
How to Create Social Illusions: A Social Engineering Case Study

BSides Detroit · 44:10 · 384 views · Published 2012-06
About this talk
Steven Fox talks about a psychological framework that informs a social engineer's reconnaissance, pretext formulation, and social exploit activities.
Transcript (en)

Host: Your mic's live. All right, we're going to get started with our next talk of the day. The talk is titled "How to Create Social Illusions: A Social Engineering Case Study." I'd like to introduce Mr. Steve Fox, CISSP, QSA. He is a senior security architecture and engineering adviser at the US Department of the Treasury and holds an MS in Business Information Technology from Walsh College, an NSA-recognized Center of Excellence. Mr. Fox brings a cross-disciplinary perspective to the practice of information security, combining his experience as a security consultant, a senior IT auditor, and a systems engineer with principles from behavioral and organizational psychology to address security challenges. Everybody, I'd like to welcome Mr. Steve Fox. He's also one of our co-organizers, so an extra hand for him too.

Steven Fox: Well, thanks a lot for coming, guys. How many people here are familiar with how visual illusions work? Basically, people that design visual illusions use the expectations that the visual cortex of your brain has to interpret stimuli from the environment, and they use that to play tricks on your brain. Social engineers do the same thing with behavioral and organizational psychology to trick you into believing that certain circumstances are what they are not, and that's what we're talking about here. I'll mention a few tools, but this is not a tools talk; this is really about psychology and what elements in

the environment can be manipulated to fool you into believing things are the way they are not. A little bit about me: as I was already introduced, I'm currently a security architecture and engineering adviser with the US Treasury. I protect your taxes. My background is as a security consultant; I did a lot of social engineering pen testing and a lot of PCI work. Before that I was an IT auditor for GM, so I worked in this building, and before that I was a developer and a systems engineer. But before that I was into psychology, understanding how the human brain works and how it interfaces with machines. Now why would a person in psychology care about security? Any

ideas how someone from psychology would ever even care about security? Exactly. Well, really, computers don't make money by themselves; companies don't operate solely on computers. People have to use computers to make companies money. So as a social engineer, if I know how to hack a person, it doesn't matter how well protected the computer is, doesn't matter how many millions of dollars I spent to protect the perimeter, to have a SIEM or a SOC in place. All that doesn't matter if I can fool a person. I talk a lot about these topics on securelexicon.com, my own blog, but also on CSO Online and InfoSec Island. Today we're going to talk about an

actual case study I did back in February of last year, talking about the high-level objectives, the actual tactical mission, and describing step by step what I did at the client site. A disclaimer worth mentioning here is that everything I talk about here does not reflect the opinions of the US government; these are my opinions. So why is it so effective? Who here has read the 2012 Verizon Data Breach report? Really? That's all, guys? You need to read this. Only 7% of the incidents that were studied here were attributed to social events; however, those 7% accounted for 37% of the records that were breached. Huge payback for the effort expended. No other area, hacking, malware,

privilege misuse, had that level of return. This makes it a very big risk. So the case study: this was a company in the transport industry. They serve most of the Midwest, a couple of clients on the West Coast. It's a mid-size company but with a small culture. Now why would that be? Any ideas? They grew faster, exactly. Until about two years ago they were a very small mom-and-pop operation; they only had about two planes in their fleet, but they got a huge contract that allowed them to expand in less than a year. But culturally they never caught up, so their processes are still in that mom-and-pop mindset, so they don't think that they're

targets of big-time hackers. Of course, with most engagements there's rules of engagement. This was not a red team operation. We were asked to escalate privileges and get access to corporate records, but we were not allowed to attack personal email addresses of employees and we were not allowed to target their individual property. So I couldn't track their cars, I couldn't steal their property. I could take photographs, but I couldn't steal their stuff, and I couldn't steal government, I'm sorry, corporate equipment. So I couldn't walk out with servers, that kind of thing. So we're going to talk about how I was able to do all this cool stuff. So the mission: get a set of

credentials, get access. And here's the rules of engagement. Oh yeah, the server room was out of scope. Now I could get into the room, take photographs, but I couldn't hack anything in the server room. So after putting on a suit, getting some [inaudible], walking into the field, I did a lot of recon. Now recon accounted for about six hours of a 20-hour project, a very small amount of time. So I had to collect all the information I needed to get the job done in six hours. So I went out to Google. Google Maps allows you to get aerial photographs of your target location. Now what's interesting about this

photograph: you see that there are no gates. You see that there are trash receptacles over here that are not fenced off, so I thought, huh, maybe I could approach them, but it's possible they're locked. When I got there, there were no locks. I was able to get stuff out of the trash cans at night. Over here, this looks like a transformer; turns out it was. If the rules of engagement had not prevented me from damaging equipment, I could have shut off their power. If I were Chris Nickerson I would have climbed the roof and damaged their AC, but again I was prevented from doing that by the rules of engagement. What's not shown in

this picture is that over here there was an apartment complex. This means that the people in this building were used to people showing up that were unaccounted for. And lastly, Google told me that this building houses six other businesses. Now why is that important?

Right. My client was used to seeing people that didn't work there, and they were used to dealing with them, and there were processes in place to deal with strangers that were relaxed, and there were a lot of exceptions to processes depending on the person. So next I wanted to see what the employees saw of the company. Now glassdoor.com is a great way to find out what people think about the company. You find a lot of reviews by people about their bosses here; it's a really great storehouse of internal perspectives. As we can see here, the company was rated by its employees as two stars out of five. The employees were very

dissatisfied; their CEO had a 0% approval rate, and this statement alone really captures the opinions of the company's employees: that their management was really good at getting people to leave the company and go to other jobs. This reflects a great deal of tension. So I wanted to see, well, what about their IT environment? I now know they're pissed off, so maybe they're doing stupid things with their IT. So I found this forum on which one of their employees posted a help notice for SharePoint. So here I find out not only the version of SharePoint they're using, the fact that they even posted a problem with a detailed error report, but the URL, and the URL named the

file they were trying to retrieve. Okay, this file includes the name of another contract company they were doing business with. So if I had wanted to, I could have contacted that company and gotten details about what they did for this client. But I also know that just by looking at what business the client's in, I understand the issue they were hired for. So it gives you more intelligence as to what's happening in this company. And here is an announcement of a layoff that was planned about six months after I came on site. The company was planning to lay off 300 people; the company has about 900 employees, so this is a significant

layoff. Well, the company is an LLC; they're not publicly traded, so I wasn't able to get their SEC reports, but I did some additional research and found out that there was a union on site and they planned a strike. Now I'm not sure where they got this giant rat from, but anyone that gets a giant inflatable rat to take to their strike is motivated and very unhappy. So this really helped me understand how to manipulate these employees. I would not want to walk in as someone that was a representative of the business; I wanted to come in as an authority figure that was there to solve problems but was not associated with

management. So that feeds into the pretext, the roles that you select as a social engineer. Understanding the attitudes and psychology of your target employees is key, and also knowing where the giant rat came from, that helps. So next, on to Facebook. Now why is Facebook important? Any

ideas? Correct. With Google I was able to find out a lot of corporate information, a lot of corporate events, but Facebook allowed me to focus on the personal side of the company, their employees. So here I discovered that the company is heavily into nonprofit events, and I discovered a nice little note that was left by a previous employee saying, thank you for donating a check to the nonprofit; it's nice to see that even though you were no longer located in blah, you still care about the city. Now this tells me that the company had moved. This tells me the nonprofit they were associated with. I now know how much money was donated. But with this posting is a

photograph of them donating the check. This photograph was also associated with the names of everyone in the photograph. So now I have employee names, I know their dress code, I know that because the photograph was taken at the company site, and I know that they all belong to the group that communicates with the nonprofit. And here is the person who sent that email: John L. has 145 friends; every single one of them works at this company. He no longer works there, though. This one person put every nonprofit that works with the company, he connected them. So I got to know John L. very well over Twitter, over Facebook, LinkedIn, so I could pass myself off as

someone that's friends with him, so I could then inherit all the positive attitudes that the employees of the company had for him. So I could use that to my benefit. Now I have a lot of information here. I'm now at about hour three; I've got three more hours. So I need a tool to really organize it and draw relationships from this data. I pull out Maltego. Now in this case I used a trial version that gives me about two days of work; that's enough time. So I dump all my data into Maltego and I have four new relationships. Now what I'm looking for is: is it more data, is it more pictures? So I

want to begin to draw a psychological profile of the company, but more importantly the employees. Next we're going to be talking about the psychological markers that I used to ask questions of this data. First I wanted to determine the group types. Now why would it be important for me to figure out what groups are in this

company? It influences the role, but also influences the targets and the way that I relate to them. So a primary group: these are groups that you can think of as a high school clique, kind of tough to get into, but once you're in, you're in, unless you do something really, really stupid and you get kicked out. But they have a lot of perceived power and they're very influential. The secondary group: they're easier to get into; they tend to be targeted more by social engineers for that reason, but they defer in authority to the primary group. So my objective as a social engineer is to know enough about the primary group in order to influence decisions that the secondary group

members

make. To do that I need to understand what groups within the organization appeal to the need of people to belong to something. Everyone wants to belong to something. The groups at this organization that appealed to that need were the charity committee, as we discussed earlier; this was so strong that the company itself formed an entire unique charitable organization to manage all the relationships that they were into. Very critical: the transport committee. As we discussed earlier, their business was transport, so a lot of the business decisions were driven through this committee. Logistics, the same way. The IT governance, even though they weren't very effective, as we'll see later on, they were still influential because they drew people to

them in terms of wanting to belong to something useful in the company. Now even though we want to belong, we also want to differentiate and we want to show other people how we stand out. Well, at this company the employees decided to post on Facebook, on LinkedIn, all their achievements. So if they got a bonus, if they became employee of the month, if they won a new project, they would post this on Facebook, and I would be able to then pull this data in and know who was standing out and really target those individuals. And with this data I also wanted to identify what individuals in the organization were seen as authority

figures. There are two basic types of authority. There's position authority, like a CEO or a manager; they may not be very good leaders, but they're perceived as someone you have to work with and deal with. But there's also natural leaders, people that just by their natural qualities and ability to deal with people draw respect, and even though they may not be a manager, have the power the manager would have. So here we have the charity committee as very formal position power, the same with logistics. The natural leaders were the gatekeepers. These were huge among my targets. I wanted to target them because they were the ones that

interfaced with everyone that came in from the outside, and I would want them to trust me as someone that was coming in. My overall findings, as I used Maltego to slice and dice this data, were that there's a lot of staff-management tension. I was able to determine their IT infrastructure; they were mainly a Windows shop. I was able to find out they were heavily into community involvement, the key communicators in the organization, and how they dressed, so I was able to use that to my benefit, and also that they had a shared building space that they shared with other businesses. Now with all this information I had to build a plan to actually

achieve my mission. So I went through building the exploits I would use. So if I were ever to be in an office by myself with access to a laptop or a desktop, I could plug something in and take over the network with that. So it was key to figure out what do I do once I get access; identify the credible excuses for me to be there, the pretext that would make sense. Again, we go back to what's expected and using that to your benefit; gaining control of company assets and gaining the trust of company gatekeepers. Now to do this I would use persuasive methods. I would use the fact that they were afraid of being laid

off; they were afraid of losing business. I would use different techniques and different interpersonal techniques to gain trust and then persuade them to make choices they wouldn't normally make, and to make those choices make sense. I would also use self-effacement, that is, to not seem all that serious about myself, not to take myself seriously, to seem approachable and non-threatening, to win people over into making certain decisions. But also I would seek every opportunity I had to correct other people in what they said. Now if I were to walk up to you and you were telling me about your job and I would tell you, no, you're wrong about that, you're doing it wrong, how would you

respond? [Audience: I would wonder who you were. I would wonder what your background was for knowing that I was wrong, how you were coming to that decision.] Well, it doesn't really matter to me why you think I am who I am; I know you're wrong. Prove to me that you're right. [Audience: And put me on the defensive.] Exactly, I'm defending myself, right? So you give me more information about what you do that you may not have given me before, so I could then use that information to further my goals. So by correcting others you actually elicit more information about what they do, and also by connecting the pieces of

information the five people in the organization might give me, even though the individual pieces might be low risk, I can put them together and really they form something that's dangerous to the organization. Now during this process I had formulated about four different pretexts; I only really came up with two that made sense. We're going to discuss the two that made sense. The first was an IT consultant that came from the outside. As I discussed earlier, I don't want to be someone that was hired by management; I was someone that was hired by the company that was about to cancel a contract with this vendor, to come in and do a security assessment of their

wireless. So anyone that faced me could come up to me if they so chose and maybe even challenge me, and I could tell them, look, I'm from this hot company, I'm here to make you guys look better, I'm not here to get you fired. Someone that was easygoing but knowledgeable, was there to solve a problem, and someone that would command respect and yet not be threatening. And the other one, as we discussed earlier, was associated with nonprofit organizations, someone that would appeal to the very core corporate values of community involvement, and someone that, as we'll see later on, would actually be escorted through multiple levels of physical security to meet with executives.

Now to put together my tool I used, from BackTrack, the Social-Engineer Toolkit. This is a tool that's available for free; it allows you to make a variety of exploits depending on your needs. You could do spear phishing; you can do, as I did, make malicious PDFs to put on USB sticks; you can do a variety of things. And I chose payloads that were related to Windows, so from this list of payloads I made a variety of attacks. Now before I walked in, as I mentioned earlier, I had four options. During pretesting I made certain phone calls to figure out which ones made the most sense; the two that we

discussed made the most sense. Now during these phone calls I was also able to find out even more information about the company, which strengthened the believability and credibility of my

pretexts. You may ask, well, what about that balance of hours? You had 20 hours. Well, I was also there as an actual pentester; I was there to do a pentest and also a wireless assessment of the organization, so I had the freedom to walk around as someone that wasn't there to hack the company socially. During this onsite recon I was able to observe other people in the organization tailgating as though it was no big deal. I observed that there was almost no chance of me being challenged; if I was challenged, it would not turn out to be anything really hairy, although I had my get-out-of-jail-free card. And I was able to find out even

more details about the community involvement aspect of the company. So during recon I got off an elevator and right there in the public area was a very convenient laminated sheet of paper with actual-size ID cards. So there, I know it's important for your employees to know what their ID cards look like, but why would you post that publicly? During the postmortem of this engagement I asked the manager, why do you do this? It's like, well, we want our employees to know it's important to have their badges on. So you do this in public? These were high-def copies; I could have taken this to Kinko's, taken it out of the

lamination, and photocopied them and used it for my own. I didn't do that because I wanted to see what I could actually do without that. But also in a public area, the same public area, I found a phone directory of everyone that worked on that floor. This was the IT operations floor, sorry, IT management floor, I apologize. On the business management floor there was a glass display, as most companies do, displaying their involvement with certain events, company happiness, that sort of thing. They posted a letter associated with that donation I showed you a picture of from Facebook. This letter tells me all the details about that donation. So by itself this is not

that big a deal, but together with the information I found on Facebook I know everything now. I know how to pass myself off as someone that was involved with this; I know the name of the executive; I know the amount of money; I know how it was

used. So day one. Day one wasn't even intended to be a social engineering day; I was going to meet the IT manager of the company to start my pen testing. So I'm waiting outside in a public area that I just took some photographs of, and I dial the phone, and again, his voicemail. So I wait there for about 10 minutes, and someone opens the door and says, well, who are you? And I introduced myself, Steve Fox from the company I worked for back then, and I said, well, I'm here to see the IT manager. He looks at me: come on in. Well, at this point, no big deal, right?

I'm figuring he'll escort me. So I walk a little bit and I hear the door close behind me. Turn around; I'm there alone. So I turn around, I figure it's about 8:30 in the morning, people are working, right? I look down the hall, there's no one in the office. So maybe they're in a meeting, no problem, keep walking. What's wrong with this picture? So on one of the desks I have a planner of one of the employees; I could have grabbed that, gotten all their personal information. I see purchase orders with customer information, bank accounts, really cool information about the company. I also found the company directory, so I took a picture of

that, took a picture of the purchase order. So I keep walking down: another unlocked workstation with even more information, sorry. So I walked down and I finally found the employee that's sitting just outside of the IT manager's office, which is empty. So I talk with her; she's his secretary. Talk with her for about 20 minutes and she's giving me more information about the company, really useful stuff like, oh, what hours people leave, where they go, where they get coffee, when the picnic is. Oh, here's an invitation for the picnic tomorrow. Really, really friendly people. Again, going back to that small

culture. So the funny thing is the IT manager opens the door, he looks at me, it's like, no, are you the IT consultant? Mhm. So I failed. So day two. Now day two, I had already gotten set up on day one for pen testing; I had already started my scans. Day two there was a snowstorm, so I show up, sitting outside the server room. No one from IT operations is there yet because, well, it's a snowstorm. So I'm sitting on the floor reading a book and a guy from the Department of Defense walks up to me. Now I have a suit on, the full consultant uniform, clipboard, the

all-powerful clipboard was with me, and he asked me, well, who are you? Now I tell him who I am. Oh, why are you here? I'm here to help with security. Come on in. Again, I figure I'm going to be escorted, right? So I started doing my scans and all of a sudden I hear the door; the guy leaves me alone in the server room, well, the IT operations room, for two hours. Now I don't have pictures here; the client forbade me from showing the pictures of the server room, as you would expect, but I was able to get pictures of network diagrams. I was able to open up drawers and take pictures of people's desks

within the office. But the really cool part: I was able to find a test lab which had a computer with a password pasted to the side of the monitor with a username. Something like, no way. Sit down, log in, yep. Bring up a text file that says "users." So these are all test users, right? Looking at this thing, so I grab just one name, walk over to my production box that I'm testing with: it's a production password. So I just had every production password and username of the entire company from this one test box. Now the really interesting part was later on when the IT guy just looked at me as he walked in: how the hell did

you get in here? Oh, he let me in. He what? Why'd you let him in? His response was, well, he had a suit on, he looks like a consultant, he says he works with you guys. Oh,

okay. So the same day, I'm not done yet. Taking a break, doing some scans of the lower floor, and figuring, you know, I'm feeling the social engineering bug. Go back, put away my equipment, walk upstairs, and I began to act like the social type into nonprofits. So I tail behind another employee. Now I've got my clipboard with me, but with paperwork I gathered from the nonprofit just the day before, before it started snowing. So with this stack was also an envelope from the nonprofit in which was a USB stick with a malicious PDF, just in case. So I see someone approaching me; I could tell by their micro-

expressions they were like, who is this, why are they here? So before they even have a chance to talk to me I said, I'm Jim from this nonprofit, I'm here to see Martin. His whole expression changes. He was excited: really? Did you get the, you know, I'm really glad you're here, we haven't heard from you guys in a few months. Yeah, we really appreciate your gift back at Christmas time; we were able to feed all these families; they really loved the turkey we gave them thanks to your money. I really wanted to thank Martin in person. So he escorts me through two levels of security. At this point he hasn't even asked me for an ID

at all. He walks me through two levels of security into a secured business office. Now before all this happened I was able to determine that Martin would not be in his office; he was going to be in a meeting. I was worried that his meeting had been cancelled; thankfully he was not there. Here's his office. How was I able to take this picture? I was left there alone. So to his credit, his computer was locked, but no difference: I just left my nice USB stick in the envelope saying "For Martin, from the nonprofit." Boom. Now I really wish the rules of engagement had included attacking personal addresses, because off in the corner here is a Sports Illustrated for

that month with his personal address. So now I know he's into sports and now I know where he lives, but that was out of bounds. But this is to show you how much we leave behind; something as innocuous as a magazine could be used against us if we aren't

careful. So day three. I'm doing a wireless assessment as part of the job and I see people tailgating, like a bunch of people, into the business office. So I figured I'll give this a shot. Walk in and I'm intercepted by the receptionist, a gatekeeper, and she asks me for my ID. Steve, why are you here? I'm doing a wireless assessment for the company; I was hired by the management of this building to help your IT people out to do this assessment. Really? Okay. She plays with some paperwork: oh yeah, we were going to do this assessment. She doesn't know that I'm actually a consultant from the outside hired by the company; all she knows is there's an

assessment. So she gives me my ID back. Well, you need a badge; you should go to this office. I said, look, you know, I appreciate you doing your job, but I don't have time; I need to do this job. Looks at me, looks at the computer: well, here's a badge. Now what she should have done was kept my ID but also directed me to HR to go through a formal badging process, but she actually had her own badge. This shows that this company had exceptions for processes that were in place. Now this badge, she told me, would only give me access to this one floor, which was fine because this was the floor where HR records were

stored. I would be able to get all the HR records of everyone, no problem, where I was actually able to get photographs of key employees' HR records. But it turns out that this badge gave me access to every single room in the company except for the server room. And here is a photograph of the badges. The first one I had was an escort-required badge, which I hid most of the time, and the next one was a visitor. Now this thing might as well say contractor, because no one challenged me; they just saw he's a visitor, cool. It's kind of cool that was number one, though. So who here wants to get

pwned? Okay, this will be quick. I would rather you guys learn how to frustrate a social engineer like myself. But how do you do that? Well, security really needs to go beyond just being a policy; it needs to be part of your culture. You need to really care about security, because without your involvement, without you guys watching out for people trying to fool you, it doesn't matter how much money the company spends on servers and all that stuff. As I said earlier, you're the weakest link, but by caring you can be stronger than a machine. A lot of my clients took their security awareness programs and turned them into games where they

hacked themselves and sent their employees phishing attacks over corporate mail, and the ones that wouldn't fall for it got points, which they then traded in for special treats like casual days or just dinners for their team, just cool stuff, ways to reward them for behaving in a manner which was secure. But as you saw earlier, this company was just storing all this information about themselves on the internet; they weren't thinking, well, what could someone do with this? So really companies have to think about, well, what could someone do with this information? Now how do you do that? You need to work with your corporate marketing team that put the

stuff out there and figure out what the security issues are behind that. Many of my clients have fused teams where security reviews the test sites of marketing before stuff ever goes out. And also you need to social engineer your own companies every once in a while, very important. There's no reason why you can't do that; there's no law against it, as long as you do it the right way. Now I do recommend you hire a professional pentester or social engineer one time to set a baseline, to help you identify the problems first, but after that you can do it on your own. Now I'm not the end-all, be-all expert on social engineering; there's people out

there a lot smarter than me. I definitely recommend some of those resources. Chris Hadnagy wrote a great book on it; he also has a site called social-engineer.org. I recommend you check that out. There's also a couple of guys and a lady that wrote some books on corporate intelligence gathering but also looking at the psychology of social engineering. Any

questions? Okay, well, thanks a lot for coming to the talk. This will be posted online. Thanks a lot.
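The two recon ideas the talk keeps returning to, using Maltego to draw relationships between scraps of OSINT and then combining individually low-risk pieces (a Facebook post, a letter in the lobby display, a LinkedIn connection) into something that supports a pretext, can be shown with a small link-analysis script. The following is an added example written for this page; it is not the speaker's tooling and not Maltego. Every finding, name, group and dollar figure in it is constructed sample data, and the "bridge score" (how many distinct groups a person or their friends belong to) is a simplified stand-in for the key-communicator judgement the speaker made by hand.

```python
"""Link analysis over constructed OSINT findings (added example, not from the talk).

Each finding is (source, subject, relation, object). The script builds an
undirected link graph, ranks people by how many distinct groups they reach
through their own memberships and their friends' (the "key communicator" /
gatekeeper idea), and gathers every fact touching a set of anchor entities so
that facts from separate sources can be read together as pretext support.
"""
from collections import defaultdict

# Constructed sample findings. All names, groups and amounts are hypothetical.
FINDINGS = [
    ("facebook",      "John L.",           "member_of",      "Charity Committee"),
    ("facebook",      "John L.",           "friend_of",      "Martin R."),
    ("facebook",      "John L.",           "friend_of",      "Dana K."),
    ("facebook",      "John L.",           "friend_of",      "Pat S."),
    ("facebook",      "Martin R.",         "member_of",      "Charity Committee"),
    ("facebook",      "Charity Committee", "donated_to",     "Food Bank (nonprofit)"),
    ("lobby_display", "Martin R.",         "signed",         "donation letter"),
    ("lobby_display", "donation letter",   "mentions",       "Food Bank (nonprofit)"),
    ("lobby_display", "donation letter",   "mentions",       "$5,000"),
    ("glassdoor",     "Management",        "rated_by_staff", "2/5"),
    ("forum",         "Dana K.",           "member_of",      "IT Governance"),
    ("forum",         "Dana K.",           "posted_about",   "SharePoint error"),
    ("linkedin",      "Dana K.",           "member_of",      "Transport Committee"),
    ("linkedin",      "Dana K.",           "friend_of",      "Martin R."),
    ("linkedin",      "Pat S.",            "member_of",      "Logistics"),
]

# The groups the talk identifies as satisfying the "need to belong" (hypothetical set).
GROUPS = {"Charity Committee", "IT Governance", "Transport Committee", "Logistics"}

PERSON_RELS = {"member_of", "friend_of", "inv:friend_of"}


def build_graph(findings):
    """node -> {(neighbour, relation, source)}; reverse edges are tagged 'inv:'."""
    graph = defaultdict(set)
    for source, subj, rel, obj in findings:
        graph[subj].add((obj, rel, source))
        graph[obj].add((subj, "inv:" + rel, source))
    return graph


def groups_of(graph, person, groups=GROUPS):
    """Groups the person is directly a member of."""
    return {n for n, rel, _ in graph[person] if rel == "member_of" and n in groups}


def friends_of(graph, person):
    """Friendship is symmetric, so accept the edge in either direction."""
    return {n for n, rel, _ in graph[person] if rel in ("friend_of", "inv:friend_of")}


def bridge_scores(graph):
    """Rank people by the number of distinct groups reachable via self or friends.

    A high score marks someone whose name carries weight across several
    groups, the person whose friendship a pretext can borrow.
    """
    scores = {}
    for node, edges in graph.items():
        if not {rel for _, rel, _ in edges} & PERSON_RELS:
            continue  # not a person node (a group, a document, a rating ...)
        reach = set(groups_of(graph, node))
        for friend in friends_of(graph, node):
            reach |= groups_of(graph, friend)
        scores[node] = len(reach)
    return dict(sorted(scores.items(), key=lambda kv: (-kv[1], kv[0])))


def pretext_support(graph, anchors):
    """Every fact touching any anchor entity, plus the set of sources involved.

    Each source alone is low value; the union across sources is what yields
    the executive's name, the amount and the relationship for a pretext.
    """
    facts = set()
    for anchor in anchors:
        for n, rel, src in graph[anchor]:
            if rel.startswith("inv:"):
                facts.add((src, n, rel[4:], anchor))
            else:
                facts.add((src, anchor, rel, n))
    sources = {src for src, *_ in facts}
    return sorted(facts), sources


if __name__ == "__main__":
    g = build_graph(FINDINGS)
    for person, score in bridge_scores(g).items():
        print(f"{person:10s} reaches {score} group(s)")
    facts, sources = pretext_support(g, {"Food Bank (nonprofit)", "donation letter", "Martin R."})
    print(f"\n{len(facts)} facts from {len(sources)} sources support the nonprofit pretext:")
    for src, subj, rel, obj in facts:
        print(f"  [{src}] {subj} {rel} {obj}")
```

Running it ranks John L. first (he reaches all four groups through his friends), which is the same conclusion the speaker drew about the person "every nonprofit" was connected through, and shows that the nonprofit pretext is backed by three independent sources even though no single source reveals the name, the amount and the relationship together.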