The Human Firewall: Maintaining Your Guise As A Social Engineer
Tim Roberts / Brent White
Offensive Security Consulting Services - Solutionary
Objectives…
• What to do as a Penetration Tester
  • Moving beyond “Intuition Alarms”
  • Rebuttals to being “caught”
• Client: Security Awareness
  • Knowing our methods to strengthen your Security Awareness Program
Hacker: “Just to validate, I need you to confirm your password.”
Target: “I’m sorry, I cannot give that to you over the phone…Who did you say this is?”
from: Tom Hacker <[email protected]>
Target: “Umm…who is Tom Hacker? I don’t see him in Global.”
Dilemma…
“Experience has shown, and a true philosophy will always show, that a vast, perhaps the larger portion of the truth arises from the seemingly irrelevant.”
– Edgar Allan Poe
Hacker: “Just to validate, I need you to confirm your password.”
Target: “I’m sorry, I cannot give that to you over the phone…Who did you say this is?”
Example Situational Responses:
Answer Approach: “This is Kevin James from Help Desk.”
• Note: Kevin James should be a real employee, the person you are impersonating.
Diversion Approach: “And that is the answer we were looking for. Good job!”
• Note: In the case of a Cold Call, you should consider ending on this note and wrapping up the conversation.
Dilemma Responses
The ability to “roll with the punches” helps you avoid backing yourself into a corner. Often we want to avoid the question altogether, or come back with one of the following:
“Answer”: Use diplomacy.
“Block”: Stop the conversation.
“Counter”: Answer a question with a question.
“Diversion”: Hey, look over there…
Skills and Traits: Improv
Remote Guise
• Employee
  • Hostname
  • Name, Department (HR, IT, Security etc.), Signature Block
  • Phone Number
• Auditor / Assessor
  • External (NIST etc.)
  • Internal (Corporate)
Physical Guise
• Employee
  • Name, Department, Dress Code, Supervisor (Name drops)
• Vendor
  • Legit: Look at Vendor Log
  • “Wandering Salesman”
  • Physical Security Contractor
  • Maintenance
  • Lawn Care
  • Cleaning Crew
Fake Badges and Pigs
Proximity badge cloning is possible, and the tools and methods are publicly available.
A convincing-looking fake badge is as simple as:
• A blank HID Proximity badge
• Adhesive printer paper
• Photoshop skills
• A local print company
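Why the inexpensive 125 kHz proximity badge is so easy to copy, as an added illustration for this page (not code from the talk): in the common 26-bit H10301 layout the card broadcasts nothing but a fixed facility code and card number plus two parity bits. There is no secret and no challenge, so whoever captures those 26 bits holds the whole credential, and a copy written to a blank card is bit-for-bit identical to the original. The encoder/decoder below is written for this page; the facility code 123 and card number 45678 are made-up sample values, not any real site's.

```python
"""26-bit HID Prox (H10301) frame layout, leftmost bit first:

  bit 1       : even parity over the following 12 bits
  bits 2-9    : facility code (8 bits)
  bits 10-25  : card number (16 bits)
  bit 26      : odd parity over the preceding 12 bits

Nothing in the frame is secret or changes between reads, so a captured
frame written to a blank card is accepted exactly like the original.
Added example for this page; not code from the talk.
"""

FRAME_BITS = 26
PAYLOAD_BITS = 24
PAYLOAD_MASK = (1 << PAYLOAD_BITS) - 1


def _ones(value: int) -> int:
    """Number of 1 bits in value."""
    return bin(value).count("1")


def encode_h10301(facility: int, card: int) -> int:
    """Build the 26-bit frame a card with this facility/card number emits."""
    if not 0 <= facility < 256:
        raise ValueError("facility code must fit in 8 bits")
    if not 0 <= card < 65536:
        raise ValueError("card number must fit in 16 bits")
    payload = (facility << 16) | card            # the 24 data bits
    left12, right12 = payload >> 12, payload & 0xFFF
    even_p = _ones(left12) & 1                   # 1 when left half has an odd count
    odd_p = 1 - (_ones(right12) & 1)             # 1 when right half has an even count
    return (even_p << 25) | (payload << 1) | odd_p


def decode_h10301(frame: int):
    """Return (facility, card, parity_ok) for a 26-bit frame."""
    if frame < 0 or frame >> FRAME_BITS:
        raise ValueError("not a 26-bit frame")
    even_p, odd_p = (frame >> 25) & 1, frame & 1
    payload = (frame >> 1) & PAYLOAD_MASK
    left12, right12 = payload >> 12, payload & 0xFFF
    parity_ok = (even_p == (_ones(left12) & 1)) and (odd_p == 1 - (_ones(right12) & 1))
    return payload >> 16, payload & 0xFFFF, parity_ok


def clone_is_exact(captured_frame: int) -> bool:
    """A reader cannot tell a copy from the original: re-encoding what was
    read reproduces the identical frame. Returns False if the capture is
    corrupt (parity failure), since that copy would be rejected anyway."""
    facility, card, ok = decode_h10301(captured_frame)
    return bool(ok) and encode_h10301(facility, card) == captured_frame


if __name__ == "__main__":
    # Constructed sample credential; not a real site's facility code.
    frame = encode_h10301(123, 45678)
    print(f"frame bits: {frame:026b}")
    print("decoded (facility, card, parity_ok):", decode_h10301(frame))
    print("copy indistinguishable from original:", clone_is_exact(frame))
```

The parity bits only catch read errors; they add nothing an attacker has to know. Formats with more bits (35-bit Corporate 1000, for example) only change the field widths, not this property. That is the technical reason behind "Don't always go cheap" later on: the fix is a credential that authenticates rather than announces itself.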
Why have a fake badge?
• Less likely that an employee or a security guard is going to stop you, if they see a badge.
• How often do employees actually pay attention to the response of the badge reader?
  • Red/green light and “Error” tone
Identifying Attackers: Pig Hunting
How to identify piggybacking:
• Suspicious Activity
  • Hanging around the door (waiting)
  • Following close
  • Inconvenienced by inquiries
  • High sense of urgency
  • No badge
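The cues above are what a person standing at the door can observe. The access-control system sees the same events from the other side: the reader logs a GRANT or DENY for every badge presented, and the door contact logs every open and close. Two rules catch the cases the slides describe: a door that opens after a DENY or with no badge at all (someone ignored the reader's red light and held the door), and a door held open long enough for followers. This is an added example for this page, not the authors' material; the key=value log format, the door name, badge numbers and timestamps are constructed, and the 5-second grant window and 10-second hold threshold are assumed tuning values.

```python
import re
from datetime import datetime

# Constructed sample log in an assumed key=value export format. Real access
# control systems differ in syntax but carry the same three facts:
# badge result, door opened, door closed.
SAMPLE_LOG = """\
2015-09-25T08:01:02 door=EAST-LOBBY event=BADGE badge=1043 result=GRANT
2015-09-25T08:01:03 door=EAST-LOBBY event=DOOR state=OPEN
2015-09-25T08:01:07 door=EAST-LOBBY event=DOOR state=CLOSED
2015-09-25T08:02:10 door=EAST-LOBBY event=BADGE badge=2231 result=GRANT
2015-09-25T08:02:11 door=EAST-LOBBY event=DOOR state=OPEN
2015-09-25T08:02:25 door=EAST-LOBBY event=DOOR state=CLOSED
2015-09-25T08:03:30 door=EAST-LOBBY event=BADGE badge=0000 result=DENY
2015-09-25T08:03:34 door=EAST-LOBBY event=DOOR state=OPEN
2015-09-25T08:03:37 door=EAST-LOBBY event=DOOR state=CLOSED
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line: str):
    """Turn one log line into a dict; None for blank or malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = dict(pair.split("=", 1) for pair in m.group("kv").split())
    rec["ts"] = datetime.fromisoformat(m.group("ts"))
    return rec


def detect_tailgating(log_text: str, grant_window: float = 5, hold_threshold: float = 10):
    """Return a list of (timestamp, door, reason) alerts.

    Rule 1: the door opens with no GRANT on that door within grant_window
            seconds. A grant is consumed when the door closes, so one badge
            buys one door cycle. If a DENY preceded the open, say so: that
            is the "nobody looked at the red light" case.
    Rule 2: the door stays open longer than hold_threshold seconds.
    """
    alerts = []
    last_grant = {}   # door -> timestamp of the unconsumed GRANT
    last_deny = {}    # door -> timestamp of the most recent DENY
    opened_at = {}    # door -> timestamp the door went OPEN
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        door, ts = rec["door"], rec["ts"]
        if rec["event"] == "BADGE":
            if rec["result"] == "GRANT":
                last_grant[door] = ts
            else:
                last_deny[door] = ts
        elif rec["event"] == "DOOR" and rec["state"] == "OPEN":
            opened_at[door] = ts
            grant = last_grant.get(door)
            if grant is None or (ts - grant).total_seconds() > grant_window:
                reason = "opened with no recent GRANT"
                deny = last_deny.get(door)
                if deny is not None and (ts - deny).total_seconds() <= grant_window:
                    reason += " after a DENY (reader response ignored?)"
                alerts.append((ts, door, reason))
        elif rec["event"] == "DOOR" and rec["state"] == "CLOSED":
            last_grant.pop(door, None)          # the grant has been used
            start = opened_at.pop(door, None)
            if start is not None:
                held = (ts - start).total_seconds()
                if held > hold_threshold:
                    alerts.append((ts, door, f"held open {held:.0f}s"))
    return alerts


if __name__ == "__main__":
    for ts, door, reason in detect_tailgating(SAMPLE_LOG):
        print(f"{ts.isoformat()} {door}: {reason}")
```

Two practical caveats. Rule 1 also fires on a legitimate exit through a push bar unless the export includes request-to-exit events, which real systems log and which should be treated like a GRANT. And the thresholds are per door: a heavy door with a slow closer legitimately stays open longer than a lobby turnstile, so tune hold_threshold from a week of normal traffic before alerting on it.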
Identifying Attackers: Badges
How to identify fake badges:
• Flipped over
• Covered badge (card, family photo etc.)
• Photo inconsistency
• Does it work?
How to prevent cloned badges:
• Where is your badge?
• Why is this guy rubbing up against me?
• Who is that carrying a weight scale around with them?
• Don’t always go cheap.
Be Skeptical
Calmly and patiently listen to what others have to say, and recognize when they’re feeding you garbage.