Security and Privacy in a Networked World/No Tech Hacking
Instead of a Motto: "You only have to ask"
"Activate the wealth corner of any crowded room by standing in it with a large kitchen knife and a sign that reads 'Give Me All Your Money'" - Rohan Candappa, The Little Book of Wrong Shui
Social Engineering - what is it?
In his well-known book "The Art of Deception", Kevin Mitnick has given the following definition:
"Social Engineering uses influence and persuasion to deceive people by convincing them that the social engineer is someone he is not, or by manipulation. As a result, the social engineer is able to take advantage of people to obtain information with or without the use of technology."
In short, it IS the art of deception. And although Mitnick himself was widely labelled "the most dangerous hacker in the world", he was above all a brilliant social engineer who achieved the majority of his accomplishments without using technology.
The following points are mostly based on the book "No Tech Hacking" by Johnny Long. Note that these are only some of the most common techniques.
Dumpster diving
An old bit of wisdom says "One man's trash is another man's treasure". While this holds in its original, general sense (old things can still be of use to somebody), it has a special meaning in data security.
Sometimes, important material ends up in the trash accidentally. More often than not, however, it is thrown out by people who do not know better. But whatever the reason, dumpsters can contain rather interesting material (and, as the photos in Johnny Long's book show, sometimes no actual diving is even needed).
Almost anyone would understand the security risk if a discarded document picked up by a stranger contains someone's password. Less obvious cases can, however, be just as dangerous. For example, a job application form partially filled in by a system administrator of a major defense contractor might be of interest to an agent of a hostile foreign power (disgruntled employees are easier to bribe). Payment invoices can reveal shady transactions. But even a department staff list with room and internal telephone numbers can be a good starting point for a social engineering scheme ("Hi, this is James from accounting, room 116. My boss, Mrs Peabody, asked me about <something of interest>, could you help me with that?").
A special case worth mentioning is the "yellow sticky note" (aka Post-it and other brand names). They are often used to write down important bits of information and are stuck to some easily visible place. On the one hand, they often contain information that should NOT be that visible. On the other hand, the glue holding them in place tends to wear off after a while, the note slides down - and often ends up in some out-of-sight place (e.g. between a table leg and a wall). Depending on the janitor, the next step may be
- the note is returned to the table for the owner to find
- the note will remain where it is
- the note ends up in the dumpster (for someone else to find)
- the janitor has some interesting ideas about what to do with the found information
The last two options can spell a lot of trouble.
Tailgating
Today, people are lazy and forget to close doors, so many doors are equipped with an automatic closing mechanism. This has further promoted the habit of "open and forget" - especially if there are other people around. And in the age of litigation (especially in some large first-world countries), no door manufacturer would want to risk a lawsuit from someone who got caught in the doorway - so the doors close slowly, and if something or somebody obstructs the movement, they will not close at all.
People are also (mostly) nice. If someone is behind us at a door, most of us have been taught either to let them go first or at least to hold the door for the next person. The question of whether that person is actually authorized to pass through the doorway seems to be best left to the security staff.
Other factors in tailgating include
- Picking the right door - while the main front door may be heavily guarded, there may be side entrances used occasionally by staff members to have a cigarette (especially as smoking inside gets banned). Blending in (see also the next point) may get one in without having to deal with any security measures.
- Dressing for success - here, it means picking the right look for the targeted institution. A toque blanche and a white outfit would work at a large shopping mall with several restaurants; a technician with a hard hat, a toolbox and some fancy gadgets would likewise be a plausible persona for entering a telecom office building.
- ID badges work, even fake ones - with today's technology, these are surprisingly easy to reproduce. Wearing a camera-ready mobile phone and clicking the button when passing someone wearing an ID card may be a working solution.
- Let Mohammad come to the mountain - if the attacker approaches a group of smokers at a side door, it would look suspicious. If he or she 'happens' to be there before the others, much less so.
Shoulder surfing
The classic technique of peeking over a victim's shoulder to learn something interesting has largely remained the same - it has only acquired some newer cousins, e.g. using a mobile phone camera to photograph the object or record a video clip (again, over the victim's shoulder). Typical targets include
- computer terminals
- ATMs (cash terminals)
- locks and access pads with numeric codes
- increasingly, personal devices (laptops, tablets, mobile phones)
Sometimes, a glance at the screen of an unattended laptop (again, a phone camera shot or recording is even better) can reveal a lot of interesting things. Most mobile devices connect to wireless networks nowadays, so knowing what to look for (when snooping on a Wi-Fi network) can help a lot. Useful details include the operating system (at the time of writing, machines running the soon-to-be-abandoned Windows XP were especially interesting), taskbar icons hinting at some (vulnerable) services, desktop launchers showing specific applications that may contain valuable data (e.g. an icon labelled "Central Bookkeeping" on the desktop) etc. To top it off, some companies like to tag their hardware with stickers revealing the user's name and/or position, serial numbers and so on.
Shoulder surfing on a laptop user may also be fruitful in many ways. Passwords, online banking codes etc. are of course the obvious cases. But learning about the person's contact list in various services (e.g. Skype) or social networking services can also be useful - if a person cannot be attacked directly, compromising a contact's computer and posing as its owner may be more successful. And finally, witnessing some less-than-stellar behaviour (e.g. surfing some special kinds of pornography) may also provide a chance for extortion.
Countermeasures
As with other similar activities, countering dumpster diving starts with raising awareness. People should know what kind of information is sensitive and what the consequences of a leak may be.
Number two is protocol - clear rules must exist for handling at least the kinds of trash that may contain data.
Physical protection - mostly locks, on rooms, on trash depots or even on individual bins - helps too. In some places, it may also help with another problem, namely obnoxious neighbours 'optimizing their costs' by dropping their trash into others' bins.
Physically destroying sensitive documents is increasingly a must. Paper shredders are available in a range of prices; care must be taken to get one with a high enough shredding density, as some cheaper models produce strips of paper with legible text.
Against tailgating, awareness is again the first step - people must recognize the problem and, if necessary, overcome their 'need to be nice'. Occasional 'raids' on the more vulnerable spots by security personnel may be an idea (to catch those with lax manners).
Protocols matter here too - quite often, workers who spot an intruder simply do not know whom to inform. In the worst case, they keep silent just to "keep themselves out of hot water".
Technological means include better doors and good IDs, but also security cameras to capture the traffic at entrances.
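Cameras and badge readers only help against tailgating if somebody looks at what they record, and nobody reviews hours of footage for every door. The following added example (not from the page or from Johnny Long's book) shows the kind of triage a defender can run over access-control logs instead: it assumes a hypothetical reader that logs badge_ok, rex (request-to-exit sensor), door_open and door_close events per door, and flags doors opened without a preceding badge or exit request and doors held open far longer than a single person needs. The log lines and the line format are constructed for the example.

```python
"""Flag door events that suggest tailgating or a propped door.

Added example, not the page's or any vendor's code. The log format is
hypothetical: one event per line, ISO timestamp, door id, event kind and
an optional user id for accepted badges.
"""
import re
from datetime import datetime, timedelta

# Constructed sample log for one side entrance.
SAMPLE_LOG = """\
2024-03-05T08:01:02 door=side-B event=badge_ok user=u1034
2024-03-05T08:01:03 door=side-B event=door_open
2024-03-05T08:01:06 door=side-B event=door_close
2024-03-05T08:14:40 door=side-B event=badge_ok user=u2210
2024-03-05T08:14:41 door=side-B event=door_open
2024-03-05T08:15:31 door=side-B event=door_close
2024-03-05T08:30:12 door=side-B event=door_open
2024-03-05T08:30:15 door=side-B event=door_close
2024-03-05T08:45:00 door=side-B event=rex
2024-03-05T08:45:01 door=side-B event=door_open
2024-03-05T08:45:04 door=side-B event=door_close
"""

LINE_RE = re.compile(r"^(\S+) door=(\S+) event=(\S+)(?: user=(\S+))?$")


def parse_log(text):
    """Parse the hypothetical log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not fit the format
        ts, door, event, user = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "door": door,
                       "event": event, "user": user})
    return events


def find_anomalies(events, unlock_window=timedelta(seconds=10),
                   max_open=timedelta(seconds=20)):
    """Return (timestamp, door, reason) tuples worth a look at the camera footage.

    Two rules: a door_open not preceded (within unlock_window) by a badge or
    exit request, and a door held open longer than max_open, which is the
    typical signature of someone holding it for the people behind them.
    """
    anomalies = []
    last_unlock = {}  # door -> time of the most recent badge_ok / rex
    opened_at = {}    # door -> time the contact sensor reported "open"
    for e in sorted(events, key=lambda e: e["ts"]):
        door, kind, ts = e["door"], e["event"], e["ts"]
        if kind in ("badge_ok", "rex"):
            last_unlock[door] = ts
        elif kind == "door_open":
            unlock_ts = last_unlock.pop(door, None)  # one unlock covers one opening
            if unlock_ts is None or ts - unlock_ts > unlock_window:
                anomalies.append((ts, door, "opened without badge or exit request"))
            opened_at[door] = ts
        elif kind == "door_close":
            start = opened_at.pop(door, None)
            if start is not None and ts - start > max_open:
                held = int((ts - start).total_seconds())
                anomalies.append((start, door, f"held open for {held}s"))
    # A door that never closed again is the classic propped side entrance.
    for door, start in opened_at.items():
        anomalies.append((start, door, "still open at end of log"))
    return anomalies


if __name__ == "__main__":
    for ts, door, reason in find_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{ts.isoformat()} {door}: {reason}")
```

On the sample log this reports two events: the 08:14:41 opening held for 50 seconds and the 08:30:12 opening with no badge or exit request in the preceding 10 seconds. The thresholds are deliberately parameters; a loading dock and an office side door need different values, and the point of the script is to hand the security staff a short list of timestamps to check on camera rather than to decide on its own.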
Against shoulder surfing: awareness, awareness, awareness (32 times, Steve Ballmer style). And protocols. Most of these should address human behaviour (e.g. not leaving a computer unattended), but also the ways information is passed around (e.g. the stickers example).
Technological measures include good screen savers with a short delay that are easy to activate and require a password, as well as privacy screen overlays that make the screen viewable only from directly in front, not from the sides.
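A short screen-saver delay with a password on resume is only a countermeasure if it is actually set on the machines people leave unattended. As an added example (not from the page or its references), the script below audits that on Windows from the text that reg export produces for the user's desktop settings (HKCU\Control Panel\Desktop) and for the Group Policy key that overrides them (HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop); ScreenSaveActive, ScreenSaverIsSecure and ScreenSaveTimeOut are the real value names under both keys. The two exports and the 300-second limit are constructed for the example.

```python
"""Audit Windows screen-lock settings from 'reg export' output.

Added example, not the page's or Microsoft's code. Typical input is the
file written by  reg export "HKCU\\Control Panel\\Desktop" desktop.reg
(open real exports with encoding="utf-16"); the two exports below are
constructed sample input.
"""
import re

USER_KEY = r"HKEY_CURRENT_USER\Control Panel\Desktop"
POLICY_KEY = r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop"

# Constructed: screen saver on, but no password on resume and a 15-minute delay.
WEAK_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Control Panel\Desktop]
"ScreenSaveActive"="1"
"ScreenSaverIsSecure"="0"
"ScreenSaveTimeOut"="900"
"SCRNSAVE.EXE"="C:\\Windows\\system32\\scrnsave.scr"
"""

# Constructed: the same weak user settings, but a policy key that enforces
# a password-protected lock after 5 minutes and therefore takes precedence.
HARDENED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Control Panel\Desktop]
"ScreenSaveActive"="1"
"ScreenSaverIsSecure"="0"
"ScreenSaveTimeOut"="900"

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop]
"ScreenSaveActive"="1"
"ScreenSaverIsSecure"="1"
"ScreenSaveTimeOut"="300"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.+)$')


def parse_reg_export(text):
    """Return {key path: {value name: value as string}} for REG_SZ and dword values."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        km = KEY_RE.match(line)
        if km:
            current = km.group(1)
            keys[current] = {}
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            name, data = vm.groups()
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\")  # undo .reg backslash escaping
            elif data.startswith("dword:"):
                data = str(int(data[6:], 16))
            keys[current][name] = data
    return keys


def audit_screen_lock(keys, max_timeout=300):
    """Return a list of findings; empty means the screen locks acceptably.

    Policy values override user values, so the policy key is applied last.
    """
    effective = {}
    effective.update(keys.get(USER_KEY, {}))
    effective.update(keys.get(POLICY_KEY, {}))
    findings = []
    if effective.get("ScreenSaveActive") != "1":
        findings.append("screen saver not active")
    if effective.get("ScreenSaverIsSecure") != "1":
        findings.append("no password required on resume")
    timeout = effective.get("ScreenSaveTimeOut")
    if timeout is None:
        findings.append("no timeout configured")
    elif int(timeout) > max_timeout:
        findings.append(f"timeout {timeout}s exceeds {max_timeout}s")
    return findings


if __name__ == "__main__":
    for label, export in (("weak", WEAK_EXPORT), ("hardened", HARDENED_EXPORT)):
        print(label, audit_screen_lock(parse_reg_export(export)) or "OK")
```

The weak export produces two findings (no password on resume, 900-second delay); the hardened one produces none, because the policy key wins even though the user-level values underneath it are still weak. Checking the effective setting rather than just one key is the part that matters: an audit that reads only HKCU\Control Panel\Desktop would wrongly flag the hardened machine.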
References
- LONG, Johnny. No Tech Hacking: A Guide to Social Engineering, Dumpster Diving and Shoulder Surfing. Syngress, 2008
- MITNICK, Kevin, SIMON, William L. The Art of Deception: Controlling the Human Element of Security. John Wiley & Sons, 2002
- OOSTERLOO, Bernard. Managing Social Engineering Risk: Making Social Engineering Transparent. University of Twente, 2008
- Dumpster Diving. http://www.iss.net/security_center/advice/Underground/Hacking/Methods/WetWare/Dumpster_Diving/default.htm
- 10 Strategies to Prevent Tailgating. http://www.buildings.com/article-details/articleid/13274/title/10-strategies-to-prevent-tailgating.aspx
- BARNEY, Karen. Information Security: Who’s Looking Over Your Shoulder? http://www.privatewifi.com/information-security-who%E2%80%99s-looking-over-your-shoulder/
Study & Blog
- Find and describe an interesting case of "no tech hacking". Outline the most important lesson you learned from the case.