We provide the cyber intelligence that keeps blue chip companies from turning red

"Beyond Network and Apps: Pen Testing Wetware"

Terry Gudaitis, PhD

October 2008, MSU

© 2007 Cyveillance, Inc. www.cyveillance.com

Agenda

• Defining the “Wetware” or Social Engineering side of pen testing

• How SE fits into a pen testing methodology

• Objectives of SE

• Collection Methodologies

– Physical

– Electronic

– Internet

• Case Studies/Examples

• Questions and Answers


Social Engineering

Definition:

Human or social/psychological based methodologies used to persuade, coerce, or manipulate others into revealing sensitive, private, or confidential information.

The methodologies may include direct or remote assessment, observations, interpersonal communication, lures, schemes, or traps to elicit information.

In Historical Terms = A Con Game


Social Engineering

Human Vulnerabilities and Exploiting Cognitive Biases:

• SE will target the human weaknesses:

– Ignorance or naiveté

– Illness, vulnerability or psychological susceptibility (i.e., guilt, depression)

– Fear, uncertainty or doubt

– A desire to be liked, desired or respected

– A desire to be helpful, feel successful, or accomplish a goal

• The Objectives for the SE may be to Garner:

– Cash or equivalents

– Account access, passwords, logins

– Identity information

– Proprietary or business knowledge

– Physical goods (i.e., badges, ID’s, codes)

• Victims (Targets) are either the corporation, the individual or both


Social Engineering

Most “Popular” or Successful Motivations include:

• Get the Job Done

• Fear of Not Doing Their Job

• Wanting to be Helpful

• Severe Empathy and Willingness to Break the Rules

• Ease and Laziness (sometimes this is just due to lack of policies)

The SE:

• Confident

• Knowledgeable

• “Correct Personality” for the role


Social Engineering

Basic Methodology

1. Targeting

– Who, Why, Where, What type of Information

– How to conduct the collection of information and intelligence

2. Data Collection

– Background data

– Understand the target; Know your target

– Understand the Vulnerabilities

3. Scenario Development

– Construct the plan to elicit the information

– Assess the plan; Analyze the plan

4. Implementation

– Collecting the targeted information

– Collection of targeted information…and beyond?

– Documentation of collection (times, dates, persons, means)

5. Review

– What was collected?

– How can it be exploited?

– Lessons Learned


Social Engineering

Targeting:

• Who or What is the Target

• What types of information would be useful? Best?

• How will the SE be able to acquire the most useful information?

• Is it possible or necessary to collect information at the physical location or is that 1) not possible; or 2) too risky?

• What information may be able to be collected via electronic or via the Internet?

• Develop the targeting plan

• Start information collection

• Apply the collection of information/intelligence that has been gathered


Social Engineering

Data Collection of SE Information via the Internet:

• Target’s website

• Related websites

• Partners, Vendors, Associates

• Name search databases

• Blogs

• Social Engineering Sites

– This is the initial starting point of research

– This is where the background and back-data will be gathered

– This will assist in the other types of data collection (physical and/or electronic)


Social Engineering

Internet Intelligence: Organizational Target and Human Target

• World Wide Web

• Blogs (Web logs)

• IRC/Chat

• Public email groups

• P2P

• Discussion forums

• Usenet

• Images, Vlogs

• Unsolicited Commercial Bulk Email (SPAM)

• People Finds


Social Engineering

Data Collection of SE Information via Physical Means:

• Dumpster Diving

• Shoulder Surfing

• Direct Observation

– What types of badges?

– Where are the physical entry points?

– What does the building/environment look like?

– What is the corporate culture?

• Interaction and Discussion with Employees and other workers

• Observation of personnel movements

– Where people come and go from and to

– Where do people park?

– How do they commute?

– Is everyone onsite…or do people telecommute?


Social Engineering

Physical Means

• Recon of the physical target

– How to dress

– When to show up

– What type of demographic

– Understanding of the perimeter

• Observational Intelligence

– Just sit there

– Interact without Entrance

– Deliveries and Soliciting

• Gaining Physical Entry

– Coat-tailing

– Walking Right In

– Assessing Barriers (i.e., security guards, Xray machines, ID checks)

• Collecting Onsite Documents and Items

– Where is the low hanging fruit?

– Exiting with “the goods!”


Social Engineering

Data Collection of SE Information via Electronic Means:

• Using listening devices, trojans

• Telephone communications

– Personnel

– Help Desks

– Call Centers

• Email communications

• Virtual Games (i.e., Second Life)

• Posting of surveys, websites (phishing-like activities)

• Any information collected from thumb drives, CD’s, etc…


Social Engineering

Electronic Means

• Recon

• Remote Assessment

• Softest Target

• May include foreign language usage

• May need obfuscation tactics

• Analysis of Replies and Correspondence

• Duration of pre-elicitation communications

• Plan to cease communications


Social Engineering

Developing the Targeting Scenario:

• Applying the background research, information, and intelligence gathering!

• Develop the scenario and point of contact with the target(s) in order to elicit the needed information (i.e., passwords, login data)

– Who are you going to contact?

– What is your “story?” …and what is the backdrop?

– How are you going to contact them?

– When are you going to contact them?

– How many players do you need to make the scenario seem real?

– What psychological vulnerability are you going to focus on? …and why?


Social Engineering

High Profile Case – VP Candidate

“The hacker guessed that Alaska's governor had met her husband in high school, and knew Palin's date of birth and home Zip code. Using those details, the hacker tricked Yahoo Inc.'s service into assigning a new password, "popcorn," for Palin's e-mail account, according to a chronology of the crime published on the Web site where the hacking was first revealed.”

http://wikileaks.org/wiki/Sarah_Palin%27s_E-mail_Hacked


Social Engineering

Case Studies:

EX #1: Elicitation of Customer Data from Insurance Files

EX #2: Gaining Access to Medical Systems and Patient Data

EX #3: Gaining Physical Entry and Access to Internal Databases


Social Engineering

EX #1: Elicitation of Customer Data from Insurance Files

1. Targeting – Company – Access to Customer Policy Information

2. Data Collection – Internet Only – Background data, P2P, WWW

3. Scenario Development

– Impersonation of a legitimate customer’s family member

– Policy holder in jeopardy (medically unable to communicate)

– 3 Person scenario – play on severe empathy

4. Implementation – Phone call to Customer Service Desk

5. Review

– Collected Policy # and coverage

– Collected SS#

– Follow-up contact could possibly get online account access credentials


Social Engineering

EX #2: Gaining Access to Medical Systems and Patient Data

1. Targeting – Help Desk of Major Hospital

2. Data Collection

– Internet Collection (i.e., Doc’s resumes, nurses at conferences)

– Onsite Observation

3. Scenario Development

– Impersonate a Doctor to gain access to medical database

– 2 person scenario

4. Implementation – Email and then phone call to Help Desk

5. Review

– Password and UserID (in fact, re-set password)

– Access to Dr.’s email account, address book, etc…

– Access to medical database
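Both the webmail reset in the VP candidate case (granted on date of birth, ZIP code and a guessable personal fact) and the hospital help desk in EX #2 (a password re-set for a caller posing as a doctor) fail the same way: facts an SE can collect in the data-collection phase are accepted as proof of identity. The following is an added example, not code from the deck or from Cyveillance, of a help-desk reset policy that treats knowledge-based answers as identification only and completes the reset through a callback to the number already on file. The directory, phone numbers, account names and policy steps are all hypothetical.

```python
"""
Help-desk password-reset verification with an out-of-band callback.

Added example, not from the Cyveillance deck. It models the control that is
missing from the two resets on the slides: a webmail reset granted on
guessable knowledge-based answers (slide 15) and a hospital help desk
re-setting a password for a caller impersonating a doctor (EX #2). The
directory, phone numbers, account names and policy steps are hypothetical.
"""
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional, Tuple

# Constructed directory of record. A reset code is only ever delivered to the
# number that was on file before the call started, never to a number the
# caller supplies during the call.
DIRECTORY: Dict[str, str] = {
    "dr.smith": "+1-555-0100",
    "dr.jones": "+1-555-0101",
}


@dataclass
class ResetRequest:
    account: str
    caller_supplied_phone: str       # where the caller asks to be called back
    kba_answers_correct: bool        # date of birth, ZIP, school... style checks
    audit: List[Tuple[str, str]] = field(default_factory=list)  # (time, event)

    def log(self, event: str) -> None:
        # The deck's own "documentation of collection": times, persons, means.
        self.audit.append((datetime.now(timezone.utc).isoformat(), event))


class HelpDesk:
    def __init__(self, deliver: Callable[[str, str], None]) -> None:
        self.deliver = deliver           # deliver(phone, code): SMS or voice call
        self._pending: Dict[str, str] = {}

    def start(self, req: ResetRequest) -> str:
        phone_on_file = DIRECTORY.get(req.account)
        if phone_on_file is None:
            req.log("deny: unknown account")
            return "deny"
        # KBA answers identify the caller but never authenticate them: they are
        # exactly the facts an SE collects from public sources beforehand.
        req.log(f"kba_answers_correct={req.kba_answers_correct} (identification only)")
        if req.caller_supplied_phone != phone_on_file:
            req.log("caller-supplied callback number refused; using number on file")
        code = secrets.token_hex(3)
        self._pending[req.account] = code
        self.deliver(phone_on_file, code)
        req.log(f"callback code delivered to number on file for {req.account}")
        return "awaiting_callback"

    def complete(self, req: ResetRequest, code_from_caller: Optional[str]) -> str:
        expected = self._pending.pop(req.account, None)
        if (expected is None or not code_from_caller
                or not secrets.compare_digest(expected, code_from_caller)):
            req.log("deny: callback code missing or wrong")
            return "deny"
        req.log("reset granted; temporary password must be changed at first login")
        return "reset"


def demo() -> Dict[str, str]:
    """Runs a legitimate reset and an impersonation attempt side by side."""
    phones: Dict[str, str] = {}      # constructed stand-in for the real handsets
    desk = HelpDesk(lambda phone, code: phones.__setitem__(phone, code))

    # Legitimate caller: the code arrives on the handset they actually hold.
    legit = ResetRequest("dr.smith", "+1-555-0100", kba_answers_correct=True)
    desk.start(legit)
    legit_result = desk.complete(legit, phones.get("+1-555-0100"))

    # Impersonator: correct KBA answers gathered from public data, and a
    # request to be called back on "my cell", a number not in the directory.
    impostor = ResetRequest("dr.jones", "+1-555-0199", kba_answers_correct=True)
    desk.start(impostor)
    impostor_result = desk.complete(impostor, phones.get("+1-555-0199"))

    return {"legitimate": legit_result, "impersonation": impostor_result}


if __name__ == "__main__":
    for who, outcome in demo().items():
        print(f"{who}: {outcome}")
```

The audit list on each request is what the deck calls documentation of collection: after an engagement, the reviewer can see from the timestamps whether a caller-supplied callback number was offered and refused, which is the step the impersonation scenarios on these slides depend on.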


Social Engineering

EX #3: Gaining Physical Entry and Access to Internal Databases

1. Targeting – Executives of a large Financial Services organization

2. Data Collection

– Internet background data

– Onsite Observation; Onsite Data Collection at HQ

– Email/Postings to company’s forum

3. Scenario Development

– Create role of an executive assistant for each executive

– 1 person played all 4 exec assistants

4. Implementation – Gained Physical Access and Created Spear/Whale Phish to attempt to get password credentials

5. Review

– Access gained to floor/office space of execs

– 2 of 4 credentials were elicited (the execs used the same choice of password for the phish as they did for their corporate accounts)
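The spear/whale phish in EX #3 relied on mail that looked like it came from an executive assistant. On the receiving side, the sender display name is entirely under the sender's control while the sending domain is not, so a gateway or SIEM rule can flag a protected name arriving from outside the organization, and a near-miss of the organization's own domain. The following is an added example, not part of the deck or of any Cyveillance tooling, of that detection run over constructed log lines; the log format, the organization's domain, the protected names, the sample messages and the edit-distance threshold are all assumptions.

```python
"""
Spotting display-name impersonation and lookalike sender domains in mail logs.

Added example, not part of the deck. EX #3 had one person posing as four
executive assistants and sending a spear/whale phish; this is the kind of
detection a mail gateway or SIEM rule can run over sender metadata. The log
format, the organization's domain, the protected names and the sample lines
below are all constructed for illustration, and the domain-distance threshold
is a tunable assumption.
"""
import re
from typing import Dict, List

OUR_DOMAIN = "example-fin.com"                         # hypothetical organization
PROTECTED_NAMES = {"Jane Doe", "Tom Lee", "Ann Park"}  # hypothetical execs/EAs
LOOKALIKE_MAX_DISTANCE = 2                             # assumption; tune per domain

# Constructed sample lines in a simple key=value gateway log format.
SAMPLE_LOG = """\
2008-10-02T09:14:03 msgid=a1 from="Jane Doe" <jdoe@example-fin.com> to=ceo@example-fin.com subj="Board pack"
2008-10-02T09:21:44 msgid=a2 from="Jane Doe" <jane.doe.ea@gmail-mail.net> to=ceo@example-fin.com subj="Re: urgent wire"
2008-10-02T09:30:10 msgid=a3 from="Tom Lee" <tlee@examp1e-fin.com> to=cfo@example-fin.com subj="Password check"
2008-10-02T09:41:58 msgid=a4 from="Vendor Billing" <billing@acme-supplies.example> to=ap@example-fin.com subj="Invoice 4471"
"""

LINE_RE = re.compile(r'msgid=(?P<id>\S+) from="(?P<name>[^"]*)" <(?P<addr>[^>]+)>')


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small value against OUR_DOMAIN means a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(line: str) -> Dict[str, object]:
    """Returns the message id and the list of flags raised for one log line."""
    m = LINE_RE.search(line)
    if not m:
        return {"id": None, "flags": []}
    name = m.group("name").strip()
    domain = m.group("addr").rsplit("@", 1)[-1].lower()
    flags: List[str] = []
    if domain != OUR_DOMAIN:
        # A protected person's name on mail that did not come from our domain:
        # the display name is sender-controlled, the sending domain is not.
        if name in PROTECTED_NAMES:
            flags.append("display_name_impersonation")
        # Near-miss domains (examp1e vs example) pass a quick visual check by a
        # busy recipient, which is exactly what the scenario counts on.
        if levenshtein(domain, OUR_DOMAIN) <= LOOKALIKE_MAX_DISTANCE:
            flags.append("lookalike_domain")
    return {"id": m.group("id"), "flags": flags}


def scan(log: str) -> List[Dict[str, object]]:
    """Returns only the messages that raised at least one flag."""
    results = [classify(line) for line in log.splitlines() if line.strip()]
    return [r for r in results if r["flags"]]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["id"], ", ".join(hit["flags"]))
```

Run stand-alone it reports a2 (a protected name from an outside domain) and a3 (a protected name from a one-character lookalike of the organization's domain) and stays silent on the genuine internal message and the unrelated vendor. The name match is deliberately exact; a production rule would normalise case and punctuation and combine this with sender authentication results rather than rely on the display name alone.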


Social Engineering

Summary:

1. Most everyone can be “psyched” into giving away information

2. 5 Phases of conducting successful SEing

• Targeting

• Data Collection

• Scenario Development

• Implementation

• Review

3. Planning, planning, planning!

4. Thorough Understanding of the emotional and psychological impact

5. Acting, acting, acting!


Contact: Terry Gudaitis, PhD, Cyber Intelligence Director, [email protected], 703-351-2437

Questions?