By using this site, you agree to the Privacy Policy and Terms of Use.
Accept
SmartData CollectiveSmartData CollectiveSmartData Collective
  • Analytics
    AnalyticsShow More
    data-driven white label SEO
    Does Data Mining Really Help with White Label SEO?
    7 Min Read
    marketing analytics for hardware vendors
    IT Hardware Startups Turn to Data Analytics for Market Research
    9 Min Read
    big data and digital signage
    The Power of Big Data and Analytics in Digital Signage
    5 Min Read
    data analytics investing
    Data Analytics Boosts ROI of Investment Trusts
    9 Min Read
    football data collection and analytics
    Unleashing Victory: How Data Collection Is Revolutionizing Football Performance Analysis!
    4 Min Read
  • Big Data
  • BI
  • Exclusive
  • IT
  • Marketing
  • Software
Search
© 2008-23 SmartData Collective. All Rights Reserved.
Reading: Social Engineering — Hacking by Asking
Share
Notification Show More
Aa
SmartData CollectiveSmartData Collective
Aa
Search
  • About
  • Help
  • Privacy
Follow US
© 2008-23 SmartData Collective. All Rights Reserved.
SmartData Collective > Business Intelligence > Social Engineering — Hacking by Asking
Business Intelligence

Social Engineering — Hacking by Asking

BobGourley
Last updated: 2010/08/28 at 7:40 PM
BobGourley
9 Min Read
SHARE

“Hi, this is Robert Downs from Dell support — I got redirected to this number by accident by the guy I called, is this Guy?”

“Hi Robert — I’m the receptionist, Donna, I could redirect you to Guy — do you know his extension?”

More Read

bitcoin hackers and its safety

Useful Tips To Protect Your Bitcoin From Hackers

Big Data Makes Black Hat Hackers More Terrifying Than Ever
The Hidden Dangers Of The Internet of Things [Infographic]
Adobe Hack Update: 150m+ Breached Records Now Online
Updates on Dronegate

“Hi, this is Robert Downs from Dell support — I got redirected to this number by accident by the guy I called, is this Guy?”

“Hi Robert — I’m the receptionist, Donna, I could redirect you to Guy — do you know his extension?”

“Well he said he was pretty busy but I just need a few generic questions to close out this help ticket so I can go home — do you think you can help?”
“Uh, I don’t know…”

“Please? Its after 7 here and I really got to go home.  Its just a second”

“Um.  Ok, sure.”

What operating system do you use?

>>>XP

What web browsers do you have on your PC?

>>Firefox 2.0 and IE6

Do you use outlook?

>>No, we use a webmail

When was the last time you updated?

>>The IT team does updates every Tuesday night.

What version of Acrobat Reader do you have?

>>7

What’s your antivirus/endpoint security brand?

>>Mcafee endpoint security.

…
It might not look like it at first, but Mr. “Downs” from “Dell technical support” is a hacker who just obtained enough reconnosence to compromise users and servers inside the target company — an act that costs US companies an average of $6,751,451 per data breach incident according to a Ponemon Research study.

Now, if I walked up to you on the street and asked you those questions out of the blue, you’d likely be either annoyed or (hopefully) suspicious.  However, if I called your secretary at her desk and told her I was from Dell solving a problem and I want to get off quickly because I’m a working stiff with a family too — that might be a different story.  She might tell me she’s on windows, and that the IT team pushes updates every Tuesday, and that she uses webmail and Internet explorer 6.  Maybe she’ll even give out her email for me to send her so that I can close out the ticket with a link that takes her to another website for analysis or exploitation through a hole I found in Dell’s website (Cross Site Scripting attacks in vulnerable websites make this attack method very easy to do).  Hackers that can con people into giving information or help them gain unauthorized access are known as social engineers this term is also used for con artists).

A good hacker knows that a good hack involves three things:

  1. Vulnerability
  2. Exploitation
  3. Maintenance of access
Talking to that secretary gave us a lot of information — the antivirus vendor and version of Internet Explorer being the most important among other things.  This tells us what the system is vulnerable to — in this case IE6 vulnerabilities.  Knowing the antivirus lets us know what vulnerabilities will be detected or stopped unless they are re-written or modified.  With very little work we can probably find a way to circumvent any signatures based antivirus for a payload and a working exploit on a system with a profile similar to that described by the secretary.  Now we have both a vulnerability and a method with which we will exploit it.  Finally, the secretary informed us that patches to systems are done on Tuesdays — so we can have up to a week after successful exploitation to develop a system to maintain access either through reverse shells or an autonomous setup, which should be easy to do once we are in and get the lay of the network.  It’s very easy to find and package exploits with the wide availability of large databases of viruses and exploits (I regularly check several exploit databases to stay on top of trends).

 

It seems like a lot of information in a seemingly innocuous less-than-5-minute conversation.  Now consider the fact that I also got her to expect an email with a link — with that I can collect information like IP addresses, computer names, MAC addresses, perhaps the last few websites the receptionist has gone to, the exact web browser version, and more.  It’s easy to see where this information begins to take a sinister turn into a goldmine of potentially exploitable information.

 

 

People such as the once-infamous Kevin Mitnick have long used these con-artist techniques to gain unauthorized access to computer systems.  In fact, most of what Mr. Mitnick did to gain unauthorized access to computer systems was social engineering, not hacking.  He knew what to say and how to say it and who to say it to by doing his homework on how his targeted industries and businesses operate. Most of his techniques and how he used them to exploit his targets are explained in detail in his book The Art of Deception, which goes over in-depth on teqniques to prevent and close human security breaches. Hackers use social engineering so much that this year at Defcon 18 hackers competed in a game in which they researched and called companies to get information from them that could be used later to compromise their security.  Every single one of the companies that were involved in the game failed to adequately protect themselves from the hackers-turned-conmen (10 companies, 80 hackers, 3 failed calls), and several hackers were even able to score extra points by convincing personnel to visit websites under their control. [link to defcon 18 game]

 

 

Train your personnel in how to spot people who are going in the extra mile to get information about your company to do real damage to it (not drive by browser exploits and page-jacking).  It isn’t enough to have endpoint protection or antivirus systems in place.  People need to be coached on what information to give out and what to keep, especially people with access to sensitive information or that handle many calls every day.  Go through this process with your employees frequently — perhaps place a flyer on company phones reminding them not to give out information on the computer systems or bring it up at company meetings or as part of the new-hire routine training (new hires are the favorite targets of any social engineer.  They’re eager to help and do not yet know the rules).

 

 

Also, regularly shred important documents with good shredders or shredding services, and securely destroy hard drive data (DOD mandates a 7-pass write-over wipe to prevent re-reading), and make sure that you aren’t encouraging a workplace environment where it is not OK to question management for the correct credentials when employees are being told to perform sensitive operations like changing passwords.  Let your employees know that rules apply to everyone and they will know to stick with them every time — even if it means asking the “new boss from the Cleveland office” who’s forgotten his recovery question for more information to confirm his identity.  It’s important to be proactive and prevent your company from losing face before an incident happens, even if you’re small.

TAGGED: hacking
BobGourley August 28, 2010
Share This Article
Facebook Twitter Pinterest LinkedIn
Share

Follow us on Facebook

Latest News

iot and cloud technology
IoT And Cloud Integration is the Future!
Internet of Things
ai in marketing
4 Ways AI Can Improve Your Marketing Strategy
Artificial Intelligence
data security unveiled
Data Security Unveiled: Protecting Your Information in a Connected World
Security
it management for data-driven businesses
7 Major IT Infrastructure Challenges for Data-Driven Companies
IT

Stay Connected

1.2k Followers Like
33.7k Followers Follow
222 Followers Pin

You Might also Like

bitcoin hackers and its safety
BlockchainExclusive

Useful Tips To Protect Your Bitcoin From Hackers

4 Min Read
big data and black hat seo
Big DataITSecurity

Big Data Makes Black Hat Hackers More Terrifying Than Ever

11 Min Read
Internet of ThingsSecurity

The Hidden Dangers Of The Internet of Things [Infographic]

5 Min Read
Image
Data ManagementRisk Management

Adobe Hack Update: 150m+ Breached Records Now Online

2 Min Read

SmartData Collective is one of the largest & trusted community covering technical content about Big Data, BI, Cloud, Analytics, Artificial Intelligence, IoT & more.

ai in ecommerce
Artificial Intelligence for eCommerce: A Closer Look
Artificial Intelligence
AI and chatbots
Chatbots and SEO: How Can Chatbots Improve Your SEO Ranking?
Artificial Intelligence Chatbots Exclusive

Quick Link

  • About
  • Contact
  • Privacy
Follow US
© 2008-23 SmartData Collective. All Rights Reserved.
Go to mobile version
Welcome Back!

Sign in to your account

Lost your password?