4. Manifestations of cybercrime

4.1. Social Engineering

Social engineering cannot in itself be regarded as a cyberattack in every case, but it is a prerequisite for a number of cyberattacks to succeed.

If we wanted to define the concept of social engineering, it could be said that it is about influencing, persuading or manipulating people in order to force them to take a certain action or to obtain information from them that they would not otherwise provide. The purpose is to give the victim the impression that the situation they are in is different from what it really is. To put it more simply, it is the “art of deception”, with Mitnick distinguishing two specialisations in the profession of artist-manipulator: “The one who makes money from people is an ordinary fraudster, while the one who uses manipulation and persuasion against companies – usually with the intention of obtaining information – is a social engineer.”[1]

I am convinced that this claim of Mitnick's from 2003 would not stand up in today's digital world, as many attackers use social engineering techniques to obtain information or data and use it, for example, in crime-as-a-service. Furthermore, these techniques are used not only against companies but also against individuals. An actual attack does not have to take the form of fraud, but subsequently this information can be sold or misused for a more serious attack.

The main idea of social engineering is to avoid purely technical approaches or tools (for example, to break a password) when it is much easier to mislead a victim into voluntarily revealing the password. The weakest link in a security system is and always will be a person (the user). Since there is no computer system in the world that is not dependent on humans at some stage (whether in its operation, setup or maintenance), the easiest way is to obtain the necessary information from people.

It is the simplicity of an attack aimed at the weakest link in the whole system that usually makes it the most effective form. Social engineering came to the fore with the case of Mitnick[2], who is considered by many to be a hacker but who actually considers himself a social engineer. In his books[3], Mitnick shows how easy it is to obtain information that is sensitive and poses a security risk to individuals and organisations. At a hearing before the U.S. Senate Committee on Governmental Affairs[4], in which Mitnick testified about obtaining passwords and sensitive information about the computer systems of the companies he hacked into, Mitnick said: “I introduced myself as someone else and simply asked for them.”

For social engineering, one of the key factors is to obtain as much information as possible about the target of the attack (whether a computer system, a legal entity or a natural person). An attacker often works on a key person over a long period, building “trust” between himself and the victim before the attack, while typically exploiting human carelessness, trust, willingness to help others, laziness, weakness, fear (e.g. of getting into trouble), irresponsibility, stupidity, etc.

The above human characteristics greatly help an attacker to carry out his attack. Ask yourself how thoroughly you verify the other party, for example when taking a phone call or communicating via ICT. How carefully do you check the storage media (USB drives, memory cards, etc.) that you received as a gift at a presentation event?

Especially in the field of ICT, it is possible to observe increasingly sophisticated and elaborate attacks (e.g. well-prepared fraudulent e-mails, real institutions used as the alleged sender, redirection to fraudulent sites, or installation of malware contained in a document attachment or on a storage medium).

Social engineering attacks are usually conducted in three ways, which are combined with one another:

1. Collection of freely (publicly) available data on the target of the attack

2. Physical attack (for example, the attacker pretends to be a service agency employee, such as a printer technician or maintenance worker), in which the attacker tries to obtain as much information as possible “from inside” the company, or sensitive information about individual employees (including, e.g., searching garbage)

3. Psychological attack

The most common methods of social engineering attacks include:

1. Fraudulent e-mail or fake website

2. Telephone call

3. “Face to face” attack

4. Dumpster diving as well as “data straining”

5. Searching websites, social networks, etc. (an easily accessible open source of data for social engineering attackers, which helps to identify or verify information about a potential target), including public information available online (e.g. CVs, theses, papers and proposals published on the Internet) and annual reports and other publicly available information about a company

6. Delivery of advertising or other materials on CD, DVD or other storage media

7. Leaving a storage medium (USB drive, etc.) in an area of interest (such as the company or an employee's house); such a medium then typically contains malware

8. Offer to try a service online (e.g. an offer of cloud storage or of an interesting service for free)

9. Delivery or finding of equipment (a computer system)

10. Fake service technician

11. Others

Within an organisation, possible targets of social engineering attacks include, for example:

  • management position,
  • IT department,
  • helpdesk workers,
  • receptionists (secretaries),
  • security staff,
  • building management,
  • cleaning etc.

A social engineer succeeds through his capacity to manipulate people; in some cases, however, manipulation alone is not enough, and it is necessary to combine the information obtained with technical knowledge in the field of ICT.

At the end of this chapter, I give an example in which Mitnick demonstrates the connection between social techniques and ICT knowledge:[5]

A young attacker I'll call Ivan Peters set out to retrieve the source code for a new electronic game. He had no trouble getting into the company's wide area network because a hacker buddy of his had already compromised one of the company's web servers. After finding an unpatched vulnerability in the web server software, his buddy had just about fallen out of his chair when he realised the system had been set up as a dual-homed host, which meant he had an entry point into the internal network.

But once Ivan was connected, he then faced a challenge that was like being inside the Louvre and hoping to find the Mona Lisa. Without a floor plan, you could wander for weeks. The company was global, with hundreds of offices and thousands of computer servers, and they didn't exactly provide an index of development systems or the services of a tour guide to steer him to the right one. Instead of using a technical approach to finding out what server he needed to target, Ivan used a social engineering approach. He placed phone calls based on methods similar to those described elsewhere in this book. First calling IT technical support, he claimed to be a company employee having an interface issue on a product his group was designing, and asked for the phone number of the project leader for the gaming development team. Then he called the name he'd been given, posing as a guy from IT. "Later tonight," he said, "we're swapping out a router and need to make sure the people on your team don't lose connectivity to your server. So we need to know which servers your team uses." The network was being upgraded all the time. And giving the name of the server wouldn't hurt anything anyway, now would it? Since it was password-protected, just having the name couldn't help anybody break in. So the guy gave the attacker the server name. Didn't even bother to call the man back to verify his story, or write down his name and phone number. He just gave the name of the servers, ATM5 and ATM6.

At this point, Ivan switched to a technical approach to get the authentication information. The first step with most technical attacks on systems that provide remote access capability is to identify an account with a weak password, which provides an initial entry point into the system. When an attacker attempts to use hacking tools for remotely identifying passwords, the effort may require him to stay connected to the company's network for hours at a time.

Clearly he does this at his peril: the longer he stays connected, the greater the risk of detection and getting caught. As a preliminary step, Ivan would do an enumeration, which reveals details about a target system. Once again the Internet conveniently provides software for the purpose (http://mtslenth.0catch.com). Ivan found several publicly available hacking tools on the web that automated the enumeration process, avoiding the need to do it by hand, which would take longer and thus run a higher risk. Knowing that the organisation mostly deployed Windows-based servers, he downloaded a copy of NBTEnum, a NetBIOS (basic input/output system) enumeration utility[6]. He entered the IP (Internet protocol) address of the ATM5 server, and started running the program. The enumeration tool was able to identify several accounts that existed on the server.

Once the existing accounts had been identified, the same enumeration tool had the ability to launch a dictionary attack against the computer system. A dictionary attack is something that many computer security folks and intruders are intimately familiar with, but that most other people will probably be shocked to learn is possible. Such an attack is aimed at uncovering the password of each user on the system by using commonly used words. We're all lazy about some things, but it never ceases to amaze me that when people choose their passwords, their creativity and imagination seem to disappear. Most of us want a password that gives us protection but that is at the same time easy to remember, which usually means something closely connected to us. Our initials, middle name, nickname, spouse's name, favorite song, movie, or brew, for example. The name of the street we live on or the town we live in, the kind of car we drive, the beachfront village we like to stay at in Hawaii, or that favorite stream with the best trout fishing around. Recognise the pattern here? These are mostly personal names, place names, or dictionary words. A dictionary attack runs through common words at a very rapid pace, trying each as a password on one or more user accounts.

Ivan ran the dictionary attack in three phases. For the first, he used a simple list of some 800 of the most common passwords. The list includes secret, work, and password. Also, the program permutated the dictionary words to try each word with an appended digit, or appending the number of the current month. The program tried each attempt against all of the user accounts that had been identified. No luck. For the next attempt, Ivan went to Google's search engine and typed “wordlists dictionaries” and found thousands of sites with extensive wordlists and dictionaries for English and several foreign languages. He downloaded an entire electronic English dictionary. He then enhanced this by downloading a number of word lists that he found with Google. Ivan chose the site at www.outpost9.com/files/Wordlists.html. This site allowed him to download (all of this for free) a selection of files including family names, given names, congressional names and words, actor's names, and words and names from the Bible. Another of the many sites offering word lists is actually provided through Oxford University, at ftp://ftp.ox.ac.uk/pub/wordlists. Other sites offer lists with the names of cartoon characters, words used in Shakespeare, in the Odyssey, Tolkien, and the Star Trek series, as well as in science and religion, and on and on. (One on-line company sells a list containing 4.4 million words and names for only $20.) The attack program can be set to test the anagrams of the dictionary words, as well – another favorite method that many computer users think increases their safety.

Once Ivan had decided which wordlist to use, and started the attack, the software ran on autopilot. He was able to turn his attention to other things. And here's the incredible part: You would think such an attack would allow the hacker to take a Rip van Winkle snooze and the software would still have made little progress when he awoke. In fact, depending on the platform being attacked, the security configuration of the system, and network connectivity, the complete English vocabulary can, incredibly, be tried in less than thirty minutes! While this attack was running, Ivan started another computer running a similar attack on the other server used by the development group, ATM6. Twenty minutes later, the attack software had done what most unsuspecting users like to think is impossible: It had broken a password, revealing that one of the users had chosen the password “Frodo,” one of the Hobbits in the book The Lord of the Rings. With this password in hand, Ivan was able to connect to the ATM6 server using the user's account. There was good news and bad news for our attacker. The good news was that the account he cracked had administrator privileges, which would be essential for the next step. The bad news was that the source code for the game was not anywhere to be found. It must be, after all, on the other machine, the ATM5, which he already knew was resistant to a dictionary attack. But Ivan wasn't giving up just yet; he still had a few more tricks up his sleeve. On some Windows and UNIX operating systems, password hashes (encrypted passwords) are openly available to anyone who has access to the computer they're stored on. The reasoning is that the encrypted passwords cannot be broken and therefore do not need to be protected. The theory is wrong. Using another tool called pwdump3, also available on the Internet, he was able to extract the password hashes from the ATM6 machine and download them. A typical file of password hashes looks like this:

Administrator: 500:95E4321A38AD8D6AB75E0C8D76954A50:2E48927AQB04F3BFB341E266D6L

akasper:1110:5A8D7E9E3C3954F642C5C736306CBFEF:393CE7F90A8357F157873D72D

digger:1111:5D15COD58D0216C525AD3B83FA6627C7:17AD564144308B42B8403D01AE256555

ellgan:1112:2017DA45D8O1383EFF17365FAF1FFE89:07AEC950C22CBB9C2C734EB89j1

tafeeck:1115:9F5890B3FECCAB7EAAD3B435B51404EE:1F0115A728447212FC05E1D20820335

vkantar;1116:81A6A5D035596E7DAAD3B435B51404EE:B933D36DD12258946FCC7BD153F1CD6

vwallwick:1119:25904EC665BA30F44494F42E1054F192:15B2B7953FB632907455D2706A432

mmcdonald: 1121:A4AED098D29A3217AAD3B435B51404EE:40670F936B79C2ED522F5ECA939c

kworkman:1141:C5C598AF45768635AAD3B435B51404EE:DEC8E827A121273EF084CDBF5FD192

With the hashes now downloaded to his computer, Ivan used another tool that performed a different flavour of password attack known as brute force.[7] This kind of attack tries every combination of alphanumeric characters and most special symbols.

Ivan used a software utility called L0phtcrack3 (pronounced loft-crack; available at www.atstake.com; another source for some excellent password recovery tools is www.elcomsoft.com). System administrators use L0phtcrack3 to audit “weak” passwords; attackers use it to crack passwords. The brute force feature in LC3 tries passwords with combinations of letters, numerals, and most symbols including @#$%^&. It systematically tries every possible combination of most characters. (Note, however, that if nonprintable characters are used, LC3 will be unable to discover the password.) The program has a nearly unbelievable speed, which can reach to as high as 2.8 million attempts a second on a machine with a 1 GHz processor. Even with this speed, and if the system administrator has configured the Windows operating system properly (disabling the use of LANMAN hashes), breaking a password can still take an excessive amount of time. For that reason the attacker often downloads the hashes and runs the attack on his or another machine, rather than staying online on the target company's network and risking detection. For Ivan, the wait was not that long.

Several hours later the program presented him with passwords for every one of the development team members. But these were the passwords for users on the ATM6 machine, and he already knew the game source code he was after was not on this server. What now? He still had not been able to get a password for an account on the ATM5 machine. Using his hacker mindset and understanding the poor security habits of typical users, he figured one of the team members might have chosen the same password for both machines. In fact, that's exactly what he found. One of the team members was using the password “gamers” on both ATM5 and ATM6. The door had swung wide open for Ivan to hunt around until he found the programs he was after.

Once he located the source-code tree and gleefully downloaded it, he took one further step typical of system crackers: He changed the password of a dormant account that had administrator rights, just in case he wanted to get an updated version of the software at some time in the future.
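The dictionary attack in the quoted example succeeds against exactly the password shapes a policy check can reject before an attacker ever sees a hash: a plain dictionary word, a word with an appended digit, a word with the current month number appended, or an anagram of a word. The following is an added example, not code from the book or from this chapter; the word list and the candidate passwords are constructed stand-ins for the 800-word list and English dictionary the text mentions.

```python
"""Password-policy check mirroring the dictionary-attack permutations quoted
above. Added example (not from the book or the chapter); the word list below
is a constructed stand-in for a real dictionary file."""
import datetime
import re

# Constructed stand-in for the attacker's "most common passwords" list and
# English dictionary; "secret", "work", "password", "frodo" and "gamers" are
# the words named in the quoted example.
WORDLIST = {"secret", "work", "password", "frodo", "gamers", "hobbit", "trout"}

# Index sorted letters -> words, so anagrams of dictionary words are caught too.
ANAGRAM_INDEX = {}
for _w in WORDLIST:
    ANAGRAM_INDEX.setdefault("".join(sorted(_w)), set()).add(_w)


def base_forms(candidate, month):
    """Undo the suffixes the attack appends: one trailing digit and the
    current month number (with or without a leading zero)."""
    c = candidate.lower()
    forms = {c}
    if re.fullmatch(r".+\d", c):
        forms.add(c[:-1])
    for m in (str(month), "%02d" % month):
        if c.endswith(m) and len(c) > len(m):
            forms.add(c[: -len(m)])
    return forms


def weak_password_reason(candidate, month=None):
    """Return why the candidate would fall to the dictionary attack described
    in the text, or None if none of the permutations match."""
    month = month or datetime.date.today().month
    for form in base_forms(candidate, month):
        if form in WORDLIST:
            suffix = " with appended suffix" if form != candidate.lower() else ""
            return "dictionary word '%s'%s" % (form, suffix)
        key = "".join(sorted(form))
        if key in ANAGRAM_INDEX and form not in ANAGRAM_INDEX[key]:
            return "anagram of dictionary word(s) %s" % sorted(ANAGRAM_INDEX[key])
    return None


if __name__ == "__main__":
    # Constructed candidates; "Frodo" and "gamers" are the passwords from the text.
    for pw in ("Frodo", "gamers11", "Secret7", "sgamer", "Tr0ut!Fish"):
        print(pw, "->", weak_password_reason(pw, month=11))
```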

To reduce the risks posed by social engineering, it is necessary to raise awareness of possible threats not only within the organisation, but within society as a whole. As I mentioned earlier, social engineering helps to carry out an attack, and it is entirely up to the attacker to determine who will be his target. It is much easier for an attacker to focus his attack on the masses of inexperienced and ignorant people than on a relatively well-protected company.
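Alongside awareness, an administrator can audit the same hash file the attacker in the quoted example downloaded and spot three of the weaknesses it exploited without cracking anything: LANMAN hashes still being stored, passwords of seven characters or fewer (the second half of an LM hash is then the well-known empty-half constant), and the same password reused on two servers (NT hashes are unsalted, so an identical hash means an identical password, as with “gamers” on ATM5 and ATM6). This is an added example, not code from the book or from this chapter; the server names come from the text, and the pwdump-style lines and hash values below are constructed.

```python
"""Audit of pwdump-style lines (user:rid:lmhash:nthash:::) for LM hashes,
short passwords and cross-host password reuse. Added example; the hash
values are constructed, only the server names ATM5/ATM6 are from the text."""

# LM hash of an empty 7-character half: a password of <= 7 characters yields
# this constant as its second half, and no LM hash at all yields it twice.
EMPTY_LM_HALF = "AAD3B435B51404EE"
NO_LM_HASH = EMPTY_LM_HALF * 2

# Constructed dumps for the two development servers named in the text.
ATM5 = """\
Administrator:500:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:::
akasper:1110:AAD3B435B51404EEAAD3B435B51404EE:11111111111111111111111111111111:::
vkantar:1116:1234567890ABCDEFAAD3B435B51404EE:22222222222222222222222222222222:::
"""
ATM6 = """\
Administrator:500:AAD3B435B51404EEAAD3B435B51404EE:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:::
akasper:1110:AAD3B435B51404EEAAD3B435B51404EE:11111111111111111111111111111111:::
vkantar:1116:1234567890ABCDEFAAD3B435B51404EE:33333333333333333333333333333333:::
"""


def parse_pwdump(text):
    """Return {user: (lm_hash, nt_hash)}; malformed lines are skipped."""
    accounts = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4:
            continue
        accounts[parts[0]] = (parts[2].upper(), parts[3].upper())
    return accounts


def audit_host(accounts):
    """Findings readable straight from the LM hash, no cracking needed."""
    findings = {}
    for user, (lm, _nt) in accounts.items():
        issues = []
        if lm != NO_LM_HASH:
            issues.append("LM hash stored")
            if lm.endswith(EMPTY_LM_HALF):
                issues.append("password <= 7 chars")
        if issues:
            findings[user] = issues
    return findings


def cross_host_reuse(host_a, host_b):
    """Users whose unsalted NT hash is identical on both hosts."""
    return sorted(u for u in host_a
                  if u in host_b and host_a[u][1] == host_b[u][1])


if __name__ == "__main__":
    a5, a6 = parse_pwdump(ATM5), parse_pwdump(ATM6)
    print("ATM5:", audit_host(a5))
    print("ATM6:", audit_host(a6))
    print("same password on both servers:", cross_host_reuse(a5, a6))
```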



[1] MITNICK, Kevin D. and William L. SIMON. The Art of Deception (Umění klamu). Gliwice: Helion, 2003. ISBN 83-7361-210-6. p. 6

[2] For more details, see e.g. Kevin Mitnick Case: 1999. [online]. [cit. 2.11.2011]. Available from: http://www.encyclopedia.com/doc/1G2-3498200381.html

[3] For more details see:

MITNICK, Kevin D. and William L. SIMON. The Art of Deception (Umění klamu). Gliwice: Helion, 2003. ISBN 83-7361-210-6.

MITNICK, Kevin D. The Art of Intrusion: the real stories behind the exploits of hackers, intruders & deceivers. Indianapolis: Wiley, 2006. ISBN 0-471-78266-1.

MITNICK, Kevin D. and William L. SIMON. Ghost in the Wires: my adventures as the world's most wanted hacker. New York: Little, Brown & Co, 2012. ISBN 9780316037723.

[4] The testimony of an ex-hacker. [online]. [cit. 26.9.2008]. Available from: http://www.pbs.org/wgbh/pages/frontline/shows/hackers/whoare/testimony.html

[5] The example is cited verbatim from: MITNICK, Kevin D. and William L. SIMON. The Art of Deception (Umění klamu). Gliwice: Helion, 2003. ISBN 83-7361-210-6, pp. 127–130

[6] Enumeration – a process that reveals the services enabled on the target system, the operating system platform, and a list of account names of the users who have access to the system.

[7] Brute force attack – a password detection strategy that consists of testing all possible combinations of alphanumeric and special characters.