The emergence of ever more sophisticated malware produced by teams of cybercriminals — and the repeated mass breaches they’ve produced — has put the perils of remote data exfiltration in the headlines. Unfortunately, this has overshadowed many more traditional attack vectors that pose equal or greater threat, as they’re focused techniques used by determined attackers, as opposed to the target-of-opportunity/mass phishing scam shotgun approach often used by cybercrime rings. Industrial espionage is receiving approval and funding from state actors in a wide variety of industries, and increasing proliferation of miniaturized technology and employee personal information has lent new weight to pre-internet espionage techniques. Prime among these are social engineering, on-premises intrusions, or worse, a combination of both.
“Social Engineering” is a ten dollar word for “lying like a rug” and covers any attempt to trick or coerce an employee into surrendering login credentials. The most prevalent example is “spear phishing,” a phishing e-mail targeted at a particular individual. Attackers labor to write a personalized e-mail using the employee’s name and job position, and/or do their best to mimic a legitimate, automated “change your password” notification e-mail, including a link to a web page where the victim can enter their credentials to “change” it. The web pages are often on custom registered domains with a name as close to the real website as possible, with visual design and UI to match. Should the user cotton to the ruse, they might still fall victim to malware attacks on the linked page designed to exploit browser flaws, opening up a new attack vector. For this reason, links in e-mails should never be trusted, or even clicked on. URL shortener links are just as bad; they effectively hide the real domain name from the user until they’re clicked upon.
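A defender-side check for the links in a message like the one described above, as an added example that is not part of the original article: it flags lookalike domains of a trusted domain, public URL shorteners, and links whose visible text names a different site than the href actually points to. The trusted domain, the shortener list and the sample message are constructed assumptions.

```python
import re
from urllib.parse import urlparse

TRUSTED = {"example-corp.com"}                   # hypothetical legitimate domain
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}   # common public URL shorteners
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host):  # crude registrable-domain guess: last two labels (fine for .com/.net)
    return ".".join(host.lower().split(".")[-2:])

def classify_link(href, text):
    """Return the reasons a link deserves suspicion (empty list = none found)."""
    reasons = []
    host = (urlparse(href).hostname or "").lower()
    dom = registrable(host)
    if dom in SHORTENERS:
        reasons.append("url-shortener")          # real destination is hidden from the user
    if dom not in TRUSTED:
        for trusted in TRUSTED:
            brand = trusted.split(".")[0]
            # typo-squat (example-c0rp.com) or the brand used as a subdomain of another site
            if edit_distance(dom, trusted) <= 2 or brand in host.split(".")[:-2]:
                reasons.append(f"lookalike-of:{trusted}")
                break
    shown = urlparse(text.strip()).hostname if "://" in text else None
    if shown and registrable(shown) != dom:
        reasons.append("text-href-mismatch")     # link text shows a different site than href
    return reasons

def scan_email(html):
    """Map every href in the message to its list of suspicion reasons."""
    return {href: classify_link(href, text) for href, text in ANCHOR_RE.findall(html)}

# Constructed sample "change your password" message of the kind the text describes
SAMPLE = """<a href="https://example-c0rp.com/reset">https://example-corp.com/reset</a>
<a href="https://bit.ly/3xyz">Click here</a>
<a href="https://example-corp.com.login-portal.net/">Portal</a>
<a href="https://example-corp.com/help">Help desk</a>"""
```

Running `scan_email(SAMPLE)` marks the first three links and leaves the genuine help-desk link clean; the lookalike test is deliberately loose, so treat its output as a triage hint for the user or the mail gateway rather than a verdict.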
The key to spear phishing (and any other social engineering attack) lies in building an aura of legitimacy that encourages users to make simple assumptions. The advent of social media (such as LinkedIn) has made this far easier; with a single search attackers can turn up all sorts of personal data (co-workers’, acquaintances’ and family members’ names) that can be used to personalize the attack to greater effect. Combating pernicious attacks like this requires a combination of user training and good communication with IT staff; a simple typo in an email between a user and IT staff led to the devastating Podesta email leaks.
“Phishing” can take more technical forms as well, such as the “evil twin” attack, where a Wi-Fi access point is set up with an SSID that mimics a legitimate one, in hopes that users will connect to it and try to authenticate by typing in their Wi-Fi password. This can be expanded past the premises: running an AP near the closest coffee shop to the office, for example, and mimicking their free Wi-Fi’s SSID to harvest employee passwords for use in later attacks. (This is why e.g. Android phones won’t connect to “ad hoc” Wi-Fi access points broadcast from a laptop’s wireless card by default.) This is (yet another) reason to enforce randomized passwords and management thereof, as users are targeted on and off the premises.
Social Engineering On The Premises
Bald-faced lying can be used in even bolder in-person attacks which exploit users’ perception of data intrusion as an “internet thing.” If you look serious and carry a clipboard, there’s almost nowhere you cannot go. One security consultant successfully bluffed his way into the offices of a major financial services firm, gaining free physical access to filing cabinets, data left on desks, and even the server room itself. Simply “tailgating” someone (following them through a locked door they’ve opened with their ID card before it closes) is enough to gain this kind of access. This (literally) opens the door to a tremendous number of attacks. Do your users write passwords down on post-it notes and leave them lying around on desks? Do they lock their machine when they step away from their desk for coffee? Drop a USB drive in the parking lot and see how many people plug it in to see what’s on it (a phenomenally bad idea). This is just the beginning of the danger; a determined intruder can turn a brief personal visit into a permanent on-site intrusion with the right equipment.
A dizzying array of devices exist — freely available online — to exfiltrate data. The most obvious are the ubiquitous keyloggers, which record every keystroke entered on a keyboard. While keyloggers as a software threat are well known, they’re also available as physical devices which look like a simple USB extension cable and store keystrokes in flash memory. One of these left in place can siphon every line of code written at a workstation over months and be retrieved later – and compromise the user’s login credentials as well.
Another example is the infamous “Pwn Plug,” a self-contained, Wi-Fi and cellular 3G/4G broadband equipped computer that’s easily hidden under a desk, giving an intruder a permanent physical “presence” from which to attack a network. Sold as a penetration testing tool for security consultants, one can only wonder what custom-made solutions determined attackers could build with cheap single-board computers (which could even be hidden inside the casing of another product, like a laser printer – does your vendor ever leave the box unattended between their warehouse and your office? How good is their site security?) There are also budget options for the cash-strapped attacker and/or the disgruntled employee.
User education — and vigilance — is absolutely essential to combating attacks like these. It’s also an excellent idea for IT staff to perform “management by walking around,” examining the physical components of their network from time to time to ensure no surprise gifts have been spliced into a CAT-5 run in a dusty closet somewhere. Inventory management is a powerful tool here; it’s a lot easier to determine that an AP wasn’t there last week if Financial has no record of buying it. Be aware of how these techniques can be combined – an evil twin Wi-Fi access point might prompt a scramble for the parking lot, but the source could be inside your own building. Consider equipment vendors as an attack surface and vet their security practices accordingly. And above all, educate your users – they can’t be suspicious of threats they’re ignorant of!
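The inventory comparison this paragraph recommends, as an added example that is not part of the original article: a wireless survey (constructed here as CSV lines) is checked against the asset inventory to flag an unknown radio broadcasting the corporate SSID (an evil twin, possibly inside the building), an unknown AP heard strongly enough to be on the premises, and an inventoried AP that has gone silent and may have been swapped out. The corporate SSID, the inventory, the survey lines and the signal threshold are all assumed values.

```python
from dataclasses import dataclass

CORP_SSID = "ExampleCorp-WiFi"   # hypothetical corporate network name
STRONG_DBM = -60                 # assumed: a signal this strong is probably inside the building

# Constructed asset inventory: BSSID -> (SSID it is approved to broadcast, asset tag)
INVENTORY = {
    "aa:bb:cc:00:00:01": (CORP_SSID, "AP-FLOOR1"),
    "aa:bb:cc:00:00:02": (CORP_SSID, "AP-FLOOR2"),
    "aa:bb:cc:00:00:03": (CORP_SSID, "AP-SERVER-ROOM"),
}

# Constructed survey export, one "bssid,ssid,channel,rssi_dbm" record per line
SURVEY = """aa:bb:cc:00:00:01,ExampleCorp-WiFi,6,-48
aa:bb:cc:00:00:02,ExampleCorp-WiFi,11,-55
de:ad:be:ef:12:34,ExampleCorp-WiFi,6,-42
00:11:22:33:44:55,CoffeeShop Free WiFi,1,-81
66:77:88:99:aa:bb,Linksys,11,-50"""

@dataclass(frozen=True)
class Finding:
    bssid: str
    kind: str      # evil-twin | rogue-ap | missing-ap
    detail: str

def parse_survey(text):
    """Turn the CSV export into (bssid, ssid, channel, rssi) tuples."""
    rows = []
    for line in text.strip().splitlines():
        bssid, ssid, chan, rssi = line.split(",")
        rows.append((bssid.lower(), ssid, int(chan), int(rssi)))
    return rows

def audit(survey_rows, inventory=INVENTORY, corp_ssid=CORP_SSID):
    """Compare what was heard on the air with what the inventory says should be there."""
    findings, seen = [], set()
    for bssid, ssid, chan, rssi in survey_rows:
        seen.add(bssid)
        if bssid in inventory:
            continue                                   # known, approved hardware
        if ssid == corp_ssid:                          # our name on a radio we never bought
            findings.append(Finding(bssid, "evil-twin", f"corporate SSID on unknown radio, ch{chan} {rssi}dBm"))
        elif rssi >= STRONG_DBM:                       # too loud to be the shop across the street
            findings.append(Finding(bssid, "rogue-ap", f"unknown SSID {ssid!r} at {rssi}dBm, likely on premises"))
    for bssid, (_, tag) in inventory.items():          # inventoried AP nobody heard: swapped or removed?
        if bssid not in seen:
            findings.append(Finding(bssid, "missing-ap", f"{tag} not heard; verify it was not replaced"))
    return findings
```

The distant coffee-shop SSID at -81 dBm is deliberately not reported, which is the point of pairing signal strength with the inventory: the finding worth walking the floor for is the corporate SSID on hardware Financial never bought.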