Crippling a Company by Telephone
By Ira S. Winkler © 1
It took only three days and little more effort than you might expend making airline reservations. Using only a telephone and a certain facility for prevarication, I was able to infiltrate a large financial organization, secure computer access to every significant computer system, and accumulate a wealth of information about the company's employees and the projects they were working on. I could have obtained additional personal information about employees, including credit card numbers, home addresses, and the names of their next of kin. If I had been a true spy, my activities would have been devastating to the organization. I could have crippled the company at will.
This case study demonstrates what can be accomplished by a persistent attacker in a very short period of time through nontechnical means. Specifically, this study looks at a pure social engineering strategy, in which the telephone is the only tool.
To protect my clients, the example described here is actually a compilation of several penetration test attacks launched by myself and accomplices against very large financial institutions. The tests were part of a comprehensive vulnerability assessment commissioned by the organizations. For the sake of clarity, I've assumed the lead role in the narrative. Every activity described here, although not always carried out by me personally, actually happened at several banks.
The goal of this penetration exercise was to identify holes in the company's operational procedures that could be exploited to compromise the bank. I was after not merely computer access but wide entry into the bank, which would provide ongoing opportunities to compromise the entire organization. Although the corporate officers of the bank were aware of the test, the remainder of the company's employees were not.
In this penetration test, I had no previous knowledge of the organizational structure, function, or personnel of the target company. Time constraints required that I utilize a bolder-than-normal approach; a true social engineering attack would likely have taken weeks, if not months. Also, an actual attack would probably have included several visits to the company's offices; an attacker might even have secured a job at the company. And, of course, a real attacker would have used the information gathered to further his or her criminal aims.
I began the attack, as I very often do, with a search of Internet-based library databases and resources, along with other open source information. In a local telephone directory, I found the telephone number of a company office in my area. A call to the local office furnished me with a copy of the company's annual report as well as the toll-free telephone number of company headquarters. From the annual report and the Internet searches, I found lists of names of numerous company employees and officials, their job responsibilities and the projects they worked on, a large number of news articles about senior company officials, problems with computers, strategic directions of the company, and more. All this would prove to be critical information.
To conduct an effective telephone attack, I needed to get my hands on a copy of the corporate telephone directory. I expected this document to contain a tremendous amount of information useful to a telephone-based attack, including all corporate locations, the names of all employees at those locations, important telephone numbers, lists of all departments, and a comprehensive view of the company's corporate structure.
The first thing to do to start any attack is to figure out how a company handles its internal charge-back procedures. Toward this end, I called the company's toll-free number and asked for the mail room, claiming to be a new employee needing information about how to ship packages both within the United States and abroad. I learned that generally two numbers were required to perform a transaction within the company: an employee number and a cost center number. A call to the corporate graphics department confirmed the importance of these numbers.
My team reviewed the list of people we had collected information on, and we chose an executive that we probably knew the most about. This executive's recent accomplishment had been noted in the annual report. I put in a call to his office through the company's toll-free telephone number and spoke with his secretary. Claiming to be from the company's public relations department, I told her that I would be highlighting her boss's recent success in an upcoming edition of the corporate newsletter and I therefore needed some information about him. I asked a series of basic and harmless questions about the executive's background.
I then told the secretary that I might have more questions later, and that if she gave me the executive's employee number I could probably look up the information myself. She gladly gave me the number. A later call to the secretary by an accomplice posing as an auditor secured the man's cost center number. My accomplice merely inquired about what department should be charged for the employee's computer usage.
I called the department responsible for distributing corporate telephone directories. Posing as the executive, I requested that a directory be sent to a "subcontractor" with a valid need for the book. After I gave the employee and cost center numbers, the department shipped the directory to me via overnight courier at the company's expense.
Once I had the telephone directory in my hands, I was able to contact dozens of employees, at all levels of management and in every department, to obtain general corporate information and their employee numbers. I usually obtained the numbers by impersonating a human resources employee who had accidentally contacted the wrong employee to pick up a travel package. The travel package ruse worked because it caught people off guard, and it was easy to joke about the "mix-up." I started each call by saying that I had a travel package to San Francisco ready for pickup. After the initial shock wore off, the person usually told me that he or she wasn't going to San Francisco. The quick joke, "Well, would you like to go?" put the person completely at ease. I then asked for his or her employee number and apologized for the confusion. To obtain corporate information, I pretended to be a new employee who needed to know something in order to do my job.
In this way -- by simply lying over the telephone -- I was able to accumulate a significant amount of sensitive information. This included information on sensitive projects throughout the firm and detailed information about its people and computer architecture. While it might not seem important, I had the specific knowledge required to know how to take down the most important systems in the firm, along with detailed information on the financial systems.
We were about two days into the attack, and the results were staggering to the target. Our contact inside the bank wanted us to be more aggressive and to actually obtain access to the computer systems. Selective computer access would make it possible to exploit much more information in a very short period of time and to get to the financial systems. To gain the access I needed, I would have to acquire user IDs and passwords to a variety of accounts on systems throughout the company and at least one point of entry onto their network. I decided that the most vulnerable targets for this level of attack were new company hires. Not only were new hires likely to be the most naive, they would also be scattered throughout the company.
To obtain the names of the company's newest employees, I called the new hire administration office. My plan was to pretend to be the assistant to a high-level executive who wanted to personally welcome new employees to the company. My boss was extremely upset, I would claim, because the list of new hires was overdue. (I found the executive's name in a variety of open sources. The company telephone directory and the annual report indicated that he was one of the most senior people in the firm. Scouring through the directory provided the name of the employee who could be his assistant.)
As luck would have it, my initial call to the new hire office was picked up by an answering machine. The message on the machine revealed that the office had moved, and it gave the new telephone number as well as the name of the person assigned to the telephone number. Learning the name of the person in the new hire office was critical, because knowledge of a specific name increases the credibility of any ruse.
It was late afternoon when I called the new number. I asked for the new hire administrator by name; the new hire administrator had left for the day. The person who took my call turned out to be a relatively new clerical worker with full computer access. I simply told the clerk that the absent administrator provided me with the information I wanted on a regular basis. Because the information was already overdue and my boss -- one of the most senior people in the company -- was upset (and because my pleading was so pathetic), the clerk told me everything I wanted to know. In short order, I'd obtained the names of all the employees who had started work in the past three weeks, along with most of the names of their departments. In total, I acquired the names of fifty-five employees in departments throughout the organization.
Impersonating an information systems employee, I contacted the new hires, supposedly to provide them with a "computer security awareness briefing." I had decided to avoid contacting any actual information systems employees, because they were more likely to be aware of the importance of protecting passwords; this criterion eliminated seven of the fifty-five employees. I used the security briefing ruse because people are usually intimidated by any contact dealing with security, and they usually provide all requested information without challenge. Additionally, people are unlikely to suspect that anyone would commit such a brazen impersonation.
I started my "awareness briefings" by first finding out about their hardware and software environments. I obtained information about the types of computers the employee used, the names of the systems, the types of software applications used, and the employee number of each person I spoke with, along with their user ID and password. If the person accessed the company via modem, I asked for the modem number and password. During one of the telephone interviews, an employee did not know the information I asked for, so she put her supervisor on the phone. Her boss gladly answered all my questions.
I did not start out the interviews by asking, "What's your password?" This type of question is extremely sensitive. It is a Red Flag question. If a person has even a basic understanding of security issues, he or she would stop the conversation in its tracks. Using basic intelligence elicitation techniques, I asked the innocuous questions first (I even tried to sound bored as I was asking them). After I asked a series of questions that anybody would answer, I started working in the sensitive questions. After I had the answers to those, I then asked some additional boring questions. This leaves the impression that no important questions have been asked. After the questioning ended, I made up some basic security guidelines to tell the employee as part of the official briefing.
From the telephone directory, I was able to identify all of the bank's telephone exchanges. One of my accomplices then used a war dialer (a computer tool that dials every telephone number in a specified range to search for possible modems) to find the computer access points. A call to the information systems help desk enabled me to locate some additional modem lines. The modem numbers provided me with computer access and the ability to exploit the compromised user accounts. Obtaining the modem information effectively circumvented a very sophisticated firewall system and rendered it useless. During a later attack, I used similar social engineering methods to establish my own computer account with the company. I also was able to convince company employees to send me communications software that accessed a "secure" modem connection.
Despite strong technical security countermeasures, the penetration activities described in this case study were extremely successful in a very short period of time. This attack bypassed millions of dollars of technical security mechanisms and put the company at my team's mercy. By the time I was finished, I had access to almost all significant systems.
Although the attack appears to have focused on computer access, I should point out that the company's computers were targeted only because of the information or services they could provide. Many of the early telephone attacks were exploratory in nature, designed to determine which departments and systems were critical to the organization. Certain individuals were targeted because of their access to information.
The attack might seem from my description to be very complicated and time consuming, but it was a relatively simple operation, accomplished in less than three days. It was also cheap: I used the company's toll-free telephone number and resources to pay for any costs incurred in telephone calls and overnight delivery expenses.
Even though my cumulative activities were unusually blatant, no reports were made to security about any strange or unusual incidents. This is understandable, since the assault was built from many small actions, which were, in themselves, innocuous.
Many of the vulnerabilities exploited in this penetration exercise are common to most companies and definitely to investment banks. The following discussion of the specific weaknesses I took advantage of should provide insights that will help you protect yourself against social engineers.
Information As the Target
If the goal of the attackers in this case had been only to obtain computer access, they could have easily accomplished this by randomly telephoning people and asking them for their passwords. The parts of the organization attacked would also have been totally random. Little research would have been necessary, and the attack could have been accomplished in about an hour.
What I was after, however, was specific data that would allow me to significantly compromise a large cross section of the entire organization. I first conducted research to determine which information was valuable, and then I conducted further research to develop a plan of attack. The specific targets in this attack were carefully chosen for the information they could provide.
Computer access is important, because it can provide access to large volumes of data from remote locations with minimal effort. However, when financial organizations are involved, the potential volume of information obtained is irrelevant when compared to the potential value of a specific piece of information. I was very well aware that a single report containing insider information about a stock purchase or information about how to perform financial transactions was much more valuable than the combined value of millions of other random files. Using this knowledge, I chose specific parts of the company to attack. This allowed me to weed out a lot of garbage and focus on targets most likely to have extreme value.
Open Source Information
I began my attack by examining open source information. Open source information is any piece of information that is publicly available, including newspapers, corporate annual reports, library computer search facilities, help wanted advertisements, and technical magazines. I acquired an incredible amount of "internal" knowledge by examining these kinds of materials, which are freely available to anyone.
This information provided accurate details on corporate budgets and major company projects. I also used it to learn about the individuals leading current projects, the names of major hardware and software vendors, and any significant problems in the organization. Through the publicly available annual report, my team learned about the company's high level organizational structure and was therefore able to determine which groups within the organization were most likely to have the types of information we wanted. By accumulating information about the ongoing activities of the company, I was able to present myself as a company employee. Armed with this information, I was able to talk and act like a true insider.
Desire to Help
Most of the people I contacted during the attack were genuinely interested in helping out a fellow employee. This is an extremely desirable attribute, but one that is easily exploitable. Although some employees did attempt to verify my identity, once I offered a valid employee number, they handed over great chunks of information. More important, even if I had been the person I was claiming to be, I really had no need of the information I was asking for. Whenever I connected with a very helpful person, I "played dumb," which inspired my targets to fill in many gaps in my knowledge and give me much more information than anyone would have needed.
Anonymity within Large Corporations
Every phase of this attack was enabled by the immense size of the target organization. Most employees only know a small percentage of their fellow employees personally, greatly reducing my chances of impersonating a friend or colleague.
Additionally, most employees know very little about the jobs of other employees. For example, even though an employee might work for the information systems department, there is no way for another employee to know whether that person is actually responsible for providing a "security awareness briefing."
Reliance upon Common Internal Identifiers
During the early phases of the attack, it became clear that the employee number was a critical identifier used throughout the organization. This number was used when requesting capital assets and when requesting help desk support. Unfortunately, the employee number was used much too frequently (it appeared on all personnel forms), making it natural to disclose the identifier to just about anyone within the organization who seemed to have any need for the number. To an employee, it is a tool for getting things accomplished and not a piece of information that needs to be protected. Even employees who were reluctant to disclose information to me during my attacks were willing to hand over their employee numbers with minimal coaxing.
This situation is common in every large organization in this country. When numbers are so widely distributed, they cannot be considered valid identifiers. In organizations using Social Security numbers, this problem is even more serious. A criminal who obtains an individual's Social Security number can impersonate that person in all aspects of his or her life. Numerous cases have involved a criminal using a Social Security number alone to retrieve a credit report, which contains all information about credit cards and bank accounts. The information was then used to reroute checkbooks and credit card statements, while the criminal ran up balances on the credit card and withdrew all funds from the bank accounts.
Organizations must differentiate between personnel identifiers and personal validation codes.
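The distinction between an identifier and a validation code is easy to state but often collapses in practice, so here is an added example (not from the article or from any of the banks described) showing the two controls side by side: the weak one, where knowing an employee number is enough to have a request honored, and the corrected one, where the number only selects a record and a separately issued secret code must be presented. All employee numbers, names, cost centers, and codes below are constructed, and the functions (`authorize_weak`, `authorize`, `failed_attempts`) are hypothetical names for this illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed sample data: these employees, numbers, and codes are invented for
# this example and do not come from the case study.


@dataclass
class Employee:
    number: str        # personnel identifier: printed on forms, widely known
    name: str
    cost_center: str
    salt: bytes
    code_hash: bytes   # salted hash of a separately issued validation code


PBKDF2_ITERATIONS = 100_000


def hash_code(code: str, salt: bytes) -> bytes:
    """Derive a slow, salted hash of a validation code; the code itself is never stored."""
    return hashlib.pbkdf2_hmac("sha256", code.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def enroll(number: str, name: str, cost_center: str, code: str) -> Employee:
    """Issue a record whose validation code is held only by the employee."""
    salt = secrets.token_bytes(16)
    return Employee(number, name, cost_center, salt, hash_code(code, salt))


DIRECTORY = {
    e.number: e
    for e in (
        enroll("100234", "A. Example (constructed)", "CC-4410", "tk9-Q2mL-77xv"),
        enroll("100987", "B. Sample (constructed)", "CC-1200", "p4R-zz0K-m81e"),
    )
}

AUDIT_LOG: list[dict] = []   # what the security department should be able to review


# Weak control, matching the practice in the case study: knowing a number is enough.
def authorize_weak(number: str, action: str) -> bool:
    granted = number in DIRECTORY
    AUDIT_LOG.append({"number": number, "action": action,
                      "granted": granted, "control": "weak"})
    return granted


# Corrected control: the identifier selects the record; the validation code proves
# the caller holds a secret that appears on no form and in no directory.
_DUMMY_SALT = secrets.token_bytes(16)


def authorize(number: str, presented_code: str, action: str) -> bool:
    emp = DIRECTORY.get(number)
    # Hash against a dummy salt when the number is unknown so that response time
    # does not reveal which employee numbers exist.
    salt = emp.salt if emp is not None else _DUMMY_SALT
    candidate = hash_code(presented_code, salt)
    granted = emp is not None and hmac.compare_digest(candidate, emp.code_hash)
    AUDIT_LOG.append({"number": number, "action": action,
                      "granted": granted, "control": "validated"})
    return granted


def failed_attempts(number: str) -> int:
    """Count refused validated requests for one identifier: a signal worth reporting."""
    return sum(1 for e in AUDIT_LOG
               if e["number"] == number and e["control"] == "validated" and not e["granted"])


if __name__ == "__main__":
    print("weak, number only:", authorize_weak("100234", "ship directory"))
    print("validated, right code:", authorize("100234", "tk9-Q2mL-77xv", "ship directory"))
    print("validated, wrong code:", authorize("100234", "guess", "ship directory"))
    print("failed attempts for 100234:", failed_attempts("100234"))
```

The audit log is the part that addresses the later point about having nowhere to report strange occurrences: a validated request that is refused, or a run of refusals against one identifier, is exactly the kind of small, individually innocuous event that the security department needs to see aggregated.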
Assumption of Common Sense
Security professionals, especially information systems security professionals, tend to believe that individuals understand basic security principles, such as protecting computer passwords and locking up sensitive information at the end of the day. They believe that everyone is aware of the threat to information and the importance of the controls in place. In the organizations penetrated in this case, an incredible amount of effort had been put into implementing very strong technical security mechanisms. Unfortunately, minimal (if any) effort was put into security awareness.
Common sense cannot exist without common knowledge. People were not made aware of which data was important or how to protect important information. In this case, even the technical people were compromised. Remember, this attack was 100 percent successful.
No Verification of Callers' Identities
Again, this case study is actually a compilation of penetration tests against several financial institutions. In every one of those institutions, I found no procedures for verifying callers' identities or their need for the information they requested. All the financial institutions in this case relied solely on employee numbers, which were very easy to come by and did not hinder the effort at all.
No Procedures in Place
Early in the attack, it became obvious that even if people had thought I was up to something, they could have done very little about it. There was no obvious place for them to report strange occurrences.
The problem here is threefold. First, the employees did not understand exactly what a possible "security-related problem" was. Second, there were no means for reporting unusual incidents to the right people (i.e., the security department). Third, assuming the incident was reported to the appropriate people, there was no way for those people to spread the word throughout the organization. In the absence of any one of these procedures, the attacks could continue with minimal modifications. Future attacks would only be improved by this detection, because it tells the attackers how to avoid getting caught.