Saturday, 6 May 2017

Socially Challenged By Social Engineering

Socially Challenged By Social Engineering - A study on Social Engineering trends in corporate culture.

Troy Hunt had advertised the availability of the new Ethical Hacking course on Twitter, and since then I had wished to opt for Pluralsight learning (where this course was made available). I got ample opportunities to implement the lessons I was learning this week.
A few scenarios that were opportunities in disguise for me to exercise the lessons learned are as follows:
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
Scenario 1

The first attempt — Creating a sense of urgency.
A co-worker, let's say ‘X’, who had met the team twice and had spent a considerable amount of time getting to know the work we do, wished to seek some more information. It came as an email request. The information that needed to be shared was, yes, secure information.
What seemed obvious at first seemed suspicious next, because there was a sense of urgency in the email sent: “Need this information by end of the day”. It did not, though, say who the consumer of this information was.
While I made a genuine effort to fetch the information, it occurred to me: why is X asking me for this information? (X knew someone else on the team who had spent a lot of time with X and had already built a rapport, compared to me.)
So, I cross-checked with all the others on the team. I inquired, “Did any of you get a similar request to share this information?” The answer was ‘No’. I registered this.

The Second attempt — Introducing an unknown character.
My next suspicion was that X had made an indirect attempt to seek the information via a new person, supposedly a ‘girl’, before sending this email request. This girl was unknown to me. I wondered ‘who could this be’ when I got the request from this stranger. No attempt was made by X to introduce the ‘new girl’ to me. This was the giveaway move: since X knew me, why attempt to introduce a stranger to seek this information? What was X thinking? (Now that X has realized what he did and has spoken to me about it, I will attempt to learn the why.)
It was interesting, and at the same time suspicious, that a ‘new girl’ was introduced when X, who knew me, could have contacted me directly.
The next day, the ‘new girl’ started pinging me (again with a sense of urgency) to gain this information, which by now had already been asked for over email by X. The ‘new girl’ then told me that person ‘Y’ wanted this information. I did not know who Y was, nor was I introduced to Y before or during the conversation. I clearly replied that I do not have access to this information and that, as I had replied to the email, we should wait for the authority to grant us access. And I included Y, who was the ‘CONSUMER’ of this information, in the email.

The third and the fourth attempt: Cause fear and threaten.
Rest assured, I bid the new girl goodbye benevolently and logged off. Then X, who was obviously aware that I had not given the new girl any information so far, called me on my phone, and it was evident from the start of the conversation that he was not in the right frame of mind. X then tried the third mode: causing fear in me to gain access to the information. When that did not work, X used the fourth mode: threatening me by conveying that ‘I will go to the highest level of escalation’. I was calm and composed, as I knew that I was not the authority to give X this information even if I had access to it.

In brief, person X’s attempts to gain the information were as follows:
  • Create a sense of urgency for reasons (valid/invalid).
  • Introduce an unknown person (a girl, don’t know why) — this being the incorrect move for obvious reasons. X had undermined himself as the first POC to reach out to me and had caused my first suspicion. Please take note of how this gullible new girl was victimized in the entire process.
  • Cause fear which then culminated as a threat.
  • Know and seek information from the right sources.
  • Quote valid reasons for seeking the information.
  • State who the end user of this information is, so that it can be sent directly to the consumer and not to others who should not have access to it.
  • If the seeker is the end user, that helps, so that mediators do not gain access to this information.
  • Learn how to talk to anyone, and professionally.
  • Educate the gullible; they need help so that they are not a part of the terrorizing culture.
This scenario not only helped me to implement what I was learning but also led me to another knowledge source. When I was at a bookstore recently, my eyes lit up when I saw the book 'Maatu Hegiddare Chenna?' authored by Girimane Shyamarao (ಮಾತು ಹೇಗಿದ್ದರೆ ಚೆನ್ನ, ಗಿರಿಮನೆ ಶ್ಯಾಮರಾವ್), which roughly translates to 'How should words spoken/uttered be?' It is a good read for anyone who wishes to be a good speaker.
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
Scenario 2

A co-worker ‘A’ was made an easy target for wrongdoings of similar patterns from his past, and the authorities were trying to take action against A for the same. I wrote to A about the allegations that were made.
A was taken aback and replied with proofs of what was happening.
I probed further, as I had spent a lot of time setting things right with A. This probe revealed that these were false accusations and that it was not done to offend anyone in the process. But A did reveal that he had only faulted with me and not with the others, assuming that I would forgive but the others wouldn’t. I rested this case but was glad that I had inquired to get the proofs when false accusations were being made against A. When I reported the false accusations to the authorities, they understood, while also exhibiting suspicion that A could be lying.

  • Information coming from a senior needn’t always be true/correct. Know this and investigate, especially in a terrorizing culture.
  • Know that an impersonator usually disguises themselves as someone with authority, someone trusted, a senior, someone legitimate, someone respected. This doesn’t mean that you should fear them or fall prey to it. Instead, genuinely question and learn about the intentions of the impersonator.
  • Learn from past mistakes and know when to stop helping/investigating.
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
Scenario 3

This is a case of:
  • An attempt to please a person with authority.
  • Fear of senior/s.
  • Not learning from the past mistakes.
Some give away passwords in plain text when merely asked to share only the username; this scenario occurred when a senior, with a sense of urgency, asked a new joinee for information. Newbies are unnecessarily petrified; help them out and create a safe environment rather than instilling fear.
Do not leave mobile devices/laptops unattended; that can allow anyone in the vicinity to gain easy access to the system. Have strong passwords (and password policies) and be aware that there could be a threat lurking around. Educate and be better equipped to address security threats in the form of social engineering.

  • Educate the new employees.
  • There is nothing to be feared, but only to be understood - Quoting Madam Marie Curie.
  • Instill a positive and safe environment to question and to learn from all.
  • Encourage learning and create a culture to reward learning.
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — 
Final thoughts
  • ‘It works’ isn’t sufficient. Know that SECURE systems are just as important and necessary. For any reason, security should not be of lesser priority. Introduce the Secure Development Life Cycle at all stages of software development. Katie Moussouris introduced the term Secure Development Life Cycle at the NullCon Conference. She can assist with further learning about how to implement this along with any of the other SDLC stages.
  • Be aware of known vulnerabilities and address the security aspect of the system that we build and test.
  • Share professional information wisely and with the right consumer.
  • Do not share personal information where it is absolutely unnecessary.
  • Do not encourage personal information seekers.
  • Beware of what you share on open source mediums and free tools. Know about OSINT — Open Source Intelligence. Know that nothing is free; your data is what you trade for using open source apps/free tools.
  • Socially challenged is what we become if we fall prey to social engineering.
Edited (April 2018) to include:

Optional reading/listening
If it's free you are the product, with IOT even if you pay you are still the product - Surya Mattu 
