
Wednesday, 19 February 2014

Curiosity Killed the Cat 5 Network

Last year, I wrote a technical article entitled 'Social Engineering: Penetration Testing the Human Element' for Pentestmag.com, which focused on the process of social engineering assessment using the art of deception and how easy it could be with simply a smile accompanied by an act of confidence.

In his book 'The Art of Deception', Kevin Mitnick dives deep into that art and shares the tricks he used to deceive people into giving him vital information. Not only did he succeed in tricking ordinary employees, he also managed to trick security administrators, managers, CIOs and other people holding top positions in organizations.

Then again, not many can be as charming, as confident and as cunning as Kevin, be it in a telephone conversation or a face-to-face meeting. That's when hackers use the art in other forms: from cloning a website and hoping someone falls for it (phishing) to sending malicious links or attachments via email and crossing their fingers hoping someone clicks on them.

Earlier this month, KrebsOnSecurity reported that the famous hack and breach at Target could have been the result of an email attack: a malware-laced phishing email sent to employees.[1]


This trend of users easily falling prey to social engineering tactics even led to one vendor suggesting that careless employees be punished in order to reduce security breaches. [2]



Looking back at the past, malware such as the famous 'I love you' virus, 'Melissa' and 'Zeus' all spread by invoking human curiosity. A single click. That's all it takes. And thanks to this curiosity, those viruses managed to spread to over 50 million computers worldwide. Even important organizations such as the Pentagon, the CIA and the British Parliament were not spared. [3]

Employees play a huge role in ensuring the security of their organizations.

Organizations may have put the best security mechanisms in place to block external intrusion, but if there is one lesson hackers have learned from history, it is to attack human curiosity first, because it is much easier to fool a person than a system. As I wrote above, one click is all it takes to bring an organization to its knees.

To quote the security rockstar Bruce Schneier, "Amateurs hack systems. Professionals hack people."

References:

Thursday, 30 January 2014

The Art of Deception - A Book by Kevin Mitnick

The Art of Deception - Controlling the Human Element of Security by Kevin D. Mitnick.


I've always enjoyed reading about the art of social engineering, and I even wrote an article for Pentestmag entitled "Social Engineering: Penetration Testing the Human Element" back in 2013. So I got this book from Amazon and yes, Kevin goes in depth into this art, sharing scenarios and ways to prevent such things from happening.



Here are some of the contents that interest me.

On Stanley Rifkin

"A few days later Rifkin flew to Switzerland, picked up his cash, and handed over $8 million to a Russian agency for a pile of diamonds. He flew back, passing through U.S. Customs with the stones hidden in a money belt. He had pulled off the biggest bank heist in history - and done it without using a gun, even without a computer. Oddly, his caper eventually made it into the pages of the Guinness Book of World Records in the category of "biggest computer fraud." Stanley Rifkin had used the art of deception - the skills and techniques that are today called social engineering. Thorough planning and a good gift of gab is all it really took. And that's what this book is about - the techniques of social engineering and how to defend against their being used at your company."


On Passwords
"On the surface this appears to be a simple message to get across to employees. It's not, because to appreciate this idea requires that employees grasp how a simple act like changing a password can lead to a security compromise. You can tell a child "Look both ways before crossing the street," but until the child understands why that's important, you're relying on blind obedience. And rules requiring blind obedience are typically ignored or forgotten."

Educating Cleaners and Piggybacking
"Also, cleaning crews should be trained about piggybacking techniques (unauthorized persons following an authorized person into a secure entrance). They should also be trained not to allow another person to follow them into the building just because the person looks like they might be an employee."

On Security vs Productivity
"Of course, corporate security policy should mandate system administrators to enforce security policy through technical means whenever possible, with the goal of not relying on fallible humans any more than necessary. It's a no brainer that when you limit the number of successive invalid login attempts to a particular account, for example, you make an attacker's life significantly more difficult.

Every organization faces that uneasy balance between strong security and employee productivity, which leads some employees to ignore security policies, not accepting how essential these safeguards are for protecting the integrity of sensitive corporate information."

On using the power of Authority
"Because Kurt was pretexting as a vice president in his conversation with Anna, a clerk in Finance, he knew that it would be very unlikely that she would question his authority. On the contrary, she might entertain the thought that helping a VP could gain her favor."

A Potential Fatal Mistake
"The nurses who received these instructions did not know the caller. They did not even know whether he was really a doctor (he was not). They received the instructions for the prescription by telephone, which was a violation of hospital policy. The drug they were told to administer was not authorized for use on the wards, and the dosage they were told to administer was twice the maximum daily dosage, and thus could have endangered the life of the patient."

Double Standards on Spyware?
"Antivirus software doesn't detect commercial spyware, thereby treating the software as not malicious even though the intent is to spy on other people. So the computer equivalent of wiretapping goes unnoticed, creating the risk that each of us might be under illegal surveillance at any time. Of course, the antivirus software manufacturers may argue that spyware can be used for legitimate purposes, and therefore should not be treated as malicious. But the developers of certain tools once used by the hacking community, which are now being freely distributed or sold as security-related software, are nonetheless treated as malicious code. There's a double standard here, and I'm left wondering why."

On Baiting the Victims
"The attacker sends emails claiming that the first 500 people to register at the company's new Web site will win free tickets to a hot new movie. When an unsuspecting employee registers at the site, he is asked to provide his company email address and to choose a password. Many people, motivated by convenience, have the propensity to use the same or a similar password on every computer system they use. Taking advantage of this, the attacker then attempts to compromise the target's work and home computer systems with the username and password that have been entered during the Web site registration process."


On the need to challenge the executives
"Employees must be trained not to assist people they do not personally know, even if the person making the request claims to be an executive. Once security policies concerning verification have been put in place, management must support employees in adhering to these policies, even when it means that an employee challenges a member of the executive staff who is asking the employee to circumvent a security policy."

Monday, 15 July 2013

Hacking Movie - Operation Takedown

The best quote in the movie Operation Takedown, which summarizes the story of the infamous hacker and social engineer Kevin Mitnick:

Hacker: You did not get this from me. I do not want Kevin Mitnick coming after me.

Tsutomu Shimomura: We respect your privacy.

Hacker: Privacy? Never heard of it!