IRM PLC
Research & Development

Social Engineering

Introduction

Upon assessing the risks that an infrastructure faces, an organisation will typically consider the threats posed by the more common low-skilled, so-called 'script kiddies'. However, another more determined type of attacker exists, one that is motivated by money and is interested in corporate espionage or cyber-terrorism. Such people will not necessarily limit themselves to attacking an organisation using a network connection and often rely on other routes to attain a successful subversion.

The Alternatives

Most people are aware of the classic eighties movie 'War Games'. Its premise: a bored teenager uses his computer and modem to find other machines on the local telephone network, and inadvertently stumbles on a 'back door' into a military system. In the days prior to the internet, connecting to another computer by modem was one way that organisations could share information with each other. When the use of modems was more prevalent, the 'crackers' of yesteryear would dial a range of telephone numbers to look for modems where security on the attached device was weak. This approach is known as 'war dialling'.

Staying on the theme of movies, in 2000 the movie 'Takedown' was released. It told the story of how the infamous hacker Kevin Mitnick was tracked down and apprehended. While some technical skill was required, the majority of Mitnick's exploits came about as a result of 'social engineering'. Wikipedia defines social engineering as 'the practice of obtaining confidential information by manipulation of legitimate users'.

War Dialling

Since the internet became more widely used in the mid-1990s, the use of modems to connect different organisations and transfer information between systems has rapidly subsided. However, modems are still very much in use for legacy applications and for out-of-band access to key equipment where the internet cannot be relied upon. The justification often quoted for disallowing connections to equipment from untrusted sources such as the internet is that it would be too insecure. Unfortunately, with organisations' focus being placed on internet security, concerns regarding adequate protection of an organisation's telephony infrastructure (as well as long-forgotten dial-up services and engineering access to devices) can often fall by the wayside. It is usually the case that current staff are nervous about disconnecting remote services, as they are no longer sure why the service was originally implemented or what impact its removal would have.

So, motivated crackers, who will certainly explore all avenues of attack, will always consider these legacy routes into an organisation. Before any attack can begin, the cracker will need to generate a list of numbers to target. Some opportunistic hackers may just target a random telephone number range, whereas an attacker targeting a specific organisation will gather telephone numbers from press releases, company websites or internet registration databases, and then identify the range of numbers used by the target.

The next stage is for the attacker to dial the pool of numbers, usually in random order. This would usually be performed out of normal office hours, as a number of telephones ringing in succession would arouse the suspicions of staff, even those with the least security awareness. Once a range has been dialled, the attacker will then look through the results to verify which telephone numbers actually have modems attached. It is possible to configure most war dialling applications to grab the 'banner' (a text message detailing the name and details of the remote system) that is presented on connection to a modem. This can then either be pattern matched against a known list of banners (e.g. using the commercial Phonesweep product), or be manually compared by viewing the banners and applying specialist knowledge. The latter of these two approaches may not always provide the best results, as many protocols used over a dial-up connection keep all communications in a binary format or require specific connection parameters, and as such are not necessarily straightforward to interpret. On the flip side, the former approach is only as good as the set of banners being compared against. If these are lacking in depth, or are out of date, the tool will not be able to accurately identify services.

The results from a war dialling exercise can range from being able to gather information relating to an organisation right the way through to bypassing several layers of firewall devices and gaining access to the 'crown jewels' - an organisation's corporate network.

Social Engineering

As far as social engineering is concerned, there are many attack vectors that an attacker may pursue. These can range from extortion to bribery and from threatening a target to simply appealing to a person's better side in the hope of gaining further information. Multiple methods can be used to achieve the same aim. For instance, if an attacker wants to gain unauthorised access to a building, she could do any of the following:

•  Use common props such as a mobile phone or a cup of coffee, which subconsciously motivate people either to keep out of the way of a busy person or to assist and be helpful

•  Use a visitor's pass that has been discarded close to their target building

•  Purport to be someone else, such as a contractor. Uniforms worn by telco staff usually work well

None of the above approaches require a great deal of technical ability. A small amount of self-confidence and a convincing story can often be the only skills required to gain access to a building.

While the above would be useful in gaining access to a building, social engineering is commonly used in order to gain access to information by telephone. Two example scenarios that IRM have successfully demonstrated are highlighted below:

•  Unblocking a barred mobile telephone without providing any security information

•  Receiving a temporary SecurID passcode as the caller had 'left their token in the office'

The individual performing a social engineering exercise should be carefully selected, along with the approach that they are going to take. The individual should be confident, and be able to think on their feet. Additionally, the plan should detail the information the exercise aims to obtain, and what information the social engineer is prepared to give out in order to obtain it.

One of the most important parts of planning a social engineering exercise is to come up with an 'exit strategy'. It is often the case that the first attempt to socially engineer an individual will result in failure. In order to ensure that suspicions are not raised, the social engineer should ensure that they have a way of ending the interaction without further raising the suspicions of the victim. An exit strategy can take a variety of forms, from having to take another urgent call in the case of a telephony-based attack, to using a planned excuse in a physical attack.

Defences

Whereas war dialling is a technical attack, social engineering is very much non-technical. As such, the defences to take against such attacks will greatly differ.

For war dialling, as with other technical areas of information security, a multi-layered approach should be taken.

Before technical measures can be implemented, policies and procedures need to be developed. Any request for an analogue telephone line (needed for a modem) should be justified with a business case and signed off by a manager. Where a requirement exists for a DDI (direct dial-in number) to be assigned to an analogue line (i.e. inbound calls permitted), this should be examined closely to ensure that the organisation as a whole is not put at risk. Where possible, equipment assigned a DDI should not be connected to the telephony and LAN infrastructure at the same time.

From a technical point of view, there are several defence options. Where the investment in additional hardware and software is not available, regular audits should be performed to verify that the analogue lines configured on a PBX are indeed supposed to be there, and that any business requirements are still valid. Wherever possible, 'call back' security should be implemented on modems receiving calls from outside of the organisation as an additional measure.
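The policy and audit steps above (a signed-off business case for every analogue line, close scrutiny of inbound DDIs, no DDI equipment on the LAN, call-back on inbound modems) can be checked mechanically against a PBX line export. The script below is an added example, not IRM's own tooling: the PBX export, the business-case register, the port names and the audit date are all constructed, and the record layouts are assumptions rather than any real PBX's export format.

```python
"""Audit a PBX's analogue lines against the approved business-case register.

Added example, not IRM's own tooling: the PBX export and the register below
are constructed, and their record layouts are assumptions rather than any
real PBX's export format. The checks follow the policy described in the
article: every analogue line needs a signed-off business case, inbound
DDIs deserve extra scrutiny, DDI equipment should not also sit on the LAN,
and inbound modems should use call-back.
"""
from dataclasses import dataclass
from datetime import date

# Constructed PBX export: one record per analogue port. A port with a DDI
# accepts inbound calls; 'lan_attached' comes from the asset inventory.
PBX_LINES = [
    {"port": "A01", "ddi": "02079460101", "lan_attached": False, "callback": True},
    {"port": "A02", "ddi": "02079460102", "lan_attached": True,  "callback": False},
    {"port": "A03", "ddi": None,          "lan_attached": False, "callback": False},
    {"port": "A04", "ddi": "02079460104", "lan_attached": False, "callback": False},
    {"port": "A05", "ddi": "02079460105", "lan_attached": False, "callback": True},
]

# Constructed register of business cases, keyed by PBX port.
REGISTER = {
    "A01": {"purpose": "PBX vendor support modem", "approved_by": "J. Bloggs", "review_by": date(2026, 1, 1)},
    "A02": {"purpose": "Building management system", "approved_by": "J. Bloggs", "review_by": date(2024, 6, 1)},
    "A03": {"purpose": "Reception fax machine", "approved_by": "A. Smith", "review_by": date(2026, 1, 1)},
    "A05": {"purpose": "Legacy billing system", "approved_by": None, "review_by": date(2026, 1, 1)},
    "A09": {"purpose": "Decommissioned alarm dialler", "approved_by": "A. Smith", "review_by": date(2026, 1, 1)},
}

AUDIT_DATE = date(2025, 1, 1)  # constructed 'today' so the result is reproducible

@dataclass(frozen=True)
class Finding:
    port: str
    severity: str  # "high" or "medium"
    issue: str

def audit(lines, register, today=AUDIT_DATE):
    """Return the list of policy breaches found across the PBX and the register."""
    findings = []
    seen = set()
    for line in lines:
        port = line["port"]
        seen.add(port)
        entry = register.get(port)
        if entry is None:
            findings.append(Finding(port, "high", "analogue line with no business case on record"))
        else:
            if not entry["approved_by"]:
                findings.append(Finding(port, "high", "business case not signed off by a manager"))
            if entry["review_by"] < today:
                findings.append(Finding(port, "medium", "business case overdue for review"))
        if line["ddi"]:  # inbound calls are possible on this line
            if line["lan_attached"]:
                findings.append(Finding(port, "high", "inbound DDI on equipment that is also connected to the LAN"))
            if not line["callback"]:
                findings.append(Finding(port, "medium", "inbound modem without call-back security"))
    # Register entries with no matching port: the line went, the paperwork stayed.
    for port in sorted(set(register) - seen):
        findings.append(Finding(port, "medium", "register entry for a port no longer present on the PBX"))
    return findings

def summary(findings):
    """Count findings by severity."""
    return {sev: sum(1 for f in findings if f.severity == sev) for sev in ("high", "medium")}

if __name__ == "__main__":
    results = audit(PBX_LINES, REGISTER)
    for f in sorted(results, key=lambda f: (f.severity != "high", f.port)):
        print(f"{f.severity:6} {f.port}: {f.issue}")
    print(summary(results))
```

Run as a scheduled job against the real PBX export, the high findings are the ones to chase first: an unknown line, an unsigned business case, or DDI equipment that is also on the LAN each represent a route straight past the perimeter.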

Where further investment is available, the implementation of a 'voice firewall' could be considered. A firewall for voice traffic is analogous to an application-layer firewall in networking terms: rather than simply looking at the source and destination of a call, the voice firewall should also be able to detect the type of traffic (data, fax or voice) for a particular call and make a policy-based decision as to whether the call should be permitted.
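To show what the policy decision described above looks like in practice, the following is an added example and not any vendor's product or configuration. It evaluates a first-match rule set over source number, dialled DDI, call type and time of day, and then runs a simple check over the resulting log for the pattern an out-of-hours war dialling run leaves behind (one source making denied data calls to many DDIs). The rule format, the call records and the telephone numbers (UK drama ranges 01632 960xxx and 020 7946 0xxx) are constructed, and the call type is assumed to have been classified already by the firewall's line-signal analysis.

```python
"""First-match policy evaluation for a 'voice firewall', plus a simple
war-dialling detector over its call log.

Added example, not any vendor's product or configuration: the rule format,
the call records and the telephone numbers are constructed (UK drama ranges
01632 960xxx and 020 7946 0xxx). The call type (voice, fax or data) is taken
as already classified by the firewall's line-signal analysis.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import time

@dataclass(frozen=True)
class Call:
    src: str   # calling number as presented, or "withheld"
    dst: str   # dialled DDI
    kind: str  # "voice", "fax" or "data"
    at: time   # local time of the attempt

@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    kind: str = "*"        # call type, or "*" for any
    src_prefix: str = "*"  # calling-number prefix, or "*" for any
    dst: str = "*"         # exact DDI, or "*" for any
    hours: tuple = ()      # (start, end) inclusive window, or () for any time

    def matches(self, call):
        if self.kind != "*" and self.kind != call.kind:
            return False
        if self.src_prefix != "*" and not call.src.startswith(self.src_prefix):
            return False
        if self.dst != "*" and self.dst != call.dst:
            return False
        if self.hours and not (self.hours[0] <= call.at <= self.hours[1]):
            return False
        return True

# Constructed policy. Order matters: the first matching rule decides.
POLICY = [
    # Vendor support modem: data calls only from the vendor's range, office hours.
    Rule("permit", kind="data", src_prefix="01632960", dst="02079460101", hours=(time(8), time(18))),
    Rule("permit", kind="fax", dst="02079460103"),  # the one fax line
    Rule("deny", kind="data"),   # no other inbound data calls anywhere
    Rule("deny", kind="fax"),    # fax only to the fax line
    Rule("permit", kind="voice"),
]

def decide(call, policy=POLICY):
    """Return (action, rule) for the first matching rule; deny if none matches."""
    for rule in policy:
        if rule.matches(call):
            return rule.action, rule
    return "deny", None

def suspected_sweeps(calls, policy=POLICY, min_targets=3):
    """Sources whose denied data calls hit at least min_targets distinct DDIs,
    the pattern a war-dialling run leaves in the log."""
    targets = defaultdict(set)
    for call in calls:
        if call.kind == "data" and decide(call, policy)[0] == "deny":
            targets[call.src].add(call.dst)
    return {src for src, dsts in targets.items() if len(dsts) >= min_targets}

# Constructed call log.
CALLS = [
    Call("01632960123", "02079460101", "data", time(10, 0)),   # vendor, in hours -> permit
    Call("01632960123", "02079460101", "data", time(22, 0)),   # vendor, out of hours -> deny
    Call("withheld",    "02079460101", "data", time(10, 0)),   # unknown source -> deny
    Call("01632960999", "02079460103", "fax",  time(11, 0)),   # fax to fax line -> permit
    Call("01632960999", "02079460105", "fax",  time(11, 0)),   # fax elsewhere -> deny
    Call("01632960999", "02079460105", "voice", time(11, 0)),  # ordinary voice call -> permit
    # Overnight data calls walking through the DDI range -> denied and flagged.
    Call("01632960777", "02079460102", "data", time(2, 0)),
    Call("01632960777", "02079460104", "data", time(2, 1)),
    Call("01632960777", "02079460106", "data", time(2, 2)),
    Call("01632960777", "02079460107", "data", time(2, 3)),
]

if __name__ == "__main__":
    for call in CALLS:
        action, rule = decide(call)
        print(f"{action:6} {call.kind:5} {call.src:>12} -> {call.dst} at {call.at}")
    print("suspected sweeps:", suspected_sweeps(CALLS))
```

The design point is the default: the only permitted data call is the one the business case justifies, from a known source and within hours, so a modem that nobody remembers installing is unreachable even if the PBX audit has not caught up with it yet. The sweep check is deliberately crude; a withheld calling number defeats it, which is one reason the audit of the lines themselves comes first.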

Social engineering by its very nature is targeted at people, and consequently this is where defence measures should be implemented. Unfortunately, whilst a computer will do whatever it is programmed to do, human beings will not necessarily act in a controlled manner.

As with technological defences, human defences need to be multi-layered and regularly reinforced. The first step is to develop policies defining how staff should act when dealing with sensitive information. Additionally, where staff are dealing with particularly sensitive information (e.g. information covered by the Data Protection Act), additional training may be needed to ensure that staff are aware of their responsibilities. Simply stating that information should remain confidential as a clause in an employee's contract is not enough. The methods through which social engineers gather information are multi-layered and well thought out. Protective measures need to take these multi-faceted attack vectors into account, and regular security awareness training should be presented throughout the organisation.

Although policies and procedures will not take into account every eventuality, where a member of staff feels that a policy should be circumvented (this may be due to exceptional circumstances or for a legitimate business reason), the request should be forwarded to a manager, and not acted upon in isolation by the employee concerned.

Conclusions

The concept of social engineering has been around in different forms for many years. Since the early days of human existence, so-called confidence tricksters have been defrauding people. The practice is likely to increase in today's society. As the techniques used by social engineers develop, so should policies, along with their adequate validation. Organisations carry out regular penetration tests against their systems and applications; the same is rarely true for social engineering engagements. Companies should consider commissioning regular 'scenario-based' attacks on critical and sensitive areas of their operations.

With the advent of the internet, organisations are relying less and less on modems for communication, instead choosing to rely on access control methods involving a combination of firewalls and Virtual Private Networks. However, the areas where modems are still in use often contain sensitive systems (typically third-party engineering support for devices such as PBXs, legacy hardware, SCADA systems etc.) and therefore require appropriate measures to be taken to ensure that access is restricted only to authorised users.

Author Steve Darrall - Posted November 2005

8th Floor Kings Building, Smith Square, London, SW1P 3JJ
Tel: +44 (0)20 7808 6420 Fax: +44 (0)20 7808 6421 Email: enquiries@irmplc.com
Copyright © 2008 IRM Plc.