Social Engineering
Video demonstrating how easy it is to social engineer your way into clubs by pretending you’re the DJ.
Entries Tagged "social engineering"
Page 7 of 11
World War II Deception Story
Great security story from an obituary of former OSS agent Roger Hall:
One of his favorite OSS stories involved a colleague sent to occupied France to destroy a seemingly impenetrable German tank at a key crossroads. The French resistance found that grenades were no use.
The OSS man, fluent in German and dressed like a French peasant, walked up to the tank and yelled, “Mail!”
The lid opened, and in went two grenades.
Hall’s book about his OSS days, You’re Stepping on My Cloak and Dagger, is a must-read.
Clever Museum Theft
Some expensive and impressive stuff was stolen from the University of British Columbia’s Museum of Anthropology:
A dozen pieces of gold jewelry designed by prominent Canadian artist Bill Reid were stolen from the museum sometime on May 23, along with three pieces of gold-plated Mexican jewelry. The pieces that were taken are estimated to be worth close to $2 million.
Of course, it’s not the museum’s fault:
But museum director Anthony Shelton said that elaborate computer program printouts have determined that the museum’s security system did not fail during the heist and that the construction of the building’s layout did not compromise security.
Um, isn’t having stuff get stolen the very definition of security failing? And does anyone have any idea how “elaborate computer program printouts” can determine that security didn’t fail? What in the world is this guy talking about?
A few days later, we learned that security did indeed fail:
Four hours before the break-in on May 23, two or three key surveillance cameras at the Museum of Anthropology mysteriously went off-line.
Around the same time, a caller claiming to be from the alarm company phoned campus security, telling them there was a problem with the system and to ignore any alarms that might go off.
Campus security fell for the ruse and ignored an automated computer alert sent to them, police sources told CBC News.
Meanwhile surveillance cameras that were still operating captured poor pictures of what was going on inside the museum because of a policy to turn the lights off at night.
Then, as the lone guard working overnight in the museum that night left for a smoke break, the thief or thieves broke in, wearing gas masks and spraying bear spray to slow down anyone who might stumble across them.
It’s a particular kind of security failure, but it’s definitely a failure.
Fascinating Social Engineering Story
Petty crime and identity theft, but both fascinating and impressive. Social engineering works even in places that take security seriously.
Social-Engineering Bank Robbery
On Wednesday, a man dressed as an armored truck employee with the company AT Systems walked into a BB&T bank in Wheaton about 11 a.m., was handed more than $500,000 in cash and walked out, a source familiar with the case said.
It wasn’t until the actual AT Systems employees arrived at the bank, at 11501 Georgia Ave., the next day that bank officials realized they’d been had.
[…]
And on Thursday, about 9:30 a.m., a man dressed as an employee of the security company Brink’s walked into a Wachovia branch in downtown Washington and walked out with more than $350,000.
The man had a badge and a gun holster on his belt, said Debbie Weierman, a spokeswoman for the FBI’s Washington field office. He told officials at the bank, at 801 Pennsylvania Ave. NW, that he was filling in for the regular courier.
About 4 p.m., when the real guard showed up, a bank official told him that someone had picked up the cash, D.C. police said. The guard returned to his office and told a supervisor that he did not make the pickup at the bank. The supervisor called a Wachovia manager, who in turn notified authorities. Police were called nearly 11 hours after the heist.
Social engineering at its finest.
EDITED TO ADD (1/16): Seems to be an inside job.
New Identity Theft Tool
This program mimics a human in a chat room, and attempts to extract personal information.
And I thought ELIZA was so 1960s.
Trucker Steals Guinness from Brewery
Someone drove a truck through the front gate of the Guinness brewery in Dublin, loaded the trailer with 450 kegs of beer, and drove out the gate. Security presumed it was just another legitimate contractor coming to pick up beer for distribution, and ignored him.
Moral: look like you belong.
EDITED TO ADD (12/5): Looks like they were caught before they drank all the beer.
How to Harvest Passwords
Just put up a password strength meter and encourage people to submit their passwords for testing. You might want to collect names and e-mail addresses, too.
For the record, here’s how to choose a secure password:
So if you want your password to be hard to guess, you should choose something not on any of the root or appendage lists. You should mix upper and lowercase in the middle of your root. You should add numbers and symbols in the middle of your root, not as common substitutions. Or drop your appendage in the middle of your root. Or use two roots with an appendage in the middle.
Even something lower down on PRTK’s dictionary list—the seven-character phonetic pattern dictionary—together with an uncommon appendage, is not going to be guessed. Neither is a password made up of the first letters of a sentence, especially if you throw numbers and symbols in the mix. And yes, these passwords are going to be hard to remember, which is why you should use a program like the free and open-source Password Safe to store them all in.
EDITED TO ADD (12/5): Note that I am not actually accusing them of harvesting passwords, only pointing out that you could harvest passwords that way.
APEC Conference in Sydney Social Engineered
The APEC conference is a big deal in Australia right now, and the security is serious. They’ve blocked off a major part of Sydney, implemented special APEC laws allowing extra search powers for the police, and even given everyone in Sydney the day off—just to keep people away.
Yesterday, a TV comedy team succeeded in driving a fake motorcade with Canadian flags right through all the security barriers and weren’t stopped until right outside President Bush’s hotel. Inside their motorcade was someone dressed up as Osama Bin Laden.
The ABC later released a statement saying the team had no intention of entering a restricted zone and had been wearing mock “insecurity passes” that stated the convoy was a joke.
“It was a piece testing APEC security and the motorcade looked pretty authentic,” the Chaser source said.
“They approached the green zone, and they just waved them through much to their amazement, because the sketch was meant to stop there with them being rejected.
“They were then waved through into the red zone, but rather than go all the way through they made the call to turn around.”
“Apparently that was the first time the police realised it was not authentic and they swooped in and arrested everybody.”
Eight members of the comedy team, including the film crew, were arrested, as well as three hire car drivers.
The fake motorcade three cars and a motorcycle escort had Canadian identification.
“We just thought Canada would be a country the cops wouldn’t scrutinise too closely,” said Chaser performer Chris Taylor.
Another article.
I’ve written about these large-scale social engineering pranks before (although at this point I doubt that the Super Bowl prank was real). The trick: look like you fit in.
I’ve also written about the Australian comedy group before. They’re from a television show called The Chaser’s War on Everyhing, and they’ve tested security cameras and Trojan horses. And interviewed ignorant Americans.
And APEC security is over-the-top stupid:
On the same day police won a court battle to stop protesters marching down George Street through the APEC security zone, it emerged yesterday that at least one cafe near George Bush’s hotel has been ordered by police not to set outdoor tables with silverware, lest it fall into the wrong hands.
And office workers in Bridge Street’s AMP tower have been told to stay away from the windows, draw the blinds and not to look at helicopters.
EDITED TO ADD (9/7): Video of the motorcade and the arrests. Photo of the fake security pass.
Great video from The Chasers on APEC and security, including some very funny footage about what normal people are willing to do and have done to them in the name of security.
Phishing Studies
Two studies. The first one looks at social phishing:
Test subjects received an e-mail with headers spoofed so that it appeared to originate from a member of the subject’s social network. The message body was comprised of the phrase “hey, check this out!” along with a link to a site ostensibly at Indiana University. The link, however, would direct browsers to www.whuffo.com, where they were asked to enter their Indiana username and password. Control subjects were sent the same message originating from a fictitious individual at the university.
The results were striking: apparently, if the friends of a typical college student are jumping off a cliff, the student would too. Even though the spoofed link directed browsers to an unfamiliar .com address, having it sent by a familiar name sent the success rate up from 16 percent in controls to over 70 percent in the experimental group. The response was quick, with the majority of successful phishes coming within the first 12 hours. Victims were also persistent; all responses received a busy server message, but many individuals continued to visit and supply credentials for hours (one individual made 80 attempts).
Females were about 10 percent more likely to be victims in the study, but male students were suckers for their female friends, being 15 percent more likely to respond to phishes from women than men. Education majors had the smallest disparity between experimental and control members, but that’s in part because those majors fell for the control phish half the time. Science majors had the largest disparity—there were no control victims, but the phish had an 80 percent success rate in the experimental group.
Okay, so no surprise there. But this is interesting research into how who we trust can be exploited. If the phisher knows a little bit about you, he can more effectively target your friends.
And we all know that some men are suckers for what women tell them.
Another study looked at the practice of using the last four digits of a credit-card number as an authenticator. Seems that people also trust those who know the first four digits of their credit-card number:
Jakobsson also found a problem related to the practice of credit card companies identifying users by the last four digits of their account numbers, which are random. From his research, it turns out people are willing to respond to fraudulent e-mails if the attacker correctly identifies the first four digits of their account numbers, even though the first four are not random and are based on who issued thecard.
“People think [the phrase] ‘starting with’ is just as good as ‘ending with,’ which of course is remarkable insight,” he said.
Another attack comes to mind. You can write a phishing e-mail that simply guesses the last four digits of someone’s credit-card number. You’ll only be right one in ten thousand times, but if you send enough e-mails that might be enough.
EDITED TO ADD (8/14): Math typo fixed.
Sidebar photo of Bruce Schneier by Joe MacInnis.