Earlier this year at our Level conference, Jamie Woodruff, the ethical hacker who has hacked everything from Facebook to Kim Kardashian, gave us an insight into the methods social engineers use to gain access to our personal data.
In Part 1 we learned more about social engineering, and how it originated. Here we explore the different methods of deception that Jamie urges corporations to look out for:
This trick is simple yet effective. Many corporate devices have barcodes on them, and once you know that, it’s easy to distract the owner and install a ‘RAT’ (remote access Trojan) on their device. It’s as simple as: “Excuse me, you’ve forgotten your change”… bam, you turn around for a split second and an attacker sticks a USB stick riddled with malware into your device.
Phishing and Whaling
There are many different ways of coordinating a phishing attack, and the potential cost to a business is huge. A company close to Jamie lost a quarter of a million pounds in two days when someone impersonated the Managing Director and emailed the Finance Director asking him to pay a cleaning bill in Russia. The Finance Director did, and the company ended up paying the bill twice before anyone realized.
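The impersonation described above (an executive’s name on a message that asks finance to pay a bill) is the classic shape of business email compromise. As an added example that is not part of the original article or Jamie’s talk, the following Python script applies a few defensive heuristics to a message’s headers and body: an executive’s display name on an address that is not their known mailbox, a Reply-To that sends replies to a different domain, a sender domain that imitates an internal one, and payment-request language in the body. The executive directory, domains and both sample messages are constructed for the demonstration.

```python
import email
from difflib import SequenceMatcher
from email import policy
from email.utils import parseaddr

# Hypothetical directory of internal executives and domains (assumption, not from the article).
EXECUTIVES = {
    "jane smith": "jane.smith@example-corp.com",  # stands in for the "Managing Director"
}
INTERNAL_DOMAINS = {"example-corp.com"}
PAYMENT_WORDS = ("invoice", "payment", "wire", "transfer", "pay ", "bank details", "urgent")


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an e-mail address ('' if there is none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_lookalike(domain: str) -> bool:
    """True when a domain is not ours but is suspiciously close to one of ours (e.g. one character off)."""
    return any(
        domain != internal and SequenceMatcher(None, domain, internal).ratio() >= 0.85
        for internal in INTERNAL_DOMAINS
    )


def analyse(raw_message: str) -> list[str]:
    """Run simple BEC heuristics over one RFC 5322 message and return the findings."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings: list[str] = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = domain_of(from_addr)

    # 1. An executive's display name on an address that is not their known mailbox.
    known = EXECUTIVES.get(from_name.strip().lower())
    if known and from_addr.lower() != known:
        findings.append(f"executive display name '{from_name}' on unexpected address {from_addr}")

    # 2. Reply-To pointing at another domain: the conversation quietly leaves the company.
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append(f"Reply-To domain {domain_of(reply_addr)} differs from From domain {from_domain}")

    # 3. A sender domain that imitates one of ours.
    if from_domain not in INTERNAL_DOMAINS and is_lookalike(from_domain):
        findings.append(f"lookalike sender domain {from_domain}")

    # 4. Payment-request language raises the stakes of any identity anomaly above.
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    if any(word in text for word in PAYMENT_WORDS):
        findings.append("payment request language in body")

    return findings


def should_hold_for_review(findings: list[str]) -> bool:
    """Hold the message when a payment request coincides with at least one identity anomaly."""
    identity_findings = [f for f in findings if not f.startswith("payment")]
    return "payment request language in body" in findings and bool(identity_findings)


# Constructed sample: an impersonated MD asks finance to settle a bill; replies go to an outside mailbox.
SUSPICIOUS = """\
From: Jane Smith <jane.smith@example-c0rp.com>
Reply-To: Jane Smith <jsmith.private@mail-example.net>
To: finance@example-corp.com
Subject: Urgent: cleaning invoice

Please pay the attached invoice by wire transfer today.
"""

# Constructed sample: a routine internal message that should pass untouched.
BENIGN = """\
From: Jane Smith <jane.smith@example-corp.com>
To: finance@example-corp.com
Subject: Board minutes

Minutes from this morning's meeting are on the shared drive.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        found = analyse(raw)
        print(f"{label}: hold={should_hold_for_review(found)}")
        for f in found:
            print("  -", f)
```

None of these checks proves fraud on its own; the point is that a payment request combined with any identity anomaly is cheap to detect automatically and should trigger an out-of-band confirmation with the real executive before money moves, which is exactly the step that was missing in the story above.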
Tailgating and baiting
Dropping USB pens still works, particularly if you write ‘bonuses’ or ‘confidential’ on them. Tailgating – following someone inside a building – is still really easy to do. Most companies say they have a policy in place, but many do not educate their employees or exercise the policy. It’s imperative that if a device is lost, it’s blocked straight away.
Wireless access points
Mobile devices are always looking for known networks: when you walk into Starbucks, your phone will automatically connect to the Wi-Fi. The Pineapple mark 36 is a device which forces all devices around it to connect to it wirelessly. From there you can mount a man-in-the-middle attack and see the communications going in and out of the devices, potentially in plaintext. Not all devices are vulnerable to that, though. On certain devices it is even possible to strip away SSL certificates and substitute your own.
Jamie planted a QR code at a conference. Every time someone scanned it, it pinged a website on the screen. If he had been there maliciously, he could have served an infected APK file, or rerouted them to a seemingly legitimate website that appeared to be downloading something, and taken over their device.
Jamie often uses impersonation to gain access to areas, or even just to blend into the background and gather information. You’d be surprised how easy it is to blend into a large corporate firm, given the right guise. Jamie spent days serving tea and coffee, and was even told off for not doing it correctly.
Real life examples of social engineering
A slice of the action
Jamie was hired to gain access to the server room of a large financial organization. After realizing they ordered pizza from Domino’s every Friday and the delivery guy was getting buzzed into the building and through security, Jamie got a job at Domino’s. The following Friday he went to the office a few hours early to deliver the pizza and was buzzed straight into the building. Next, he located the server room and saw it had a keypad on the door. He used luminol to work out which buttons had been pressed and gained access to the room.
The weak link in your armour
Employees are often the downfall. They are the first line of defense and the last line of defense. In one case Jamie printed his own badge for the alarm company the organization used. He went back a few weeks later saying he was there to service their alarm and easily gained access.
Most people have quite a fixed routine. For a hacker this is great: after a week of following you, they know roughly where you are going to be. If someone is following an MD, they can figure out where the MD’s devices are going to be and where the MD is most vulnerable. The best thing you can do is be aware of your surroundings and question them.
There are always ways around things, when you patch one bug, you get 5 more, and that is always the way it is going to be in cybersecurity – a cat and mouse game.
– Jamie Woodruff, Ethical Hacker
It’s not all doom and gloom
Most businesses have security like a huge wrought iron gate surrounded by knee-high bushes. The gate is your technology; the bushes are your employees. It is vital to educate your staff to change their perception of hacking and understand that there are malicious people out there.
Small steps count. Most people set simple passwords on their iPads and laptops to make it easy for their kids to get in. But if we start setting complex passwords in our personal lives, it becomes second nature in our business lives too.
It is important for everyone to know and be aware of Cybersecurity.
– Jamie Woodruff, Ethical Hacker
Is mobile phishing the biggest mobile security risk?
Phishing is not only far more prevalent than you might think, but it has also become a major security threat on mobile devices, not just desktops. Find out where phishing attacks are happening, in which apps, and on which operating systems.