Security consultant Daniel Lewkovitz was commissioned to conduct a social engineering audit of a large company.
"The aim of the exercise was to gain remote access to the network and access certain files as part of a full security audit. The original plan was to war dial to find dial-in servers. An assumption was made that IT staff and senior management would have this access. The former were easily identified: pagers, tee-shirts etc," Lewkovitz explains.
"It turned out that the company allowed all staff to log in via their Web page. As such, anyone's details would have worked. After the password was reset, access was allowed to all manner of commercial-in-confidence material."
To begin, Lewkovitz obtained the name of an employee and rang the company help desk impersonating that employee. The help desk staff cheerily told him he would need his staff number and log-in ID in order to have his password reset. Lewkovitz simply hung up and set about getting that information.
The login name was easy enough to work out, and staff numbers were displayed prominently on the badges hung around employees' necks. Lewkovitz simply wandered into the company's favourite local lunch spot and wrote down a few names and badge numbers.
The following is a direct transcript of the call that took place once Lewkovitz had obtained the necessary information: (Names have been changed.)
Telephone Operator [TO]: Help desk, good morning.
Daniel Lewkovitz [DL]: Good afternoon actually.
TO: Whoops, sorry. Good afternoon [laughs] how can I help you?
DL: [Laughs] It's John Smith speaking. My computer says I can't log in.
TO: Umm . . . When you say you can't log in, what exactly is the message?
DL: Sorry, I don't recall exactly. It was after I type in my password.
TO: Oh, okay. Did the message start with "The password is incorrect, please retype your..."
DL: [Interrupts] Yeah, that was it. I got that a few times and now it won't let me get in at all!
TO: I see. Windows XP locks you out if you get the password wrong more than twice. I can reset it for you if you'd like.
DL: Thanks! I'll type it in properly this time.
TO: Actually we have to change your password to a new one.
DL: That's okay, I'll write it down this time [laughing].
TO: [Laughing] I've seen a lot of people around here do that. Sorry, I missed your name?
DL: John Smith.
TO: Thanks. I need your badge number as well.
DL: No problem, it's 2231.
TO: Thanks. Your password has been reset to Tuesday. You'll have to change it on your first login and it will also take about two minutes for that to be updated in Lotus and the Intranet. Was there anything else?
DL: No thanks. That was all, you've been great. Thanks again.
TO: Okay, goodbye.
Lewkovitz offers the following analysis:
Note the operator volunteered information about the company's operating system, which could be useful in an attack. He also volunteered details of the password policy that may assist in cracking attempts; namely that the passwords would be reset to the day of the week, and that staff write down their passwords.
He also asked a closed question that could be answered yes or no based solely on information embedded in the question, such as "are you using Windows" instead of "what operating system are you using?"
The jovial manner of the call put the target at ease -- he kept trying to be helpful, polite, and friendly despite this being used against him. Security has to take precedence over rank or ego. You can still be polite while guarding security.
Badge IDs should have been considered "sensitive" as they could be used to reset passwords. Despite this, the information on them was readily obtainable as staff prominently displayed them. The company concerned has since allowed staff to nominate their own private questions, for example their child's favourite doll, rather than mandating date of birth or badge numbers etc. There are a lot of companies that still use easily-obtained information as private identifiers. Even someone's date of birth is usually easy to ascertain.
Hello,
This is part of my research. I would like to write a thesis in computer security, specializing in Social Engineering. Could you provide me with some examples of good titles?
Thanks in advance,
Christian