Social Engineering: Anatomy of a Hack
How a social engineering expert gained access to extremely
sensitive information with little more than a thrift-shop shirt, a plate of cookies and a Linksys box
As the founder of Lares, a Colorado-based security consultancy,
social-engineering expert Chris Nickerson is often asked by clients to
conduct penetration testing of their on-site security. Nickerson leads
a team that conducts security risk assessments using a method he refers
to as Red Team Testing. Watch Nickerson and his team pull off a diamond
heist in this video.
Nickerson and crew recently took on such an exercise for a client he
describes as "a retail company with a large call center." With some
prep work, Nickerson says the team was able to gain access to the
company's network and database quite easily. Read on to find out how
they did it, and what lessons you can take away for shoring up your organization's defenses. (To learn more about social engineering techniques, also see Social Engineering: Eight Common Tactics.)
Chris Nickerson: On-site security vulnerability testing
requires the most memory and intelligence gathering because you need to
start off by gaining information on your target. When I'm doing my
information gathering, I like to find holiday or time-relative events.
In this particular exercise, there was a large horserace going on in
the area. In the town where the company was located, it was the big
thing to go to this horse race. Everyone in the city and around it
geared up and left the office to go to it. That was a perfect time for
me to come in and say I have an appointment.
I said I had to meet with someone we'll call Nancy. I knew Nancy wasn't going to be in the office because on her MySpace profile it said she was getting ready to go to the race. Then her Twitter profile said she was getting dressed to go to the event. So I knew she wasn't in the office.
Before I went to the office, I went to a thrift shop and got a Cisco
shirt for $4. Then I went in and said "Hi. I'm the new rep from Cisco.
I'm here to see Nancy." The front desk attendant in this situation said
"She's not at her desk."
I said "Yeah. I know. I've been texting back and forth with her. She told me she is in a meeting and the meeting is going over."
This was right around lunch time and I said "Since I'm waiting, is
there anywhere around here where I can go get some food?" I knew full
well that after surveying the area the closest thing was about five
miles away because they were sort of out in the sticks.
The receptionist said "Four or five miles down the road there is a McDonald's. But we have a nice cafeteria here. If you want, you can just eat in there."
Being allowed to go to the cafeteria gave me full access to the
facility because the only thing that was guarded was the door. The
cafeteria led right into the rest of the building.
So I went into the cafeteria and ate. While I was there, I did USB key
drops. I put files on them with names like 'Payroll' or 'Strategy
2009.' The USBs had rootkits on them. Many contained an autorun
rootkit. Others had Hacksaw, which is a little piece of tech that you
can use with a U3 drive. You plug it into a machine and, if the machine
has autorun on the CD-ROM running it, it will just start dumping all
the passwords, usernames, all that. It will also put a hook into the
machine to start emailing that information out to an email account that
you give it to contact. So, even after I left, I could still be
filtering information. It only takes about 30 seconds to enable itself.
When I do this kind of exercise, I put USBs in areas that people are in
where they might forget something: The bathroom, for instance, on the
sink. Another good area is near the coffee machine. Areas where people
naturally put things down where they might not remember to pick it back
up. I've never done USB key drops without success.
Meanwhile, I had another one of my guys go in through the smoking
door in the back. He hung out, waited, had some cigarettes with people
who came out to smoke on break, and when they were done, the door
opened and he just cruised in. Yet another exercise to prove it really
doesn't take much to get inside.
Eventually, once he was in, I had him come and get me in the
cafeteria. That was so it appeared on the security tapes as though
someone was coming to get me out of the cafeteria to escort me to
whatever meeting I was going to attend. We went through and found
inside of this giant 100,000-square-foot cube farm a few seats that
were wide open and just sat down.
There was no one around us. So, we started pulling keys. We used things
like Ophcrack to start cracking Windows passwords and dump them into
Linux. We started putting our machines on the networks so we could
start doing pen testing and hacking active servers in the environment.
We put up things like WRT54G routers: the little blue Linksys
wireless units. We took those, stuck them under a cube, put Unix on
them and OpenWrt. That made it so I had a wireless access point I
could hit not only from the parking lot, but it also beacons and calls
home so I had a Unix box that sits inside their network.
A short time later, a full team of people came in. A lot of the work
that was done at this facility was shift work, and it was shift change
time. Because we did our homework right, we were at two of the three
cubes that were vacant so there were no conflicts or questions.
Everyone sat down around us. I announced myself as the Cisco engineer
who was working on the phone system. Many of them responded with jokes
and said things like "Honey, please don't fix it. I don't want to take
any calls today."
One thing I have learned is that cookies are the keys to everyone's
heart. When I'm doing the type of exercise where I'm posing as a tech,
or a VAR, I like to bring cookies. I did for this exercise and I
started passing out cookies to everyone in the area. We were all
laughing, having a great time. Meanwhile, we were in the middle of hacking their entire network.
In the end, what we exposed for the client was the vulnerability of
their physical access and we showed them some of the blended techniques
we used to get in. We were able to demonstrate how, with social
engineering, we were able to hack the SQL Server and dump the whole
database of everybody's account information. This kind of breach could
have cost them multiple billions of dollars. And we had access to all
of it because of these vulnerabilities. We wore button cams and hat
cams so they could watch how it was done.
Companies need to run a general social engineering awareness
campaign. You need to tell employees what to look for and how to look
for it. Companies need to teach employees that it's not that the
company doesn't trust the people within the organization, it's that
there are people out there trying to do this every day. It is just a
good awareness technique to do it.
If someone is coming to work on your environment, you should
probably know who they are. If you think of your company like your
home, you do things differently. You are not going to just let someone
walk into your house. That is the kind of philosophy companies need to
inject into corporate culture.
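The two call-home channels in Nickerson's account, the Linksys box under the cube that "beacons and calls home" and the Hacksaw payload that mails harvested credentials out, both leave the same network-level trace: an internal host contacting the same external endpoint over and over. The planted router is the cleaner case, because a scripted beacon fires on a timer, and a timer is something a SOC can look for. The following is an added example, not part of the original article and not Lares tooling, that flags near-constant connection intervals in a connection log. The log format, host addresses, ports and timings are all constructed for illustration; the address 198.51.100.23 stands in for an attacker-controlled host and 10.20.31.77 for the planted device.

```python
"""Flag periodic outbound connections ("beacons") in a connection log.

Added example for the article above; not Lares tooling. The log format,
addresses and timings below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: "<date> <time> <src-ip> <dst-ip> <dst-port>" per line.
# 10.20.31.77 stands in for a planted device calling home every ~5 minutes
# (with a second or two of clock drift); 10.20.31.15 is an ordinary desktop
# whose user keeps returning to the same web server at irregular times.
SAMPLE_LOG = """\
2009-05-02 12:01:00 10.20.31.77 198.51.100.23 443
2009-05-02 12:01:12 10.20.31.15 192.0.2.10 80
2009-05-02 12:03:50 10.20.31.15 192.0.2.10 80
2009-05-02 12:06:00 10.20.31.77 198.51.100.23 443
2009-05-02 12:10:59 10.20.31.77 198.51.100.23 443
2009-05-02 12:13:05 10.20.31.15 192.0.2.10 80
2009-05-02 12:14:20 10.20.31.15 192.0.2.10 80
2009-05-02 12:16:00 10.20.31.77 198.51.100.23 443
2009-05-02 12:21:00 10.20.31.77 198.51.100.23 443
2009-05-02 12:26:01 10.20.31.77 198.51.100.23 443
2009-05-02 12:29:00 10.20.31.15 192.0.2.10 80
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, src, dst, port) tuples."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        date, clock, src, dst, port = line.split()
        stamp = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
        rows.append((stamp, src, dst, int(port)))
    return rows


def find_beacons(rows, min_connections=4, max_cv=0.2):
    """Return (src, dst, port) pairs whose connection gaps are near-constant.

    A pair is flagged when it has at least min_connections events and the
    coefficient of variation (stddev / mean) of the gaps between them is at
    most max_cv. A steady timer gives a CV near 0; human-driven traffic does not.
    """
    by_pair = defaultdict(list)
    for stamp, src, dst, port in rows:
        by_pair[(src, dst, port)].append(stamp)

    hits = []
    for (src, dst, port), stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(later - earlier).total_seconds()
                for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:  # every event in the same second; not a timer
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append({
                "src": src, "dst": dst, "port": port,
                "count": len(stamps),
                "period_s": round(avg, 1),
                "cv": round(cv, 3),
            })
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"beacon: {hit['src']} -> {hit['dst']}:{hit['port']} "
              f"every {hit['period_s']}s over {hit['count']} connections "
              f"(cv={hit['cv']})")
```

On the sample the planted device is the only pair reported (six connections, about 300 seconds apart, CV near zero); the desktop's five visits to the same server are spread over gaps of 75 to 880 seconds and fall well outside the threshold. The caveat is that an attacker who randomizes the interval drives the CV up and walks past this rule, so it belongs alongside checks that do not depend on traffic shape at all: a DHCP lease or switch-port alert for a MAC address nobody inventoried, which would have caught the router under the cube the moment it was plugged in, and a rule on desktops originating mail to hosts outside the company, which is what Hacksaw's exfiltration looks like from the wire.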
© CXO Media Inc.