Wednesday 21 April 2010

Social Engineering and 2-Factor Authentication

This article will describe the low-tech hacking method known as “social engineering” and provide a script scenario of how this might work. It will then describe some methods of protection against this, and how a strong company policy is required for such protection.

We have all heard about the dangers of hackers entering our corporate computer networks by using sophisticated (or not-so-sophisticated freely-downloadable) tools to hack in past network firewalls, and exposing sensitive corporate data to the competition or the outside world. We may also have heard of malware, or the more malicious crimeware, which has the purpose of performing identity theft. It runs on a corporate workstation and gets there either via the web browser or phishing e-mail.

If someone was motivated to enter your corporate network using these methods, however, they would need advanced network engineering (i.e. hacking) knowledge or some half-decent programming skills. Fortunately for the data thief, however, access to your network can be obtained using none of these methods, and the only tool needed would be mediocre sales skills.

Social Engineering
The thief does a Google search on his target company, ABC Corp. He finds a corporate partner, XYZ Ltd., on ABC’s “Partner” page on their web site and the name of a director from their “About Us” page. He then goes to XYZ’s web site and obtains the name of any director or employee. He phones ABC corp.

Call #1
Thief: Good morning, this is Adrian Andrews, from the IT department from XYZ Ltd. One of my directors, Brian Bookman, needs me to FTP some information to Charlie Crisp, your Finance Director. Could you give me the name and e-mail address of one of your IT people so that I can request the technical details from them by e-mail?

Receptionist: Certainly Mr Andrews, you can contact Duncan Drisedale at

The thief digs a little deeper on the Internet to see if he can find any new people starting or transferring to ABC Corp. If he does, it’s a bonus, otherwise, he just gets as many employee names as he can, about a dozen or so. He would probably get this from the downloadable annual report.

Call #2
Thief: Good afternoon, may I speak with Eleanor Ewing? She’s just started so I don’t have her extension yet.

Receptionist: Certainly Sir.

Eleanor: Eleanor speaking.

Thief: Good afternoon. We haven’t met yet; I’m Duncan Drisedale from corporate IT; you probably see my name on the phone list. I just want to make sure that you understand the remote access procedures for getting into the network from home. Did one of my people show you this, or did you get the instructions?

Eleanor: Oh yes, I was shown last week.

Thief: Would you mind terribly if we went through the procedure now, just so you’re completely comfortable with it? We’re trying to reduce out-of-hours support calls when getting access is more urgent than a relaxing trial run during the week. Perhaps you could just run through the steps, telling me exactly what you’re doing each step of the way. I’ll stop you if anything needs clarifying.

Eleanor: OK, this is what I’m doing, as per the sheet: step one [details].... step two [details]..., etc...

Thief: Excuse me, just checking, are you typing “http://url” or “https://url” [with more detail].

Eleanor: No, I’m typing “https://FullURL/etc” [details]

Thief: And tell me, are you entering your user name or e-mail address? Could you please confirm for me exactly how so I can be sure you have the correct syntax?

Eleanor: Yes, its.. [details]. Oh, I’m in! Thank you very much; this will be useful.

Thief: You’re quite welcome. Goodbye.

Call #3
Thief: Good morning, may I speak with Frank Feilding?

Frank: Frank speaking.

Thief: Good morning, this is Duncan Drisedale from corporate IT. Listen, we had a system glitch last night and I see that you have used the remote access system at least once before. We need to do a test, but we can’t do that using our IT administrative accounts; we need to use a real user ID to test the full business functionality. Would you be able to help us? It would take five minutes of your time.

Frank: Sure.

Thief: OK, what I’m going to do is test the remote access from here, but logged on as you. I have the procedure here; could I just verify that you would do this the same way as I have documented?

The thief goes through the whole remote access connection procedure correctly, talking out loud as he goes, as he learned it from Eleanor. It is a familiar procedure to Frank. Finally at the log on...

Thief: OK, your user name and password? Is it “”? and?

Frank: Yes, and the password is [password].

Thief: [Humming and hawing] Yes, it all seems to be working fine. I’m logging off now. Thank you very much for your time.

The thief now has Frank’s user name and password, and he knows how to use the company’s remote access system. No hacking or programming required. Admittedly, the scenario above is best-case for the hacker, but if the line doesn’t work on user #1, he has another twelve or a hundred user names to try these two calls on. Some may not give out the information, but out of a dozen, it’s safe odds that one will.

He can now log on as Frank at leisure to ABC network from an Internet café (virtually untraceable computers rented using cash) and download all the corporate secrets Frank has access to.

While logged on, if the thief had an extra layer of IT sophistication, he could download and install a password cracking tool (search Google for "windows password cracking" and you will get 121,000 hits) to get passwords of system administrative accounts and have access to every file on the network. This could take as little as another hour for an amateur to accomplish.

This is social engineering hacking. Obviously a smooth voice and some sales techniques help, and there are many variations to the scenario shown above. It boils down to the thief getting on your network not through machines, but through people, who are fallible.

Two-Factor Authentication
Two-factor authentication is something the end-user knows and something he possesses. This is where the person possesses a physical token, often in the form of a key fob that either shows a constantly changing number to be typed in, or contains a USB key that plugs into most computers. For the user to gain access to corporate resources, they must provide something they know, their user name and password (and the remote access procedure in the first place); and something they possess, the number on the token or the physical key. The “possession” piece could, in fact, be a corporate laptop. It is possible for remote access connections to be verified to be coming from these laptops only, and thus not allowing access from Internet cafés or corporate computers at client or partner sites.

This is the technology that can prevent social engineering attacks. The scenario above wouldn’t work, as the thief would also require a hardware key to log on. In the case of an RSA key fob that displays digits, he may just be able to get those numbers read to him by an unsuspecting user one time, but it would be unlikely he could get it twice. End-user training is also required.

Corporate Policy
A senior executive, Gerry Garabaldi, is on the road and cannot access the corporate intranet. He calls the IT Help Desk and Henry Hooper, who only started here two weeks ago, answers the call. It is possible for an IT administrator to over-ride the two-factor authentication and provide a temporary PIN to a user over the phone.

Gerry: I’m in Milan at DEF Corp. on one of their workstations, and I can’t log on to our corporate intranet.

Henry: OK, sir, I can reset your Windows password to [password]. Now if you could try again, please?

Gerry: Hmm, it’s still not working. It keeps asking me for this secondary password. What is that?

Henry: Ah yes, that is where you enter in your key fob number.

Gerry: Oh no, I’ve forgotten it! You’re going to have to disable that or over-ride it, or something.

Henry: I’m sorry, sir, I really cannot. You could be anybody at all trying to gain access; I’m not allowed to let anyone in with no credentials in this manner.

Gerry: Now you listen to me! If you don’t get me onto that site in the next fifteen minutes, we’re going to lose a ten million pound deal! Let me speak to your manager right now!

So what does Henry or his boss do? Does he allow the person on the phone in? If he does, he could be allowing a hacker onto the network who has just successfully social-engineered his way past two-factor authentication security, thus rendering it useless. If he does not, he could be holding up a huge deal Gerry is about to make.

The policy can only be decided by the business users of the system and, as can be shown by the example, must be approved and backed by the highest level of management. Without such a policy, written down and published, many security solutions become useless.

No comments:

Post a Comment