The audience in the room is weirdly quiet. The contestant is in a small plexiglass booth with nothing but a phone, a laptop computer and some notes. On a set of speakers outside, the booth broadcasts the sounds of a dial tone as a woman on the stage begins to dial a number. It is apparent she is not phoning a friend. The dial tone changes to a ring tone, and moments later, the other end picks up.
“Hello…<company redacted> IT department. How can I help you?”
And with those words, the game begins.
Human beings—well most of us anyways—are wired to help. If we see someone in trouble, we want to assist them. It is what has kept our rather soft and squishy species alive when there were lions and tigers and bears trying to eat us. Strength in numbers and all that. When we see a car broken down on the side of the road, and if we notice that little, old lady trying to cross the street, there is that instinct to lend aid.
In the social engineering world, attackers depend on and exploit this instinct. There is a rather common cliché in InfoSec: the weakest link in computer security is the human. You can have the strongest firewalls, the most expensive intrusion detection, and/or the most complex security system in the world, but none of that matters if the janitor leaves the doors unlocked or if the front desk staff freely gives out information about your company.
To put it bluntly: social engineering is the tactic of using human psychology against a mark to get them to do what they normally would not (should not) do. Or as PT Barnum once said: “There is a sucker born every minute.”
And that is what takes us back to the game. Every year at DEF CON, one of the most popular and well-attended series of events is held at Social Engineering Village. A theme is chosen, and contestants are given a series of target companies to try and “hack” their way into. Unlike the more traditional, computer-oriented methods of hacking, the goal here is to get as much information about the company, from the company and eventually into the company as possible.
Contestants are given the chance ahead of time to recon the company. They will browse the pubic facing websites of the organization looking for clues or other tidbits of information that will help them. Do they publish their company directory? Who are they partnered with? Is their campus accessible from the street? Who are the executives? Are they on LinkedIn? LinkedIn by itself can be an interesting trove of information. Who are they connected to? Is one of those people the IT Director at the company? Someone else who can be leveraged?
Once they have done their reconnaissance, the real game begins live and onstage in front of an audience. Using the information they gathered, they begin calling the companies and trying different tactics to convince the person on the other end of the line that they are “employee so and so” and that the CISO needs them to get some information from them ASAP. Or that they are in the IT department and that their installation of Adobe Reader is out of date and that they will be sending them a new version to install. Sometimes to add a little urgency (and the contestant I was watching worked this angle), they add the sound of a baby crying in the background as they pretend to be the wife of an employee trying to get some information their husband needs to complete a task for the CISO.
Social engineering is not always so ethereal, either. The hacker will commonly find out what kind of uniforms the security guards or janitorial staff members wear. What does the badge look like? Does it have the name of the company on it? Pictures? Is there a smoking area by the back door that the staff leaves open when they step out for a smoke?
When organizations think about security, they are often focused on the computer and network side of things. Firewalls, IDS, DLP, etc. The physical elements, such as locks on the doors, cameras, and security guards, might go overlooked.
It’s the human element that is often neglected. Training the innate desire to help everyone out of employees is hard. Not only that, but organizations often do not have written policies or training on what kind of information can be given out when contacted by a third party.
With my own LinkedIn profile, I am always getting calls from folks trying to sell me or my company something. Most of them are probably honest and sincere even. But when they find out that I don’t work in the department that would buy their widget, that’s when things get interesting. Who should they be talking to? What is their number or email address? When would be the best time to reach them?
Those questions seem innocuous enough. After all, my company may need XYZ widget. What’s the harm in giving out that information? Well, if the person at the other end of the call is not an honest and sincere salesperson. I have just given them a nugget of data that they may turn around and use on the next person they call.
I have also been that next person.
“Hello…this is Bob from XYZ Widget…<name redacted> gave me your contact information so that we could…blah blah blah…”
And so it goes. For the social engineer, it’s a numbers game. They keep calling and keep gathering data until they hit that perfect combination of names and information that keys the right person the right way, and then they are in. As games go, it’s one of the most common yet least known ones in the industry, and every day some company fails…hard. Passwords are given out, access is granted, someone slips through the break room door, and the real data loss begins.