Beyond Network and Apps: Pen Testing Wetware

1
  • "Beyond Network and Apps: Pen Testing Wetware"
  • Terry Gudaitis, PhD
  • October 2008, MSU

2
Agenda
  • Defining the Wetware or Social Engineering
    side of pen testing
  • How SE fits into a pen testing methodology
  • Objectives of SE
  • Collection Methodologies
      • Physical
      • Electronic
      • Internet
  • Case Studies/Examples
  • Questions and Answers

3
Social Engineering
  • Definition
      • Human or social/psychological based
        methodologies used to persuade, coerce, or
        manipulate others into revealing sensitive,
        private, or confidential information.
      • The methodologies may include direct or remote
        assessment, observations, interpersonal
        communication, lures, schemes, or traps to elicit
        information.
  • In Historical Terms: A Con Game

4
Social Engineering
  • Human Vulnerabilities and Exploiting Cognitive
    Biases
  • SE will target the human weaknesses:
      • Ignorance or naiveté
      • Illness, vulnerability or psychological
        susceptibility (i.e., guilt, depression)
      • Fear, uncertainty or doubt
      • A desire to be liked, desired or respected
      • A desire to be helpful, feel successful, or
        accomplish a goal
  • The Objectives for the SE may be to Garner:
      • Cash or equivalents
      • Account access, passwords, logins
      • Identity information
      • Proprietary or business knowledge
      • Physical goods (i.e., badges, IDs, codes)
  • Victims (Targets) are either the corporation, the
    individual or both

5
Social Engineering
  • Most Popular or Successful Motivations include:
      • Get the Job Done
      • Fear of Not Doing Their Job
      • Wanting to be Helpful
      • Severe Empathy and Willingness to Break the Rules
      • Ease and Laziness (sometimes this is just due to
        lack of policies)
  • The SE:
      • Confident
      • Knowledgeable
      • Correct Personality for the role

6
Social Engineering
  • Basic Methodology
      • Targeting
          • Who, Why, Where, What type of Information
          • How to conduct the collection of information and
            intelligence
      • Data Collection
          • Background data
          • Understand the target: Know your target
          • Understand the Vulnerabilities
      • Scenario Development
          • Construct the plan to elicit the information
          • Assess the plan: Analyze the plan
      • Implementation
          • Collecting the targeted information
          • Collection of targeted information... and beyond?
          • Documentation of collection (times, dates,
            persons, means)

7
Social Engineering
  • Targeting
      • Who or What is the Target?
      • What types of information would be useful? Best?
      • How will the SE be able to acquire the most
        useful information?
      • Is it possible or necessary to collect
        information at the physical location, or is that
        1) not possible or 2) too risky?
      • What information may be able to be collected via
        electronic means or via the Internet?
      • Develop the targeting plan
      • Start information collection
      • Apply the collection of information/intelligence
        that has been gathered

8
Social Engineering
  • Data Collection of SE Information via the
    Internet
      • Target's website
      • Related websites
      • Partners, Vendors, Associates
      • Name search databases
      • Blogs
      • Social Engineering Sites
  • This is the initial starting point of research
  • This is where the background and back-data will
    be gathered
  • This will assist in the other types of data
    collection (physical and/or electronic)

9
Social Engineering
  • Internet Intelligence: Organizational Target and
    Human Target
      • World Wide Web
      • Blogs (Web logs)
      • IRC/Chat
      • Public email groups
      • P2P
      • Discussion forums
      • Usenet
      • Images, Vlogs
      • Unsolicited Commercial Bulk Email (SPAM)
      • People Finds

10
Social Engineering
  • Data Collection of SE Information via Physical
    Means
      • Dumpster Diving
      • Shoulder Surfing
      • Direct Observation
          • What types of badges?
          • Where are the physical entry points?
          • What does the building/environment look like?
          • What is the corporate culture?
      • Interaction and Discussion with Employees and
        other workers
      • Observation of personnel movements
          • Where people come and go from and to
          • Where do people park?
          • How do they commute?
          • Is everyone onsite, or do people telecommute?

11
Social Engineering
  • Physical Means
      • Recon of the physical target
          • How to dress
          • When to show up
          • What type of demographic
          • Understanding of the perimeter
      • Observational Intelligence
          • Just sit there
          • Interact without Entrance
          • Deliveries and Soliciting
      • Gaining Physical Entry
          • Coat-tailing
          • Walking Right In
          • Assessing Barriers (i.e., security guards, X-ray
            machines, ID checks)
      • Collecting Onsite Documents and Items
          • Where is the low hanging fruit?
          • Exiting with the goods!

12
Social Engineering
  • Data Collection of SE Information via Electronic
    Means
      • Using listening devices, trojans
      • Telephone communications
          • Personnel
          • Help Desks
          • Call Centers
      • Email communications
      • Virtual Games (i.e., Second Life)
      • Posting of surveys, websites (phishing-like
        activities)
      • Any information collected from thumb drives,
        CDs, etc.

13
Social Engineering
  • Electronic Means
      • Recon
      • Remote Assessment
          • Softest Target
          • May include foreign language usage
          • May need obfuscation tactics
      • Analysis of Replies and Correspondence
      • Duration of pre-elicitation communications
      • Plan to cease communications

14
Social Engineering
  • Developing the Targeting Scenario
      • Applying the background research, information,
        and intelligence gathering!
      • Develop the scenario and point of contact with
        the target(s) in order to elicit the needed
        information (i.e., passwords, login data)
          • Who are you going to contact?
          • What is your story, and what is the backdrop?
          • How are you going to contact them?
          • When are you going to contact them?
          • How many players do you need to make the scenario
            seem real?
          • What psychological vulnerability are you going to
            focus on, and why?

15
Social Engineering
  • High Profile Case: VP Candidate
  • "The hacker guessed that Alaska's governor had
    met her husband in high school, and knew Palin's
    date of birth and home Zip code. Using those
    details, the hacker tricked Yahoo Inc.'s service
    into assigning a new password, "popcorn," for
    Palin's e-mail account, according to a chronology
    of the crime published on the Web site where the
    hacking was first revealed."
  • http://wikileaks.org/wiki/Sarah_Palin%27s_E-mail_Hacked

16
Social Engineering
  • Case Studies
      • EX 1: Elicitation of Customer Data from
        Insurance Files
      • EX 2: Gaining Access to Medical Systems and
        Patient Data
      • EX 3: Gaining Physical Entry and Access to
        Internal Databases

17
Social Engineering
  • EX 1: Elicitation of Customer Data from
    Insurance Files
      • Targeting: Company Access to Customer Policy
        Information
      • Data Collection - Internet Only - Background
        data, P2P, WWW
      • Scenario Development
          • Impersonation of a legitimate customer's family
            member
          • Policy holder in jeopardy (medically unable to
            communicate)
          • 3-person scenario: play on severe empathy
      • Implementation - Phone call to Customer Service
        Desk
      • Review
          • Collected Policy and coverage
          • Collected SS
          • Follow-up contact could possibly get online
            account access credentials

18
Social Engineering
  • EX 2: Gaining Access to Medical Systems and
    Patient Data
      • Targeting - Help Desk of Major Hospital
      • Data Collection
          • Internet Collection (i.e., Docs' resumes, nurses
            at conferences)
          • Onsite Observation
      • Scenario Development
          • Impersonate a Doctor to gain access to medical
            database
          • 2-person scenario
      • Implementation - Email and then phone call to
        Help Desk
      • Review
          • Password and UserID (in fact, re-set password)
          • Access to Dr.'s email account, address book, etc.
          • Access to medical database
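Both the Palin/Yahoo case on slide 15 and EX 2 above turn on the same control failure: a password reset that is granted to whoever can recite facts about the account holder (date of birth, ZIP code, a "security question" answer, a doctor's name and department) rather than to whoever controls a channel the account holder registered in advance. The Python below is an added example, not code from the presentation or from Cyveillance. It puts the weak knowledge-based reset beside a hardened recovery flow that uses the same facts only to locate the account, then requires a one-time code delivered out of band, locks the account after a few failures, and records every decision for review. The account record, the candidate counts fed to the entropy estimate, and the lockout threshold of three attempts are all assumptions.

```python
"""Added example: knowledge-based account recovery versus an out-of-band
reset. Not from the presentation; all names, data and thresholds are
assumptions chosen for illustration."""
import hashlib
import hmac
import math
import secrets
from dataclasses import dataclass, field

# Constructed sample account (not real data). The "security answer" is the
# sort of fact a caller can find in public records or simply guess.
ACCOUNT = {
    "user": "example.user",
    "dob": "1964-02-11",
    "zip": "99654",
    "security_answer": "wasilla high",
}


def remaining_entropy_bits(candidates, known):
    """Guessing work (bits) left once some KBA factors are public.
    candidates: factor -> assumed number of plausible values.
    known: factors the caller already has from public sources."""
    bits = 0.0
    for factor, n in candidates.items():
        if factor not in known:
            bits += math.log2(n)
    return bits


def kba_reset(account, dob, zip_code, answer):
    """Weak flow: three potentially public facts are the whole secret."""
    ok = (dob == account["dob"]
          and zip_code == account["zip"]
          and answer.strip().lower() == account["security_answer"])
    return "reset-granted" if ok else "denied"


def _h(code):
    return hashlib.sha256(code.encode()).hexdigest()


@dataclass
class HardenedRecovery:
    """Hardened flow: KBA only locates the account. The reset itself needs a
    one-time code sent to a channel registered before the incident, failures
    are rate-limited per account, and every decision is logged for review."""
    max_attempts: int = 3  # assumed lockout threshold
    attempts: dict = field(default_factory=dict)
    pending: dict = field(default_factory=dict)  # user -> sha256(code)
    audit: list = field(default_factory=list)

    def _fail(self, user, reason):
        self.attempts[user] = self.attempts.get(user, 0) + 1
        self.audit.append((user, reason))
        return "denied"

    def request_reset(self, account, dob, zip_code, deliver):
        """deliver(user, code) stands in for SMS/email to the registered channel."""
        user = account["user"]
        if self.attempts.get(user, 0) >= self.max_attempts:
            self.audit.append((user, "locked"))
            return "locked"
        if dob != account["dob"] or zip_code != account["zip"]:
            return self._fail(user, "kba-mismatch")
        code = secrets.token_hex(4)
        self.pending[user] = _h(code)  # store only a hash of the code
        deliver(user, code)
        self.audit.append((user, "code-sent"))
        return "code-sent"

    def confirm_reset(self, account, code):
        user = account["user"]
        if self.attempts.get(user, 0) >= self.max_attempts:
            self.audit.append((user, "locked"))
            return "locked"
        expected = self.pending.get(user)
        if expected is None or not hmac.compare_digest(expected, _h(code)):
            return self._fail(user, "bad-code")
        del self.pending[user]
        self.attempts.pop(user, None)
        self.audit.append((user, "reset-granted"))
        return "reset-granted"


def demo():
    """A caller who knows only the public facts: beats the weak flow, but
    cannot finish the hardened one without the out-of-band code."""
    weak = kba_reset(ACCOUNT, "1964-02-11", "99654", "Wasilla High")
    flow = HardenedRecovery()
    inbox = []  # the owner's registered channel; the caller never sees it
    flow.request_reset(ACCOUNT, "1964-02-11", "99654", lambda u, c: inbox.append(c))
    guesses = [flow.confirm_reset(ACCOUNT, g)
               for g in ("popcorn", "guess-2", "guess-3", "guess-4")]
    return weak, guesses, flow.audit[-1][1]


if __name__ == "__main__":
    print(demo())
```

The entropy helper makes the slide's point numerically: with date of birth and ZIP code already public, the only secret left in the weak flow is the security answer, and a few hundred plausible town or school names is a guess space of roughly ten bits. The hardened flow's code is never compared in plaintext, is stored only as a hash, and the audit list is what a help desk or SOC would review after a burst of "bad-code" entries on one account.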

19
Social Engineering
  • EX 3: Gaining Physical Entry and Access to
    Internal Databases
      • Targeting - Executives of a large Financial
        Services organization
      • Data Collection
          • Internet background data
          • Onsite Observation - Onsite Data Collection at HQ
          • Email/Postings to company's forum
      • Scenario Development
          • Create role of an executive assistant for each
            executive
          • 1 person played all 4 exec assistants
      • Implementation - Gained Physical Access and
        Created Spear/Whale Phish to attempt to get
        password credentials
      • Review
          • Access gained to floor/office space of execs
          • 2 of 4 credentials were elicited (the execs used
            the same choice of password for the phish as they
            did for their corporate accounts)

20
Social Engineering
  • Summary
      • Most everyone can be psyched into giving away
        information
      • 5 Phases of conducting successful SEing:
          • Targeting
          • Data Collection
          • Scenario Development
          • Implementation
          • Review
      • Planning, planning, planning!
      • Thorough Understanding of the emotional and
        psychological impact
      • Acting, acting, acting!

21
Questions?
  • Contact
      • Terry Gudaitis, PhD
      • Cyber Intelligence Director, Cyveillance
      • tgudaitis@cyveillance.com 703-351-2437