
BSidesSLC 2015 -- Social Engineering: The Good, the Bad, and the Ugly -- Stephanie Carruthers

BSides SLC · 29:30 · 917 views · Published 2015-04
About this talk
Stephanie will be sharing her experience at DEF CON last year, where she won the black badge during the Social Engineering Capture The Flag: the Good. Since then Stephanie has gone on to start her own consultancy, where she found that social engineering is a huge vulnerability in each and every business: the Bad. Even worse, while all companies are at risk, very few are addressing the issue at hand: the Ugly. Stephanie will share possible solutions that companies can implement.
Transcript [en]

So let's jump into it. My name is Stephanie and this is The Good, the Bad, and the Ugly of social engineering. First I'm going to do a quick little introduction about myself. I am a Utah transplant. A lot of people wonder what brought us here. Before moving here we were briefly in DC, and before that in San Diego. My husband and I are both consultants, so we have the ability to pretty much move wherever we want, so we decided to play a game of chance. We narrowed it down to two US cities, which was between here and also a place hotter than hell in Arizona, and we flipped a quarter. We have been here for about a year now and we really like it.

I am a wife and a mom. I have two little boys, so the ER doctors practically know my name now. My favorite hobby is special effects makeup. I really hope to one day be able to incorporate this on an SE pentest, where I can actually go in and create disguises, kind of elevated, something more than just a FedEx uniform. My kids are my biggest guinea pigs. So that's a little bit about myself.

Now about my company. Since winning the black badge I started Snow Offensive Security, which covers all aspects of social engineering, so we do OSINT, vishing, phishing, physical security, and I also do security awareness trainings.

All right, that's me, my company. Now what are we going to be speaking about today? I'm going to be going over the good, which is my experience winning the black badge, which is one of the more prestigious awards, and it also gives me a lifetime admission to DEF CON. I'm going to be talking about the bad, which is mistakes employees are making. I'm going to be showing you things that I see when I do my pentests. And the ugly: excuses that I hear why companies aren't actually having dedicated social engineering pentests. I'm going to wrap it all up and show you some solutions that have helped my clients out and will hopefully help you guys out too.

All right, the good. Has anyone here been to DEF CON? Okay. Has anyone actually gotten to see the competition, the Social Engineering Capture the Flag? Well, yeah, all right. So before I jump into it I kind of wanted to define what social engineering is, just so we're on the same page. Social engineering at its core is manipulation. It is manipulating people into doing or saying things that may or may not be in their best interest.

All right, about the competition. The Social Engineering Capture the Flag, or I'll also refer to it as the SECTF, is held yearly at DEF CON, and what a lot of people don't realize is there's actually two phases to it. Before the live calls there is an information gathering and reporting phase, and then whoever has the highest combined score of both of the phases is the winner. Last year marked the five-year anniversary for having the SECTF, and they decided to kind of mix it up a little bit. Instead of it being a solo competition they made it a tag team, so once you were chosen to compete you received your target and then also you received a random teammate. There were nine teams competing; seven of the nine teams were female-male combinations and then the other two were male and male.

About the flags. So the flags were pretty much broken up into three categories, which was IT information, vendor information, and employee information. But when I say employee information, we weren't looking for things like their passwords or their social security numbers. This competition targets the company, not its employees, so nobody was getting victimized. And then for scoring, the higher the risk, the higher the reward, so something like "what's your schedule like" is maybe only five points, but if you can actually get the version of the browser, that's worth 15 points.

All right, any guesses what the highest value flag might be? What's something kind of malicious you guys think that we could get someone to do over the phone? No guesses? All right, password. Well, we weren't victimizing, but that's a good guess. We were actually seeing if we could get someone to go to a specific URL, so on the phone, having them type it in. My teammate and I were able to do that four times during our calls.

And so phase one, this is the information gathering phase. We had four weeks to collect as many flags as we could find, but we couldn't actually go to our target company in person or call them up; we had to find it all online and document it, and for every flag we were able to find we got half credit. And when I say open source intelligence, the way we gather things, it's information that's available online, it's public, so places like Google and social media and even the company's own website. This is a graph I actually used in my report. It kind of breaks down the sources of how I found all of my flags, so about 75% was between Google and social media, and when I say social media, I was able to find a lot of information between Instagram and LinkedIn.

All right, phase two. This is actually getting in the soundproof booth at DEF CON, which I have some pictures I'll show you soon. We were given 30 minutes total time to actually make our calls to gather as much information, as many flags, as we could. But one of the rules this year was no call spoofing. So if someone calls you, the first thing you do is you look to see who it is. That was working against us. Most employees know, all right, corporate is this phone number, or at least this area code, so that was already working against us. And then also, because it was a tag team, we had to tag out, or just transfer the call, at least one time during our call, and then every time we were able to transfer the call we got an additional 10 points.

Okay, so 20 minutes before my scheduled time to actually make my calls, I'm texting my partner trying to get a hold of him, and he finally replies that he is way too hung over to leave his hotel room. I was pissed, so I freaked out. I tried to get my husband to be on my team, but he was already competing, so that wouldn't work. But I didn't want to be disqualified; I had to find someone. So I was asking around, and my husband got on his phone and called one of his friends who was at the competition and said, hey, I need you here right away. So he shows up and I explain my situation, and he decided to help me out. So we were given a few extra minutes to kind of go over our pretext, our target, and what flags we were going to be going after.

So the pretext we used is the background story. It's who we were pretending to be, why we were pretending to call, and then also what flags we were trying to gather. So I already knew I was going to have red flags going off with no call spoofing, so I wanted to try to make it seem as realistic as possible, so I decided we should play stereotypical roles: I, being the female, doing more of an administrative-type position, and then Steve, being the male, more of an IT guy. Kind of fits, I mean, no red flags. And when I was doing my information gathering stage I was able to find information on each store that we called, so I found the manager's full name, I found the store number, and I also found internal lingo. So we were able to make five successful calls in our 30 minutes, gathering us a lot of points.

And then here's a picture of us actually in the soundproof booth. If we look scared, it's because we were. It is very intimidating; not only is it, like, hot and dark, you can kind of see, you see the reflection, you see all the people sitting on the ground. This competition has become so popular at DEF CON that there's actually a line. Last year there was a line 45 minutes long just to get into the competition. And this is a cool graph that I got from the DEF CON 22 Social Engineering Capture the Flag report, just kind of showing you the total teams, and my team was the Smooth Operators. And then another graph from the same report, from high to low, shows you which companies gave out the most information during both phases. Pixar didn't happen. This is us at DEF CON closing ceremonies getting the black badge, and then another picture. So this kind of wraps up the good, my experience with the Social Engineering Capture the Flag.

So now let's move on to the bad. I'm going to show you some big vulnerabilities that I'm finding when I do my SE pentests, but first I want to clear up a common misconception. So you hear all the time that humans are the weak link, which is true, but you'll hear things like "you can't patch stupid" or "users are stupid," but that's not true. People are smart. We hire them to do specific jobs because they know what they're doing, but we can't expect them to know about security if we're not training them properly.

All right, so when I do my SE pentest I always start with OSINT, whether I'm doing vishing, phishing, physical security, or security awareness trainings. So I look and I see what information I can find and gather on these people. So when I do physical security, I look at badges. I mostly look at them so I can replicate them. I get the orientation of how the layout is, where pictures are placed, is there a logo, kind of that feel. And I also look for trappings. I look for how your employees are dressed: is it casual, is it formal, things that I want to blend in. You can also see she has her badge on her hip. That's something I would prefer, because it's further away from the eye; it's a little less, it's not your face. I also look if they have any additional credentials, so not only does she have a badge, she also has a name tag that has two logos, her name and her position. Another giveaway is lanyards. You want to make sure you're blending in, so you need to see if they're company lanyards or if they're personal lanyards. If I wouldn't have the time or budget to actually recreate a company lanyard, I would try to do something like at least get the same color and try to get the same thickness.

All right, this person works in the medical field, and when you're looking at badges you really want to pay attention to symbology. There's letters, numbers, colors, symbols, all these things on these badges, and they all have a purpose. So you can see the S on the corner by her picture. Let's just say that stood for the south wing of the hospital. So if I were to replicate this badge I wouldn't show up in the north wing of the hospital, where, you know, people question me. It could mean she has access to sensitive data, or maybe a secure area. And you can see it has a yellow on it. This could just be the standard employee badge, or it could mean that maybe she's a nurse, so it's yellow, or doctors have green. You want to try to find as many badges as possible so you can kind of get the general overview.

All right, visitor badges. This is something else I look for. If you're going into a small company, they're going to be able to pick you out if you're trying to pretend to be one of their employees. So this one actually has a lot of stuff going on for a visitor badge. You can see the QR code and barcode, so you definitely want to scan those to see what kind of information they're putting out before you go try to do your pentest. This one actually has a sponsor's name. If I'm in this position I like to use someone like the CEO or the CFO as the sponsor, because nobody will question you, nobody will mess with the CEO's guest, and it makes them more likely to comply if I ask them for a favor or a question. This badge would not be that hard to duplicate. Again, paying attention to detail: the actual date is on the top, but the expiration date is the next day. I personally would take off the "escort required" because I wouldn't want an escort.

And then workstations. For whatever reason, people are putting pictures of their workstations on social media sites, which I look for. And all these pictures, by the way, are things that I found off the internet; they're not my clients' pictures. But this picture is actually more of a placeholder. It reminds me of a similar story that I couldn't use the picture for. So my client, they had their company logo set for all the desktop pictures, and do you guys know the decal of the bad boy peeing on something? It's normally, like, a different, like Ford or things like that. So he cropped the picture of the bad boy peeing onto the company logo, and he took a picture just like this and posted it on Twitter, or no, it's Facebook. So a couple days later I found this picture, so I spoofed my number and called him from my IT. I explained that my boss was pissed and he's going in and changing settings, so as he's scared he's more likely to comply. So I say, since you've messed with settings we need to kind of go over and do a quick audit to make sure you haven't changed anything else crazy.

For whatever reason this person took a picture of their Outlook. I don't even know why; like, the hashtag was #workflow. So what I would do if this was, yeah, so what I would do is I would get all the information on here, which is their vendor, what they're ordering; in the bottom you can see the account number, all this information. And I would call up this employee and spoof myself as the vendor and get as much information as I could out of them. This guy is an actual government contract employee. He thought he's taking a picture of his cool, healthy-ish lunch. It's healthy, it's true, forgivable I guess. And what he didn't realize is what he left was his VPN credentials. This was on Facebook, guys. His VPN credentials.

Okay, so I also look for vendors. There's a reason why vendors are a whole category in the Social Engineering Capture the Flag. And the reason why we look for vendors, like let's say Best Buy, with my clients I want to see who's associated with them so I can replicate their uniform, or I want to see companies who are bragging, like "these are all my employees," so not only can you duplicate their uniform, you can use this information for phishing or vishing. My last client, I was able to find 10 of their vendors, so in addition to janitors or pest control like this company, there's also lawyers, food service, vending machine companies, trash companies, even Shred-it. What if I found out someone used Shred-it? I could duplicate their uniform, show up, and think of all the information I can get just from those bins.

All right, let's talk about social media. It's kind of like the workstations, different things I'm seeing people post pictures of. A lot of people like to brag on LinkedIn, so not only do you see that he's using Windows XP, he lists two different VPN clients. Think if his coworker was the same guy who put his VPN credentials out there. No crazy hacks. And this guy, I want to take a picture of his work schedule. What I look for is vacations. I love it when people are on vacation; that gives me an in. I would show up when he was gone, explain to the receptionist that he's expecting me to bring him these important papers, and that's it, I'm in.

Okay, this is what I call crazy cat lady. She wanted to show off her new magnets, and she posted this to Facebook. Right next to cat butts was the SSID name and password, just in plain sight. So as I'm going through all these I kind of want you to think: is this information that is covered in my security awareness trainings, or are my employees or coworkers putting this information out there, not realizing things that are right next to cat butts? So as I said before, people aren't stupid; they're not trained well. So this Twitter account likes to point those people out. They retweet pictures that people put up of their credit cards, and this is actually me blocking that, this isn't Twitter. People don't realize the risk involved. So for this thread, for example, someone said, oh, thanks for the information, I'm going to go shopping now, and the person replied, yeah, haha, you don't have those CVV codes. But that's not true; they don't realize the risk. There's a number of sites where you don't need the CVV code.

All right, let's talk about phishing. Traditional physical security, or I'm sorry, traditional tests with phishing, it's not really social engineering. There's no back and forth communication. You just send out an email and see how many people will click a link or how many people will download something. So this is kind of a story that's been, a big phish that's been going around, it's the transaction one; it's been big for about two years now. So what these bad guys do is they send out emails to your coworkers, to your employees, and what they're looking for is they're getting a sense of their writing style, their signature, do you go by any nicknames, as much information as they can. Then they create this fake email thread which is pretty much from the CEO to the CFO, and it's going back and forth, and it starts with, like, "I'm so excited we got this new vendor," and you can kind of see them going back and forth for a little bit, and then one of the last emails would be from the CEO saying, hey, I just talked to these guys, they haven't gotten paid, they're pissed off, what's going on, we need to get this taken care of. So the CFO will actually take this whole thread and email it to someone in accounts payable and say, I need this amount of money to go to this account as soon as possible. And most of the time they do it. So that's a really big phish that's going on right now; that's more of a social engineering one.

Okay, vishing, also known as voice phishing, but it's pretty much social engineering over the phone. For one of my clients I was using the pretext that I was calling from IT, so I needed their phone number so I was able to spoof it. I couldn't find it online, so I thought maybe I can just call the receptionist and get the phone number. Before finishing my sentence she just transferred me to the help desk. So Andrew answers the phone, and I explained to him, oh, I'm sorry, I think I might have gotten the wrong number, what number is this? So that way I had the number. And he said, hold on, I'm new, and I, like, wanted to pause the phone so I could squeal for a second. I love new people and interns; they give me the most information. So once he got back on the phone and gave me the number I went on to say my computer's acting crazy and my boss said just call IT and figure out what they're using so, you know, to mimic it and use the same stuff. He was so excited to help me. He spent 10 minutes in detail going over all the software and versions, and he said make sure you're using Internet Explorer 9 because Internet Explorer 10 is wonky with some of our stuff. So we ended the call with him actually giving me the SSID and wireless password, because apparently I was on the wrong one.

All right, I have a lot of clients who want to see if I can just get passwords, that's just strictly what percentage of their employees will give me their password. So I made my list of names and numbers I was going to be calling, and I got to one particular employee. And I like getting passwords because not only, like, is it a challenge, it's also kind of funny what people have their passwords as. So I go through my whole pretext of, we ran patches and it looks like your computer didn't receive the patch, I'm going to have to be working overtime on the weekend just so when you come in Monday everything's going to be fine. And so I said I just need your login credentials so I can get this done so you'll be able to work just fine on Monday. So he's quiet, which makes me nervous when people are quiet, but before I can open my mouth and explain, keep going, seeing what I can get out of him, he starts to whisper: I have people in the room and my password contains profanities. So I, you know, tried not to laugh, and then I said, let me just walk you through how to change your password so that way it's something you feel comfortable with. So not only is it funny to see what people have their password as, it's funny to see what they'll change them to when they think that they're going to be giving it to IT. So he changed his password to "I love my job 13."

So that was actually a learning experience for me. From that last client I was able to get 59% of passwords, but I realized people aren't comfortable telling you their password. A lot of times they're personal things, or their grandma's names, or maybe they're stupid. It doesn't matter, they're not comfortable. So I changed my pretext up. Well, I used the same one about the patch, but then I said let me explain to you how to change it. So once I did that, on the next client I was able to get 78% of passwords.

All right, physical security. Who here is a Whovian? Come on, more hands, come on guys. All right, so for those of you who don't know, this is a psychic paper trick. This is just a blank piece of paper that the Doctor carries around with him through time and space, and anytime he gets questioned he pulls it out. So if someone wants to know who he is, he pulls it out and they kind of project who they think he should be. Well, this is my version of that trick. At the time I didn't realize I was doing it until I was explaining it to a friend and she's like, oh, you just did the psychic paper trick. So for my client, they wanted to see if I could get in through tailgating and things like that, but they also wanted to see if I could make it through to a secure floor in their building. So I get in through tailgating and whatnot, so I make it to the certain floor, I keep walking, I smile at the guard, keep walking. He says, hey, you need the form. I was like, what form? So, as confident as I could, I have a mom purse, I mean it's full of crap, it's full of fruit snacks and forms, luckily. So I pulled it out and the first thing I saw was kindergarten registration forms, so I just folded it up, put it, you know, and I was talking to him, making small talk, and I just kind of, yeah, it's right here. He did, so you can kind of see a couple fields, and I was on my way. So that's my psychic paper trick.

Tailgating. So social engineers like to play to human nature. I know if I'm coming at you with a box or something, you're probably going to hold the door open for me. But I know if I'm coming at you with a box of donuts, you'll probably ask me for one as you're holding the door open, so I have to make sure there's actually donuts in the box. But if I were to give someone one, they're more likely to help me out later with a favor. I wish it was this easy. Sometimes tailgating and picking locks doesn't work, so I kind of created my own version of this. Does anything look weird with this picture, other than the missing core? What about now? So this is how I added a UV marker and a black light to my kit. So when nobody's around I just take the marker and make the strip down, give it a couple, I just wait till a couple people come in and out, and then I take my flashlight and I see which ones they marked off. I go back to my car and I make a list of possible choices it could be. That's kind of my version of finding those.

All right, let's talk about the ugly. These are excuses that I'm hearing companies make why they don't have dedicated social engineering pentests. They are: because it works; we have a yearly security awareness training in place; or because it's too expensive. And this is my response: they don't make sense at all. So let's break it down. Because it works: so you're telling me because social engineering works, you're not going to train against it? Or don't you want to know how it works so you can train your employees things to look out for? Or, we have a yearly security awareness training already: security awareness trainings suck, they are so, so bad. I'm going to get into that in a little bit, but you're spending all of this money on a mandatory security awareness training; it's just a check in the box. And then that brings up the next point of spending money. So some companies are really expensive, that's true, but how much did you pay for your security guards, for your cameras, for special locks? Add all that up. How much did you spend on it? Don't you want to validate it? Shouldn't you test it to see if there's any vulnerabilities? Also, to get the most out of your money, I think you should do a hybrid approach, which is not only having your external yearly test but constantly be doing internal tests.

And solutions. These are things that have helped some of my clients in the past. So to protect all of your technology you have IDSs, firewalls, and the list goes on and on. But what about people? You can't superglue a firewall to a person's head, unfortunately. So what about people? How do we protect people? How do you patch a person? Let's take it from nature. How do we prevent disease? We vaccinate. We slowly introduce the disease to the person's body to build immunity. And this guy right here is Edward Jenner; he created the first vaccine in the late 1700s. I'm not saying find some H1 cyber 1 and inject all of your employees; I'm saying constantly be doing things to keep them security-minded, constantly be testing them. It's not just a once-a-year thing. So with testing, have teachable moments. This in itself will create such a lasting memory with them; it's a mini training. So after I gather a password, I explain to someone, hey, I'm a good guy, I could have easily been a bad guy, this is what you did wrong and this is what you should do. And then when you test social engineering, make sure you're testing all aspects. You can't just test phishing. What if the bad guys are in through physical security? You need to see where your vulnerabilities are.

Okay, and then your security awareness training sucks. It's bad, it's distracting, it's not engaging. Everyone here has to take it; it's mandatory. So just think about the last time you took it. You're sitting at your desk, your email's going off, your boss is calling, your wife is texting you to bring home diapers, the list goes on and on. You're distracted. It's not a one-size-fits-all thing; different companies have different vulnerabilities. So what they should have: they should be in person, you need to be away from distractions. You also need to have real-life examples shown, so like all those pictures I showed you, you need to have those in your security awareness training so people can realize, oh, I'm not supposed to do this. And you also need to empower your employees to say no. They need to feel like if they get suspicious of a caller that you'll have their back. You need to have the CEO up there saying, hey, if you hang up on someone that's okay; if you feel uncomfortable, that's all right, don't give them information. And this is kind of the framework, or lifestyle, that lifecycle, that helps them. So you have your external pentest once a year, and then off of the risks you create a customized training, so they can see examples of what they're doing wrong. But also internally you need to be testing; you need to be doing training off of more vulnerabilities, so that's constantly going on.

All right, so let's do a quick recap. I talked about the good, which is my experience with the Social Engineering Capture the Flag. I talked about the bad; I showed you examples of things people are putting out there that they shouldn't be. I also talked about the ugly, some excuses that we hear, and I showed you solutions. So this is how we change culture. We need to make our employees immune to this. It has to be just second nature to them. So constantly testing; they need to know internal testing is going on as well.

All right, so what's going on with me in the future? I'm actually doing a Social Engineering 101 training. This is going to be at CircleCityCon in June, and it's free, kind of; you just buy a ticket to get in and all the trainings are free. So it's just a four-hour course, and I'm going to be going over information gathering, so I'm going to show you how I found those pictures; pretext building; elicitation techniques, so getting people to say yes or give you information; and how to read body language. I'm also developing a physical security tool. Like I said before, sometimes lockpicking or tailgating doesn't work, so this will help with that. I don't want to get into it too much because it's still being developed. And I'm also working on a research project. This is the foot-in-the-door technique; this is a part of reciprocation. So how I use this in SE is I'll show up to your receptionist and I'll explain how I'm lost and ask if she can give me directions to maybe another company that's close by. So it's like a small request; I'm kind of asking for directions. And then I'll maybe ask for another small request, and that leads to a big request, which would be, hey, I have this interview, I'm running late, do you mind printing off my resume, here's my USB Rubber Ducky. So that's how the foot-in-the-door technique would work.

Sorry guys, I talked really fast. Thank you guys for coming and listening. If you guys have any questions I'll be hanging around. Thank you so much. [Applause]
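Editor's note on the forwarded-thread scam described in the phishing part of the talk: the one place a defender can put a mechanical check in front of the human is the mail gateway. The Python below is an added example written for this page; it is not the speaker's code or tooling, and everything specific in it is an assumption: the company domain, the executive names, the keyword list, and the two sample messages are all constructed for the example. It flags a message that carries an executive's display name but arrives from an outside domain, a Reply-To that would redirect the conversation somewhere other than the visible sender, and payment-pressure wording in the subject or body; a gateway or SIEM rule would feed real headers into the same function.

```python
"""Added example: flag inbound mail matching the CEO/CFO impersonation pattern.

Not from the talk. COMPANY_DOMAIN, EXECUTIVES, the keyword list and both
sample messages are assumptions constructed for this example.
"""
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                  # assumption: your mail domain
EXECUTIVES = {"jane doe", "john smith"}          # assumption: CEO / CFO names
URGENT_MONEY = re.compile(
    r"\b(wire|transfer|payment|invoice|urgent|asap)\b", re.I)  # assumption


def _normalize(name):
    """Lower-case a display name, drop punctuation, collapse whitespace."""
    return " ".join(re.sub(r"[^a-z ]", "", name.lower()).split())


def bec_indicators(raw_message):
    """Return the list of indicator strings found in one RFC 822 message.

    An empty list means nothing matched. The three checks correspond to the
    scam described in the talk: an executive's name on mail that did not come
    from the company, a Reply-To that quietly moves replies elsewhere, and
    payment-pressure language.
    """
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower() if "@" in from_addr else ""

    findings = []
    if _normalize(from_name) in EXECUTIVES and from_domain != COMPANY_DOMAIN:
        findings.append("executive display name on external sender")
    if reply_addr and reply_addr.lower() != from_addr.lower():
        findings.append("reply-to differs from sender")
    body = "" if msg.is_multipart() else msg.get_payload()
    if URGENT_MONEY.search(msg.get("Subject", "") + "\n" + body):
        findings.append("payment pressure language")
    return findings


# Constructed sample messages (not real mail).
BEC_SAMPLE = """\
From: Jane Doe <jane.doe@mail-hosting.example.net>
Reply-To: jane.doe.ceo@mailbox.example.org
To: accounts.payable@example.com
Subject: Fwd: vendor payment

See the thread below with the CFO. Please wire the amount today, this is urgent.
"""

LEGIT_SAMPLE = """\
From: Jane Doe <jane.doe@example.com>
To: finance@example.com
Subject: Q2 planning meeting

Agenda attached, see you Thursday.
"""

if __name__ == "__main__":
    for label, sample in (("bec", BEC_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, bec_indicators(sample))
```

The first check will also fire when a real executive mails from a personal account; that is the behaviour you want, since the talk's point is that the forwarded thread looks legitimate to a human. Treat any non-empty result as "hold and verify by phone through a known number," not as proof of fraud.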