People Are the Main Vulnerability. Social Engineering at PHDays V

8/12/2015

Now you can watch Positive Hack Days V on YouTube — there are dozens of lectures on practical security in Russian and English. The 2015 forum was devoted not only to hardcore hacking techniques but also to "non-technical" attacks. One interesting and unusual talk was given by Chris Hadnagy, who exploits human psychology and doesn't put much faith in technological progress: "While you're looking for zero-day vulnerabilities, we can just pick up the phone and find out your secrets." Let's take a look at some of the stories and observations of the 42-year-old American.

How to make a person tell you his or her credit card PIN

"If I’d been a real criminal I would probably be rich, famous, or dead," writes Chris in his book "Social Engineering: The Art of Human Hacking". The creator of Social-Engineer.org has used social engineering in casinos, at sporting events and at auctions — but only to demonstrate security flaws.

Once Hadnagy took part in a BBC show: he was to steal a purse containing a credit card and then get the victim to tell him the PIN. The BBC didn’t think it was possible. They picked the mark — an unwitting woman dining in a cafe. Chris waited nearby for an "attack" opportunity. With her friend sitting opposite, she kept her hand on the bag at all times — not an easy target. The woman was beginning to look like bad news. But after a few minutes her friend left to find a restroom. The mark was alone, so Chris gave Alex and Jess (his assistants) the signal. Playing the part of a couple, Alex and Jess asked the mark if she would take a picture of them both. She was happy to do so. She removed her hand from her bag to take the camera and snap a picture of the “happy couple” and, while she was distracted, Chris casually reached over, took her bag, and calmly locked it inside his briefcase.

The victim had yet to notice the empty chair as Alex and Jess left the cafe. Then she stood up and looked around frantically. This was exactly what Chris was hoping for, so he asked her if she needed help. He convinced her to calm down and think about what was in the bag. A phone. Make-up. A little cash. And her credit cards. First of all, Chris asked who she banked with and then told her that he worked for that bank. What a stroke of luck! He reassured her that everything would be fine, but she would need to cancel her credit card right away. She agreed, and Chris called the “help-desk” number, which was actually Alex sitting downstairs in the van, and handed his phone to her. On the dashboard, a CD player was playing office noises they had downloaded from the Internet. Alex assured the victim that her card could easily be canceled but, to verify her identity, she needed to enter her PIN on the keypad of the phone she was using. His phone. You can guess the rest. Had they been real thieves, they would have had access to her account via an ATM. However, Chris earns enough by exposing scam techniques. The woman even thanked Chris for giving her bag back, to which he replied, “Don’t thank me. I’m the one who stole it.”

Hadnagy and the Creator of Linux

Today Chris Hadnagy teaches corporations to detect social engineers and runs competitions in which sociable contestants pry secrets out of large companies in front of a big audience. However, his start was slow. One of his first experiments was conducted at a tech conference at the Javits Center in New York City.

A private party was held in FAO Schwarz, a popular toy shop located nearby. Top managers of HP, Microsoft, and other large companies were there. Chris and his friend decided to get into the party at all costs. They approached the women in charge of the ticket booth and the guest list and spoke to them for a few minutes. As they were speaking, Linus Torvalds, the creator of the Linux kernel, walked by. Chris had picked up a Microsoft plush toy at one of the booths, so he turned to Linus and said: “Hey, you want to autograph my Microsoft toy?” Torvalds smiled, clapped Chris on the shoulder, and said: "I will see you inside, young man.” So the friends got two tickets to the party.

Engineers Shut Down Plants

"Sometimes in the tech field, we can get so caught up in “what’s new” that we lose sight of the importance of “what’s practical”," writes Hadnagy in his blog at social-engineer.org. It all comes down to the fact that social engineering is simple and it works, which means that criminals, hacktivists, and even state-sponsored groups are all more than happy to exploit this vector. Hadnagy advises all security specialists to study closely "Open Source Intelligence Techniques", a book by former CIA agent Michael Bazzell.

Chris has gathered a comprehensive collection of high-profile 2014 attacks that used impersonation, phishing, vishing, and other social tactics.

  • Physical damage to a German steelworks. This attack was covered in the German IT security report (Die Lage der IT-Sicherheit in Deutschland 2014). While the details have still not been revealed, the attack reportedly had two stages. First, the attackers targeted plant employees with emails containing phishing links. Through the email, the attackers got access to the company's office network and then to the system controlling the blast furnaces. As a result, the plant personnel were unable to control the equipment: control components failed and a blast furnace could not be shut down in a controlled manner, which caused massive damage to the plant. The experts noted that the attackers knew the specifics of the industrial equipment and plant controls, which means the attack was targeted.
  • The entire mess that is the Sony hack likely began with social engineering against key employees.
  • Insider attacks are often carried out using social engineering tactics, such as the breach that occurred when AT&T records were accessed and released.
  • There are several articles linking the use of social engineering tactics like phishing to initiate hacks against such companies as Target, Home Depot, and J.P. Morgan, leading to physical and financial losses for these brand-name companies.
  • The iCloud hack used social-engineering information-gathering tactics to build databases which were then used in brute-force attacks on celebrity accounts, resulting in the theft of their private photos and videos.
  • One advanced persistent threat used phishing to steal millions from various banks (mostly in Russia).
  • Experian was breached when a man impersonated a private investigator and talked his way into access at one of Experian’s subsidiaries.
  • eBay employees were manipulated into giving their credentials to attackers, which ended up compromising 145 million user accounts.

You can find the talk by Chris Hadnagy in the PHDays V playlist on YouTube.