Myths and Realities: Social Engineering vs. Traditional Hacking


Many companies today are obsessed with IT security while clearly underestimating the risk of confidential corporate data leaking through hacking via a regular phone call. Business intelligence professionals refer to this phenomenon as HUMINT – human intelligence. It is the company’s own employees who are often the weakest link in the security system the company has developed.

The American social engineering contest is part of Defcon, a large hacker convention held in Las Vegas. The event has a rather civil focus: IT hackers probe IT security systems for their weak spots, while social engineers hack large American corporations by engaging their employees in phone conversations and extracting corporate secrets from them. All of this happens in front of guests, some of whom rank rather high – among them are senior officials from the FBI, NSA, US Department of Defense and Department of Justice. What I think is interesting is that social engineers achieve their goal faster and more efficiently than their IT counterparts, and sometimes even help them out with tips for an efficient computer attack on the target company.

The contest has a simple procedure. The organizers distribute a list of ten random organizations picked out of the Fortune 500 ranking, and a list of flags – the data that the competitors must obtain. Hackers have two weeks to choose their target, research it using publicly available data, analyze its weaknesses and develop a legend. During the contest they take their places in a transparent soundproof booth set on a stage, and have the phone number dialed for them, with the conversation audible through speakers to the audience to demonstrate the social engineering skills of the hacker. Each hacker has 20 minutes to collect as many points as possible.

Many episodes of the latest contest, held in June, could be included in competitive intelligence anthologies. John Carruthers, who chose to attack the Target store chain, was the first of the competitors to claim the lead. During the time allowed, he interacted with several IT officers from stores all over the country, posing as a systems administrator for a Target data center in Minnesota and asking why they hadn’t deployed an important patch to the company’s supplier software. While getting ready for the contest, John Carruthers noticed that in building its website, Target had unwittingly made public important corporate information – internal store IDs. They ended up included in the URL of the respective pages of all stores within the chain. And if Target employees expressed any doubt about whether they were actually talking to their company’s systems administrator, he would just quote their store ID, and that was enough to make the ‘friend-or-foe’ system work to his advantage and make the rest of the process go like clockwork.

Engineers posing as journalists or as analysts carrying out marketing research found the task more difficult.

The championship of the contest was claimed, for the second time, by Shane MacDougall, who impressively pulled to pieces the security system of a Wal-Mart store located in a Canadian town. Shane called the store manager and posed as a logistics executive from Wal-Mart headquarters. He said that he was going to visit the town soon, as he was selecting ‘pilot’ stores for a program that would be implementing a large government contract that was about to be awarded to Wal-Mart – but he wanted to clarify certain operating details on the phone. Falling for the legend, the store manager started giving up the flags one by one, lightly and without a shadow of doubt, even blurting out many things he was not asked about: the shift schedule, the OS and antivirus software installed on his office PC, the name of the cleaning services provider, the personnel compensation scheme, etc. Finally, MacDougall asked him to go to an external website and fill in a questionnaire there (“To help me get ready for the trip”, MacDougall said). The store manager was willing to do that as well; the only reason he couldn’t was that the corporate IT system blocked the website recommended by the hacker.

Following the successful hack, MacDougall told CNNMoney reporters that his favorite targets are sales employees: “As soon as they think there’s money, common sense goes out the window”. The winning hacker went on to voice another important idea: “I see all these CIO that spend all this money on firewalls and stuff, and they spend zero dollars on awareness.”

Social engineering is a very old phenomenon, but its ‘heroes’ usually choose to stay in the shade. The competitors in this social engineering contest are exceptions. In fact, most of them are professional security systems ‘auditors’ working for large corporations and are therefore interested in demonstrating their skills to the public. If I were to name a famous social engineer of America’s past who did not shy away from using morally ambiguous methods to his advantage, the only name to come to mind would be Harry Romanoff, the legendary editor of Chicago’s American. He managed to source almost all of his sensations via the phone, posing as the chief of police, or the governor, or the chief of a fire department. (History tells of a ‘Romanoff’s mistake’ he made when he called a house that was a crime scene where an investigation team was working. “This is Coroner O’Bannion. How many dead ones you got?” Harry asked. After a pause, the voice replied, “No, this is Coroner O’Bannion. Who the hell are you?”)

The business community must realize that the work of today’s social engineers is much easier: it’s easier to target an employee, to collect a dossier, and to understand the professional and personal relations within a corporation, the hierarchy of its business divisions and its corporate culture. They have access to social networks, where the majority of employees – from juniors to seniors – have personal accounts. There they can take their time to interact with their target and learn the target’s professional language so that they can speak it back to the target.

Other social engineers choose not to go the obvious way and do not try to obtain confidential information from the most obvious source in the company that possesses it. It’s not necessary to target an IT officer to learn about IT security, or an accountant to learn about the company’s finances. A classic example from business intelligence is to use a cleaning lady who removes waste paper from the wastebasket in the CEO’s office. Such waste paper can be a source of commercially important information.

Phone calls are an extremely convenient tool for a social engineer. As long as the information obtained is not used to the detriment of any particular person or the company, the social engineer bears no criminal responsibility: it’s not illegal to talk to someone. In this case, the other party to the conversation must be mindful of their own responsibility. For example, if an accountant discloses, even unwittingly, any data on the phone that then ends up in the possession of the company’s competitors, such an act can result in criminal prosecution under the Federal Law “On Trade Secrets”.

A rather typical situation: an accountant receives a call from a man who claims to be an official at a statistical agency and requests that the accountant reply to the inquiry sent to the corporate e-mail. The document raises no suspicions, as it is executed in accordance with all standards. There are different scenarios of what happens next. One accountant will probably reply to the inquiry and unwittingly send the reply to the company’s competitors. Another accountant will demand an original copy and call the agency to find out why it sends its inquiries via e-mail… Guess which scenario is the right one.

It’s important to understand that technology-based security will not guarantee protection on its own. Apart from the expensive and complex IT systems, the people working in a company should be responsible for the protection of its data. That is administrative security, which requires continuous awareness development. Any company must have written regulations on the management of confidential information, and every new employee must sign a non-disclosure agreement when hired. There must be corporate training sessions or seminars at least once a year. Company management must clearly state what constitutes confidential information and how it should be protected. Education is the way to prevent data leaks.

Social networks have long been the place where black-hat hackers carry out their ‘human research’. There have been instances when they created an account posing as the director general of a company and started actively networking with the employees, extracting the information they needed. Certainly this kind of hack will mostly work with companies where the management is somewhat distanced from its employees, either in terms of geography or management hierarchy. In this case there’s no risk that the director will learn about the impostor’s online interaction with the employees. Prudent management makes sure that its staff ignores the fake account by making the director general’s confirmed account known to the staff. And it works. But a hacker can just as easily create an account for the manager’s wife and interact with everyone related to the company, thus gradually finding out more and more. So how can a company protect itself? The solution is to maintain the highest level of awareness within the company, ensuring that the staff has a general idea of whom to correspond with and what topics to discuss.

Author: Romachev Roman
Published in Business Magazine Online, September 10, 2012

