I recently travelled to the Midwest to follow ethical hackers from cybersecurity firm RedTeam Security as they tested the systems of a major power company.
One of the most interesting tactics they used is called social engineering.
Social engineering is the tried-and-true hacker tactic of deceiving someone into doing something they normally wouldn’t do. It often happens over the phone, as when a cybercriminal once called me pretending to be a computer expert who wanted to help remove a supposed virus from my computer.
“Social engineering is also referred to as people hacking,” says Jeremiah Talamantes, president and founder of RedTeam Security.
Though social engineering over the phone is less risky for the attacker, in-person contact can be far more fruitful, as RedTeam’s efforts showed. The team was hired to test the physical and virtual security of eight different locations, and through this method alone they gained useful information, or in one case, full access.
Here’s how they did it.
Pretending to be the IT guy
For its first social engineering test, RedTeam had the goal of gaining access to the network server room at one of the company’s office locations. If successful, the hackers would be able to install hardware that called back to them over the internet, or they could just take over workstations in the building.
As RedTeam director Ryan Manship explained before going inside, a social engineer’s confidence is critical, as is the right pretext — or having a legitimate-sounding reason for being where you are. For the office, Manship chose to pose as a technician with the local internet service provider doing work inside, which would not be all that uncommon.
What was uncommon, however, was that Manship didn’t have a truck from the ISP, a work order, or identification showing he was who he said he was. He just had a clipboard with two papers he had printed out with the ISP’s logo on them, some tools and network cable on his belt, and a simple but somewhat convincing story.
“Hi, we’re here from [the ISP],” Manship told the woman sitting at the front desk, a few moments after we walked in. “We spoke with Janet*, we’re here to check on some speed issues and some other stuff with the Internet.”
I was surprised we weren’t asked for ID or any paperwork. But the secretary immediately accepted Manship’s two-sentence explanation of our presence, which sounded more legitimate because he used the first name of one of the company’s network administrators.
We made small talk, and the secretary was clearly uncomfortable with making us stand in the lobby. She apologised profusely and mentioned “new security rules” while frantically trying to reach someone in IT to escort us. Manship sighed and acted inconvenienced, hoping to tap the secretary’s natural human inclination to help and let him in.
Still, Manship continued to push. At one point, he picked up visitor badges from the counter and put them on. He tried to assuage the secretary’s fears of breaking protocol, telling her: “It should only be a few minutes. We’ve been here before.”
Around this point, another woman appeared and asked, “What if I just go with them?” It seemed like we were almost in.
But then a sceptical supervisor appeared. He almost immediately asked for ID, which Manship deflected by saying he didn’t have it on him. The supervisor then made a phone call to an IT manager — the person who actually hired Manship and RedTeam to test them — and handed him the phone. The jig was up.
We walked out the door, ultimately failing in the goal of getting access to the server room. But Manship was quite satisfied with how close we came. Had the supervisor not shown up, he was sure that a few more seconds of his smooth talking would have gotten us in. And he also knew he’d be back in a few hours to try a more traditional approach: covert entry.
Two college students with a big project
The second try at social engineering was more successful.
RedTeam wanted to shoot video and photos inside the office location to get a sense of the space, and, if possible, to capture data from an employee’s RFID badge that could unlock office doors, such as the door to a server room.
A day prior to the in-person contact, RedTeam consultant Kurt Muhl called the office posing as a college student from a local technical college. He said he was working on a class project on renewable energy and would like to interview someone, and he got a call back to set up an appointment early the next day with Bill*.
With the pretext set — two college students needing help — and someone already expecting us, Muhl was confident this try would be easier than the last. And he was right.
As before, we walked in the front door and approached a secretary, this time explaining we were students here to meet with Bill.
“Sure, just go ahead and sign in,” the woman told us, explaining that he would be right out.
I had an entire back story made up of why I possessed a California ID card when I was going to college in another state, but as it turned out, she never asked for either of ours.
Bill came and met us, and took us back to a small conference room. We took our seats, and on the table he had various print-outs about the power company, along with his computer. We made friendly conversation, and Muhl asked various questions over about 20 minutes.
It was all smoke and mirrors, of course; a way for Muhl to build rapport so he could get what he really came for: Bill’s access badge.
Muhl brought along what looked like a laptop case to carry his notepad, but what was really inside the black bag was a device that scanned the RFID badge of anyone who happened to come within two to three feet of it and stored the data in memory, so the hacker team could clone the badge for later use.
Still, it wasn’t all a breeze. At one point during Muhl’s questioning, the subject of nuclear energy came up, which Bill shared his opinion on. He then posed the question back at us: “What are they teaching you guys about nuclear in class?”
We were both scribbling in our notebooks various answers to Bill’s questions and I looked over at Muhl, who was still writing. I quickly thought of a good way of defusing the question, telling Bill, “Oh, we are really early in the class so we haven’t even gotten there yet.”
The answer had the added benefit of also thwarting any other questions regarding our supposed college class.
“It’s all about thinking fast on your feet,” Manship says.
With questions regarding our “college project” answered, Bill offered a tour of the building, pointing out areas of interest to Muhl as I took video. Though we told him video and photos would vastly improve our college PowerPoint presentation, in truth the footage was indispensable to the rest of RedTeam for planning that night’s after-hours entry.
“After 9/11 and [The Department of] Homeland Security,” Bill said as he led the way, “they’re worried that if they get into our dispatch, we have the technology now where you can send one command to turn off people’s power. Because we’re all automatic metered.”
I noticed that throughout our roughly 15-minute tour of the facility, Muhl was trying to inconspicuously position his bag near Bill’s badge. At some point during the tour he got the device close enough to capture it, making Bill’s worry about someone getting in a reality.
Fortunately, this was only a test of the company’s security. It was the good guys who were demonstrating the vulnerabilities, but it was no less frightening to think of the dangerous possibilities were the “college students” actual criminals.
You can see how social engineering and the rest of RedTeam Security’s test went in Tech Insider’s mini documentary below.