Social engineering: anatomy of a hack
Computerworld, New Zealand's specialised information systems fortnightly.
As the founder of US security consultancy Lares, social-engineering expert Chris Nickerson is often asked by clients to conduct penetration testing of their on-site security. Nickerson leads a team that conducts security risk assessments using a method he refers to as Red Team Testing.
Nickerson and crew recently took on just such an exercise for a client he describes as "a retail company with a large call centre". With some prep work, Nickerson says, the team was able to gain access to the company's network and database quite easily. Read on to find out how they did it and how to shore up your organisation's defences.
Chris Nickerson: On-site security vulnerability testing requires the most memory and intelligence gathering, because you need to start off by gaining information on your target. When I'm doing my information gathering, I like to target holidays or time-relative events. In this particular exercise, there was a high-profile horse-race going on in the area. In the area where the company was located, it was the big thing to go to this horse race. Everyone in the city geared up and left the office to go to it. That was a perfect time for me to arrive at the company and say I have an appointment.
I had decided to go in and say I had to meet with someone we'll call Nancy. I knew Nancy wasn't going to be in the office because her MySpace profile revealed she was planning to go to the race. Then her Twitter profile said she was getting dressed to go to the event. So I knew she wasn't in the office.
I was wearing a Cisco shirt I had bought at an op-shop for $4. When I arrived at the office reception I said "Hi, I'm the new rep from Cisco. I'm here to see Nancy." The front desk attendant replied, "She's not at her desk."
I said, "Yeah. I know. I've been texting back and forth with her. She told me she is in a meeting and the meeting is going over."
This was right around lunch time and I said, "Since I'm waiting, is there anywhere around here where I can go get some food?" I knew from surveying the area the closest thing was about five miles away, because the company was sort of out in the sticks.
The receptionist responded, "Four or five miles down the road there is a McDonalds. But we have a nice cafeteria here. If you want, you can just eat in there."
Being allowed to go to the cafeteria gave me full access to the facility, because the only thing that was guarded was the door. The cafeteria led right into the rest of the building.
So I went into the cafeteria and ate. While I was there I did USB key drops. I had put files on them with names like 'Payroll' or 'Strategy 2009'. The USBs had rootkits on them. Many contained an autorun rootkit. Others had Hacksaw, which is a little piece of tech that you can use with a U3 drive. You plug it into a machine and, if the machine has autorun for the CD-ROM running, it will just start dumping all the passwords, usernames and all that. The USB will also put a hook into the machine to start emailing that information out to an email account you give it to contact. So, even after I left, I could still be filtering information. The drives only take about 30 seconds to enable themselves.
When I do this kind of exercise, I put USBs in areas that people are in where they might forget something: the bathroom, for instance, on the sink. Another good area is near the coffee machine. Areas where people naturally put things down where they might not remember to pick them up. I've never done a USB key drop without success.
Meanwhile, I had one of my guys get in through the smoking door at the back. At first he hung out and had a cigarette with people who came out to smoke on their break. When they were done, the door opened and he just cruised in. Yet another exercise to prove it really doesn't take much to get inside.
Once he was in, I had him come and get me in the cafeteria. That was so it appeared on the security tapes as if someone had come to get me out of the cafeteria, to escort me to whatever meeting I was going to attend. We went through and inside this giant 10,000 square-metre cube farm, we found a few seats that were wide open and just sat down.
There was no one nearby. So, we started pulling keys. We used things like Ophcrack to start cracking Windows passwords and dump them into Linux. We started putting our machines on the networks so we could start doing pen testing and hacking active servers in the environment. We put up things like WRT54G routers: the little blue Linksys wireless units. We took those, stuck them under a cube and put Unix on them, OpenWrt. That made it so I had a wireless access point I could hit not only from the parking lot, but it also beacons and calls home so I had a Unix box that sits inside the company's network.
A short time later, a full team of people came in. A lot of the staff at this facility worked shifts and it was shift change time. Because we had done our homework we were in two of the three cubes that were vacant, so there were no conflicts or questions.
Everyone sat down around us. I announced myself as the Cisco engineer who was working on the phone system. Many of them responded with jokes and said things like, "Honey, please don't fix it. I don't want to take any calls today."
One thing I have learned is that cookies are the key to everyone's heart. When I'm doing the type of exercise where I'm posing as a tech, or a VAR, I like to bring cookies. I did for this exercise and I started passing out cookies to everyone in the area. We were all laughing, having a great time. Meanwhile, we were in the middle of hacking their entire network.
What we exposed for the client was the vulnerability of their physical access, while demonstrating some of the blended techniques we used to get in. We were able to show how, with social engineering, we were able to hack the SQL Server and dump the whole database of everybody's account information. This kind of breach could have cost the company a great deal of money, as we had access to all of its database because of these vulnerabilities. We wore button cams and hat cams so that later they could watch how it was done.
Companies need to run security campaigns. You need to tell employees what to look for and how to look for it. Companies need to teach employees that it's not that they don't trust the people within the organisation; it's that there are people out there trying to do this every day. It is just a good awareness technique to do this sort of exercise.
If someone is coming to work on your environment, you should probably know who they are. If you think of your company like your home, you would do things differently. You are not going to just let someone walk into your house. That is the kind of philosophy companies need to inject into corporate culture.
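The rogue WRT54G under a desk that "beacons and calls home" is the kind of device a defender can catch from logs already on hand, without waiting for an awareness campaign to pay off. The Python below is an added example for this page, not code from the article or from Lares; the DHCP lease lines, the outbound firewall lines, the asset inventory and both log formats are constructed for illustration, and the MAC addresses and hostnames are made up. It first flags any host that leased an address without an asset-inventory entry, then checks whether such a host contacts one outside endpoint at a near-constant interval, which is the signature of a box calling home on a timer rather than a person browsing.

```python
"""Flag uninventoried hosts on the LAN and check them for fixed-interval
beaconing to a single outside endpoint. Added example; all data is constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed DHCP server log (assumed format: date time DHCPACK ip mac hostname).
DHCP_LOG = """\
2009-06-12 13:02:11 DHCPACK 10.20.4.17 00:1e:0b:aa:bb:01 CC-WS-0412
2009-06-12 13:03:48 DHCPACK 10.20.4.18 00:1e:0b:aa:bb:02 CC-WS-0413
2009-06-12 13:05:02 DHCPACK 10.20.4.91 00:14:bf:12:34:56 linksys
2009-06-12 13:06:30 DHCPACK 10.20.4.19 00:1e:0b:aa:bb:03 CC-WS-0414
"""

# Constructed asset inventory keyed by MAC; the rogue router has no entry.
INVENTORY = {"00:1e:0b:aa:bb:01", "00:1e:0b:aa:bb:02", "00:1e:0b:aa:bb:03"}

# Constructed outbound firewall log (assumed format: date time ALLOW src -> dst:port).
FW_LOG = """\
2009-06-12 13:10:00 ALLOW 10.20.4.91 -> 203.0.113.7:443
2009-06-12 13:15:00 ALLOW 10.20.4.91 -> 203.0.113.7:443
2009-06-12 13:20:00 ALLOW 10.20.4.91 -> 203.0.113.7:443
2009-06-12 13:25:00 ALLOW 10.20.4.91 -> 203.0.113.7:443
2009-06-12 13:11:07 ALLOW 10.20.4.17 -> 198.51.100.20:80
2009-06-12 13:29:41 ALLOW 10.20.4.17 -> 198.51.100.21:80
"""


def parse_dhcp(text):
    """Return one dict per DHCPACK line: timestamp, ip, mac (lower-case), hostname."""
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[2] != "DHCPACK":
            continue  # skip anything that is not a completed lease
        leases.append({"ts": f"{parts[0]} {parts[1]}", "ip": parts[3],
                       "mac": parts[4].lower(), "host": parts[5]})
    return leases


def rogue_hosts(leases, inventory):
    """Map ip -> lease for every MAC that has no asset-inventory entry."""
    known = {m.lower() for m in inventory}
    return {lease["ip"]: lease for lease in leases if lease["mac"] not in known}


def parse_fw(text):
    """Group allowed outbound connections by (src_ip, dst_endpoint) -> [timestamps]."""
    events = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[2] != "ALLOW" or parts[4] != "->":
            continue
        ts = datetime.strptime(f"{parts[0]} {parts[1]}", "%Y-%m-%d %H:%M:%S")
        events[(parts[3], parts[5])].append(ts)
    return events


def beacon_candidates(fw_text, suspect_ips, min_events=4, max_jitter=5.0):
    """Return (src, dst, mean_interval_seconds) for suspect hosts whose connections
    to one endpoint recur at a near-constant interval (std dev <= max_jitter s).
    Human browsing rarely produces min_events hits to one endpoint with that regularity."""
    found = []
    for (src, dst), times in parse_fw(fw_text).items():
        if src not in suspect_ips or len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if pstdev(gaps) <= max_jitter:
            found.append((src, dst, mean(gaps)))
    return found


def triage(dhcp_text=DHCP_LOG, fw_text=FW_LOG, inventory=INVENTORY):
    """Run both checks and return (rogue hosts, beaconing rogue hosts)."""
    rogues = rogue_hosts(parse_dhcp(dhcp_text), inventory)
    beacons = beacon_candidates(fw_text, set(rogues))
    return rogues, beacons


if __name__ == "__main__":
    rogues, beacons = triage()
    for ip, lease in rogues.items():
        print(f"uninventoried host {ip} mac={lease['mac']} name={lease['host']}")
    for src, dst, interval in beacons:
        print(f"{src} beacons to {dst} every {interval:.0f}s: pull the cable and find the box")
```

Tune `min_events` and `max_jitter` to the log volume you actually have; a call-home interval of five minutes with zero jitter is the easy case, and a real implant may randomise its timer, which is why the inventory check runs first and stands on its own.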