Attacks using social engineering techniques can be difficult to defend against, as Gunter Ollmann discovers.
An area of security that regularly raises the hackles of a corporate security department is the threat of social engineering attacks. While most security staff can understand the dangers of this type of attack, it is extremely difficult to guard against, as the defense relies heavily upon staff education procedures that are almost impossible to enforce.
Over the last few months there has been a fair bit of press interest regarding social engineering in the wake of the book by perhaps the world's most famous hacker and social engineer, Kevin Mitnick. His book, The Art of Deception, provides a valuable insight into social engineering for those not familiar with the techniques in use.
Although social engineering does not normally form part of a security assessment or penetration test, there are instances when I have been requested, as part of a larger exercise, to see if procedures are followed by the helpdesk or customer support department.
More frequently, ad-hoc social engineering takes the form of verifying that potentially malicious content inserted by the consultant during the assessment is viewed, and consequently executed, by the customer support department.
This entails the consultant phoning the customer service desk, pretending to be a new customer having trouble filling in the user registration page, getting the customer service person to verify the details onscreen and listening to them gasp as something unexpected happens to their screen - such as a pop-up box appearing, containing text inserted by the consultant that advises them to inform their security department that they are vulnerable to attack.
As almost all of my clients operate internationally, I regularly have to assess the security of web-based applications in multiple countries. Fortunately the code can be interpreted regardless of language or accent, and the discovery of security weaknesses or vulnerabilities can proceed as normal. Unfortunately it can be difficult to verify some types of vulnerabilities that rely upon various forms of social engineering.
Luckily, there are two types of online tools to aid me in overcoming this hurdle - online translators and relay telephony services. By combining these online services I can carry out my minor social engineering challenge anonymously and in any supported language.
Relay telephony services are typically online services targeted at people with hearing, sight or speech impediments. Many telecommunications companies around the world now offer this service over the internet using a web-based real-time terminal. The caller types the telephone number of the person to be called, along with any extra details to aid the intermediary telephone operator. The operator then calls the number, introduces themselves and explains their role.
Overcoming the language barrier
Using the web-based terminal, the operator types in the recipient's conversation, and also reads the caller's text to the recipient. Combining this service with an online translator means that I can conduct a limited conversation in French, German, Italian, Japanese, Chinese or Korean.
That said, a large number of my clients are from the U.S. or have offices in the U.S. that need to be included in a security assessment. I could just phone their helpdesk or customer services department if there is a social engineering requirement. Unfortunately, in security-conscious organizations, I can run into several hurdles that make this difficult - such as a caller display showing my number as an international call or as withheld, or even my non-American accent. By using an American-based relay telephony service, I can effectively 'proxy' a social engineering call. As an additional benefit of using a relay service, call recipients tend to go the extra mile to be helpful, as they think they are actively helping a disabled person - and it saves the cost of an international call.
The ability to social engineer by proxy has not been lost on the computer underground either. A number of popular underground web sites and IRC channels are regularly updated with information about current relay telephony services from around the world.
Would-be hackers and script-kiddies can make use of the service to hide their pre-pubescent voices from the customer services department, make free international calls (with the appropriate country/area codes), and make anonymous prank calls from anywhere in the world.
What can an organization do to help protect itself from social engineering attacks? Each and every employee must understand what social engineering attacks are, the techniques commonly used, and how they could be subjected to an attack without their knowledge.
Organizations must also ensure that policies and procedures exist for controlling access to, and disclosure of, all confidential information.
And finally, it is important that employees are aware of services that social engineers may employ against them. This includes 'helpful' services such as relay telephony services.
Gunter Ollmann is manager of X-Force Security Assessment Services EMEA for Internet Security Systems (www.iss.net).