the details of this particular marketing event; it turned out to be the bank's annual Children's Cancer Fund Drive.
Hadnagy gathered more information about the CEO, such as his native place (NY), his favored dining place (Domingoes), his love of the Mets, his top three favorite dishes, etc. With all this background information, Hadnagy chose 'cancer research funding' as the attack vector. He called the CEO and told him about a small fundraiser in support of children's cancer research that included a raffle prize of two tickets to a Mets game and dinner at Domingoes, both the CEO's favorites. In other words, the auditor was simply pulling the CEO's emotional strings and using the gathered information to make the conversation personal. Hadnagy had already prepared a malicious PDF file containing scripts that would give him full access to the CEO's computer. The CEO did in fact succumb to this simple trick: he gave out his email address and opened the malicious PDF, which gave Hadnagy complete access to his computer and the servers. [Hadnagy, Chapter 8]
The case studies above clearly show how a skilled social engineer can use the phone or the internet to gather important information and then use it to impersonate others and gain access to highly confidential information about the target. It is important to protect oneself against such skillful social engineering attacks; before we discuss some simple protective strategies, let us take an overview of the legal protection available.
Legal Protection
Because of business requirements, a great deal of confidential client information is stored on company servers. Under these circumstances there is an ever-present danger of a snooper hacking into these systems, or of user information being sold to third parties. Legal provisions now exist that aim to prevent such misuse of private information. HIPAA (the Health Insurance Portability and Accountability Act) ensures privacy for the transfer of health information online; healthcare providers across the country are required to implement administrative and technical policies that ensure adherence to national standards. [University of Miami] The Sarbanes-Oxley Act (SOX) is a corporate governance law that requires public companies to integrate security into the strategic plan of the enterprise. Section 404 of SOX clearly highlights the 'risk-centric compliance issues' that corporations must address or face criminal enforcement and punitive damages. [Mark Kaelin, 2005] The Gramm-Leach-Bliley Act (GLBA), enacted in 1999 under President Clinton, requires banks and other financial institutions to maintain the privacy of customers' financial details. The act has three main provisions, namely a) financial privacy, b) the safeguards rule and c) protection against pretexting. In particular, the GLBA requires financial companies to clearly lay out their employee training plans (how they train employees to safeguard customer information) and to conduct random spot checks. [Tina Douglas, 2010] The Telephone Records and Privacy Protection Act of 2006 offers legal protection for the privacy and confidentiality of consumers' phone records. Thus various legal provisions place serious responsibility on corporate bodies to defend customers from exposure to social engineering tricks.
Protection against Social Engineering (Role of people in security)
It might be hard to believe, but only a small percentage of information security is actually achieved by technical measures, while the vast majority depends on IT personnel. As much as 70% of information theft is ascribed to personnel inside the company. The human aspect of information security should therefore be the point of focus, but unfortunately, as many studies and surveys suggest, it is the most neglected aspect of IT security. A comprehensive study by TUBITAK UEKAE, the Turkish information systems security department, confirmed these gaping holes in the security provisions of Turkish public agencies. For this audit, conducted over a three-year period, around 56 IT personnel from 6 organizations were contacted over the phone, and 38 of them (around 68%) gave out their passwords. [Tolga Mataraccioglu, Dec 2010]