
Man is the main vulnerability. A little bit about social engineering at PHDays V



Recordings of the talks from Positive Hack Days V have appeared on YouTube: several dozen presentations on practical security in Russian and English. In 2015 the forum covered not only hardcore hacking techniques but also "non-technical" attacks. Many people remember the talk by Chris Hadnagy, who exploits human psychology to obtain information and is sceptical of technical progress: "While you are looking for zero-day vulnerabilities, we simply pick up the phone and find out your secrets." In this article we retell several stories and observations from the practice of the 42-year-old American.

How to get the PIN code for a credit card


"If I were a real criminal, I'd be rich, famous or dead long ago," Chris writes in his book Social Engineering: The Art of Human Hacking. The founder of the site Social-Engineer.org has used social engineering in casinos, at betting shops and at auctions, always for demonstration purposes only, to show the shortcomings of the protection in place.
One day, Hadnagy took part in the filming of a BBC programme: he had to steal a purse containing a credit card and then get the victim to tell him the PIN. The TV crew, who did not much believe in a successful outcome of such an experiment, chose the target themselves: a woman who was unsuspectingly dining at a restaurant. Chris settled down at the next table and waited for the right moment to "attack". A friend was sitting next to the "target", and the woman's hand was resting on her bag, which made the task much harder. Just when it seemed that nothing would work out, the friend left for the restroom and Chris set to work, giving a sign to his assistants, Alex and Jess. The "happy couple" approached the woman and asked her to photograph them, which the victim gladly did, taking her hand off the bag. While the woman was taking pictures, Chris hid her bag in his briefcase.

No sooner had the fake couple left the cafe than the woman discovered the loss and got up, looking around frantically. She clearly needed help, which Chris was quick to offer. Our hero persuaded her to calm down and recall what was in the bag: a phone, some cash, a cosmetics bag and a credit card. First of all, Hadnagy found out the name of the issuing bank. What luck, Chris used to work at that very bank! Everything will be fine, Hadnagy reassured the woman, you just need to cancel the card. The woman agreed, after which Chris dialled the number of "customer support", played by his assistant Alex, who was on duty in a van outside. Office noise, a recording Chris had downloaded from some website, was playing in the van. Alex assured the victim that her card would be blocked; to verify her identity, all she had to do was enter her PIN on the telephone keypad. (The phone belonged to Chris.) You can guess the rest. Real thieves would of course have gone straight to look for an ATM, but Chris makes enough from the fees he is paid for exposing the scammers' techniques. The woman thanked Chris when he returned the bag, but he replied: "Don't mention it. I stole it."

Hadnagy and the creator of Linux


Nowadays, Hadnagy teaches corporations to spot social engineers and runs competitions in which affable contestants, on the phone in front of a packed auditorium, extract the secrets of large companies. But Chris started small. One of his first experiments took place at a technical conference at the Javits Center in New York.

Next door, in the famous FAO Schwarz toy store on Fifth Avenue, a closed party was being held for top managers from HP, Microsoft and other large companies. Chris and a friend decided to get into the event no matter what. They took up a position at the registration desk, got acquainted with the girls responsible for issuing badges, and waited. Very soon none other than Linux creator Linus Torvalds came out of the room. Chris quickly grabbed a plush toy with the Microsoft logo from one of the booths and asked Linus: "Would you sign my toy?" Torvalds smiled, patted Chris on the shoulder and said: "See you inside, young man." The friends were immediately handed two tickets to the party.

Engineers stop plants


People are so focused on new computer attack techniques that they completely forget about attacks on humans, Hadnagy writes in his blog at social-engineer.org. Social engineering is simple but effective, so criminals, hacktivists and even state-sponsored groups keep using this vector. Hadnagy advises all security experts to read carefully the book by former CIA employee Michael Bazzell, "Intelligence based on open sources of information".

Chris has assembled an extensive collection of high-profile attacks from 2014 that used impersonation, phishing, vishing and other social tactics.


You can watch Chris Hadnagy's talk in the PHDays V playlist on YouTube.



P.S. We have collected the best moments of the PHDays V forum in a special video.

Source: https://habr.com/ru/post/264599/