One of my favorite parts of penetration testing is, and always has been, social engineering. I love it. In fact, I love it so much that I developed a real passion for it. My passion led well beyond traditional social engineering and evolved into the study and practice of more sophisticated techniques associated with socio-psychological manipulation. It is a gift of sorts, and who am I to question a gift? When speaking with prospective or current clients about security assessments, I have often implored them to include both physical security analysis and social engineering. This habit was formed upon my entry into the world of professional security consulting, where I sharpened these skills under the tutelage of many senior to me in both age and experience. Almost all of my earliest mentors in this space were or had been active in the United States DoD or similar intelligence services, and most of them shared a common pedigree not unlike my own, hailing from the world of information security and intelligence. These environments taught us to remain vigilant and open to the idea that the unexpected should be expected, and that our ability to address anomalous events must therefore remain categorically strong.
Over the years, within many engagements, activities of this nature were written into SoWs (Statements of Work, for the lay person) and acted upon with the full approval of both the parties able to authorize such activity within and against their organizations and their legal representation (a detail I cannot stress enough, and one that should not be overlooked). We would carefully engage in reconnaissance, leveraging skills we had cultivated in our former lives and applying them to the commercial world. We would engage in deep open source intelligence gathering and analysis in order to supplement our knowledge base regarding our target(s). We would become familiar with the physical environment in which our targets could and would likely be found. These locations ranged from their places of business, to local restaurants and pubs, to local shopping districts, to other geographic locales that we knew to be frequented by members of the target organization in question. All the while we would be looking for ingress and egress points, in addition to ideal areas for initial contact and exploitation. We would additionally identify areas in which useful information might or might not be discarded by targets who truly believed that no one would be interested (ah, how I loved dumpster diving in my youth!). Finally, upon having enough information, we would begin our careful insertion and infiltration. There is an art to doing this as much as there is a science, and at times the art becomes (or at least, in my experience, became) much more valuable.
These exercises almost always proved fruitful, as they would typically be multi-faceted, involving multiple small teams, each cognizant of the others’ activities but all tasked with different missions during these exercises within the greater assessment. Some teams focused more upon the physical compromise of the environment and the acquisition of credentials and knowledge which could be socially engineered or stolen, and thus counterfeited, to serve our purposes in pushing deeper into the environment and escalating our mission per our SoW and charter. Others would work on compromising individuals, seeking to gain their trust and subsequently their knowledge and any information considered noteworthy. Others still worked on electronic and social engineering utilizing e-mail, web and telephonic techniques, all designed to gain the trust of our targets or members of our target organizations in the hope of escalating our privileges and advancing our efforts. This was good work. It was important work. And it was work that not all are capable of, nor designed for. To the layperson reading this post, I imagine it sounds outrageous, if not frightening, that work of this nature goes on and is conducted by security professionals in an effort to test and assess the security posture of a client, and to a degree I can understand that attitude. However, this work is terribly important, and it often demonstrates weaknesses within enterprise environments (public or private) that were not previously accounted for during traditional security assessments and audits.
At this point you may be wondering whether or not there is merit in engaging a qualified team to provide this type of service in addition to the traditional services brought to the table as part of a security assessment. My personal perspective is that if you have overt responsibility for the risk posture of an organization, and understand that security, or the state of being secure, is contingent upon the three legs of the security stool (people, process and technology) being dutifully tested and exercised, you most assuredly should do so. Failure to do so can expose you and your organization to a world of risk, which complying mindlessly with a three-lettered data security standard or a mutagenic health-privacy act cannot hope to save you from. So what are we to do? First, if you haven’t already done so, conduct a meticulous review and analysis of your organizational information and physical security policies. If you don’t have any, now is the time to remedy this deficiency. Should you (as I imagine most do, but will refrain from assuming) have these policies on hand, review them while employing a healthy dose of third-party ego: remove yourself from immediate, intimate involvement with them as they relate to your job and evaluate them as though you were brought in to do so as a third party. Do they look mature? Are they clearly articulated and well defined? Are they comprehensive? Do they address the natural bridges that occur between physical and logical security? Provided you have the resources, engage them to conduct preliminary assessments (provided they are qualified to do so), and if they are found to be lacking in the ability, do not hesitate to contact professionals with the appropriate pedigree, background and reputation to discuss scoping a statement of work on your behalf.
Remember that not every attack of a truly serious nature takes place across a wire and that many begin and end with a simple telephone call, a conversation around a smoking area or via a new hire.
Human Frailties
I’d like to talk a bit today about two security failures I’ve read about recently. One of these was very widely publicized, and the other seems to have been swept under the rug. One of these failures was a genuine shock, from an organization that is normally a paragon of reliability, and the other is from an organization whose name has, sadly, become synonymous with security failure. There are lessons to be learned from each of these, however.
Here in the United States, we celebrated Thanksgiving on Thursday. Most of us gathered with our families to share a meal, and to give thanks for the things that we all too often take for granted. One of the things I quietly gave thanks for this past Thursday was the fact that I’m not Jim Mackin. Because if I were Jim Mackin, I would have had the unenviable task of explaining to the American press how in the hell two unscreened, uninvited people were able to social-engineer their way past the Secret Service and in the process, gain personal direct access to the President of the United States.
The United States Secret Service is one of those institutions that we Americans kind of take for granted. They’re widely known as one of the best-trained, best-equipped, and highest-performing security forces in the world, and have, at least until this week, held nearly-universal respect among the people of this country. Its mission is simple – “to protect national leaders, visiting heads of state and government, designated sites, and National Special Security Events”. (less well known is the other prong of the Secret Service’s mission – the USSS is also the government agency historically responsible for the investigation of counterfeiting, as well). One could reasonably assume that protecting an event like this would be pretty well-paved ground for the Secret Service. Although every event has special requirements, I would imagine that the plan for the protection of Tuesday’s state dinner was largely a boilerplate item, containing many processes and procedures that had been time tested.
But despite this event being a pretty standard protection operation for the USSS, and there being exhaustively documented and tested processes in place to ensure that security was maintained, two unauthorized people got in, seemingly without any extraordinary effort. How did it happen? At this time the investigation of what happened is still ongoing, but news reports indicate that someone in the Secret Service’s uniformed division failed to check the attendees’ names against a list. To be fair, the potential damage was mitigated greatly by other physical checks that were performed, such as a metal-detector wanding, etc., but the fact remains that two people who weren’t supposed to be there managed to get within a handshake’s distance of President Obama, Vice President Biden, the Prime Minister of India, and untold numbers of VIPs. Needless to say, we’ll be hearing more about this incident.
The second failure I’d like to talk about today is a bit less well-publicized, and comes from the recent news that Choicepoint, the consumer data aggregator, has once again been fined by the US Federal Trade Commission for a data breach. You might remember that back in 2005, Choicepoint was the hub of what was at the time one of the largest personal-information disclosures in history, involving 163,000 consumer records and resulting in 800 documented cases of identity theft, for which Choicepoint settled with the FTC for $19 million in fines and restitution to harmed consumers. The second breach, which occurred last year, was somewhat smaller than the first, involving the personal information of 13,750 individuals. This breach occurred after Choicepoint “turned off a key electronic security tool used to monitor access to one of its databases, and for four months failed to detect that the security tool was off”. In other words, all the lessons learned from the 2005 breach and 2006 settlement were for naught, because someone flipped the wrong switch. Incidentally, this second Choicepoint breach cost the company $275,000, which, astute observers may note, is 78% less per compromised record than the financial penalty for the first, larger breach (I’ve another post brewing about this, which I’ll save for later).
So, what do these two failures have in common? They both had humans at their root – humans not following procedures, either willfully or accidentally. Human frailty caused both of these failures in security. Neither of these were failures in technology, or procedure, or the implementation of either. By all accounts, the security plans behind both the Secret Service and Choicepoint breaches were solid, yet they both failed because someone, somewhere simply didn’t do what they were supposed to do.
There are lessons to be learned by IT security practitioners from these incidents, however. The first and most important thing to remember is that “To err is human.” Human beings are inherently fallible machines. The idea, then, would be to minimize the potential effect of human factors when planning for the protection of high-value assets.
Think of it this way: One of the first principles of systems administration is to eliminate single points of failure whenever possible. The most prominent example of this principle is a RAID array, where the failure of one (or more, in some cases) physical hard disk drive does not result in either the loss of the data on the array or an interruption in service. Hard disks, like humans, are fallible, and this relatively simple mechanism was designed to work around that fact.
So, how do you implement a RAID array of people? Simple: Procedures for security operations should be designed so that no individual person has the ability to leave a protected asset vulnerable through their action or inaction. Furthermore, processes should also be designed so that each person, while acting as part of a team, must also perform their role independently of others – this, to avoid the temptation for a person performing a secondary check to become less vigilant under the assumption that the person performing the primary check did their job correctly.
Clearly, implementing multiple human checks is not feasible for protection of most assets, labor being as expensive as it is. But for the protection of high-value assets, such as the safety of world leaders or the personal data of millions of consumers, implementing these multiple checks is crucial to ensuring that you, like Jim Mackin, do not end up having to explain an embarrassing security failure.
“Mensch tracht, un Gott lacht” (“Men plan, God laughs”) – Yiddish proverb
Perimeter? What perimeter?
This came across my feed reader this morning, and I thought it was interesting. It’s yet another example of how the traditional notion of “the perimeter” doesn’t really exist any more. In this case, attackers were able to infect machines at a few small credit unions, simply by sending CDs in the mail that appeared to be from the National Credit Union Association. All the “traditional” infection vectors go out the window here: These machines weren’t infected by an email payload, or from a malicious website, or from a software or operating system vulnerability. All the network protection in the world wouldn’t have helped here, because NOTHING went over the network prior to infection. In fact, this is a really “old-school” way of disseminating malware – it’s the 21st century equivalent of a virus being passed around on an infected floppy.
So, what might have helped?
First and foremost, well-managed and well-monitored antimalware with a good, solid signatureless detection engine, running on each and every endpoint. To quote my friend and colleague Josh Corman, trying to write a signature for a targeted attack like this is like giving a vaccine to a corpse – by the time the signature is written and deployed, the damage is long since done.
Secondly, user education and training might have also helped here, to a degree. The users who blindly ran the infected CDs were gullible, plain and simple. A user with a well-tuned B.S. detector is your best defense against social engineering attacks like this one.
Third: desktop lockdown – 90% of corporate PC users have no job-related need whatsoever for their CD drive – so WHY do they have CDs available for use? There are plenty of enterprise-manageable software tools available to disable removable storage – use them.
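As an added example (not code from the original post), here is a PowerShell script that applies the two Windows settings an administrator would reach for against a CD-borne infection like this one: the built-in Removable Storage Access policy for CD/DVD devices, and turning off Autorun for every drive type. It writes the same HKLM registry values that the corresponding Group Policy settings write; with -Audit it only reports drift and exits non-zero so a management tool can flag machines that still allow CD use. It assumes local administrator rights on the endpoint.

```powershell
# Added example, not the post's own code: lock down CD/DVD use on a Windows endpoint.
# Writes the registry values behind these Group Policy settings:
#   Computer Configuration > Policies > Administrative Templates > System >
#     Removable Storage Access > "CD and DVD: Deny read access" / "Deny execute access"
#   Computer Configuration > ... > Windows Components > AutoPlay Policies > "Turn off AutoPlay" (all drives)
# Run with -Audit to report only. Changing HKLM requires an elevated session.
[CmdletBinding()]
param([switch]$Audit)

# Device-interface class GUID for CD/DVD drives, as used by the Removable Storage Access policy.
$CdRomClass    = '{53f56308-b6bf-11d0-94f2-00a0c91efb8b}'
$StoragePolicy = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\$CdRomClass"
$AutorunPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Desired state: no reading from or executing off optical media, and no Autorun on any drive type (0xFF).
$Desired = @(
    @{ Path = $StoragePolicy; Name = 'Deny_Read';          Value = 1    },
    @{ Path = $StoragePolicy; Name = 'Deny_Execute';       Value = 1    },
    @{ Path = $AutorunPolicy; Name = 'NoDriveTypeAutoRun'; Value = 0xFF }
)

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$drift = 0
foreach ($setting in $Desired) {
    $current = Get-PolicyValue -Path $setting.Path -Name $setting.Name
    if ($current -eq $setting.Value) {
        Write-Host ("[OK]    {0}\{1} = {2}" -f $setting.Path, $setting.Name, $current)
        continue
    }
    $drift++
    Write-Host ("[DRIFT] {0}\{1} is '{2}', want {3}" -f $setting.Path, $setting.Name, $current, $setting.Value)
    if (-not $Audit) {
        # New-Item -Force is idempotent; Set-ItemProperty creates or overwrites the DWORD value.
        New-Item -Path $setting.Path -Force | Out-Null
        Set-ItemProperty -Path $setting.Path -Name $setting.Name -Value $setting.Value -Type DWord
        Write-Host ("[FIXED] {0}\{1}" -f $setting.Path, $setting.Name)
    }
}

# In audit mode the exit code is the number of settings out of compliance.
if ($Audit) { exit $drift } else { exit 0 }
```

The Removable Storage Access denial takes effect after a reboot, so a compliance check should read the registry rather than test the drive immediately.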
The credit unions that got hit with this were NOT sitting ducks, and you don’t have to be either. You CAN defend yourself against social engineering – you just need to be proactive about it.
Watching the news over the last few days, it’s pretty much been wall-to-wall coverage of the Air France crash off the coast of Brazil. And, as has been historically the case when such tragedies occur, the news media isn’t exactly doing a bangup job of being the calm voices of fact and reason. Patrick Smith, in his Ask the Pilot column, regularly does an awesome job of pointing out the shortcomings of the media when it comes to aviation-related subjects. But, watching this coverage, and reading Smith’s latest column, made me think of another subject where the media tends to err on the side of sensationalism without a whole lot of regard for accuracy: a topic near and dear to my own heart, information and network security.
One doesn’t have to look far to find a particularly fact-challenged depiction of security topics in the media. Take this article for example, reporting on the near-total meltdown of the new pay-parking system deployed in the city of Chicago. Here they are quoting some self-appointed “hardware security expert”, who raises the specter of hackers, and specifically calls out Chinese hackers as being a possibility, without even the minutest shred of evidence to suggest that was the case. In fact, simply disabling pay-parking kiosks isn’t even CLOSE to the typical M.O. of Asian cracker groups, as there’s not really a lot of profit motive in just shutting the kiosks down. (there is the prospect of extortion, but that doesn’t seem likely to be the case here, either)
So, why would someone make such wildly uninformed speculative statements to the media? Simple: it sounds just plausible enough to a person not otherwise versed on the subject that it creates an air of credibility, whereas simply saying “I don’t know what happened, and no one else really does” doesn’t make for a good soundbite.
Here’s another, particularly egregious, example. This video takes the repeat defacement of some kid’s Myspace page and actually tries (and fails) to connect it to terrorism, even going so far as to show a van exploding not once, but twice, the second time in super-slow-mo (for emphasis, I suppose). When I watch a video like that I get this mental image of the promo they probably aired before the news that evening; I’m imagining that it sounded something like: “Internet hate groups – are YOUR CHILDREN at risk? Tune in at 11 for the full Fox11 investigation”
Here’s a little speculation of my own: Terrorists with the means, motive, and opportunity to blow up a van in a public place couldn’t possibly care less about your Myspace. My personal guess is this kid just pissed off someone on 4chan, and was stupid enough to get social-engineered into installing a keylogger on his box, which explains why his page was getting owned despite the fact that he had changed his password a few dozen times. With the keylogger retrieving his password (and everything else he types) and sending it to points unknown, the 4chan crowd then used that information to have an absolute field day screwing with this guy. Their actions were about as harmful as a prank call, and just about as emotionally mature.
But, a person who doesn’t have a background in information security (meaning, 99% of the American population) would be likely to listen to this reporter and come away thinking that out there on the internet, there is a group called “Anonymous” that is basically the second coming of Osama Bin Laden, bent on the abject destruction of everything holy. They even go so far as to cite the case of some moron who thought that just because he didn’t use his real name, he was truly anonymous, and decided to make bogus bomb threats against football stadiums. Clearly criminal, clearly stupid, but it’s ridiculous to lump someone like that in with the people who really have the means, motive, and opportunity to blow things up.
But, like in aviation, being the voice of calm and reason when it comes to information security isn’t good for ratings, right?