Rachel Tobac and Joe Gray opened their talk at RSA by highlighting how important social engineering has become. For example, Ubiquiti Networks lost $39M in 30 minutes through social engineering. Whoever took the money targeted the company's finance department with what appeared to be an internal email, obtaining usernames, passwords, and account numbers. The attacker then transferred the money out of a Ubiquiti subsidiary in Hong Kong to other overseas accounts.

Those of us working in the semiconductor ecosystem see discussions of encryption, of whether a "secure enclave" is the right way to protect keys, and any number of technical debates about details. It is easy to forget that people are the weakest link. This applies to the systems that semiconductor products end up inside, but it also applies to the security of our own companies on a daily basis.

SECTF

There is even a competition held at DEF CON each year to find the social engineering champion. Its full name is Social Engineering Capture The Flag, but people just call it SECTF. Competitors are assigned a Fortune 500 company and a set of "flags" to be captured. They have three weeks to prepare by finding out what they can about the company from publicly available sources; in particular, they are not allowed to call or email the company during this phase. In practice this means about 50 hours of work, since the contestants usually have day jobs too. Then, live at DEF CON, sealed in a glass box, they have 25 minutes to make phone calls and extract as many of the flags as they can. Caller ID spoofing (making the call appear to come from a number you choose) is allowed. That's Rachel in the box in the photograph below.

The main function of SECTF is not so much for the contestants to show how great they are, although that is part of it. It is educational: to raise awareness of social engineering, and of how the barriers are not as high as people used to believe.
In fact the subtitle for SECTF is "Security through Education." As the DEF CON post-event blog said: SECTF once again proved that social engineering is a very valid vector, companies are not properly educating against it, and even novices can get tons of flags while sitting in front of hundreds of their fellow con goers.

Rachel and Joe have both been winners of SECTF, Rachel in 2016 and 2017, and Joe at the inaugural SECTF at DerbyCon. Rachel is the CEO of SocialProof Security. Joe is a security architect at IBM.

OSINT

OSINT stands for Open Source Intelligence, and refers to information that is freely available: the general internet, obviously, but also mass media, academic journals, and social media. Joe pointed out how unaware people are of how much information bleeds. Someone sent him a group photo once, and a moment later he sent back a photo of the building where the group photo had been taken. "How did you do that?" he was asked. "The metadata in the photo gave the location, then I found a picture of the building there." He said that sometimes even reflections in a photo give you useful hints.

Rachel's strength is social media. Well, she pointed out another "strength" later. She is a 4' 10" woman, so the most unthreatening, un-hacker-like person you can imagine. If you look at the photo at the top of this post, the only reason she looks so tall is that she is standing on a box. Her go-to site is Instagram. She said that 60% of the information she gets is from Instagram. Generally, she goes to the geolocation. Instagram will then tell you what hashtags are being used at that location (which means inside the target company). Facebook is the other huge resource. Unfortunately, they have just turned off the capability to search for someone by their phone number. But she generally uses Search Is Back, which bills itself as the "unofficial facebook advanced search engine" (not FB approved). That's one of the search boxes on the right.
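Joe's photo trick is worth seeing in code. What follows is an added example, not part of the talk or of the original post: a stdlib-only Python parser that walks a JPEG's marker segments, finds the APP1 Exif block, follows the GPSInfo pointer (tag 0x8825) into the GPS sub-IFD, and converts the degrees/minutes/seconds rationals to decimal coordinates. strip_exif() is the defensive counterpart, dropping the APP1 segments before a photo is shared. The sample JPEG is constructed inline (an Exif header carrying made-up coordinates and no image data), so the script runs offline; build_sample_jpeg() exists only to produce that fixture.

```python
"""Read GPS coordinates out of a JPEG's Exif block, and strip the block.
Added example; the sample file below is constructed, not a real photo."""
import struct

# Exif/TIFF tag and type numbers from the Exif specification
TAG_GPS_INFO = 0x8825                       # IFD0 entry pointing at the GPS sub-IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 1, 2, 3, 4
TYPE_ASCII, TYPE_LONG, TYPE_RATIONAL = 2, 4, 5


def _read_ifd(tiff, offset, e):
    """Return {tag: (type, count, raw 4-byte value/offset field)} for one IFD."""
    (n,) = struct.unpack_from(e + "H", tiff, offset)
    entries = {}
    for i in range(n):
        pos = offset + 2 + 12 * i
        tag, typ, count = struct.unpack_from(e + "HHI", tiff, pos)
        entries[tag] = (typ, count, tiff[pos + 8:pos + 12])
    return entries


def _rationals(tiff, e, entry):
    """Decode a RATIONAL array (uint32 numerator/denominator pairs) at the entry's offset."""
    _typ, count, field = entry
    (off,) = struct.unpack(e + "I", field)
    out = []
    for i in range(count):
        num, den = struct.unpack_from(e + "II", tiff, off + 8 * i)
        out.append(num / den if den else 0.0)
    return out


def _dms_to_decimal(dms, ref):
    deg, minutes, seconds = dms
    value = deg + minutes / 60 + seconds / 3600
    return -value if ref in ("S", "W") else value       # south/west are negative


def exif_segment(jpeg):
    """Walk JPEG marker segments; return the TIFF payload of the APP1 Exif segment, or None."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):          # EOI / start of scan: metadata is over
            break
        (length,) = struct.unpack_from(">H", jpeg, pos + 2)
        payload = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xE1 and payload[:6] == b"Exif\0\0":
            return payload[6:]
        pos += 2 + length
    return None


def gps_from_jpeg(jpeg):
    """Return (lat, lon) in decimal degrees, or None if the file carries no GPS tags."""
    tiff = exif_segment(jpeg)
    if tiff is None:
        return None
    e = "<" if tiff[:2] == b"II" else ">"   # TIFF byte-order mark: "II" little, "MM" big
    (ifd0,) = struct.unpack_from(e + "I", tiff, 4)
    top = _read_ifd(tiff, ifd0, e)
    if TAG_GPS_INFO not in top:
        return None
    (gps_off,) = struct.unpack(e + "I", top[TAG_GPS_INFO][2])
    gps = _read_ifd(tiff, gps_off, e)
    if not all(t in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
        return None

    def ref(tag):                            # short ASCII values live inline in the field
        return gps[tag][2].split(b"\0")[0].decode("ascii")

    lat = _dms_to_decimal(_rationals(tiff, e, gps[GPS_LAT]), ref(GPS_LAT_REF))
    lon = _dms_to_decimal(_rationals(tiff, e, gps[GPS_LON]), ref(GPS_LON_REF))
    return round(lat, 6), round(lon, 6)


def strip_exif(jpeg):
    """Copy of the JPEG with every APP1 (Exif/XMP) segment removed; image data is untouched."""
    out = bytearray(jpeg[:2])
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] not in (0xD9, 0xDA):
        (length,) = struct.unpack_from(">H", jpeg, pos + 2)
        if jpeg[pos + 1] != 0xE1:
            out += jpeg[pos:pos + 2 + length]
        pos += 2 + length
    return bytes(out + jpeg[pos:])


def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed fixture: a JPEG shell holding only an Exif GPS block (little-endian TIFF)."""
    e = "<"

    def rat(vals):                           # vals: list of (numerator, denominator)
        return b"".join(struct.pack(e + "II", n, d) for n, d in vals)

    def entry(tag, typ, count, field):
        return struct.pack(e + "HHI", tag, typ, count) + field

    ifd0_off = 8                             # right after the 8-byte TIFF header
    gps_off = ifd0_off + 2 + 12 + 4          # IFD0: count, one entry, next-IFD pointer
    lat_off = gps_off + 2 + 4 * 12 + 4       # GPS IFD: count, four entries, next-IFD pointer
    lon_off = lat_off + 3 * 8
    tiff = b"II*\0" + struct.pack(e + "I", ifd0_off)
    tiff += struct.pack(e + "H", 1) + entry(TAG_GPS_INFO, TYPE_LONG, 1, struct.pack(e + "I", gps_off)) + b"\0" * 4
    tiff += struct.pack(e + "H", 4)
    tiff += entry(GPS_LAT_REF, TYPE_ASCII, 2, lat_ref.encode() + b"\0\0\0")
    tiff += entry(GPS_LAT, TYPE_RATIONAL, 3, struct.pack(e + "I", lat_off))
    tiff += entry(GPS_LON_REF, TYPE_ASCII, 2, lon_ref.encode() + b"\0\0\0")
    tiff += entry(GPS_LON, TYPE_RATIONAL, 3, struct.pack(e + "I", lon_off))
    tiff += b"\0" * 4 + rat(lat_dms) + rat(lon_dms)
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8" + b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


# Made-up coordinates: 37 deg 25' 19.2" N, 122 deg 5' 2.76" W
SAMPLE = build_sample_jpeg([(37, 1), (25, 1), (192, 10)], "N",
                           [(122, 1), (5, 1), (276, 100)], "W")

if __name__ == "__main__":
    print(gps_from_jpeg(SAMPLE))             # (37.422, -122.0841)
    print(gps_from_jpeg(strip_exif(SAMPLE))) # None
```

Point gps_from_jpeg() at the bytes of a real phone photo and you will usually get a coordinate pair precise enough to drop into a map. Note that the parser deliberately refuses to read past the start-of-scan marker and that it treats the byte-order mark as data, not as something to trust blindly; real-world Exif is frequently malformed, so a production tool should bound every offset against len(tiff) before indexing.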
Joe likes to use props such as office noises (when on the phone), and uniforms or toolboxes when showing up in person. People will hold the door open for you if you are carrying a ladder. Badges are great too: not the badge of the company you are attacking, but a convincing badge from a company that might be a supplier.

Takeaways

Here are what Rachel and Joe call the emoji takeaways.

Photos: don't take photos of your office; there is just too much information in the picture that you won't even think matters. Be aware that other photos, such as lots of photos of you with a running club, can also be used against you. You will naturally be happy to talk to a fellow employee you've never met who seems to be into running.

Women have the edge in social engineering. "Women are not expected to be hackers. That's sad, but it's the truth, so you can use it."

Training: yes, you have to do the annual check-the-box security training. But do refresh training throughout the year. Just 15 minutes per quarter keeps security in people's minds.

Be aware of different roles. HR is expected to receive unsolicited emails with attachments, and to open them. Finance, not so much.

Be realistic. Phishing will happen and will sometimes succeed. People will click on bad links. Make sure to integrate that into your incident response, and do what you can to encourage reporting ("I just did something silly and clicked on a malicious link").

A good idea is to run a fake phishing campaign before training, so that you know how bad it is and can use your success as a teaching moment.

You can contract a company to do OSINT on the employees of your own company (and filter just the relevant findings back to you, so you don't lose the trust of your employees). Have your employees step into the shoes of a hacker and see what they can find out about your company.
Incorporate social engineering into your pen tests (penetration tests, which are normally either network attacks or attempts to get into the building past the security guards).

The situation is getting better, and social engineering attacks are becoming better known. Employees are more aware that a person in a pest-removal company uniform taking photographs of everything might be just that...a person in a pest-removal company uniform.

As security guru Bruce Schneier said to a journalist after taking two bottles of saline through airport security ("one for each eye"), "you can take two bottles of anything through security...it just has to be labeled saline solution." One of Bruce's claims to fame is coining the phrase "security theater" to describe what goes on at a TSA checkpoint: it's not really about being serious about security, it's about convincing the general public that the TSA is serious about security, even though they fail every "pen test." One thing that people find odd is that airline crew have to go through security too (but not the maintenance people and cleaners). But Bruce pointed out that it wouldn't be very secure if anyone who looked like an airline crew member could bypass security. Like his saline solution, outward appearances count for a lot.