Tuesday, December 3, 2013

Oh, The Humanity: The Danger of Anonymity

And now for something a little different. Throughout our “Oh, the Humanity!” series, we want to demonstrate some of the most dangerous ways social engineers can infiltrate a company—and pretty often, that involves the phone or email. But every now and then, it’s a simple (and downright silly) move that gives a thief access to very sensitive information.

Security Breach: Signed, Sealed, Delivered

Here's the story. When we begin a project with any company, one of the things we most want to demonstrate is how easily we can get access to their network as outsiders. While social engineers are frequently insiders, we often attempt to replicate that level of access from our “basement.”

In one case, we discovered that we couldn’t just download a standard VPN client. This company required that employees install it from a preconfigured CD. We had to figure out a way to get the CD and not expose ourselves as social engineers.

We racked our brains for a while, coming up with complex scenarios that always fell short in execution. And then, the simplest option became the obvious choice: pretend we are out-of-town employees with VPN problems. We explained that our VPN wasn’t working, no matter what we tried, and that we probably just needed to reinstall it. We said we were staying at a particular hotel and asked if the company would mind FedExing the CD to the hotel.

And of course, our clients were happy to oblige.

We went to the hotel, asked for a package for so-and-so, and walked away with a major building block for the attack.

The Takeaway: Anonymity and Red Flags

It is essential to educate employees on the danger posed by employees, vendors, or clients who demand anonymity—and to help them recognize the behaviors that should send up red flags.

Employees should be trained to make a mental note if they are:

  • Asked not to track or write down any information about a phone call.
  • Asked to call a caller back at a different number than the one listed.
  • Asked to just not mention a phone conversation or email they’ve received.
  • Asked to send a package to a public location instead of a published corporate address.

At best, these requests may indicate sketchy employee behavior that needs to be investigated. At worst, they may indicate a social engineering attack in progress.