You probably don't know if you were Socially Engineered.
- Kaiju Security
- Jul 31, 2024
Seriously, what are the odds that we will have someone break into our facility? How likely is it, really, that someone is going to try and social engineer their way into our company? We've NEVER had a break-in...
Yeah, you're partially right. You never HAVE had a break-in or a Social Engineer... that you know about.
What makes what I do so dangerous for clients is that they simply don't know. They have cameras, observant people, security guards and alarm systems. If someone were to break in, or social engineer their way into their company, they would know.... RIGHT? Or would they?
Story Time:
So there we were: Justin Wynn and I were onsite at a financial institution. We had posed as customers earlier in the day and used duct tape on the rear door of the shared building so that we could gain entry that evening. We entered the building with obvious ease and were able to work on the company's exterior doors (interior to the building, however) with total concealment. No one could see us; there wasn't a guard or anyone observant to notice us work, or so we thought. We found a back door that wasn't alarmed (it's VERY easy to check with an application on your phone that picks up magnetic fields) and were in the process of using a cutting board to bypass the door when suddenly I felt the cutting board get pulled from my hand from the other side of the door. We had not seen the shared building janitor when we were looking to see if the offices were occupied, and now he's got us dead to rights... or so we thought. We quickly retrieved our "Get out of jail free" letter from our pockets and attempted to show the janitor that we were indeed security professionals conducting a red team. We placed the letter on the glass of the office double doors (we had since moved to the front so he could see us) and a strange thing happened: the janitor started waving his hands back and forth. "I don't care, I don't want any part of this," he said over and over. Justin and I tried to engage with him; we didn't want him to feel threatened or in danger, so we attempted to continue to reassure him. We suggested that he call someone from the company to verify that we were who we said we were, to verify that we weren't real thieves trying to break in. Yet the more we tried, the less interested he became, and a very strange thing happened: he turtled up, walked backwards, put his hands up and simply said, "I don't care."
Well then... we said to each other, that's a first. We took our letter back, bid him a good evening, apologized if we scared him, and left the facility for a half hour or so, where we watched from a park bench about a half a block away. When we saw the janitor leave, we simply walked back in and went back to work. We made entry into the company and while inside collected multiple usernames and account passwords (not only company accounts, but third-party applications the company used for business). We were able to gain a persistent foothold in the network and one other small detail: the word of the day. In many financial institutions they will have a code, or a word of the day, that employees can use to verify that someone is who they say they are... it works for the most part, unless you have access to it. In this case, after securing this code, we decimated this company with social engineering.
And, here is the kicker...
That janitor NEVER REPORTED US! This is part of what makes this kind of testing so important. Our entry through social engineering was easy because no one was trained to check the doors before leaving for the evening. The alarm was bypassed because no one alarmed the back door, the cameras installed in the building/company did not cover the office spaces, and the one stroke of luck they did have (the janitor catching us) didn't help at all, because as he said, he simply didn't want anything to do with it, "this is not my problem." Had we not reported the things we were doing in a daily call, the company would have had no idea that we were there. Our follow-on social engineering was backed with the word of the day (and our SE is preeeeetty good if I do say so myself :) ), we were believed, no one questioned us, and we gained entry to everything as we eventually secured RFID badges that gave us access to the entire company. It could have all been prevented, had the janitor just spoken up...
Once upon a time we thought we were simply the luckiest duo alive. We would have people walk right by us, hiding under desks literally in plain sight, only to have someone look right at us, but not see us. We've ordered and had pizza with security guards WHILE our team was upstairs stealing everything under the sun, only to have that security guard later come to our rescue when we set off an alarm. After years of similar stories, we started to realize, it isn't luck, it's simply opportunity and the human condition. Once you understand how to rely on and manipulate the second, the first seems to be everywhere.
So yes, Company X, you might have cameras, you might have alarms, you might have the most observant employees in the world, but it doesn't mean you haven't had someone malicious like us in your offices. You don't know what you don't know, and most people don't know 1. how absolutely malicious people like us can be, and 2. how well your people, processes and technology actually stand up to people like us. The good news is you can find out, but you need to let go of the idea that traditional security is enough. Would you build a boat, load it full of people and sail it across the Pacific without making sure it is seaworthy and floats first? No, of course not, you test it, make sure what you built works as intended.
So why is it that so many companies never test the security that they've built? People like Justin Wynn and I can walk away with half your company secrets in a single night, but we give them back. What would a real malicious actor do?