Social Engineering — Hacking by Asking

BobGourley
Last updated: 2010/08/28 at 7:40 PM

“Hi, this is Robert Downs from Dell support — I got redirected to this number by accident by the guy I called, is this Guy?”

“Hi Robert — I’m the receptionist, Donna, I could redirect you to Guy — do you know his extension?”

“Well he said he was pretty busy but I just need a few generic questions to close out this help ticket so I can go home — do you think you can help?”

“Uh, I don’t know…”

“Please? It’s after 7 here and I really got to go home. It’s just a second.”

“Um. Ok, sure.”

What operating system do you use?

>> XP

What web browsers do you have on your PC?

>> Firefox 2.0 and IE6

Do you use Outlook?

>> No, we use a webmail

When was the last time you updated?

>> The IT team does updates every Tuesday night.

What version of Acrobat Reader do you have?

>> 7

What’s your antivirus/endpoint security brand?

>> McAfee endpoint security.

…
It might not look like it at first, but Mr. “Downs” from “Dell technical support” is a hacker who has just obtained enough reconnaissance to compromise users and servers inside the target company — an act that costs US companies an average of $6,751,451 per data breach incident, according to a Ponemon Research study.

Now, if I walked up to you on the street and asked you those questions out of the blue, you’d likely be either annoyed or (hopefully) suspicious. However, if I called your secretary at her desk and told her I was from Dell solving a problem and that I wanted to get off the phone quickly because I’m a working stiff with a family too — that might be a different story. She might tell me she’s on Windows, that the IT team pushes updates every Tuesday, and that she uses webmail and Internet Explorer 6. Maybe she’ll even give out her email address so that I can “close out the ticket” by sending her a link that takes her to another website for analysis or exploitation through a hole I found in Dell’s website (Cross Site Scripting vulnerabilities in websites make this attack method very easy to pull off). Hackers who can con people into giving up information or helping them gain unauthorized access are known as social engineers (the term is also used for con artists).

A good hacker knows that a good hack involves three things:

  1. Vulnerability
  2. Exploitation
  3. Maintenance of access

Talking to that secretary gave us a lot of information — the antivirus vendor and the version of Internet Explorer being the most important, among other things. This tells us what the system is vulnerable to — in this case IE6 vulnerabilities. Knowing the antivirus tells us which known exploits will be detected or stopped unless they are re-written or modified. With very little work we can probably find a way to circumvent any signature-based antivirus for a payload and a working exploit on a system with a profile similar to the one the secretary described. Now we have both a vulnerability and a method with which to exploit it. Finally, the secretary told us that systems are patched on Tuesdays — so we can have up to a week after successful exploitation to set up a way to maintain access, either through reverse shells or an autonomous setup, which should be easy to do once we are in and get the lay of the network. It’s very easy to find and package exploits given the wide availability of large databases of viruses and exploits (I regularly check several exploit databases to stay on top of trends).
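
The call above yields one answer for each of the three stages listed. As an added example (not code from the original post), the Python script below scores a call transcript the way an awareness trainer or help-desk reviewer might: it tags each caller question that the employee actually answered with the profile category and attack stage it feeds, and flags the call when an unverified caller has assembled a profile. The category patterns, the refusal phrases and the recommended actions are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass, field

# Constructed for this example: the system-profile questions from the call in the
# article, each mapped to the attack stage the article says that answer informs.
PROFILE_QUESTIONS = {
    "operating_system": (r"operating system|\bwindows\b", "vulnerability"),
    "web_browser": (r"\bbrowsers?\b|\bfirefox\b|internet explorer", "vulnerability"),
    "mail_client": (r"\boutlook\b|\bwebmail\b|mail client", "vulnerability"),
    "pdf_reader": (r"\bacrobat\b|\breader\b", "vulnerability"),
    "antivirus": (r"anti-?virus|endpoint security", "exploitation"),
    "patch_schedule": (r"\bupdate[sd]?\b|\bpatch(es|ed)?\b", "maintenance of access"),
}
# Replies showing the employee withheld the answer pending verification (constructed).
REFUSAL = re.compile(r"can'?t|cannot|not allowed|verify|call you back|ticket number", re.I)

@dataclass
class CallAssessment:
    leaked: dict = field(default_factory=dict)  # category -> attack stage it informs
    stages: set = field(default_factory=set)    # stages the caller can now plan
    action: str = ""

def assess_call(transcript, caller_verified=False):
    """transcript is a list of (speaker, text); speaker is 'caller' or 'employee'."""
    result = CallAssessment()
    for i, (speaker, text) in enumerate(transcript):
        if speaker != "caller":
            continue
        # The employee's reply is the next turn; a refusal (or no reply) discloses nothing.
        nxt = transcript[i + 1] if i + 1 < len(transcript) else ("", "")
        reply = nxt[1] if nxt[0] == "employee" else ""
        if not reply or REFUSAL.search(reply):
            continue
        for category, (pattern, stage) in PROFILE_QUESTIONS.items():
            if re.search(pattern, text, re.I):
                result.leaked[category] = stage
                result.stages.add(stage)
    if caller_verified:
        result.action = "caller verified: disclosure stays within vendor-support policy"
    elif result.leaked:
        result.action = "unverified caller built a system profile: report as social engineering"
    else:
        result.action = "nothing disclosed: log the attempt and the callback number given"
    return result

# The article's call, transcribed as constructed sample input.
ARTICLE_CALL = [
    ("caller", "What operating system do you use?"), ("employee", "XP"),
    ("caller", "What web browsers do you have on your PC?"), ("employee", "Firefox 2.0 and IE6"),
    ("caller", "Do you use Outlook?"), ("employee", "No, we use a webmail"),
    ("caller", "When was the last time you updated?"), ("employee", "Updates are every Tuesday night."),
    ("caller", "What version of Acrobat Reader do you have?"), ("employee", "7"),
    ("caller", "What's your antivirus/endpoint security brand?"), ("employee", "McAfee endpoint security."),
]

if __name__ == "__main__":
    a = assess_call(ARTICLE_CALL)
    print(sorted(a.leaked), sorted(a.stages), a.action)
```

Run against the article’s call, every category is marked as leaked and all three stages are covered; a transcript in which the employee asks for a ticket number and a callback instead leaks nothing.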

That is a lot of information from a seemingly innocuous conversation of less than five minutes. Now consider that I also got her to expect an email with a link — with that I can collect information like IP addresses, computer names, MAC addresses, perhaps the last few websites the receptionist has visited, the exact web browser version, and more. It’s easy to see where this information takes a sinister turn into a goldmine of potentially exploitable information.

People such as the once-infamous Kevin Mitnick have long used these con-artist techniques to gain unauthorized access to computer systems. In fact, most of what Mr. Mitnick did to gain unauthorized access to computer systems was social engineering, not hacking. He knew what to say, how to say it and whom to say it to by doing his homework on how his targeted industries and businesses operate. Most of his techniques and how he used them against his targets are explained in detail in his book The Art of Deception, which also covers in depth the techniques for preventing and closing human security breaches. Hackers use social engineering so much that this year at Defcon 18 hackers competed in a game in which they researched and called companies to get information from them that could later be used to compromise their security. Every one of the companies involved in the game failed to adequately protect itself from the hackers-turned-conmen (10 companies, 80 hackers, 3 failed calls), and several hackers were even able to score extra points by convincing personnel to visit websites under their control. [link to defcon 18 game]

Train your personnel to spot people who are going the extra mile to get information about your company in order to do real damage to it (as opposed to drive-by browser exploits and page-jacking). It isn’t enough to have endpoint protection or antivirus systems in place. People need to be coached on what information to give out and what to keep to themselves, especially people with access to sensitive information or who handle many calls every day. Go through this process with your employees frequently — perhaps place a flyer on company phones reminding them not to give out information about the computer systems, or bring it up at company meetings or as part of the new-hire routine training (new hires are the favorite targets of any social engineer: they’re eager to help and do not yet know the rules).

Also, regularly shred important documents with good shredders or shredding services, securely destroy hard drive data (DOD mandates a 7-pass write-over wipe to prevent re-reading), and make sure you aren’t fostering a workplace culture where it is not OK to ask management for proper credentials when employees are told to perform sensitive operations like changing passwords. Let your employees know that the rules apply to everyone and they will know to stick with them every time — even if it means asking the “new boss from the Cleveland office” who has forgotten his recovery question for more information to confirm his identity. It’s important to be proactive and protect your company from losing face before an incident happens, even if you’re small.
