
“Hi, this is Robert Downs from Dell support — I got redirected to this number by accident by the guy I called, is this Guy?”
“Hi Robert — I’m the receptionist, Donna, I could redirect you to Guy — do you know his extension?”
“Well, he said he was pretty busy but I just need a few generic questions to close out this help ticket so I can go home — do you think you can help?”
“Uh, I don’t know…”
“Please? It’s after 7 here and I really got to go home. It’s just a second.”
“Um. Ok, sure.”
What operating system do you use?
>> XP
What web browsers do you have on your PC?
>> Firefox 2.0 and IE6
Do you use Outlook?
>> No, we use a webmail
When was the last time you updated?
>> The IT team does updates every Tuesday night.
What version of Acrobat Reader do you have?
>> 7
What’s your antivirus/endpoint security brand?
>> McAfee endpoint security.
…
It might not look like it at first, but Mr. “Downs” from “Dell technical support” is an attacker who has just gathered enough reconnaissance to compromise users and servers inside the target company — an act that costs US companies an average of $6,751,451 per data breach incident, according to a Ponemon Research study.
Now, if I walked up to you on the street and asked you those questions out of the blue, you’d likely be either annoyed or (hopefully) suspicious. However, if I called your secretary at her desk and told her I was from Dell solving a problem and wanted to get off the phone quickly because I’m a working stiff with a family too, that might be a different story. She might tell me she’s on Windows, that the IT team pushes updates every Tuesday, and that she uses webmail and Internet Explorer 6. Maybe she’ll even give out her email address so that I can “close out the ticket” by sending her a link that takes her to another website for analysis or exploitation, for example through a hole I found in Dell’s website (cross-site scripting flaws in vulnerable websites make this attack method very easy to pull off). Hackers who can con people into giving out information or helping them gain unauthorized access are known as social engineers (the term is also used for con artists).
A good hacker knows that a good hack involves three things:
- Vulnerability
- Exploitation
- Maintenance of access
Talking to that secretary gave us a lot of information, the antivirus vendor and the Internet Explorer version being the most important. This tells us what the system is vulnerable to — in this case IE6 vulnerabilities. Knowing the antivirus product tells us which exploits and payloads will be detected or stopped unless they are rewritten or modified. With very little work we can probably get a payload and a working exploit past a signature-based antivirus on a system with the profile the secretary described. Now we have both a vulnerability and a method with which to exploit it. Finally, the secretary told us that patches are applied on Tuesdays, so after a successful exploitation we can have up to a week to set up a way to maintain access, either through reverse shells or an autonomous setup, which should be easy to do once we are in and have the lay of the network. Finding and packaging exploits is easy given the wide availability of large databases of malware and exploits (I regularly check several exploit databases to stay on top of trends).
 
It seems like a lot of information from a seemingly innocuous, less-than-five-minute conversation. Now consider that I also got her to expect an email with a link. With that I can collect information like IP addresses, computer names, MAC addresses, perhaps the last few websites the receptionist has visited, the exact web browser version, and more. It’s easy to see where this information begins to take a sinister turn into a goldmine of potentially exploitable data.
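As an added illustration of what that single click hands over (this is example code written for this page, not something from the original post), the following Python parses the access log that a link-tracking server would write when the receptionist follows the emailed link. The log lines, the client IP (from the 203.0.113.0/24 documentation range), the timestamps and the ticket path are all constructed for this example; the User-Agent strings follow the format IE6 and Firefox 2.0 on Windows XP actually sent. A plain HTTP hit exposes the client IP, the exact browser build, the OS and the Referer (here a webmail portal, matching what she said on the phone); computer names and MAC addresses are not visible to a web server and would need client-side code or a reverse DNS lookup, which this example deliberately does not attempt.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample entries in Apache/nginx "combined" log format. They stand
# in for what a server under the caller's control would record when the
# receptionist opens the "close out the ticket" link.
SAMPLE_LOG = """\
203.0.113.45 - - [10/Aug/2010:09:14:02 -0400] "GET /ticket/4471 HTTP/1.1" 200 512 "https://webmail.example.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
203.0.113.45 - - [10/Aug/2010:09:15:37 -0400] "GET /ticket/4471 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20"
"""

# One combined-format line: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Windows NT kernel version -> marketing name; this is the part of the UA that
# answers the "what operating system do you use?" question from the call.
WINDOWS_NT = {
    "5.0": "Windows 2000",
    "5.1": "Windows XP",
    "5.2": "Windows XP x64 / Server 2003",
    "6.0": "Windows Vista",
    "6.1": "Windows 7",
}


@dataclass
class Visit:
    ip: str
    time: str
    browser: str
    version: str
    os: str
    referer: Optional[str]


def parse_user_agent(ua: str) -> Tuple[str, str, str]:
    """Return (browser, version, os) from a User-Agent string.

    Only the families relevant to the conversation above (IE and Firefox on
    Windows) are handled explicitly; anything else is reported as "unknown"
    rather than guessed.
    """
    browser, version, os_name = "unknown", "unknown", "unknown"
    m = re.search(r"MSIE (\d+(?:\.\d+)?)", ua)
    if m:
        browser, version = "Internet Explorer", m.group(1)
    else:
        m = re.search(r"Firefox/(\d+(?:\.\d+)*)", ua)
        if m:
            browser, version = "Firefox", m.group(1)
    m = re.search(r"Windows NT (\d+\.\d+)", ua)
    if m:
        os_name = WINDOWS_NT.get(m.group(1), f"Windows NT {m.group(1)}")
    elif "Mac OS X" in ua:
        os_name = "Mac OS X"
    elif "Linux" in ua:
        os_name = "Linux"
    return browser, version, os_name


def profile_visits(log_text: str) -> List[Visit]:
    """Turn combined-format access log lines into one profile per click.

    What a bare HTTP request gives away: client IP, exact browser build, OS,
    and (via Referer) the page the visitor came from. It does NOT give away a
    MAC address or internal hostname; those need code running in the browser
    or a reverse DNS lookup, neither of which is done here.
    """
    visits: List[Visit] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole parse
        browser, version, os_name = parse_user_agent(m.group("ua"))
        referer = m.group("referer")
        visits.append(Visit(
            ip=m.group("ip"),
            time=m.group("time"),
            browser=browser,
            version=version,
            os=os_name,
            referer=None if referer in ("-", "") else referer,
        ))
    return visits


if __name__ == "__main__":
    for v in profile_visits(SAMPLE_LOG):
        print(f"{v.ip}  {v.os}  {v.browser} {v.version}  came from: {v.referer}")
```

Two clicks from the same IP, one from each browser, already confirm the OS, both browser versions and the webmail portal the receptionist mentioned, which is exactly the profile the phone call was fishing for. The defensive reading is the same: any internal link-click telemetry your own mail gateway records can be matched against this profile to spot who followed an unexpected "ticket" link.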
 
 
People such as the once-infamous Kevin Mitnick have long used these con-artist techniques to gain unauthorized access to computer systems. In fact, most of what Mr. Mitnick did to gain unauthorized access was social engineering, not technical hacking. He knew what to say, how to say it and whom to say it to by doing his homework on how his targeted industries and businesses operate. Most of his techniques, and how he used them against his targets, are explained in detail in his book The Art of Deception, which also goes in depth on techniques for preventing and closing human security breaches. Hackers use social engineering so much that this year at Defcon 18 hackers competed in a game in which they researched and called companies to get information that could be used later to compromise their security. Every single one of the companies involved failed to adequately protect itself from the hackers-turned-conmen (10 companies, 80 hackers, 3 failed calls), and several hackers even scored extra points by convincing personnel to visit websites under their control.
[link to defcon 18 game] 
 
Train your personnel to spot people who are going the extra mile to get information about your company in order to do real damage to it (as opposed to drive-by browser exploits and page-jacking). It isn’t enough to have endpoint protection or antivirus systems in place. People need to be coached on what information to give out and what to keep to themselves, especially people with access to sensitive information or who handle many calls every day. Go through this process with your employees frequently: place a flyer on company phones reminding them not to give out information about the computer systems, bring it up at company meetings, or make it part of the new-hire training routine (new hires are the favorite targets of any social engineer; they’re eager to help and do not yet know the rules).
 
 
Also, regularly shred important documents with good shredders or a shredding service, securely destroy hard drive data (the often-cited DoD wiping standard calls for a 7-pass overwrite to prevent recovery), and make sure you aren’t fostering a workplace where it is not OK to ask management for proper credentials before performing sensitive operations like changing passwords. Let your employees know that the rules apply to everyone, and they will know to stick to them every time, even if it means asking the “new boss from the Cleveland office” who’s forgotten his recovery question for more information to confirm his identity. It’s important to be proactive and prevent your company from losing face before an incident happens, even if you’re small.
