The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers


Authors: Kevin D. Mitnick,William L. Simon



has already compromised the secure perimeter.

Enable auditing features of the operating system and critical applications. Also, ensure that the logs are preserved on a secure host that has no other services and the minimal number of user accounts.
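The countermeasure above asks for logs to be preserved on a separate, hardened host so that an intruder who has already taken the perimeter cannot quietly clean up after himself. The following is an added example, not code from the book: it models the secure host's side as a hash-chained append-only store, which goes one step beyond the text by making edits, deletions and truncation of the preserved copy detectable. It assumes the secure host also records the chain head out of band (a checkpoint; the book describes no such mechanism), and the log lines are constructed samples.

```python
"""Tamper-evident preservation of shipped log lines (hash chain).

Added example, not code from the book. Every line received from a
monitored system is stored with SHA-256(previous_hash || line), so a
later change to the preserved copy is caught by re-walking the chain and
comparing its end against a head value checkpointed elsewhere (assumed
mechanism). Sample log lines are constructed.
"""
import hashlib
import hmac
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # chain anchor for an empty log


def link(prev_hash: str, line: str) -> str:
    """Hash that binds a line to everything stored before it."""
    return hashlib.sha256((prev_hash + "\n" + line).encode("utf-8")).hexdigest()


class PreservedLog:
    """Append-only store kept on the secure host."""

    def __init__(self) -> None:
        self.entries: List[Tuple[str, str]] = []  # (line, chain_hash)

    def append(self, line: str) -> str:
        prev = self.entries[-1][1] if self.entries else GENESIS
        h = link(prev, line)
        self.entries.append((line, h))
        return h

    def head(self) -> str:
        return self.entries[-1][1] if self.entries else GENESIS


def verify(entries: List[Tuple[str, str]], expected_head: str) -> Tuple[bool, Optional[int]]:
    """Re-walk the chain. Returns (ok, index of the first bad entry or None).

    An index equal to len(entries) means every stored link is internally
    consistent but the chain does not end at the checkpointed head: trailing
    lines were removed, or a line was altered and every later hash recomputed.
    Both are only caught because the head is recorded off the host.
    """
    prev = GENESIS
    for i, (line, h) in enumerate(entries):
        if not hmac.compare_digest(link(prev, line), h):
            return False, i
        prev = h
    if not hmac.compare_digest(prev, expected_head):
        return False, len(entries)
    return True, None


# Constructed sample lines in the style of sshd/sudo syslog output.
SAMPLE_LINES = [
    "Jul 14 02:11:03 web01 sshd[4121]: Accepted publickey for deploy from 10.0.4.7 port 50122",
    "Jul 14 02:13:48 web01 sshd[4190]: Failed password for root from 203.0.113.9 port 44310",
    "Jul 14 02:13:51 web01 sshd[4190]: Failed password for root from 203.0.113.9 port 44310",
    "Jul 14 02:14:02 web01 sudo: deploy : TTY=pts/0 ; COMMAND=/bin/cat /etc/shadow",
]


def run_scenarios() -> dict:
    """Preserve the sample lines, then verify four copies of the store."""
    log = PreservedLog()
    for line in SAMPLE_LINES:
        log.append(line)
    checkpoint = log.head()  # assumed to be recorded off-host

    # 1. Untouched copy.
    clean = verify(log.entries, checkpoint)

    # 2. One line edited in place, stored hash left alone.
    edited = list(log.entries)
    old_line, old_hash = edited[1]
    edited[1] = (old_line.replace("Failed password", "Accepted password"), old_hash)
    in_place = verify(edited, checkpoint)

    # 3. Last line (the sudo entry) deleted.
    truncated = verify(log.entries[:-1], checkpoint)

    # 4. Same edit as 2, but every later hash recomputed to hide it.
    altered = list(SAMPLE_LINES)
    altered[1] = altered[1].replace("Failed password", "Accepted password")
    rebuilt = PreservedLog()
    for line in altered:
        rebuilt.append(line)
    recomputed = verify(rebuilt.entries, checkpoint)

    return {
        "clean": clean,
        "edited_in_place": in_place,
        "truncated": truncated,
        "recomputed": recomputed,
    }


if __name__ == "__main__":
    for name, (ok, first_bad) in run_scenarios().items():
        print(f"{name:16s} ok={ok} first_bad={first_bad}")
```

The fourth scenario is the one that matters in practice: an intruder with write access to the preserved copy can always rebuild a self-consistent chain, so the host holding the checkpoint must be as isolated as the countermeasure describes, with no services or accounts the compromised system shares.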

Chapter 10

Social Engineers -- How They Work and How to Stop Them

The social engineer employs the same persuasive techniques the rest of us use every day. We take on roles. We try to build credibility. We call in reciprocal obligations. But the social engineer applies these techniques in a manipulative, deceptive, highly unethical manner, often to devastating effect.

-- Social Psychologist Dr. Brad Sagarin

This chapter does something a bit different: We look at the most difficult type of attack to detect and defend against. The social engineer, or the attacker skilled in the art of deception as one of the weapons in his or her toolkit, preys on the best qualities of human nature: our natural tendencies to be helpful, polite, supportive, a team player, and the desire to get the job done.

As with most things in life that threaten us, the first step toward a sensible defense is understanding the methodologies used by cyber-adversaries. So, we present here a set of psychological insights that probe the underpinnings of human behavior that allow the social engineer to be so influential.

First, though, an eye-opening story of a social engineer at work. The following is based on a story we received in writing that is both amusing and a textbook case of social engineering. We thought it so good that we have included it despite some reservations; the man either had accidentally omitted some of the details because he was distracted on other business matters or else he made up portions of the story. Still, even if some of this is fiction, it makes the case very convincingly of the need for better protection against social engineering attacks.

As elsewhere throughout the book, details have been changed to protect both the attacker and the client company.

A SOCIAL ENGINEER AT WORK

In the summer of 2002, a security consultant whose handle is "Whurley" was hired by a resort group in Las Vegas to perform a variety of security audits. They were in the process of reengineering their approach to security and hired him to "try to circumvent any and all processes" in an effort to help them build a better security infrastructure. He had plenty of technical experience, but little experience being in a casino.

After a week or so of immersing himself in research on the culture of the Strip, it was time for the real Las Vegas. He usually made it a practice to start a job like this early, getting finished before it was officially scheduled to begin, because over the years he had found that managers don't tell employees about a potential audit until the week they think it's going to happen. "Even though they shouldn't give anyone a heads up, they do." But he easily circumvented this by performing the audit in the two weeks before the scheduled date.

Though it was nine at night by the time he arrived and settled into his hotel room, Whurley went straight to the first casino on his list to start his on-site research. Having not spent a lot of time in casinos, this experience was quite an eye-opener for him. The first thing he noticed contradicted what he had seen on the Travel channel, where every casino staffer shown or interviewed appeared to be an elite security specialist. The majority of the employees he watched on-site seemed to be "either dead asleep on their feet or completely complacent in their job." Both of these conditions would make them easy targets for the simplest of confidence games -- which wasn't even going to come close to what he had planned.

He approached one very relaxed employee and with a very little prodding found the person willing to discuss the details of his job. Ironically, he had previously been employed by Whurley's client-casino. "So, I bet that was a lot better, huh?" Whurley asked.

The employee replied, "Not really. Here I get floor-audited all the time. Over there they hardly noticed if I was a little behind, pretty much that way for everything . . . time clocks, badges, schedules, whatever. Their right hand doesn't know what their left is doing."

The man also explained that he used to lose his employee badge all the time, and sometimes he would just share a badge with another employee to get in for the free meals provided to employees in the staff cafeterias located within the bowels of the casino.

The next morning Whurley formulated his goal, which was straightforward -- he would get into every protected area of the casino that he could, document his presence, and try to penetrate as many of the security systems as he could. In addition, he wanted to find out if he could gain access to any of the systems that ran the financials or held other sensitive information, such as visitor information.

That night, on the way back to his hotel after visiting the target casino, he heard a promotion on the radio for a fitness club offering a special for service industry employees. He got some sleep and the next morning headed for the fitness club.

At the club, he targeted a lady named Lenore. "In 15 minutes we had established a 'spiritual connection.'" This turned out to be great because Lenore was a financial auditor and he wanted to know everything that had to do with the words "financial" and "audit" at the target casino. If he could penetrate the financial systems in his audit, it was sure to be viewed as a huge security flaw by the client.

One of Whurley's favorite tricks to use when he's social engineering is the art of cold reading. As they were talking, he would observe her nonverbal signals and then throw out something that would lead her to say, "Oh, no shit -- me, too." They hit it off, and he asked her out to dinner.

Over dinner, Whurley told her that he was new to Vegas and looking for a job, that he had gone to a major university and had a degree in Finance, but that he had moved to Vegas after breaking up with his girlfriend. The change of pace would help him get over the breakup. Then he confessed to being a little intimidated by trying to get an auditing job in Vegas because he didn't want to end up "swimming with the sharks." She spent the next couple of hours reassuring him that he would not have a hard time getting a finance job. To help out, Lenore provided him with more details about her job and her employer than he even needed. "She was the greatest thing that had happened to me so far on this gig, and I gladly paid for dinner -- which I was going to expense anyway."

Looking back, he said that at this point he was overconfident about his abilities, "which cost me later." It was time to get started. He had packed a bag with "a few goodies including my laptop, an Orinoco broadband wireless gateway, an antenna, and a few other accessories." The goal was simple. Try to get into the office area of the casino, take some digital photos (with time stamps) of himself in places he shouldn't be, and then install a wireless access point on the network so that he could try to remotely hack into their systems to collect sensitive information. To complete the job, the next day he would have to go back in to get the wireless access point.

"I was feeling quite like James Bond." Whurley arrived at the casino, outside the employee's entrance, right at the shift change, positioning himself to be able to observe the entrance. He thought he would be there in time to observe things for a few minutes, but most of the people seemed to have arrived already and he was stuck trying to walk in all by himself.

A few minutes of waiting and the entryway was clear . . . which was not what he wanted. Whurley did, however, notice a guard who looked as if he were leaving but was stopped by a second guard and they stood around smoking just outside the exit. When they finished their cigarettes, they parted and started walking in opposite directions.

I headed across the street towards the guard who was leaving the building and prepared to use my favorite disarming question. As he approached me crossing the street, I let him get just past me.

Then he said, "Excuse me, excuse me, do you have the time?"

It was by plan. "One thing I've noticed is that if you approach someone from the front, they're almost always more defensive than if you let them get slightly past you before you address them." While the guard was telling Whurley the time, Whurley was looking him over in detail. A name badge identified the guard as Charlie. "As we were standing there, I had a stroke of luck. Another employee came walking out and called Charlie by his nickname, Cheesy. So I asked Charlie if he caught shit like that a lot and he told me how he got the nickname."

Whurley then headed toward the employee entrance at a quick pace. It's often said that the best defense is a good offense, and that was his plan. As he reached the entrance, where he had noticed employees showing their badges earlier, he went straight up to the guard at the desk and said, "Hey, have you seen Cheesy? He owes me $20 on the game and I need the money to get some lunch when I go on break."

Recalling that moment, he says, "Damn! This is where I got my first challenge." He had forgotten that employees get their meals free. But he wasn't put off by being challenged; while others with attention deficit/hyperactivity disorder (ADHD) might see it as a problem, Whurley describes himself as "very ADHD," and adds that, as a result, "I can think much faster on my feet than 90 percent of the people I run into." That ability came in handy here.

So the guard says, "What the hell are you buying lunch for anyway?" and chuckled but started looking suspicious. Quickly I threw out, "I'm meeting a little honey for lunch. Man, she's hot. (This always distracts older guys, out of shape guys, and the living-with-mom type guys.) "What am I going to do?"

The guard says, "Well, you're screwed 'cause Cheesy's gone for the rest of the week."

"Bastard!" I say.

The guard then amused Whurley (an amusement he didn't dare show) by unexpectedly asking if he was in love.

I just start rolling with it. Then I got the surprise of my life. I have never even come close to something like this. It could be attributed to skill, but I rack it up to blind luck: the guy gives me $40! He tells me $20 won't buy shit and I obviously need to be the one that pays. Then he gives me five minutes of "fatherly" advice, and all about how he wished he had known what he knows now when he was my age.

Whurley was "in awe" that the guy bought this con and was paying for his imaginary date.

But, things weren't going as smoothly as Whurley thought, because as he started walking off, the guard realized he hadn't shown any ID and challenged him. "So I said, 'It's in my bag, sorry about that' and started digging through my stuff as I proceeded away from him. That was a close call 'cause if he'd have insisted on seeing the ID, I might have been screwed."

Whurley was now inside the employee entrance but had no idea where to go. There weren't a lot of people he could follow, so he just walked with confidence and started taking mental notes of his surroundings. He had little fear of being challenged at this point. "Funny," he said, "how the psychology of color can come in so handy. I was wearing blue -- the truth color -- and dressed as if I were a junior executive. Most of the people running around were wearing staffer clothes, so it was highly unlikely they would question me."

As he was walking down the hallway, he noticed that one of the camera rooms looked just like the ones he had seen on the Travel Channel -- an "Eye in the Sky" room, except that this one wasn't overhead. The outer room had "the most VCRs I had ever seen in one place -- wow, was it cool!" He walked through to the inner room and then did something especially gutsy. "I just walked in, cleared my throat and before they could challenge me, I said, 'Focus on the girl on 23.'"

All the displays were numbered, and, of course, there was a girl on nearly every one. The men gathered around display 23 and they all began talking about what the girl might be up to, which Whurley thought generated a good deal of paranoia. This went on for some 15 minutes just checking out people on monitors, with Whurley deciding that the job is a perfect one for anyone with a propensity for voyeurism.

As he was getting ready to leave, he announced, "Oh, I got so caught up in that action, I forgot to introduce myself. I'm Walter with Internal Audit. I just got hired onto Dan Moore's staff," using the name of the head of Internal Audit that he had picked up in one of his conversations. "And I've never been to this property so I'm a little lost. Could you point me in the direction of the executive offices?"

The guys were more than happy to get rid of an interfering executive and eager to help "Walter" find the offices he was looking for. Whurley set out in the direction they indicated. Seeing nobody in sight, he decided to take a look around and found a small break room where a young woman was reading a magazine. "She was Megan, a real nice girl. So Megan and I talked for a few minutes. Then she says, 'Oh, if you're with Internal Audit, I have some stuff that needs to go back there.'" As it turned out, Megan had a couple of badges, some internal memos, and a box of papers that belonged back at the main resort group Internal Audit office. Whurley thought, "Wow, now I have a badge!"

Not that people look at the pictures on ID badges very carefully, but he took the precaution of flipping it around so only the back was visible.

As I'm walking out, I see an open, empty office. It has two network ports, but I can't tell if they're hot by just looking at them, so I go back to where Megan is sitting and tell her that I forgot I was supposed to look at her system and the one in "the boss's office." She graciously agrees and lets me sit at her desk.

She gives me her password when I ask, and then has to use the restroom. So, I tell her I'm going to add a "network security monitor" and show her the wireless access point. She replies, "Whatever.
