J0hn_D0ugh$ – So there I was once again enjoying my victory. I wasn’t technically done yet, however all of the hard stuff had already been done. I’m not a hacker just for the money. I’ve made enough of that already. Such is the life for a modern day hacker. It’s really more about the challenge. Sadly however, many of these organizations aren’t that much of a challenge, but it’s still fun. I will say it’s getting a little bit tougher as organizations understand what they’re facing, but the fact remains it’s almost always easy to get to this point.
And thus begins our narrative of how a criminal uses multiple hacking techniques to get the gold. From motive and hubris to social engineering mixed with physical security breaches to hardware and network hacking… a successful attack smoothly blends all aspects into a seamless set of fluid decisions. This article will not only share with you the mindset of the hacker and modern tools and techniques, but also address how to handle them in your organization. Now let’s humor J0hn_D0ugh$ and allow him to continue his story.
So, where was I? Well I was standing here in the server room of a reasonably sized not-for-profit organization. I didn’t work here; I didn’t belong here; I wasn’t even a contractor. I was here to steal some data and make some money. In my toolbox, I had my trusty Raspberry Pi running Raspbian with autossh already configured and tested, some network cables, power adapters, and everything I need to put this neat little device in their network. It was quite easy to do. They weren’t running any security controls that would prevent me from plugging devices directly into the network. All the ports on all the switches were enabled, and the network was absolutely flat. A little double-sided tape on the bottom, stick it to the inside of an upright rail in the rack, and it’s liable to go unnoticed for a very long time.
They aren’t all this way. Some organizations do a decent job segmenting the networks and employing port security, but this wasn’t one of them. They just hadn’t made it to that level of maturity yet. Those controls, when deployed, make a bit more work on my part, but once I’m in the server room, it’s really “game over” regardless. All I need to do is plug in my Pi, power it up, and I have myself a nice little reverse shell into the network. There are other ways to attack as well. For example many organizations don’t disable USB ports on their servers, opening themselves up to all sorts of attacks including one of my favorites, the “Rubber Ducky”. A lot of places don’t even lock the doors to the racks. Once I have physical access like that, it’s a losing battle for the organization. Many organizations assume if you make it past the locks and were in this room, you were meant to be in this room. That’s really how a good chunk of these attacks work anyway. All you have to do is convince the employees that you belong wherever you want to go, and you end up there. A little confidence and a clipboard go a long way.
Let me tell you how I got here.
Selecting the Right Target Makes My Job Sooooo Easy
So why did I decide to hack this organization? Nothing personal, I just spotted them one day and decided hey, this looks like it could be a fun opportunity. I remember that it was a press release that caught my eye. Basically, they had managed to land a very large grant and that helped trigger other independent donations. Reading between the lines, it meant that all of a sudden the smaller organization was swimming in money.
I don’t really care what they do, but I do know that rapid growth often times leaves big holes in security. When a company gets a sudden growth spurt like this, not only is new technology deployed quickly, often without proper testing, to allow them to keep up with the growth, but new employees are added as well. Strange faces in the hall, lots of new technology and complexity happening quickly. This is like Christmas to someone like me.
Data Gathering = Efficient Hacking
Once I decided that Christmas is right around the corner, I started gathering the information I would need to pull this off. It’s really amazing how much information on organizations exist out on the Internet. Most places don’t think about how much data is out there, and that’s just fine with me. The more people assume data is only known by people within the organization, the more they trust anyone that has access to that data. What they don’t realize is, much of this information is actually public or easy to find.
Take for example information about executives. A lot of organizations have an “About Us” page on their website that is designed to make people feel more personable toward the organization. It’s also a decent place to get started if you’re planning something like a CEO fraud attack. These pages often list the names and titles of the executives and board members. Sometimes, if I’m really lucky, the organization is trying to push how socially responsible they are, so they describe things such as where are these executives volunteer in the community and some of their hobbies and interests. This is all fantastic information when you’re setting up the pretext for an attack.
Besides the company websites, which also holds things like the press release I mentioned earlier that caught my eye, there’s of course LinkedIn, Facebook, Twitter and the other usual suspects of social media. But even better is that many organizations have to divulge a lot of information in publicly available tax forms. This includes my favorite for not-for-profits like this one, the IRS Form 990. This document is just full of juicy information about not-for-profit organizations. Part VII, Section A is simply jam packed with information about the senior leadership and an organization, which in many cases includes salary information. This form will also list other organizations and contractors that these entities use, which is great information for phishing as well. If you know the organizations a company does business with regularly, that just makes things a whole lot easier.
In this particular case I took the easy way out, and, noting what I could see with the quick Google search, I was able to determine that they used a <First Initial><Last Name>@ format for their email addresses. That’s pretty typical so no exciting news there. Using that I crafted some emails that were completely benign but had externally hosted images. All it took was a few emails being sent and viewed by the employees, and I was able to tell the source IP address of the requests. From there a simple ARIN look up netted me the name of the carrier providing Internet access. There are a lot of other ways to find out who the ISP is, but this worked just fine. 20 more minutes on eBay, and I had ordered some nice polo shirts with the ISPs name and logo neatly embroidered on the chest. It could be a bit tougher if it’s a smaller ISP, but in this case it was a national name. It just doesn’t get much better than this.
Now it took a little longer to find an Internet photo of the ISP employee name badge, but eventually I found a Facebook post with someone very proud of their new job, taking a selfy with the badge in view. 30 minutes later, I had downloaded the ISPs logo and built a badge of my very own. I already had very well-worn tool belt I picked up from a pawnshop for previous jobs, so I was pretty much ready to go.
Executing the Attack
Executing the attack was every bit as easy as gathering the information. I showed up at the organization and parked in a far corner the parking lot. I didn’t want them to notice that I wasn’t driving an official ISP company van. Wearing my polo shirt with the internet carrier’s logo, I donned my aforementioned tool belt, a tablet PC and a smile. I started walking purposefully around the building paying attention to anything that looks telephone or communications related. I made sure to walk by the front door a couple of times to get the receptionist used to seeing me outside.
After a few minutes of that, I came in the front door and the act really began. My story was that we have been seeing a lot of errors on their circuit, and I was trying to locate the cause. I asked them the usual questions about any noticeable slowdowns and Internet access, etc. Just to keep setting the tone. I was completely in character right now, and when they called one of the IT folks down, I was already prepared to rock ’n roll.
I repeated my story about the dropped packets, but also said that we dynamically increased the bandwidth to account for the errors to ensure they didn’t notice any impact. I told them that I was there to try to get to the root of the issue. On the inside, I laughed at my own pun. By looking the part, being confident, and having a decent story behind me, it took nothing to get the IT person to walk me into the server room where the circuit connected. They were even nice enough to describe the internal network infrastructure to me to “help me troubleshoot”. People are so nice. I let them know it was going to take a while to run some tests and had them give me their cell phone number, telling them I would call them when I was done.
And that’s how I got here, alone in the server room.
Getting out was just as easy. So is selling the data on the black market. An easy second income I feel rightfully is mine, since my own employer doesn’t recognize how talented I really am. Maybe I just found my next target.
Defending Against a Modern Day Hacker and the Blended Attack
All of the above was a fictional account based on actual attacks that have occurred in real life. But in listening to his story, anyone could have found numerous places where the security of this non-profit organization could have been handled with more care. But without a constant eye on the basics, every small victory this organization achieved led to the slow yet inevitable decay of their security posture.
Social engineering is a very powerful tool being used to attack organizations and, in many cases, the attackers never even have to leave their keyboards. Instead they can rely on well-crafted spear phishing emails and open source tools to do most of the dirty work. Tools such as the Social-Engineer Toolkit (SET) can make it easy to clone websites in seconds creating very convincing credential phishing pages, deliver Metasploit payloads and more. Time and time again we see organizations fall prey to these attacks.
Figure 1: The Social-Engineer Toolkit (SET)
Hardware tools such as the Raspberry Pi are very powerful for their size and are very easy to hide. A $35 Raspberry Pi or even a $10 Raspberry Pi Zero with a USB NIC or WiFi connection would be perfect to run Raspbian or Kali. Then, using a tool such as autossh, you can create a reverse shell you can control from outside of the network. To help counter an attack like this, use an asset scanner to know when new devices are connected to your network and shut down unused switch ports, or better yet use an authentication mechanism such as 802.1x to control physical network access.
Whether it’s physical access, fraud, ransomware, or banking Trojans, it really doesn’t matter. Employees are a soft target. When you couple this with the fact that getting sensitive information about organizations is not difficult, you have a recipe for a successful attack. As shown above, a great example of publicly available sensitive information is the IRS Form 990 for not-for-profit organizations.
Figure 2: A sample IRS Form 990
To address the human issue, it’s important to build a strong security culture around awareness, policies, and procedures. The organization’s culture should allow people to challenge each other, if they see strange behavior or violations to these policies. For example, if your organization requires that people wear name badges at all times, the other employees should feel not only empowered to, but even obligated to challenge people that are not wearing their badge.
Because employees and users are such an easy target, it is vital to have strong policies and procedures for them to follow. Not only do you need to have these policies and procedures, but the employees also need to know where to access them easily. This can be very important in situations where you have a lot of new employees at one time, as in cases like outlined above where a company has a significant growth in the short amount of time. Don’t forget to include escalation procedures in these policies and procedures as well.
When it comes to awareness, making people aware of the types of attacks that are common and the ability for attackers to access information that might initially seem privileged, can make a big difference in their ability to defend against it. I was recently at an event where there was a professional pickpocket showing his skills off. By distracting people at key moments, he was able to do amazing things such as removing the watch right off a person’s wrist without them knowing it. Once the person was aware of the trick however, it was much easier for them to feel the watch being removed as they were able to better ignore the distraction. The same principle applies to other attacks as well. Once a person is aware of the existence of something like the infamous “tech support scam”, they are immediately able to make a better security decision and will have little problem hanging up on the scammer.
This improving awareness is reflected in the “Four Stages of Competence”. As the organizational security culture moves from the “Lack of Awareness Stage” toward the “Skilled Stage”, the odds of an attacker’s success using these attacks drops rapidly. This is why employee security awareness training and coordinated simulated phishing campaigns have such an impact defending against phishing attacks. Once the user is aware of how to spot an attack and has a chance to practice that response with the simulated attacks, their ability to defend against real attacks is greatly improved.
Figure 3: The Conscious Competence Ladder
In the end…
Finally, understand that the traditional network perimeter that many of us have been working with for many years is very quickly dissolving. Avoid assuming that if someone is in a place, that they actually belong there. I mean this physically and virtually. Become familiar with the premise behind the ”Zero Trust” model. Essentially, this means that even if you have identified someone as having some access, they are still limited to certain places within the network and within the building.
These attacks are not going to stop happening; therefore, being prepared to spot and defend against them has never been more important. And using J0hn_D0ugh$ as our guide, his determination was his biggest asset. He even admits himself that the information he garnered and the actual attacks he performed were all pretty simplistic and easy to accomplish. With the same amount of ease, we can stop criminals like J0hn_D0ugh$. But the big question is, do you have the determination? It can make all the difference in the world.
Erich Kron, Security Awareness Advocate at KnowBe4, is a veteran information security professional with over 20 years’ experience in the medical, aerospace manufacturing and defense fields. He is the former security manager for the 2nd Regional Cyber Center-Western Hemisphere and holds CISSP, CISSP-ISSAP, MCITP and ITIL v3 certifications, among others. Erich has worked with information security professionals around the world to provide the tools, training and educational opportunities to succeed in InfoSec.hackingkronraspberry pirubber duckysetsocial engineering