un-earthed

Infamous social engineer, Kevin Mitnick

The IT helpdesk of XYZCorp in Sydney receives a call. A help desk operator by the name of Joe picks up the phone. Though the caller’s number is not displayed, it is clear it is an international call.

The caller says “Hi, this is Larry Smith”.

Joe quickly replies with “Hi Larry, how can I assist you?” Joe knows that Larry is the CEO and understands that the call is important and gets straight to the point rather than the usual pleasantries.

“I’m currently staying in the Sheraton Hotel in Seattle and am having problems accessing the VPN because I forgot my password”. Joe knows that Larry is in Seattle due to a companywide email that went out earlier in the week.

Joe responds with “OK, I’ll reset your password, but first I have to ask you two security questions”. This is part of the procedure to avoid social engineering attacks.

“Larry – first question: What is your date of birth?”

Larry Responds with “July 2^nd, 1968”, which Joe confirms to be true.

Joe then asks the second question “Larry, what is your dog’s name?”

Larry’s response is “Rover” which is correct.

Larry then hears some frantic keystrokes followed by “Larry, I have reset the password to Wednesday2031. When you access the VPN you will be prompted to change your password. Please choose something you can remember”

“Thanks Joe” and on that note Larry ends the call.

2.5 hours later Joe receives another call from Larry, saying “I can’t seem to login to the VPN…”

Joe, slightly perplexed, asks “Did you not hear me ask you to change the password to something you would remember?”

“When did you say that?”

“When you called a few hours ago” replied Joe.

“I didn’t call a few hours ago”

Joe’s face turns white as he realised what has just unfolded.

But how did the social engineer know so much?

A peculiar thing happened in the early part of this century. Social Networks were born, thus enabling anyone with an Internet connected computer or smartphone to rant and rave about anything and everything, and that they did. Who would ever have thought that the desire to know what others were up to every few hours of the day; what was on their minds and even, in some cases, what they ate for dinner last night would totally consume us? Suddenly we were on a first name basis with complete strangers, sharing mundane aspects of our life and the world started to feel like a very small place.

It seems harmless – telling the whole world that you just bought a new pair of shoes or that Friday night is pizza and beer night, but those could be valuable pieces of information for any would be social engineer.  Of course, there are much more valuable nuggets of information available to social engineers and they do not need to search very hard.

In our example above, the social engineer had looked at Larry Smith’s LinkedIn profile and TripIt indicated that he would be travelling to Seattle for a week. Larry used Facebook Places on his smartphone to indicate that he had “checked in” to the Sheraton Hotel in Sixth Avenue, Seattle. Also Larry’s Facebook profile provided additional information such as his date of birth, a connection to his wife, with her account being in her maiden name, though this piece of information was not needed in this case. Also not needed in this social engineering attack was information about Larry’s favourite music artist “Pink Floyd” which Larry tweeted a few days ago and finally Larry had also uploaded, late last year, to YouTube a video with his children, John and Samantha, playing with their Rottweiler named Rover.

Now, this is just an example, but it should make you think very carefully about what you publish on Social Networks, and who has access to that information because it may be valuable to social engineers and may make piecing together your identity a whole lot easier.