Showing posts with label social engineering. Show all posts

Frank Abagnale Jnr.

Following on from my previous post on 'gaming the system', a friend sent me this link to Frank Abagnale Junior - the man played by Leonardo DiCaprio in "Catch me if you can" - giving the closing keynote at the RSA APAC conference (youtube).

It's an interesting talk to hear how someone with a hacker mindset in the 60s was able to social engineer and defeat some of the security systems of the day...just by not following 'the rules'.

Social Engineering CTF

Social engineering is back! Did it go away? Not really, but it's back in the mainstream news. One of the competitions at DefCon this year has been a 'social engineering contest', where contestants were given a list of information they have to obtain and a target company that they have to obtain it from.
They were given a limited amount of time to get as much of the information as they could. And the result? Not good.
We've touched upon social engineering before, and unless (or even if) you're a super-secret organization with highly trained personnel it is something that is damn near impossible to stop. I would imagine it is easier to do against larger companies (such as those targeted in the contest; the likes of Apple, Microsoft, Cisco, Ford, Coke and BP), especially those with areas that routinely deal with the public and whose staff are encouraged and trained to be helpful and friendly.

Only 3 out of the 50+ employees contacted by the competitors were skeptical enough to hang up without providing information (and all three were women....so much for the skeptical male stereotype!). Apparently:

"People went as far as opening up their e-mail clients, Adobe Reader, versions of Microsoft Word, and clicking on 'Help/About' and giving the exact version numbers of their software," said Aharoni. "For an attacker, the exact version number would provide a much higher level of success," allowing an attack to be tailored to exploit a vulnerability in that exact program.

The contest was sponsored by social-engineer.org who seek to "Exploit the HumanOS".

While I can see the validity of the contest, I hope the details of those called are not released, to avoid any punishment or ridicule from their employers or fellow workers. The urge to be helpful is part of human nature and it is a sad fact that there are those who will exploit and manipulate that nature for their own ends.

Time to go and review your Security Awareness training...

Extreme Pentest

I recently came across this blog entry from the SNOsoft research team (aka NetraGard) describing in some detail a rather extensive penetration test for a 'mid-sized' bank.

The pentest was undertaken not to identify all points of risk, but to identify how deeply the pentesters could penetrate. It was the unusual approach and the use of social networking reconnaissance and social engineering that caught my eye:

In addition to FaceBook, we focused on websites like Monster, Dice, Hot Jobs, LinkedIn, etc. We identified a few interesting IT related job openings that disclosed interesting and useful technical information about the bank. That information included but was not limited to what Intrusion Detection technologies had been deployed, what their primary Operating Systems were for Desktops and Servers, and that they were a Cisco shop.

Naturally, we thought that it was also a good idea to apply for the job to see what else we could learn. To do that, we created a fake resume that was designed to be the “perfect fit” for a “Sr. IT Security Position” (one of the opportunities available). Within one day of submission of our fake resume, we had a telephone screening call scheduled.

We started the screening call with the standard meet and greet, and an explanation of why we were interested in the opportunity. Once we felt that the conversation was flowing smoothly, we began to dig in a bit and start asking various technology questions. In doing so, we learned what Anti-Virus technologies were in use and we also learned what the policies were for controlling outbound network traffic.

From there they were able to identify key employees and eventually email a dodgy trojan PDF that could evade the company's AV, and eventually capture the DCs. Game over.

I doubt many companies would have an external party go to this extreme to test their defences, even banks. I wonder how many companies would have sufficient defences to resist this type of assault?

They also have an interesting blog post entitled "FaceBook from the hackers perspective" that is worth a read.

Facebook Privacy

A lot has been said about Facebook privacy (or lack thereof). A friend passed along this fascinating link that graphically illustrates the evolution of privacy on Facebook (or should that be devolution?).

Social networking contains all kind of dangers, from the typical social engineering and scamming to getting fired for 'chucking a sickie' and things far, far worse.

Of course, Facebook, MySpace or LinkedIn aren't responsible for the crimes that may be committed by users of their service, but sites like Facebook aren't helping matters by proclaiming 'privacy is dead' and purposely making more information public.

It has been said before, but bears repeating: don't put anything on the internet that you wouldn't want everyone to know. While I don't agree with Mark Zuckerberg that 'privacy is dead', I do agree that, for all intents and purposes, 'privacy is dead on the internet'.

And finally, if you are a Facebook user, here are 10 Privacy Settings Every Facebook User Should Know, or if you're tired of the whole social networking thing, how to delete your Facebook profile in 5 minutes (and by the way, apparently you're not alone).

More Aurora

I was pointed to some more information on Aurora by a Uni classmate. HBGary have a slightly more in-depth threat review of Aurora here [pdf] and are offering an 'Aurora inoculation shot' with details here. The inoculation does not address the social engineering aspect of the attack; it is more of a scanner to tell if you're already infected and help clean the infected machine (which to me seems like more of an after-the-fact action than the name 'inoculation' implies).

One thing in the HBGary report is that the CRC algorithm used is claimed to "indicate the malware package is of Chinese origin". This was originally announced by Joe Stewart and widely reported, but there has since been some dispute as to whether the CRC is a 'smoking gun' indicating China.

We may never know...

On a somewhat related topic (malware in general), I often use VirusTotal to scan 'suspect' files, but a colleague recently pointed me to a couple of other sites that provide a similar service: virusscan.jotti.org and threatexpert.com. All three are worth investigating if you haven't seen them before.

"Aurora" attacks

iSec has published a brief report [pdf] into the widely-reported "Aurora" attacks on Google (and others) that allegedly originated from the Chinese Government. The report provides an interesting insight into a recent sophisticated attack that I suspect few organizations would have been able to repel, and is well worth reading.

An important point from the end of the report is that the:
"...most interesting aspect of this incident is that a number of small to medium sized companies now join the ranks of major defense contractors, utilities and major software vendors as potential victims of extremely advanced attackers. This is concerning for many reasons, not the least of which is that even most Fortune-500 companies will not be able to assemble security teams with the diversity of skills necessary to respond to this type of incident."

Social Engineering in Real-World Computer Attacks

Great little article over at SANS on Social Engineering in Real-World Computer Attacks
