A conference on social engineering
A few days ago I had the opportunity to attend a presentation by Kevin Mitnick — yes, the ex-hacker who was the #1 on FBI’s most wanted computer criminals list when he was captured in 1995. He now owns (guess what) a security consulting company.
As someone who has always been interested in social engineering and confidence tricks (not that I can/want to perform them myself), I took copious notes, which I’ll try to digest and present here for you and for my own future reference.
It must be noted that Kevin’s job title is both “security consultant” and “public speaker”. And the first thing that makes you notice how thoroughly he has embraced that second part is the intro video he has for his presentations: a carefully crafted short, resembling a trailer for an archetypal heist film, with characters such as “the spy”, “the electronics expert” and “the femme fatale” (lol), and referring to Kevin as “the greatest hacker of all time” (seriously, I’ll try to find this video online and post a link here. If you know where I can find it, please add it in the comments), etc. It is somewhat cheesy, as you can guess, but it seems that was done on purpose: he knows it amuses people by being over the top with all those recognizable clichés. I wasn’t so amused with the actual slideshow’s intro animation, though, but that’s a minor detail. Moving on…
Kevin started by identifying the target of his talk: the human factor in IT security. Then he told the story of Stanley Rifkin, who in 1978 committed what was then the largest bank robbery in U.S. history (over $10 million), using only social engineering techniques. It’s a fantastic story, ending with him being captured after trying to make even more profit by selling diamonds bought with the stolen money.
Kevin then moved on to explain what social engineering is exactly: a set of techniques aimed at psychologically manipulating people who possess or have access to important information or assets, in order to convince them to hand them over, many times not even realizing the value of the asset being handled (which is understandable, as these are often mere pieces of a puzzle that the con man puts together to achieve his ultimate goal).
Social engineering, Kevin says, is a serious threat, as it “bypasses all technologies”: it doesn’t matter what security measures you’ve protected your data with; if anyone who has access to it can be convinced to reveal it to an impostor impersonating a legitimate person who would have access, then the ultra-advanced security measures are useless.
Kevin says that hackers will look for the weakest link in the security: if it’s the technology, they’ll attack there, but if it’s the people, they’ll use social engineering to achieve their goals. That is, they’ll obtain sensitive information by gaining the trust of insiders, rather than breaking into the system. And this allows them to perform the scam at very low cost; in fact, a common method of attack is to use the company’s toll-free number, which is rather ironic: the company is getting attacked, and it’s even paying for the call!
What makes social engineering so effective is the general lack of awareness about its existence or techniques. And sometimes, it relies on plain cluelessness of the insiders: as Kevin put it, there’s no patch for stupidity. The statistics he presented are worrying: nearly 100% of social engineering attempts are effective. He mentioned a survey made in the street to assess the amount of personal data people would give away, which revealed that over 90% of people would happily provide (to a complete stranger) either their full name, password, date of birth, the school they went to or their phone number, in exchange for a ticket to a show, or a few bucks, or even a chocolate! This shows that people are very prone to give away information that’s seemingly innocuous, but that when put together by an impostor would allow their impersonation in order to perform a scam.
Next Kevin talked about common methods of attack: from simple tricks such as “hi, I’m John from accounting; I changed my password last week but can’t remember it, can you please reset it?”, up to elaborate phishing scams based on intercepting calls (e.g. to a bank’s customer service) and acting as a man in the middle, without either of the parties (the user and the system they’re interacting with) knowing. I was surprised to learn that Fon routers (n.b.: I am a Fon user myself) have been used in so-called “pocket phisherman” scams, where the router’s firmware is altered to intercept an internet connection and perform data injection (e.g. replacing a secure https login page with an open http one, and then capturing the login data as it is transmitted).
Then, after mentioning trojans, he made an impressive demonstration of a variation of the concept, which uses an ingenious propagation mechanism: a simple USB drive, which anyone could find in the street and think “oh, I’m not dumb, I’m not going to execute anything from here; I’ll delete all its contents, scan it with my anti-virus and snap, I’ll have a new pen drive”. Well, he simply put it in the USB slot of one of his demo laptops, and seconds later (without any action whatsoever!) a second demo laptop acquired access to the first one’s desktop, using a reverse VNC connection. That was scary…
He also talked about websites or files (e.g. pdfs or MS Office files) with malicious scripts that take advantage of security vulnerabilities in the operating system or the browser. As with the above examples, this is a hybrid scam: the trick here consists in convincing the person to open the file or website. He mentioned the case of a Google employee who opened an infected website using IE6 (how come there’s someone at Google using IE6?? I hope that was just for compatibility testing) and got his computer infected with malware.
In another example, he demonstrated a common technique used by social engineers: when faced with an unexpected request from the victim, the hacker calmly acts as if he’s going to comply, and then comes up with a way to work around the issue. For example, if the victim offers to stop by the office of the person the hacker is impersonating, he initially says “sure”, but then subtly hints that it’s easier and faster over the phone. A similar trick was mentioned in the initial story of Stanley Rifkin, where they asked him for a piece of information he didn’t have, and he calmly replied “gimme a sec, I’ll look it up and call you back”. (Of course, he then changed hats and called the person pretending to be from IT support or something alike, and got the piece of information he needed.)
Next Kevin told the story of his own hack from 1993, when he managed to get the source code for the firmware of the Motorola StarTAC mobile phone, which back in the day was pretty much as hyped as the iPhone was when it was launched (to give us an idea, he mentioned that the phone cost about $2,000). He didn’t even plan it; he just got out of work one day and thought he’d give it a try. As he walked home, he took his cellphone and called Motorola’s customer support line, looking for the lead developer. After a series of forwarded calls and a few identity changes, posing as a Motorola researcher, he ended up on the phone with Motorola’s VP of R&D himself.
From him, he got the name and contact of the lead developer, who was away from the office, so he contacted her assistant. Taking a wild guess, he assumed the developer was on vacation, and told the assistant that before leaving she had promised to send him a few files, for technical purposes; he was right, she had left for a week, so that “insider” knowledge helped build the assistant’s trust in him and increased the plausibility of his story. After offering to help her merge all the files and folders into a single .tar.gz file, he further instructed her on how to send the archive to him via FTP. As he couldn’t give her the URL of his server, since that would give him away, he provided her with the direct IP address.
However, complications arose. The system had security restrictions that prevented files from being transferred to locations outside the internal network. She said she’d contact the IT security manager, and before he could protest, she put him on hold. After several tense seconds, he heard her voice again, telling him that there was a workaround, using a proxy server outside the company’s firewall. She had been given the username and password for the proxy, so the file transfer was completed. And thus Kevin arrived home, a mere 20 minutes after leaving work, finding the source code to the most hyped cellphone of the time sitting on his server waiting for him. And he had used no technical hacks whatsoever!
Using this fantastic story as a case in point, he went on explaining the basics of the security breaches (“holes in the human firewall”, he called them) that are exploited in social engineering scams:
- people naturally want to be helpful
- people tend to use the same password they already had when forced to “reset” it (by a hacker posing as someone from the IT department)
- overly strict password requirements may make people write their password down since they can’t memorize it
- people suffer from the illusion of invulnerability (“it won’t happen to me”)
- a hacker makes himself trustworthy by revealing insider information he has gathered, and that the victim already knows
- many pieces of information are incredibly easier to gather than people might assume, such as person’s full name, position in a company, social security number, work/vacation schedules, etc.
- a hacker makes himself likable by faking common interests with the victim or offering favors
- often simply calling random people and asking “Hi, I’m calling from the IT dept., did you have a problem?” will end up reaching someone who actually has a common problem and will happily take the help (even if they hadn’t reported it in the first place) and then reciprocate the favor
- a hacker makes himself credible by working around pieces of information he doesn’t have, and keeping a plan B to “escape” (withdraw the request without raising suspicion)
- new hires are likely to be the weakest link: they want to cooperate and get along with their coworkers, and don’t know most of the personnel, which makes it less likely that they’ll raise an eyebrow when contacted by “John from finance”
- dumpster diving (searching for pieces of information in the trash, in corporate areas) might be surprisingly effective. Hand-ripped paper can easily be put back together, like a puzzle. And it’s not illegal!
Kevin finished by listing a few of the ways companies can become more resistant to human errors in security, such as:
- Getting top management to embrace the idea, for instance by demonstrating a staged attack to reveal vulnerabilities
- Changing the rules of politeness (it’s ok to say no)
- Using technology whenever possible to remove employee decision-making in security issues (for example, having a machine receive and compare a password or secret question’s answer, instead of a human)
- Using reverse social engineering (hack the hackers!)
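The third recommendation above (let a machine receive and compare the secret, not a human) and the earlier observation that people hand their old password to whoever “resets” it both come down to the same design: the help-desk tool should return only a yes/no to the agent, and a reset should hand out a random one-time value rather than accept anything the caller proposes. The following is an added example of that flow, not something Kevin presented; the in-memory `Directory` class, the PBKDF2 parameters and the three-strike lockout are my own assumptions for illustration.

```python
"""Added example: help-desk identity verification where no human ever sees or
compares the secret, and a password reset that issues a random one-time value
and refuses reuse of earlier passwords.  Storage is an in-memory dict and the
parameters (rounds, lockout threshold) are assumptions, not anyone's policy."""
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 100_000   # assumption; tune to your hardware
MAX_ATTEMPTS = 3          # failed answers before the record locks


def _hash(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ROUNDS)


def _normalize(answer: str) -> str:
    # Security answers are compared case- and whitespace-insensitively so a
    # spoken answer typed by the agent still matches; passwords are not normalized.
    return " ".join(answer.split()).lower()


class Directory:
    """Per-user record: salted hashes of the current password, of every
    previous password, and of the security answer, plus a failure counter."""

    def __init__(self):
        self._users = {}

    def enroll(self, user: str, password: str, answer: str) -> None:
        salt = os.urandom(16)
        self._users[user] = {
            "salt": salt,
            "pw": _hash(password, salt),
            "history": [_hash(password, salt)],
            "answer": _hash(_normalize(answer), salt),
            "fails": 0,
            "locked": False,
            "must_change": False,
        }

    def verify_caller(self, user: str, answer: str) -> bool:
        """Called by the help-desk tool: the agent types what the caller says
        and gets back only True or False, never the stored answer."""
        rec = self._users.get(user)
        if rec is None or rec["locked"]:
            return False
        ok = hmac.compare_digest(rec["answer"], _hash(_normalize(answer), rec["salt"]))
        if ok:
            rec["fails"] = 0
        else:
            rec["fails"] += 1
            if rec["fails"] >= MAX_ATTEMPTS:
                rec["locked"] = True   # from here on: out-of-band verification
        return ok

    def reset_password(self, user: str, answer: str):
        """Issue a random one-time password.  The caller cannot ask for 'the one
        I already had', and the agent never chooses or learns a reusable value."""
        if not self.verify_caller(user, answer):
            return None
        rec = self._users[user]
        temp = secrets.token_urlsafe(12)
        rec["pw"] = _hash(temp, rec["salt"])
        rec["history"].append(rec["pw"])
        rec["must_change"] = True
        return temp

    def change_password(self, user: str, old: str, new: str) -> bool:
        """Self-service change after a reset; rejects any previously used password."""
        rec = self._users[user]
        salt = rec["salt"]
        if not hmac.compare_digest(rec["pw"], _hash(old, salt)):
            return False
        new_hash = _hash(new, salt)
        if any(hmac.compare_digest(new_hash, h) for h in rec["history"]):
            return False   # same as the temporary one, or an old password
        rec["pw"] = new_hash
        rec["history"].append(new_hash)
        rec["must_change"] = False
        return True


if __name__ == "__main__":
    d = Directory()
    d.enroll("alice", "Winter2024!", "Rover")
    print(d.verify_caller("alice", " rover "))          # True
    temp = d.reset_password("alice", "Rover")
    print(d.change_password("alice", temp, "Winter2024!"))  # False: old password rejected
    print(d.change_password("alice", temp, "correct-horse-9"))  # True
```

The point of the split is that the agent’s screen shows only the verdict: an impostor who talks a friendly agent into “just reading me the answer on file” gets nothing, because the agent cannot see it either, and a caller who says “just set it back to what it was” cannot be accommodated, because the tool does not take a caller-supplied password at all.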
The Q&A session at the end was also very good; there were many great questions (is it safe to store data in the cloud? are password managers a security risk? is biometric equipment worth its cost? has Kevin ever been hacked himself?) and Kevin answered them very well (and yes, his website has been hacked a few times; since then he has moved to a more secure hosting company).
In the end, Kevin personally handed each of us his business card, which is made of metal (a nice touch for a security company) and is also an ultra-portable lock-picking kit! All in all, the whole conference was a very enjoyable experience. I’ll definitely buy his books if I get the chance.