Introduction

Social engineering is a common infosecurity threat. I once tried to track down a missing friend by calling up hospitals in our city and telling them that my brother was missing. Four out of five told me he wasn’t there, thus revealing information without confirming my identity in any way. The fifth one said that there’s no way they’ll provide that information over the phone. 

I was both frustrated by that answer and glad at the same time. At least one hospital was concerned with keeping a bit of infosecurity, even though just a few years ago the Swedish health service had leaked over 2.7 million phone call recordings. My calls made me aware of how a good infosec stack is never complete without proper employee training for various threat vectors.

An extremely common threat vector

Top governmental institutions were among the first targets of highly effective social engineering techniques, so there’s no surprise that former Cold War spy-grounds like the Scandinavian countries are really security-aware and prevent unwanted persons from accessing high-level governmental institutions.

Nevertheless, as I mingle with ethical hackers and pentesters at local cons and hacker camps, I hear dozens of absurd stories of how simple social hacks like tailgating (just walking into buildings behind employees) let hackers into company offices almost on a daily basis.

Another common story from a decade or so ago was that many institutions were penetrated by “AC repairmen” who were let into server rooms to “check the condensation” and left alone to do whatever they wanted. These examples are just the tip of the iceberg when it comes to social engineering techniques, and most governmental and financial institutions have employee training and processes to handle them.

Sadly, decades of counter-intelligence experience, employee training and security procedures might fail due to a single weak point and expose a well-protected network to physical penetration. This story is about one such high-level governmental institution in an unnamed country.

The setup

This governmental institution had a well-funded security procedure which encompassed digital security, as well as physical security. To keep their processes intact and up to date, the organization used fake attack simulations (like DDoS through proxy networks) and hired pentesters.

As a new round of penetration testing began, the organization got a couple of young ethical hackers to try their luck. Hired by the government, these two guys were pentesters focused on social engineering, so the first thing they tried was going into the building through the front door.

On the day of the test, before they even set up for a network scan, these two hackers came into the building wearing nice black suits and carrying classy briefcases. The entrance funneled every new arrival towards a security gate with ID tag access. A fit no-nonsense security guard from the state service was at the front desk.

The first miss

The pentesters walked up to the desk and tried a simple approach. One of them pretended they had a meeting with an employee they knew was working there. Public governmental employee listings helped with that.

Since there was no meeting planned, the security guard refused to let them in. Fearing that they might be apprehended and potentially questioned by the state security services, the pentesters decided to leave the way they came in.

The hole in the armor

Before settling down on a nearby bench to try and catch a WPA2 handshake, the two hackers took a second stab at the physical office. The building was a single-entrance office with cameras covering almost every corner. The only other access point was a fire escape staircase, barred by a waist-high chain.

One of the testers left his briefcase and hopped over the chain to check whether the staircase was actively monitored. Surprisingly, it wasn’t. The staircase led up five floors but had no roof access. It was empty but for a single item: an ash bin with some cigarette butts on the fourth floor. The employees had been secretly sneaking out onto the fire escape to have a smoke. The hackers had a way in without ever opening their laptops.

Sometimes all it takes is a cigarette

The pentesters were not smokers, but here they were, standing on the fourth floor of the fire escape staircase, cigarettes in their mouths, waiting. A dozen or so minutes passed before the first government employees came out to have a smoke. They said “Hi.” The pentesters chatted them up about how they were going to spend the whole day in meetings. Usual office water-cooler talk.

A couple of minutes later, the smokes were finished, the employees let the pentesters inside, everyone wished each other a nice day, and they went their separate ways. Within minutes, the pentesters had found a printer with admin-level network access to one of the most important networks in the country.

In terms of speed, this was one of the fastest successful government network penetrations in recent history. It took only 30 minutes.

The key takeaways

Information security is as much about network security (for example, not leaving easily accessible printers with admin-level access on a network) as it is about the human side of the organization.

The office building in this story had several little security holes: the unmonitored fire escape, no real physical barrier to access it, and an unprotected printer in the office. These are all fixable, but the important part is that even though the employees knew they weren’t supposed to use the fire escape for smoking, they still did. It just seemed the natural way to go without the hassle of going four floors down to have a smoke. That is how gaps in network security and in employee behaviour combined to create a potentially dangerous situation.

Any organization that spends resources on cybersecurity should also consider hiring physical penetration testers to experience out-of-the-box tests of their security processes. Such exercises become memorable stories that keep employees aware of what is important in situations where they face unfamiliar people.

The takeaway here is that every little thing counts, and your company’s security stack might be penetrated in unforeseen ways. Sometimes, the resources and effort you spend to prevent cyberthreats might be more efficiently used to make your employees more security-aware and conscious. Or, in some cases, an easily accessible smoking area or a smoking prevention campaign might work too.
