
Physical Aspects: Social Engineering

Social Engineering:

One of the first things I want to talk about is Social Engineering. I put this under Physical Aspects because I felt it fit best here. It has been easy for people who use SE to get information from employees for their own needs.

What is SE? Well, to put it plainly, it is manipulating people to do what you want them to do. Most use SE to be able to do things they should not do. Example: convince a guard that you work for the company and need to get to your desk.

Hackers use SE to get valuable information from employees to help them get into systems. People are inherently helpful. When you drill into your employees over and over that the customer is always right and to be as helpful as possible, they stop using common sense and go overboard. Does this mean that you want your employees being jerks to the customers? No. You just want them to think about what they tell people before they speak.

If I wanted to know who the system administrator of your company is, I may do the following:

<Me> Hi, this is Joe Blow in the Denver office, I just started today and am having trouble logging into my system.

<Company receptionist> Hi! Welcome to the company! "Small talk, where are you from, got kids, etc...." OK, have you tried your first name with your last name as your password?

<Me> No, I have not. I'll try that. "Small talk on my part, where are you from, do you have kids, how long have you been with XYZ company," Who else is new? Anyone starting soon?

<CR> Bob Whatever starts here tomorrow in sales. And Bucky Wonderpup just started yesterday.

<Me> Cool, glad to know I'm not the only new guy on the block. In case my password does not work, who do I need to talk to?

<CR> That would be Tim Admin. His number is 555-1212, or call the help desk at 555-2323.

<Me> Thanks! You have been more help than you know. Talk to you later! Bye!

At this point, I know the default password at your company, which is the last name of the end user. I also know that you have a new employee named Bucky Wonderpup who started yesterday and may not have changed his password, and a guy by the name of Bob Whatever who starts tomorrow. I can almost guarantee that his account is active right now! Most accounts are active a good week before the employee starts. So I'll start working on his account right now. I also now know the name and number of the admin of the company, so I can try forcing his password. Note: most admins don't limit their accounts to lock out after a few tries.

I can also try to call the admin and tell him I'm Bucky and that I need him to change my password for me. I'll just give him one to use!

Now, if you're using 802.11 networks and are not using encryption (most are not), I can do this all from your parking lot and get right into your network remotely.

So, how could all of this have been avoided? Did the receptionist do anything wrong? Not really, and yes, everything.

Let me explain. She was very helpful. This is great for a new employee. As a new employee, she could not look up my name on the contact list, as I may not be there yet. "What about the other new guys?" She may have heard about them via office gossip, or they are starting at that location.

What she should have done is ask who my boss was, then look up that person's name on the contact sheet. If I did not have that info, I would have been dead right there. If I did have that info, she should have redirected me to contact my boss, or the local IT person at my location, to help me out. You should never give out internal company info to anyone you have not verified works for your company.
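The call above only paid off because of three account weaknesses: a name-based default password, an account enabled before its owner's start date, and an admin account with no lockout. The following audit is an added example, not part of the original page; the directory records, field names and the meaning of a lockout threshold of 0 are constructed assumptions.

```python
from datetime import date

TODAY = date(2024, 3, 4)  # constructed "today" for the sample data

# Constructed directory export. Field names are assumptions; a
# lockout_threshold of 0 is taken here to mean "never lock out".
ACCOUNTS = [
    {"user": "bwhatever", "created": date(2024, 2, 26), "start": date(2024, 3, 5),
     "enabled": True, "pw_last_set": date(2024, 2, 26), "admin": False,
     "lockout_threshold": 5},
    {"user": "bwonderpup", "created": date(2024, 2, 25), "start": date(2024, 3, 3),
     "enabled": True, "pw_last_set": date(2024, 2, 25), "admin": False,
     "lockout_threshold": 5},
    {"user": "tadmin", "created": date(2020, 1, 6), "start": date(2020, 1, 6),
     "enabled": True, "pw_last_set": date(2024, 1, 15), "admin": True,
     "lockout_threshold": 0},
    {"user": "jblow", "created": date(2024, 3, 1), "start": date(2024, 3, 11),
     "enabled": False, "pw_last_set": date(2024, 3, 1), "admin": False,
     "lockout_threshold": 5},
]

def name_derived(password, first, last, user):
    """True if an initial password can be guessed from the person's name."""
    pw = password.lower()
    tokens = (first.lower(), last.lower(), user.lower())
    return any(len(t) >= 3 and t in pw for t in tokens)

def audit(accounts, today):
    """Return sorted (user, finding) pairs for enabled accounts."""
    findings = []
    for a in accounts:
        if not a["enabled"]:
            continue  # disabled until the start date: nothing to log into
        if a["start"] > today:
            findings.append((a["user"], "enabled-before-start-date"))
        if a["pw_last_set"] <= a["created"]:
            findings.append((a["user"], "initial-password-unchanged"))
        if a["admin"] and a["lockout_threshold"] == 0:
            findings.append((a["user"], "admin-without-lockout"))
    return sorted(findings)

if __name__ == "__main__":
    for user, finding in audit(ACCOUNTS, TODAY):
        print(f"{user}: {finding}")
```

`name_derived` is meant to run at provisioning time, so an initial password built from the new hire's name is rejected before the account is ever enabled.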

I'll add more to this soon.

Here is the Social Engineering Lecture I was on at H2K. This turned out to be more of a chat session with Kevin Mitnick.