People, Your Weakest Link: Social Engineering Vulnerabilities
Ian Mann
Following instructions
Whilst most people consciously believe they are independent thinkers, the reality is that it is easy to get people to follow instructions.
Last summer I was presenting at the annual British Computer Society (BCS) security conference in Birmingham. My particular presentation slot was after a large lunch and the last in a group of three. The session before mine, which I thought very interesting, was a legal update. However, it was clear that the mainly technical IT audience had not come to listen to a lawyer and many were beginning to enter deep concentration (of the type that involves intently listening with your eyes closed).
I decided that I needed something a little different to get everyone's attention, so when I was introduced, rather than stay at the podium, I jumped down and approached the audience. Given that the audience consisted of about 150 people, I could be heard without the microphone. I started with, “Now, I know many of you will have heard that I may be putting you into hypnosis in this session.”
Actually, this was not the case at all. However, combined with me approaching the audience up close, it did get their attention.
I continued, “I can assure you that I will not be using hypnosis,” not strictly true, depending upon your understanding of hypnotic states, “but to begin with could you all please stand up?” With my obvious expectation of compliance and my close proximity, everyone complied and stood. Beyond my prompting, this exploits an anticipated group dynamic: people in general want to avoid the embarrassment of being singled out, so once a few people start to stand up, the rest soon follow.
I then returned to the podium, and announced, “In this presentation, we shall be examining just how easy it is to get people to follow your instructions. You can now all sit down.”
In fact, with the exception of the chairman, the whole panel had also stood up.
Despite our belief that we don't follow instructions, the reality is that for every time you refuse, there are literally thousands of times when you comply. From early childhood, through school, and into employment, we naturally follow instructions.
It is not by accident that military training involves intensive repetition in following instructions and acting as a group in compliance with senior officers. Drilling is exactly that: drilling the mind to be compliant with instruction. An army would not function if, when given the instruction to attack the enemy, individuals wanted to debate the merits of the particular strategy being suggested.
Ignorance
Most people are compliant with instruction when they feel ignorant about the situation they are in. Irrespective of your own level of IT knowledge, you will recognize that the majority of people feel relatively ignorant of IT systems, especially when they feel that someone else knows more than they do. Given that a high proportion of social engineers also have good technical knowledge, they can use this to obtain compliance: in most cases a normal user will follow an instruction when they perceive that it originates from an expert. Don't confuse this ignorance with lack of intelligence; it is a localized feeling related to the specific circumstances in which the target finds themselves.
Nor should you fall into the trap of believing that social engineering only works against people of lesser intelligence—this is not the case. In my work with the UK government, I recently reviewed some official documentation where it was stated that social engineering was “an attempt to exploit the naivety of users,” followed by the statement that “education is the only effective way to directly protect against social engineering”. As you will see as we explore the issue in more depth, the author of this document is wrong in both cases.
The document went on to give the reassurance that a “well-secured network” will reduce the impact of a successful social engineering attack. I see very little evidence to support this statement.
Gullibility
An interesting characteristic of people's gullibility is that it tends to increase as the benefits on offer become more attractive.
One example is the 419 scam (the 419 refers to part of the Nigerian Criminal Code dealing with fraud) where you receive an email from a relative of an African prince (or similar) who has a plausible (NOT) story of millions of pounds that are tied up in a bank account somewhere. They have chosen you to help them simply transfer the funds via your bank account, for which you shall receive a “modest” payment of perhaps a million. I am working here in pounds sterling where a million is still a tidy sum. Please feel free to add some extra zeros if your local currency is heading rapidly towards devaluation.
You may be thinking that this is now so well known that people cannot possibly be falling for it. However, in our filtering of emails, we still see a significant number of these very obvious attacks. Their consistent usage, with very little variation, is a good indication that people are still being caught out.
As you probably have heard, if you fall for the scam, as the promised transfer day arrives there is a “small” hiccup that requires you to pay a small amount to receive the millions into your account. Of course the money doesn't arrive, and the hiccups get larger, as you are sucked deeper into the scam.
Some individuals have been lulled into paying out their life savings. There are a couple of interesting observations in relation to this particular scam:
- Even though this type of attack is so well known, many scams still say they are acting on behalf of someone in Nigeria. Enough people are still drawn in that the fraudsters haven't even felt the need to change the country in the story.
- In some cases where the police have got involved, the victims have blamed the police for stopping the transaction. Despite being presented with the truth of the scam, they still believe that the story was genuine and they were only days away from riches.
It really does appear that the greater the promise, the more our conscious logical processes give way to subconscious greed, which is why more people can tell you what they would do with their lottery winnings than could explain the almost non-existent probability of actually winning.
Desire to be liked
The desire to be liked is common to all of us and has been exploited by many sting operations. Foreign diplomats have, on occasion, been tricked into divulging information by the amorous advances of a particularly attractive individual. Just as logic breaks down as the promised financial gain increases in a lottery scam, a similar breakdown of conscious critical thought can often be observed in “romantic” circumstances.
Being helpful
Being helpful involves more than simply holding the door open for people, which helps tailgating criminals enter your building. In a work context we are usually encouraged to be helpful to fellow employees.
Even office politics and conflict are usually put to one side for new employees. Think back to your first day in a new job and how you felt, and you will find yourself extra helpful to the new employee who asks for help (for “help”, read “confidential information”).
Masquerading as a new employee is a particularly effective role for a social engineer. They are new and so you do not expect to recognize them. In addition, you would expect them to be asking for information, and do not particularly question any lack of knowledge of the way things are usually done; particularly good for targeting the IT helpdesk, where they have been trained to be especially helpful. In addition, the helpdesk staff are used to such routine tasks as resetting passwords—another useful avenue for a social engineer to exploit.
Let me walk you through an example of just how easy it is, by focusing upon people's vulnerabilities, to walk into the London head office of a major international bank, bypass all their security measures, and find yourself sat at a computer logged into the network.
The Risks Associated with Vulnerabilities
The following was achieved with just one hour of preparation and included bypassing a number of security countermeasures, including:
- police ‘anti-terrorist’ security check
- reception sign-in
- swipe-card entry system
- security guards
- internal entry controls
- IT network access controls.
Case Study: Police “Anti-Terrorist” Security Check
I arrived in a black cab, dressed in an appropriately financial type of suit, conservative tie, clean shaven, all designed to help build initial trust. The large leather briefcase was ignored because I obviously didn't look like a threat, even to the heavy police presence in the City of London.
Reception
Our previous reconnaissance had uncovered a significant vulnerability: reception was giving out printed cards for visitors, permitting access to certain areas. These passes were then shown to the security guards to allow visitors through the swipe barriers. This potentially reduces the benefit of an expensive swipe entry system, simply to save employees from having to come to reception and escort visitors. I had arranged a prior meeting to see an employee which enabled me to retain the visitor badge and pass by avoiding handing them in when I left (I tailgated a group of departing employees).
Scanning the visitor badge and pass, with some simple editing on a standard PC, enabled duplication of the badge with the correct date for the intended social engineering test.
Risk 1: will they change the colour of the pass each week/day? This was a risk that I accepted. The threat was reduced with some diversionary tactics based on the security guard expecting the correct pass, reinforced by approaching from the correct direction (the reception desk).
The trick was to approach the security guard from reception. Having had a conversation that looked to the security guard as if I was signing in as an official visitor, I then turned, placing the badge on the suit as if the receptionist had just issued it. I kept the pass hidden as long as possible from the security guard in case it was the wrong colour.
Of course the conversation with the receptionist was a cover. I actually asked a question about whether she could tell me if another employee had arrived yet. A few other pleasantries made up the time of a typical sign in. She assumed I was an employee as there are so many she couldn’t recognize them all. Also, I knew the turnover of support staff is high in this area of London. I kept my back to the security guard during this conversation. A quick observation of other employees arriving (the exercise was timed for 8:45am to give some cover) showed a number carrying takeaway coffees; behaviour which I copied, carrying a coffee into an office makes you look more like an employee than a visitor (or a threat!).
The Security Guard
I turned towards the security guard, pinning the badge on the pocket. This looked to the guard as if I was a visitor and, since my back was turned to the receptionist, she still assumed I was an employee.
The pass to get through the gates was still a risk: had they changed colour, and had the guard noticed the fake? However, good use of the heavy bag and juggling a large coffee allowed the pass to be shown only briefly. Telling the guard, “I’ve been told you have to let me up to the 12th floor,” helped to reinforce what I required from him. You can rely on UK companies employing low-paid security guards, on long shifts, with little training. As an example of attention to detail, even my tie design was chosen to distract the guard away from the badge and reduce the possibility of him spotting that the pass was the wrong colour.
The addition of a security guard was a security mistake. Designed to add security, he was actually the mechanism that enabled access.
Risk 2: would the receptionist notice I had been allowed through by the security guard and not just swiped through as the employee she thought I was? This was an acceptable risk as it was a busy time of the day and she probably would not notice. Most people in repetitive roles are working almost exclusively in the subconscious and don't notice things like this.
Internal Entry Controls
The difficult part was done. I was in the heart of the building with plenty of people moving around. I removed the badge in the lift, to become an employee again. Some simple tailgating with others allowed for free movement within the offices and through swipe-card entry doors.
I headed for the executive floor and presentation areas next. Here, some computers were helpfully left switched on and logged in with open access to the computer network.
Exercise achieved.
So, was this an exceptional example?
No! This is the norm in organizations, of all sizes, across all sectors. The required techniques may be different every time, yet the principle that security countermeasures are weak, and usually ignore the human (social engineering) element is almost universal.
Fraudsters have long recognized that people are the weakest link in security and continue to target them, often in the home. One such scam involved the targeting of families of serving US military personnel. A telephone call informs them that they are due a $4000 refund on their taxes. They are told they must pay a fee to cover postage, and are then asked for credit card details to cover the payment. A feature of this type of attack is that the individual amounts stolen are often small, yet apply to large numbers of people, so each case often falls under the “worth investigating” threshold of the criminal justice system.
In these, and similar cases, the attacker is assuming an identity that either generates trust or authority. It’s very easy to convince someone of a false identity, and we very quickly trust what someone tells us as being the truth.
Let me further illustrate the weak links provided by people with a short story. This example reinforces just how hackers will exploit human weaknesses.
You should be able to spot similarities with your own organization, and where similar weaknesses may be found. I have called the target organization CriticalX. Clearly any resemblance to similar organizations is purely coincidence.
Attacking CriticalX
Background
CriticalX is a young, entrepreneurial IT organization that has grown out of a web design company. Like many web design companies, they have responded to their clients’ requests and moved into new areas of functionality. Skills in interface design have enabled them to sell a wide range of systems with some important functionality for their clients. They now employ 200 people and are growing rapidly.
One particular area of growth is the provision of a Human Resource system “PeopleEasy” for a range of organizations. Their business model is straightforward, with web-based applications accessed across the Internet by their clients. They have found these systems relatively easy to sell, using the case study examples of high-profile clients on their website to attract new business.
A key feature of the sales process involves selling directly to the HR department. They are able to demonstrate the application quickly during the sales visit from any Internet enabled PC. HR departments are usually well aware of the need to keep their information confidential. CriticalX have recognized this and make a point of highlighting the padlock in the corner of the browser when demonstrating the system to potential customers, as this shows the site is “as secure as online banking”. This reassurance, however hollow, combined with an impressive client list, case studies and a well-designed application make a compelling case for an HR department. These selling points are delivered by a sales team that is conversant with the finer persuasion skills covered in detail in my book.
Another point worth noting here is that CriticalX are managing to sell into organizations with well-developed security functions within their IT departments. And yet, they never get asked security questions as part of the sales process. Why is this?
Very simply, the clients’ IT departments never get involved in the commissioning or implementation of this system. Implementation doesn't require the IT department (used as a key selling point by CriticalX) which means that any nominal security controls around system acquisition can be conveniently bypassed.
Why Target CriticalX?
Why would this small organization be of particular interest to a skilled attacker, HackerZ? Because of their clients; holding all the relevant human resource information about an organization can make you a key target.
In this case the ultimate target is not CriticalX at all, but one of their clients. The attacker is constructing a large and relatively complex attack on BankY (an attractive target). The attacker, recognizing that the human element of an attack will be crucial, is building up a profile of BankY’s employees. A first step in constructing a social engineering attack is to identify key suppliers. CriticalX’s online case studies, including details of the service supplied to BankY, are of particular interest. A little research on CriticalX shows them to be a small company with rapid growth, and HackerZ has reason to suspect that they may be an easier route into BankY than a direct attack.
Note: although this assumption is common amongst hackers, there is very little correlation between organization size and the level of information security protection. Although size brings resources, and often expertise, it also brings complexity and significant inertia against change and response.
CriticalX Vulnerabilities
As with many organizations, CriticalX has neither identified, nor classified, its critical information—in this case, the client data. Access to critical systems is too widespread amongst their users, with poor controls over passwords. Real data is often used in test environments without controls over its usage and, more importantly, its deletion. This can open a system to a variety of technical hacking attacks towards multiple data points.
However, HackerZ has a different tactic in mind. She assumes, from the information on the website, that BankY is the largest and most important client of CriticalX. Therefore, it is reasonable to assume that serving the needs of BankY will be of prime importance. So why not social engineer CriticalX into simply sending the HR information directly to her? She has a plan:
- establish a relationship with CriticalX;
- gain their compliance with innocent requests for information;
- create an emergency to obtain the critical data.
Contact 1: Wednesday 7:30pm
JohnnyT: Yes, I am the lucky person who covers the 7pm to 7am shift on Monday to Thursday.
HackerZ: So is it okay if I call you at this time? Sorry, I didn't get your name?
JohnnyT: Johnny. Yes, that is fine, your support contract is 24/7, and to be honest it can get a bit dull through the night. Call me at 3am if you want.
HackerZ: (Laughs.) Okay Johnny, I might just do that if Jessica gets me up like she often does. Mind you, I wouldn't normally be doing work at that time. I don't envy you working through the night.
JohnnyT: Well, it has its advantages. At least there are no bosses to interfere with things. Also, I tend to get longer to sort out your problems out of normal hours because it's not as busy. Anyway, what is your problem with summary reports?
HackerZ: Oh yes, sorry I forgot that I needed some help. Yes, summary reports. Well, as I said Johnny, I am quite new to this. I am just not sure how to run a report for a department to get our usual employee summary.
JohnnyT: Well, are you in the reports section?
HackerZ: Yes, I think so. I have searched for reports, but get lots of results. I’m not sure which is the best.
JohnnyT: Oh yes, much better to go to the management tab, then select reports.
HackerZ: Thanks. I can see you are an expert at this. Lucky I called you.
JohnnyT: Thanks, but at this time, it’s only me.
HackerZ: Okay I can see the reports listed. Are these reports we have set up?
JohnnyT: Yes, I have done some work for you guys, creating reports. Mainly for Jim Harrison.
HackerZ: Oh yes, I haven't met Jim yet, but I know he has done some work setting this up.
JohnnyT: Yes, you should find a tab for each department. Which one do you need?
HackerZ: Well first I was going to just query our service desk staff. But at the moment I am just experimenting to get used to the system. I am sure Johnny you know what it is like when you are new into a job. I want to keep one step ahead. It isn't easy, especially when you work from home like me. It can get a bit lonely at times.
JohnnyT: Tell me about it.
HackerZ: Okay, that has worked. Great. Might call you again later if that is okay?
JohnnyT: Sure, anytime.
HackerZ: Great to talk to you. Thanks.
Analysis
So, what has HackerZ obtained so far? Very little, you may be thinking. Actually, she got exactly what she wanted from this first call—establishing a relationship. The information she gleaned was a bonus. However, in her experience, she expects to find new information from each contact with the target, it even adds to the excitement.
On the face of it, this was just another support call. However, let’s re-run the call and explore what is really happening.
Before we start, it is worth noting that HackerZ at no time had any access to the PeopleEasy system. A lesser-skilled attacker may have gone straight in trying to trick Johnny into giving her an account. However, that has risks, as there may be some strict procedures around this, and as yet HackerZ hasn't enough information with which to assess whether this strategy would work.
So let’s re-run the conversation:
HackerZ: Hello, can I please speak to the helpdesk?
JohnnyT: This is the support desk, can I help you?
Comment: Although she got the title wrong, as a new employee this is understandable.
HackerZ: Oh thanks, this is Sarah Clark calling from BankY. I haven't called you before, but is this the right number for help with PeopleEasy?
JohnnyT: Yes, this is the right number Sarah, what is the difficulty?
Comment: HackerZ has established that she is from BankY. This hasn't been challenged at all, so she now knows that authentication for support calls is weak. As she hasn't called before, she may have been instructed that there is a procedure to register in order to get support. Currently, with no such procedure, she can proceed. If there was a procedure, she could have simply asked for help, and got details of what she would have to do.
HackerZ: Well, you will have to forgive me, as I am quite new in this role. I am doing some analysis and need help with summary reports. I work mainly from home and tend to catch up with things once I have put my daughter to bed. I am so glad that you are still available to help me. Tell me, do you always work this late?
JohnnyT: Yes, I am the lucky person who covers the 7pm to 7am shift on Monday to Thursday.
Comment: HackerZ has gained some sympathy and in the process found out the shift pattern for out-of-hours support, including the days Johnny works. She has mentioned summary reports. She knows they exist, because screenshots and feature lists from the website have highlighted them as a key benefit of PeopleEasy. From her analysis of CriticalX she guessed they wouldn't have many staff out of hours. However, this feature is probably required when offering a system to an organization such as BankY.
HackerZ: So is it okay if I call you at this time? Sorry, I didn't get your name?
JohnnyT: Johnny. Yes, that is fine, your support contract is 24/7, and to be honest it can get a bit dull through the night. Call me at 3am if you want.
HackerZ: (Laughs.) Okay Johnny, I might just do that if Jessica gets me up like she often does. Mind you, I wouldn't normally be doing work at that time. I don't envy you working through the night.
JohnnyT: Well, it has its advantages. At least there are no bosses to interfere with things. Also, I tend to get longer to sort out your problems out of normal hours because it's not as busy. Anyway, what is your problem with summary reports?
Comment: The main objective here for HackerZ is to develop rapport with Johnny. Getting his name is important, as using someone's name in conversation is a powerful way to develop communication. In the process, he has revealed that there are no managers on site through the night.
HackerZ: Oh yes, sorry I forgot that I need your help. Yes, summary reports. Well, as I said Johnny, I am quite new to this. I am just not sure how to run a report for a department to get our usual employee summary.
JohnnyT: Well, are you in the reports section?
HackerZ: Yes, I think so. I have searched for reports, but get lots of results. I’m not sure which is the best.
JohnnyT: Oh yes, much better to go to the management tab, then select reports.
Comment: In addition to re-asking for his help, she reminded him that she is new to this job, and gained more sympathy in the process.
HackerZ: Thanks. I can see you are an expert at this. Lucky I called you.
JohnnyT: Thanks, but at this time, it’s only me.
HackerZ: Okay I can see the reports listed. Are these reports we have set up?
JohnnyT: Yes, I have done some work for you guys, creating reports. Mainly for Jim Harrison.
HackerZ: Oh yes, haven't met Jim yet, but I know he has done some work setting this up.
Comment: Praising Johnny is a good tactic. Everyone likes praise, and tends not to get enough of it. He has now told her the name of a key contact (this may be of some use in the future). Her reply merely repeats back the same information, yet sounds like she is an employee. She doesn't go as far as claiming to know Jim well. This could be risky, and may lead to a silly mistake. It is a good communication strategy to confirm the same information back at this stage, and better to be cautious on the first call.
JohnnyT: Yes, you should find a tab for each department. Which one do you need?
HackerZ: Well first I was going to just query our service desk staff. But at the moment I am just experimenting to get used to the system. I am sure Johnny, you know what it is like when you are new into a job. I want to keep one step ahead. It isn't easy, especially when you work from home like me. Can get a bit lonely at times.
JohnnyT: Tell me about it.
HackerZ: Okay, that has worked. Great. Might call you again later if that is okay?
JohnnyT: Sure, anytime.
HackerZ: Great to talk to you. Thanks.
Comment: HackerZ doesn't push things too hard. Johnny is now convinced she is looking at the system. They have also 'made friends', and opened the door for further communication.
HackerZ makes two further calls, in each case developing the relationship further, whilst asking for simple help that she can reasonably expect from the information gleaned from the website. She is careful to call when Johnny is on duty.
Still not pushing for a new account to be created, HackerZ probes for something potentially critical during call three. We join the conversation towards the end, after Johnny has helped her out:
Contact 3: Monday 9:30pm
HackerZ: Thanks Johnny. You are great at helping me when I need it. I bet you have to deal with much more complex problems than my silly requests.
JohnnyT: Well, it does vary. But most people are not as nice as you. But yes, the other night I was running custom SQL queries directly from the database for Jim.
HackerZ: Wow, not sure what that is, but sounds complicated. Can you pretty much do anything then?
JohnnyT: Yes, the system’s not that difficult when you've been at it for a while.
As HackerZ suspected, Johnny has full administrator access directly to the data. This kind of access is common for support staff, and not just in small organizations. Unfortunately it is evidence of lazy access control. Johnny should be able to do 99.9 per cent of his job without full access to the data. Just think whether you would be giving someone in Johnny’s role access to your HR files if they were paper records within your office?
This gives HackerZ a clue as to the way she can get to the data. Her fourth contact is the critical one. Remember, by this time Johnny “knows” Sarah (HackerZ).
Contact 4: Tuesday 5:00am
The timing is deliberate. Johnny is at the start of a week of shifts. Following the weekend, this may well be the hardest time, as his body adjusts to night work. Also, late in the shift, he is likely to be tired.
HackerZ: (Crying...) Oh Johnny, sorry to call you. It's Sarah again. Don't know what to do. I'm in a real mess here.
JohnnyT: It's all right, can I help? Sarah, don't cry, I'll do my best.
HackerZ: I don't know what to do. I've got to get this information for first thing. I've been up half the night with Jessica, and now it won't work.
JohnnyT: What's wrong? Tell me the problem, and I'll see what I can do.
HackerZ: I don't think you can help me. It just won't work at all. I should have done this yesterday. My boss will probably fire me if I don't have it for the morning. He's already been having a go at me for that time off with Jessica last week. He thinks working from home is easy. I've no one to turn to when it goes wrong. If you can't save me Johnny, I don't know what I'll do.
JohnnyT: I'll do my best. Just tell me the problem Sarah, and we'll sort it out.
HackerZ: I can't get anything to work. My computer's playing up and Explorer won't come up. I've rebooted about 50 times. I know you are great at helping, but I've only really used spreadsheets before. At my last job they taught me to do loads of things with spreadsheets. Now I can't even get into PeopleEasy. What can I do?
JohnnyT: Oh, I don't know. You say you can't open Explorer. This is the only way into the system. Are you sure it won't work?
HackerZ: (Crying...) I've told you it won't work. I have to get these figures. I need lots of reports. I've got to summarize all this information. If only it was here in a spreadsheet I could do it in time. (Crying...)
JohnnyT: Sarah, don't cry. You say, if you had a spreadsheet you could do what you need to do.
HackerZ: Yes, I think so. It's just that I need all the information. Can you help me Johnny?
JohnnyT: Look, I can get you that information. The database is really quite simple. I can make you some spreadsheets with everything you need.
HackerZ: (Still sobbing...) Really? Wow, you are wonderful. Can you do that? I know spreadsheets. You've just saved my life.
JohnnyT: Look, I can get everything you need into some spreadsheets and email them to you.
HackerZ: Oh. Can you send them to my personal email, as BankY's system has been down since yesterday. That's partly why I'm still here at this time trying to get things done. I need to set off to work in a couple of hours, and my mother is coming round to take Jessica first thing.
JohnnyT: Can you explain what you need?
HackerZ: Johnny, I'm not too sure. Just put it all in a spreadsheet and I'm sure I can sort it out. You are a life saver!
As you can imagine, a number of spreadsheets duly arrived, containing a wealth of information about BankY’s employees. HackerZ has achieved her objective of obtaining the HR information. Her original intention was to profile individuals in critical BankY roles to aid her larger attack on BankY systems. In this case, however, she discovered a bonus: the HR records included the bank account details of every employee. One feature of PeopleEasy is that CriticalX’s clients can configure their own fields, and BankY had extended the system to hold an essential element of its payroll processing.
This is a valuable bonus for HackerZ. The bank account details, combined with the other personal information, would let her commit fraud against many individuals’ accounts. However, she has the bigger target of BankY in mind, so she keeps the information: it can always be sold on the underground market if she needs extra funds for her larger, more ambitious attack on BankY.
Vulnerability Analysis
BankY has made some fundamental errors in commissioning a new information system. By allowing the HR department to purchase and configure a system independently, the bank has effectively bypassed its usual information security controls. Storing such confidential information with an external supplier should have been carefully considered and appropriate controls agreed with the supplier, with independent testing and/or auditing of those controls to confirm compliance and measure their effectiveness.
A security review of the PeopleEasy system should also have analysed the information to be stored in it. That analysis would have highlighted the high risk of holding payroll data alongside personal details in an externally managed system.
CriticalX has some fundamental weaknesses in its support processes. The first is the lack of any suitable authentication of support requests: JohnnyT never established that “Sarah” was who she claimed to be, let alone that she was entitled to the data. The second is that no rules were in place to prevent JohnnyT extracting the database into spreadsheets and sending them directly to “Sarah”, at an address outside BankY.
Possible Countermeasures
For CriticalX there are a number of improvements that could be made:
- Establish an authentication system for support requests. This could involve maintaining a list of approved people who may make a call, with authentication by some form of password or by a callback to designated numbers.
- Client information within PeopleEasy should be classified, with appropriate access control applied. Does JohnnyT really need full access to the database? 99 per cent of his support calls are likely to be limited to training users in the correct operation of the system.
- Where it is appropriate to exchange data with a client such as BankY outside of the system, a suitably secure transmission method should be agreed in advance. This may be encrypted email, or a secure download section within PeopleEasy.
- Finally, service desk staff are prime social engineering targets. Awareness training for Johnny could have alerted him to the attack: an “emergency” call should lead to questions being asked, not to shortcuts. In this case, the request to send everything in a spreadsheet to a non-BankY email address should have raised an alert.
The last point sounds obvious; however, it requires JohnnyT to question the identity and honesty of “Sarah”, who is by now quite a good friend. Even with extensive training, his “belief” in her could easily override this, which is why the checks should be built into the process rather than left to the agent’s judgement.
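The CriticalX countermeasures can be written down as a release check that the service desk runs before any data leaves the system, so that the decision does not rest on how the agent feels about the caller. The following Python is an added example for this chapter, not code from the original text or from any real product. BankY, CriticalX, PeopleEasy and “Sarah” come from the scenario above; the contact “Sarah Wilson”, the domains banky.example and webmail.example, the field names, the agent roles (“support”, “data_admin”) and the channel names are constructed assumptions. It encodes the approved-contact list with callback, classification tied to agent role, the secure-channel requirement for sensitive fields, and the alert on a non-client destination address.

```python
# Added example for this chapter, not code from the original text or any real
# product. Client, domains, contacts, fields and requests are constructed.
from __future__ import annotations
from dataclasses import dataclass

# Every field the hypothetical HR database holds, and the subset whose
# disclosure enables fraud (payroll fields being a client-added extension).
ALL_FIELDS = frozenset({"employee_id", "name", "job_title", "department", "work_email",
                        "home_address", "date_of_birth", "bank_account", "sort_code"})
SENSITIVE_FIELDS = frozenset({"home_address", "date_of_birth", "bank_account", "sort_code"})
EXPORT_ROLE = "data_admin"  # the only agent role allowed to export sensitive fields


@dataclass(frozen=True)
class Contact:
    name: str
    work_email: str       # the only address data is ever sent to
    callback_number: str  # number the agent must ring back before releasing anything


@dataclass(frozen=True)
class ClientProfile:
    name: str
    email_domains: frozenset[str]
    contacts: tuple[Contact, ...]

    def find_contact(self, name: str) -> Contact | None:
        wanted = name.strip().casefold()
        return next((c for c in self.contacts if c.name.casefold() == wanted), None)


@dataclass(frozen=True)
class ExportRequest:
    client: str
    claimed_name: str        # who the caller says they are
    destination: str         # where they asked for the data to go
    channel: str             # "email" or "secure_download"
    fields: frozenset[str]   # "*" means "just put it all in a spreadsheet"
    callback_verified: bool  # agent rang the number on file and reached the same person
    agent_role: str


def email_domain(address: str) -> str:
    """Lower-cased domain of an address, or "" when there is no '@' or no local part."""
    local, sep, domain = address.rpartition("@")
    return domain.casefold() if sep and local else ""


def requested_fields(req: ExportRequest) -> frozenset[str]:
    return ALL_FIELDS if "*" in req.fields else req.fields & ALL_FIELDS


def evaluate(req: ExportRequest, profile: ClientProfile) -> list[str]:
    """Every reason the request must not be fulfilled as asked; [] means release.

    Anything else stops the agent and is logged for the client's security team.
    The caller's urgency or friendliness is deliberately not an input.
    """
    reasons: list[str] = []
    contact = profile.find_contact(req.claimed_name)
    if contact is None:
        reasons.append(f"{req.claimed_name!r} is not an approved contact for {profile.name}")
    if not req.callback_verified:
        reasons.append("identity not confirmed by callback to a number on file")

    dest_domain = email_domain(req.destination)
    if dest_domain not in profile.email_domains:
        reasons.append(f"destination domain {dest_domain!r} is not a registered {profile.name} domain")
    elif contact is not None and req.destination.casefold() != contact.work_email.casefold():
        reasons.append("destination is not the contact's address on file")

    if "*" in req.fields:
        reasons.append("bulk export of every field requested; scope must be agreed first")
    sensitive = sorted(requested_fields(req) & SENSITIVE_FIELDS)
    if sensitive and req.agent_role != EXPORT_ROLE:
        reasons.append(f"agent role {req.agent_role!r} may not export {', '.join(sensitive)}")
    if sensitive and req.channel != "secure_download":
        reasons.append("sensitive fields may only be released via the secure download area")
    return reasons


# Constructed client record and requests (no real organisation or person).
BANKY = ClientProfile("BankY", frozenset({"banky.example"}),
                      (Contact("Sarah Wilson", "sarah.wilson@banky.example", "+44 20 7946 0000"),))
# The chapter's attack: a real name, a personal address, "everything", no callback.
SARAH_REQUEST = ExportRequest("BankY", "Sarah Wilson", "sarah.w.home@webmail.example",
                              "email", frozenset({"*"}), False, "support")
# A request the same agent can fulfil.
LEGITIMATE_REQUEST = ExportRequest("BankY", "Sarah Wilson", "sarah.wilson@banky.example", "email",
                                   frozenset({"employee_id", "name", "department"}), True, "support")
# Right person and address, wrong role and channel for payroll data.
PAYROLL_BY_EMAIL = ExportRequest("BankY", "Sarah Wilson", "sarah.wilson@banky.example", "email",
                                 frozenset({"name", "bank_account", "sort_code"}), True, "support")

if __name__ == "__main__":
    for label, req in [("attack", SARAH_REQUEST), ("legitimate", LEGITIMATE_REQUEST),
                       ("payroll by e-mail", PAYROLL_BY_EMAIL)]:
        verdict = evaluate(req, BANKY)
        print(f"{label}: {'STOP' if verdict else 'release'}")
        for reason in verdict:
            print("  -", reason)
```

Run as a script it prints the verdict on each constructed request. The check returns every failed rule rather than the first, because the “Sarah” request trips five independent ones: even an agent who had been talked past the callback would still be stopped by the destination domain, the bulk scope and the channel rule. The legitimate request from the same named contact passes, and the payroll request fails only on role and channel, which is the signal to move it to the secure download area rather than refuse it outright.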
One of the most famous hackers to date is Kevin Mitnick. He gained more notoriety for his imprisonment without trial in the US, and for the frankly ridiculous things said about his danger to society, than for his actual hacking exploits. You should always show a healthy scepticism about hackers’ own stories, especially those who get caught: being caught hardly suggests that they were the best at their chosen career path. However, what is interesting about Kevin is his admission of how important the social engineering part of his hacking was. When later giving evidence to the US Congress he stated that he “was so successful in that line of attack” that he “rarely had to resort to a technical attack”.
I am always interested in how easily social engineering techniques can be learnt. Large gatherings of people allow you to experiment with techniques on a greater number of participants. Recently we tried such an experiment.
Incident: Unlimited Free Alcohol
Each year ECSC exhibits at Infosecurity Europe in London. This is a great opportunity to meet with clients and get an update on new offerings in the information security industry.
For the last few years, I have done a series of seminars and workshops on social engineering. This has given me a great opportunity to share techniques and methodologies from this book as they are developed. However, I have also managed to gain a modest following who expect something new, interesting and amusing each year.
Therefore, recently, we decided to give free drinks to everyone.
The Infosecurity Europe show is great fun, usually a Tuesday, Wednesday and Thursday. Unfortunately, the Thursday is a little subdued, as the organizers put on a free drinks party for the exhibitors on the Wednesday evening, with as much free alcohol as you can drink, starting at 5:30pm. I am sure you can guess what IT salespeople + free drinks + 5:30pm start time equates to.
Coincidentally, my social engineering presentation was scheduled for 4:45pm to 5:15pm on the same evening.
Given the circumstances, I thought it only fair that I should invite all the delegates (approximately 100 people) from my presentation to join us for the free drinks. A great opportunity to try a little mass social engineering (can you have a little mass?), to see if we could get a large number of delegates past the security guards, whose job it is to ensure that only exhibitors gain access to the party.
In convincing colleagues, I had to come up with some moral justification and this is it: given that the drinks are free, nobody is losing financially. Also, I would be making a positive contribution to the state of the exhibition the following morning, as less alcohol between the exhibitors would mean lighter hangovers. In addition, we would be moving human knowledge of social engineering forward another step. (Okay, that last point is probably a little exaggeration.)
So, to the exploit. The only discernible difference between the badges of exhibitors and delegates was a nice red strip across the badge holder. There were other differences, but conveniently the red stripe obscured these. Therefore, the plan was to doctor the badges and help people gain access.
Step one: we conveniently left a number of red marker pens under delegate chairs. These had been selected to be a reasonable match, however not so great as to remove the element of risk, and therefore fun.
Step two: a mind script. Given the limited time to prepare people (the last two minutes of my presentation), we couldn’t go through an in-depth course in getting past security guards. So I invited the delegates to imagine what it must feel like to be standing in an exhibition hall for two full days and then to be offered unlimited free drinks. Diligently showing their badges would not be normal; a mad rush, desperate to get to the bar first, would be. Better not to show the badge at all and, if challenged, to flash the badge towards the guard in an irritated manner. The red flash would be sufficient to satisfy the guards.
Did we succeed in this social engineering experiment? Certainly, by the number of people who I met throughout the evening thanking me for their drink. I even managed to get a rather nice photo of three “consultants” from one of the big four audit firms, holding up their fake badges, together with fists full of beer bottles. They were obviously intelligent enough to follow my instructions and gain entry.
Unfortunately, they weren’t quite intelligent (or sober) enough to refuse to have their photo taken with badges that clearly identified them by name and company. Anyway the photo makes a nice addition to my presentations on the subject. I am sure you can forgive me for slightly exploiting fellow consultants.
Vulnerability Analysis
This was another example of security guards working in the subconscious, blindly accepting badges with only a cursory glance to check for a colour. Given the subject of the exhibition and its attendees, it would be nice to see rather better security measures in place.
Possible Countermeasures
1. Remember, colour-coded badges are often a terrible idea, as they lead to people judging a badge purely on its colour and never examining the details.
2. Security guards should do more than give the feeling of security or satisfy the minimum requirements of an insurance policy. A badge check means reading the badge, not glancing at its colour.
Ian Mann is Senior System Consultant with ECSC Ltd (www.ecsc.co.uk) a specialist information security consultancy. Ian has worked with a wide range of companies, including a number of leading financial institutions, to help them understand the risk from attacks by social engineers, and to develop effective countermeasures. He is also known for his presentations on the subject.
Contact Details:
Email: ian.mann@ecsc.co.uk