Online Book Reader

Social Engineering - Christopher Hadnagy [165]

empathy and yet showed his authority, such as “my boss is not happy with me,” which gives an indication that he is in trouble and that the SSA employee, May Linn, can save him. People have a moral obligation to save those in need. Not many can walk away when someone is asking for help, and May Linn couldn’t either. She felt compelled to not only help, but to even tell Keith about her personal schedule.

In the end, Keith used a number of important skills in the framework that do not involve personal onsite, in-person action.

The fact that governmental systems are run by people makes them fallible to the hacking methods used in this story. This is not an argument for the invention of robotic or computerized systems to do these jobs; it merely points to the fact that many of these systems rely so much on overworked, underpaid, overstressed people that manipulating them is not a very hard job.

To be honest, improving upon this particular attack is difficult because it is not one I would ever perform myself and Keith did a superb job of applying the principles of the framework.

So many people are used to being mistreated, abused, and yelled at that a little bit of kindness can make them go to extraordinary heights to help out. This particular attack as relayed in Mitnick’s The Art of Deception shows how vulnerable systems that rely on people truly are.

Hadnagy Case Study 1: The Overconfident CEO


My experience with an overconfident CEO is interesting because the CEO thought he would be impervious to any social engineering attempt for two reasons: First, he did not utilize technology much in his personal life, and second, he felt that he was too smart and protected to fall for what he called “silly games.”

With that being said to his internal security team, they decided to ask me to focus on him as the goal of the audit. They knew that if he did fail the audit, it would be easier to get approval to implement many of the fixes that would help their security.

The Target

The target was a decent-sized printing company in the U.S. that had some proprietary processes and vendors that some of its competitors were after. The IT and security teams realized the company had some weaknesses and convinced the CEO an audit was needed. In a phone meeting with my partner, the CEO arrogantly said that he knew that “hacking him would be next to impossible because he guarded these secrets with his life.” Not even some of his core staff knew all the details.

My job as the SE auditor was to infiltrate the company to obtain access to one of the company’s servers where this proprietary information was held and retrieve it. The difficulty, as the CEO had mentioned on the phone, was that the passwords for the servers were stored on his computer and no one had access to it, not even the security staff, without his permission.

The Story

Apparently, the way in would have to involve the CEO, which presented a challenge because he was ready and waiting for an infiltration attempt. I started off as I did with any gig—by information gathering. I researched the company using online resources and other tools such as Maltego. I was able to harvest information such as locations of servers, IP addresses, e-mail addresses, phone numbers, physical addresses, mail servers, employee names and titles, and much more.

Of course, I documented all this information in a fashion that made it easy to use later on. The structure of the e-mail was important because as I searched the website I saw that it was firstname.lastname@company.com. I could not locate the CEO’s e-mail address but many articles listed his name (let’s call him Charles Jones) and title on their site. This would be information a standard, non-informed attacker would be able to obtain.

Using the firstname.lastname@company.com format, I tried to send an e-mail to him. It didn’t work. I was actually disappointed at this moment, because I was sure that the e-mail method would yield a lot of juicy details.

I decided to try a nickname for Charles, so I tried chuck.jones@company.com. Sweet success!
