Saturday, 6 May 2017

Socially Challenged By Social Engineering

Socially Challenged By Social Engineering - A study on Social Engineering trends in corporate culture.

Troy Hunt had advertised his Ethical Hacking course availability on Twitter, and since then I had wished to opt for Pluralsight learning (where it was made available). I got ample opportunities to implement the lessons I was learning this week.
A few scenarios that were opportunities in disguise for me to exercise the lessons learnt are as follows:
 — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
Scenario 1

The first attempt — Creating a sense of urgency.
A co-worker, let’s say ‘X’, who had met the team twice and had spent a considerable amount of time getting to know the work we do, wished to seek some more information. It came as an email request. The information that needed to be shared was, yes, secure information.
What seemed obvious at first but suspicious on reflection was the sense of urgency in the email: “Need this information by end of day”. It did not, though, say who the consumer of this information was.
While I made a genuine effort to fetch the information, it occurred to me: why is X asking me for this information, when X knew someone else in the team who had spent a lot of time with X and had already built a rapport?
So, I cross-checked with all the others in the team. I inquired, “Did any of you get a similar request to share this information?”. The answer was ‘No’. I registered this.

The Second attempt — Introducing an unknown character.
My next suspicion was that X had made an indirect attempt to seek the information via a new person, supposedly a ‘girl’ (before sending the email request). This girl was unknown to me. I wondered ‘who could this be?’ when I got the request from this stranger. No attempt was made by X to introduce the ‘new girl’ to me. This was the give-away move. Because X knew me, ‘why’ make an attempt to introduce a stranger to seek this information? What was X thinking? Now that X has realized what he did and has spoken to me about it, I will attempt to learn the why.
It was interesting and at the same time suspicious: why introduce a ‘new girl’ when X, who knew me, could have contacted me directly?
The next day, the ‘new girl’ started pinging me (again with a sense of urgency) to gain this information, which by now had already been asked for over email by X. The ‘new girl’ then told me that a person ‘Y’ wanted this information. I did not know who Y was, nor was I introduced to Y before or during the conversation. I clearly replied that I do not have access to this information and, as I had replied over email, let us wait for the authority to grant us access. And I included Y, who was the ‘CONSUMER’ of this information, in the email.

The third and the fourth attempt: Cause fear and threaten.
Rest assured, I bid the new girl goodbye benevolently and logged off. Then X, who obviously was aware that I had not given the new girl any information so far, called me on my phone, and it was evident from the start of the conversation that he was not in the right frame of mind. X then tried the third mode: to cause fear in me in order to gain access to the information. When that did not work, X used the fourth mode: threatening me by conveying that ‘I will go to the highest level of escalation’. I was calm, very composed, as I knew that I am not the authority to give X this information even if I had access to it.
In brief, X’s attempts to gain the information were as follows:
  • Create a sense of urgency, for reasons valid or invalid.
  • Introduce an unknown person (a girl, I don’t know why) — the incorrect move for obvious reasons. X had undermined himself as the first POC to reach out to me and had caused my first suspicion. Please take note of how this gullible new girl was victimized in the entire process.
  • Cause fear, which then culminated in a threat.
Lessons
  • Know the right sources and seek information only from them.
  • Quote valid reasons for seeking the information.
  • State who the end user of the information is, so that it can be sent directly to the consumer and not to others who should not have access to it.
  • If the seeker is the end user, say so; then intermediaries never gain access to the information.
  • Learn and know how to talk to anyone.
  • Educate the gullible; they need help.
Outcome
This scenario not only helped me implement what I was learning but also led me to another knowledge source. When I was at a book store recently, my eyes lit up when I saw the book ‘Maatu Hegiddare Chenna?’ by Girimane Shyamarao (ಮಾತು ಹೇಗಿದ್ದರೆ ಚೆನ್ನ, ಗಿರಿಮನೆ ಶ್ಯಾಮರಾವ್), which roughly translates to ‘How must words be uttered?’. I am reading it now, and it is a good read for anyone who wishes to be a good speaker.
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
Scenario 2

A co-worker ‘A’ was made an easy target for wrongdoings of similar patterns from his past, and the authorities were trying to take action against A for the same. I wrote to A about the allegations that were made.
A was taken aback and replied with proof of what was happening.
I probed further, as I had spent a lot of time setting things right with A. This probe revealed that these were false accusations and that nothing had been done to offend anyone in the process. But A did reveal that he had only faulted with me and not with the others, assuming that I would forgive but the others wouldn’t. I rested this case, but was glad that I had inquired and obtained the proof when false accusations were being made against A. When I reported the false accusations to the authorities, they understood, while also showing suspicion that A could be lying.

Lessons
  • Information coming from a senior needn’t always be true.
  • Know that an impersonator usually disguises themselves as someone with authority: someone trusted, senior, legitimate, respected. This doesn’t mean that you should fear them, but genuinely question and learn about their intention.
  • Learn from past mistakes and know when to stop.
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
Scenario 3

This is a case of:
  • An attempt to please a person with authority.
  • Fear of senior/s.
  • Not learning from the past mistakes.
Some people give away passwords in plain text when merely asked to share only the username. This scenario occurred when a senior, with a sense of urgency, asked a new joinee for information. Newbies are unnecessarily petrified; help them out and create a safe environment rather than instilling fear.
Do not leave mobile devices or laptops unattended; that lets anyone in the vicinity gain easy access to the system. Have strong passwords (and password policies) and be aware that there could be a threat lurking around. Educate yourself and be better equipped to address security threats in the form of social engineering.

Lessons
  • Educate the new joinee.
  • There is nothing to be feared, only to be understood - quoting Madam Marie Curie.
  • Instill a positive and safe environment in which to question and to learn from everyone.
  • Encourage learning and create a culture that rewards learning.
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
Final thoughts
  • ‘It works’ isn’t sufficient. Know that SECURE systems are just as important, and for no reason should security take a back seat. Introduce a Secure Development Life Cycle at all stages of development.
  • Be aware of known vulnerabilities and address the security aspects of the systems we build and test.
  • Share professional information wisely, and only with the right consumer.
  • Do not share personal information where it is absolutely unnecessary.
  • Do not encourage personal information seekers.
  • Beware of what you share on open media. Know about OSINT — Open Source Intelligence. Know that nothing is free: your data is what you trade for using free apps.
  • Socially challenged is what we become if we fall prey to social engineering.
