See how these companies were social engineered
You could be next
Tim Roberts, a security consultant at Solutionary, has been on the other side of trickery. Roberts was recently hired to infiltrate a company’s buildings and networks – mirroring a crook’s social engineering attempts to get at sensitive personal and corporate data. All of this was done as part of an authorized cybersecurity assessment, and his findings and recommendations are shared here in the hope that you can avoid being the next victim.
Key Loggers and Post-Its
I approached the front desk and chatted up the assistant (nametag Sarah) and a maintenance worker. “There was a ticket put in a while back. Did you guys not get an email notification that I would be here? We are in the process of doing some migration on the network and there have been some outages at the offices.”
At this point, Sarah locked her system and let me sit down at her desk. Instead of using a lot of gadgets, I just took out the key logger and plugged it in between the keyboard and the system. “Could you go ahead and log back in? I need to pull up a command prompt to test the connectivity.” She did, and the key logger was able to catch her submission. “Actually, because I am going to have to ask you to do that a few times, do you mind just writing down your credentials and then we can trash it once I am finished?” I slid the Post-It stack to her and placed a pen on top as I continued to focus on the system, in an effort to convey that this was normal. She wrote down her password and slid it back to me. As I was snooping around the system, I gained access to network shares and several systems on the network. I also noticed that she had her BitLocker recovery key saved conveniently in the My Documents folder, along with some VPN information.
“Sarah, I noticed you don’t have a laptop. Do you ever do work from home?” She replied, “I am not special enough for a laptop. But they did give me a tablet that I rarely use. I can’t get the VPN to connect.” I tried to bait her with another question. “Oh yeah? Could you show me how you typically connect from home and what credentials you use? Maybe I can reset some things from here for you.” She continued to explain how to remotely connect to the network. I took some quick notes when she wasn’t paying attention. In the end, I had another gig of data, domain credentials, an encryption key and a tutorial on how to connect to the VPN.
Poor gullible Sarah
I’d say this was a successful engagement and, most importantly, a reminder of how gullible people can be when you appear legitimate, sympathetic and helpful.
Security awareness training! This goes beyond the annual awareness campaign and quizzes. This must be ingrained into the culture of your company. Your employees must be aware of the risks that are associated with information security (this includes physical and technical controls).
A Clean Desk policy. Sensitive data should be put away when not in use. Passwords should never be written down and taped to the workstation.
Make sure that your Minimum Baseline Configuration (MBC) includes disabling the physical ports that are unnecessary (i.e., USB). Aside from physical key loggers, the risk of data leakage increases when an employee has the capability to copy data to an external storage device.
You don’t have to be paranoid, but skepticism and awareness are traits every employee should have. An employee who is able to discern the common traits and mannerisms of a would-be attack can be the first barrier that prevents compromises like this.
Once I picked the lock to the unalarmed external emergency door, I realized that the client had taken the extra step of implementing biometric access control. There wasn’t a single person going in or out while I observed. I needed a different way into the server room. I noticed a security guard station with several monitors and a key box behind the desk. I saw that a guard and a maintenance employee were taking a coffee break. “Sorry guys, I’ll just be a moment. I need to get the serial numbers off of these devices. We are doing inventory.” I gave him the face of “you know, the grind,” shrugged and began writing down anything I saw. “Not a problem,” the guard responded after glancing at the fake badge I had made using basic photo editing skills. “You can take them if you want. They don’t work half of the time anyway,” the guard chuckled.
“Could you show me? Maybe I could get corporate to put something in the budget for some new systems.” I made my way behind him, looking at the monitors. Without hesitation, the guard typed in the default password of ‘1111’ and showed me the security issues of the building, where the cameras were located, which ones worked, etc. “I almost forgot.” Turning to the maintenance employee, I asked “You’re with maintenance, correct?” He nodded.
“Awesome, I need to get into the server room for some serial numbers.” This was a big risk, but I figured, why not? “Not a problem. I can let you in.” The guard sat up from his chair and escorted me to the server room. I thanked him for his help and told him that I could take it from there.
A new guard
Again, awareness training would help prevent the situations these guards faced. Some awareness programs aren’t robust enough to really get the point across about the dangers of social engineering and real-world threats. Security awareness training too often becomes routine, just another annual training.
Employees need to understand that security starts with them. Always double-check someone’s story, especially when that person is claiming to need access to this or that, or doesn’t badge in. It’s OK to take a minute to call and verify someone’s story and/or credentials. Even if they seem irritated and inconvenienced, it’s better to be safe than sorry.
Change default passwords on devices, even if the device only allows a three-digit PIN for a security system. Switch it up routinely.
Remind the security vendor of the risks that exist beyond the obvious ones. Inquisitive security guards who are diligent can make or break your physical security.
Barbecuing your data center
The quarterly employee appreciation BBQ was the perfect time to survey the building undetected. I noticed that nearly all of the badge-restricted areas had doors with the same lever handles. I peeked through the thin window, between a haphazard paper-and-tape job covering what appeared to be a highly sensitive area. My under-the-door tool allowed me to open a lever door from the other side. Utilizing this, I was able to bypass several restricted areas, including a PBX and server room door. Once inside the server room, we had access to systems, networking and telecom devices, butt sets (telephone test sets) and PBX systems. After about 30 minutes of harvesting as much data as possible, we heard someone badge in. Two employees came in; one went straight to his laptop, and the other asked who we were. “I’m Elliot, from XYZ. I’m doing some inventory on the PBX systems,” I interjected as I casually flipped through a clipboard that I had taken from outside. At this point, we were able to gather equipment and devices upon leaving the room.
I found a door that led to the main data center, and passed the cubicle area for what I could only assume was the networking department. This door had two-factor authentication, requiring a four-digit PIN and a proximity badge in order to gain access. I noticed that the drop floor below me could be opened. There was also a handy suction grip conveniently sitting on a table beside the door. I lifted one of the tiles and could have easily crawled under the floor, but I decided against this since I was sporting a white button-up and it would have heightened the risk of being exposed. I replaced the tile and instead tried to pick the lock using a Bogota-style pick. I was able to bypass the tumbler lock and the two-factor authentication and open the door. I was in the data center and had access to several systems with sensitive data, remote employee VPN devices, laptops, Internet switches, the core switch and more.
How not to get grilled by con men
Use industry best practice when securing your server rooms. This means floor-to-ceiling walls, no lever handles and no windows.
Make sure that your intrusion detection systems cover all external doors and accessible windows.
Don’t leave too big a gap under doors. This makes it harder to trip exit motion sensors and to work the under-the-door tool.
If you must have a physical key to bypass additional access controls, consider a strong lock core and a key management log.
Instill a culture of social and physical awareness, not paranoia. Every employee, vendor, contractor, etc. has a part in security. If employees feel suspicious, encourage them not to be afraid to inquire, challenge and to double-check.
Require badges to be visible at all times. If a certain badge requires an escort, make sure there is an escort. If the badge looks funny, ask to see it.
Keep destruction/shredder bins secure. This goes beyond your run-of-the-mill padlock.
Key to the kingdom
After about an hour of walking around, taking photos, picking the locks on office doors and shredder bins, and dumpster diving, I had gathered quite a bit of sensitive data (some of which included scans of driver licenses and Social Security cards). I successfully used the under-the-door tool to bypass a lever handle door which led to the IT department and the data center area. I not only had access to the servers, switches, laptops and a treasure trove of data, but I also found a box of handy “remote employee VPN devices and handbook.”
The Security Control Room contained access to the security cameras and security system, a badge maker, access logs, security staff files and a key box. This box was made out of aluminum and had a generic lock that was easily bypassed (I wanted to try to bypass it, even though I had the guard’s keychain). It had a key spreadsheet on the inside of the door, and several keys hanging in it. There were keys to company vehicles, wiring closets, several rooms and cabinets, elevators and much more. The key that caught my eye was one labeled “Facility 2 – Server Rm.” I had agreed to not take anything outside of the facility, so I couldn’t take the key with me.
“Sorry to bug you, but I am doing a key inventory and John from facility services had given me this key for the Security Control Room, but it doesn’t appear to be working. He said that you should have one and to ask if I could use it for a minute. I promise to bring it right back,” I said as I stood in front of the guard’s desk, smiling and gently tapping the random key on the table.
The security guard paused for a moment, smiled and pulled out a handful of keys. “Well, I suppose, but you better bring my keys back, or I am going to hunt you down.” I made my way back down to the door, unlocked it and then locked it back once inside.
Don’t be so trusting
Tell your guards to stop being so trusting and to never hand their keys over to a random “employee”. Guards are one of the first layers of security, but too many companies often depend on them to be the primary eyes and ears, where the whole employee body should be several eyes and ears.
Don’t forget about the hard locks on doors and cabinets leading to restricted and sensitive areas.
Make sure that your guards are alert and aware. Security guard work can get boring, which enhances distractions (phone, Internet, conversation etc.). Make sure that the guards understand their roles and responsibilities, especially if they are not in-house. The security guard can often make a huge difference in your physical security. They are the first barrier within the facility and should not hesitate to challenge someone’s story.
Always double-check, and never be afraid to validate someone’s identity. Someone doesn’t have a legitimate badge visible or isn’t escorted? Escalate. Did someone piggyback? Ask them to badge in and verify a successful result.
Sure, come on in
During the Open Source Intelligence (OSINT) gathering phase of the assessment, and after performing some remote phishing and charming phone calls, we were able to gather a handful of domain credentials, the user naming convention (last name, first initial – which happened to be the same as what LinkedIn shows, even without a professional account), security policy information, badge details and some names to drop.
I pretended to badge in at the entrance. Once I was in the men’s bathroom, my partner said there were still employees leaving and that he had kicked off some wireless scans (to see what was accessible from outside the building). After the employees left, I stepped out of the bathroom and walked around the floor, browsing through files and taking pictures of sensitive information left in unlocked destruction bins and trash bins (beside several printers, I might add). I found a couple of untethered laptops (only took one) and the perfect cube to stash our device in. Why was this perfect? Because someone was on vacation, and it appeared that whoever occupied said cube had a little home router of his or her own connected. I unplugged it and replaced it with ours.
With our rogue access point in place and hidden behind some empty laptop bags beneath the desk, I made my way out of the building and to my partner’s location. Once in the vehicle, we both connected to the access point and DHCP allowed us to scan several ranges. We were able to compromise a few systems exploiting some known vulnerabilities and by using credentials that we had harvested from the remote portion of the assessment, dump some database tables and spend most of the night in front of dimly lit screens in the hotel parking lot hacking away.
Close the backdoor
Network access should be restricted utilizing methods like Network Access Control (NAC) and Rogue Access Point (AP) detection. This will help to prevent malicious drop boxes and networking devices from leaving a backdoor open into your network for further remote compromise.
It is great if employees are aware of tailgating, but it shouldn’t be as simple as allowing a would-be attacker to catch the door and go through the motions of swiping their badge. Pay attention to the reader’s authentication sound and indicator color, where the hardware provides them. Employees should not be offended or afraid to challenge each other if they are not following policy. Restricted access doors should be carefully monitored if there is a need for a time delay (such as for a handicapped employee).
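The recommendation above, that rogue drop boxes be caught by NAC and rogue AP detection, has a cheap complementary check that many shops already have the data for: every device that takes a DHCP lease on the office LAN is compared against the asset inventory, and anything unknown is raised for a walk to the desk. The following is an added example, not code from the article or from Solutionary; the dhcpd-style log lines and the inventory are constructed for the demo, and it assumes the MAC address is the key in your inventory.

```python
import re
from collections import namedtuple

# Constructed ISC dhcpd-style syslog lines (sample data, not from any real network).
# The two "consumer" hostnames stand in for a forgotten home router and a drop box.
SAMPLE_DHCP_LOG = """\
Jun 14 18:02:11 dhcp01 dhcpd: DHCPACK on 10.20.5.41 to 3c:52:82:aa:bb:01 (WS-FINANCE-07) via eth1
Jun 14 18:03:45 dhcp01 dhcpd: DHCPACK on 10.20.5.88 to b8:27:eb:11:22:33 (raspberrypi) via eth1
Jun 14 18:05:02 dhcp01 dhcpd: DHCPACK on 10.20.5.42 to 3c:52:82:AA:BB:02 (WS-FINANCE-08) via eth1
Jun 14 18:05:30 dhcp01 dhcpd: DHCPACK on 10.20.5.43 to 3c:52:82:aa:bb:03 via eth1
Jun 14 18:07:19 dhcp01 dhcpd: DHCPACK on 10.20.5.90 to 00:1f:3f:cc:dd:ee (netgear-router) via eth1
Jun 14 18:09:00 dhcp01 dhcpd: DHCPACK on 10.20.5.88 to b8:27:eb:11:22:33 (raspberrypi) via eth1
"""

# Constructed asset inventory keyed by MAC address (assumed format for this example).
INVENTORY = {
    "3c:52:82:aa:bb:01": "Finance workstation 07",
    "3c:52:82:aa:bb:02": "Finance workstation 08",
    "3c:52:82:aa:bb:03": "Finance workstation 09",
}

# DHCPACK lines carry the IP, the client MAC, an optional "(hostname)" and the interface.
LEASE_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)",
    re.IGNORECASE,
)

Lease = namedtuple("Lease", "ip mac hostname iface")


def parse_leases(log_text):
    """Extract one Lease per DHCPACK line; other log lines are ignored."""
    leases = []
    for line in log_text.splitlines():
        m = LEASE_RE.search(line)
        if m:
            # Normalise MAC case so the inventory lookup is exact.
            leases.append(Lease(m["ip"], m["mac"].lower(), m["host"] or "", m["iface"]))
    return leases


def find_unknown_devices(leases, inventory):
    """Return leases whose MAC is absent from the inventory, one entry per MAC."""
    seen = set()
    unknown = []
    for lease in leases:
        if lease.mac not in inventory and lease.mac not in seen:
            seen.add(lease.mac)
            unknown.append(lease)
    return unknown


def report_lines(unknown):
    """Human-readable alert lines for the ticket or the SOC channel."""
    return [
        f"UNKNOWN DEVICE {u.mac} at {u.ip} via {u.iface} hostname={u.hostname or '-'}"
        for u in unknown
    ]


if __name__ == "__main__":
    leases = parse_leases(SAMPLE_DHCP_LOG)
    for line in report_lines(find_unknown_devices(leases, INVENTORY)):
        print(line)
```

Two things worth noting about the design. Only the drop box’s own uplink MAC shows up here; the attackers in the story sat behind its NAT, so their scanning laptops never touch the corporate DHCP server, which is exactly why the unknown device itself has to be chased down promptly. And a MAC allowlist is a tripwire, not a gate: a device can be configured to present any address, so this check sits alongside 802.1X/NAC, which the article rightly names as the control that actually keeps the port closed. In the scenario above, the employee’s own home router would have been flagged weeks before the assessment, removing the convenient swap the tester relied on.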
Security outmatched by a smile
I piggybacked my way into the building and picked the lock to the executive office space. I saw that one of the VP’s office doors was open and the office was unoccupied. After a minute in the office, I heard the receptionist return to her desk outside the VP’s office. I took a business card off the VP’s desk, noticing that the receptionist was looking in. With a smile I acknowledged her: “I am looking for John Doe. This is his office, right?”
“Yes, but he is in a meeting in the conference room. Did you have an appointment?”
“Kind of. I was supposed to install an encryption client on his laptop today. It would only take a moment.”
“Well, he should be back in about an hour or so. Would you be able to come back then?”
“I have a lot of systems to work on and I would like to go ahead and knock his out while I’m here. I will be heading back to corporate early tomorrow, and I still have a lot to do.”
“Well, let me ask him and see what he says.” She got up and made her way down the hall to the conference room. At this point, I could leave and risk compromising the engagement or gamble with luck.
A few minutes later, she returned and said, “He said that he put a ticket in for something like that three weeks ago.” Concerned, I followed up with a sympathetic, “Yeah, we’ve been a little backed up; hence the time crunch. Could you let me get the serial number off the bottom of the laptop?” I asked. “I want at least some proof that I came by.” I then started to make my way to the office. Although hesitant, the receptionist followed, smiled, nodded, unmounted the laptop and handed it to me.
Good thing IT is backed up
I can’t stress enough how important a security culture is within a company, and how comprehensive a security awareness program should be. Social engineering is only one attack vector, but it is often the most dangerous: it bypasses the investment in technical and physical security controls whenever an employee isn’t aware of the real dangers that lead to, and have led to, many compromises.