Phone phishing, just one way to social engineer information from end users

Social engineering is used to obtain or compromise information about an organization or its computer systems. An attacker may seem unassuming and respectable, possibly claiming to be a new employee, repair person, or researcher and even offering credentials to support that identity.

The following is a recent real life example which would seem very innocuous.

An associate's phone rings.  The person identified herself as working for the accounts receivable department.  She indicated to the user that the phone extension he had was noted as sitting near an HP Color Printer.  She asked if he could provide the model and serial number for her records.  (Before we go any further, how many of you reading this sit “near” an HP printer?)

The user was keen enough to ask the caller’s name.  She responded with only a first name, “Kathy”.  Fortunately this set off a red flag that something might not be completely legitimate about her request.  He then indicated it wasn’t necessarily a good time for him and asked if he could get the information and send it to her in an email.  Still suspicious but now afraid the caller might just hang up, the user stalled and answered “oh yes, there is an HP printer right here” and gave the model number, but nothing specific to the device or the company he works for (serial number or IP address).

After saying this, the caller seemed more interested again and continued to ask how they administer and maintain the printers.  The end user indicated he wasn’t sure and would have to ask.  He then asked for her last name, to which she responded “White”.  Being resourceful, the user quickly checked the company’s Active Directory.  No users matched that specific name.

He then offered to get the rest of the information and call her back.  The caller indicated that the phone she was using was only able to make outbound calls and she wasn’t sure what number would call her area (does this sound like any phone in your company?).  When he insisted he’d need to call her back, she quickly hung up on him.

By asking specific and probing questions, a caller may be able to piece together enough information to infiltrate an organization’s network. If an attacker is not able to gather enough information from one source, he or she may contact another source within the same organization and rely on the information from the first source to add to his or her credibility.  While each of those pieces of information may seem insignificant by themselves, in total, they may give a hacker just the information they need to footprint a company or network in order to run a targeted attack on the environment.

iOS 4.2 is out! Update your iDevice!

While many people (me included) are happy to update their devices to iOS 4.2 for the new features it enables, most are not aware of the security fixes included that are also necessary.  iOS 4.2 (like many iOS updates before it) includes fixes to address multiple vulnerabilities. Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code, initiate a call, cause a denial-of-service condition, gain system privileges, or obtain sensitive information on your iPhone, iPad, or iTouch.  (While there is an update for AppleTV also, I’m not aware of what, if any, vulnerabilities were addressed with that update.)

A quick overview of these fixes: an issue with the new iAd service where the ads could send you to malicious sites, mail issues where specially crafted HTML emails could send information back to the sender of the email, and a networking issue where specially crafted PIM messages could cause a denial-of-service situation or the device to completely shut down.

To see a full list of the vulnerabilities addressed, please see Apple’s security page here:  http://support.apple.com/kb/HT4456

Android and iPhone exploits revealed in past week

Over the weekend, a new Web-based jailbreak became available for iOS devices, offering users a simple method to open their devices to installation of unauthorized third-party applications.  An error in the processing of Compact Font Format (CFF) data within PDF files can be exploited to execute arbitrary code e.g. when a user visits a specially crafted web page using Mobile Safari.

This is applicable to any iOS 4 device (all new iPhone 4s, iPads and any upgraded iPhone 3G and 3GS).  One of the main features of iOS 4 was the sandboxing approach to applications.  This exploit bypasses the sandboxing by exploiting a third-party component.  I have to say this doesn’t help Adobe’s popularity in Cupertino.

Time will tell if Apple will release a patch to iOS to resolve the issue or if Adobe will have to update their code.  For the time being, the best advice is to browse “safely” (if that’s really possible anymore) or just not browse at all.

The Android exploit has a completely different twist on it.  Spider Labs released a DVD at Defcon last week that provided a method to root the device.  Once the exploit is applied, the Android device acts as a bot for the hacker, who has full remote control over the device, providing access to all the user information on it.  What makes this more interesting is that Spider Labs is an ethical hacking team using this approach to incentivize manufacturers to provide a fix to the issue more quickly.

“It wasn’t difficult to build,” said Nicholas Percoco, head of Spider Labs, who, along with a colleague, released the tool at the Defcon hackers’ conference in Las Vegas on Friday.  Percoco said it took the team about two weeks to build the malicious software.

CNET reported that ten companies had data compromised.  The list included Pepsi, Coca-Cola, Apple, and Google amongst others.  All information was solicited through one phone call to an employee of the company.

************** UPDATE Aug 5th **********************

CNET has posted that Apple has acknowledged the issue and already has a fix.  They did not mention when it would be released, but a software update is imminent.

************** UPDATE Aug 11th *********************

Apple has released iOS 4.0.2 for iPhone and iTouch as well as iOS 3.2.2 for the iPad to address this vulnerability.  Of course, a side effect of addressing this vulnerability is that it now breaks the functionality of JailbreakMe 2.0.  Not that this should be a surprise.

Russian spies are just like your average end user?

Funny as this may sound, it seems to be the case with the recently arrested Russian spies.

This article from Network World points out some of the issues the users had and how those issues helped get them caught.

As an IT or Security Professional, how likely are these scenarios in your workplace:

  • A 27-character password was enforced.  So the password ended up written down on a post-it.
  • Frustrated with trying to get a program to work, you turn to a complete stranger for help.  If that stranger happens to be an undercover FBI agent, handing him your laptop just made his day.
  • Waiting 2 months to get a new laptop and have it configured, then being told you can get it fixed in 6 months if it doesn’t work.  Then telling your co-worker (or co-spy) “they don’t understand what we go through over here”.  Sound familiar?
  • Users/spies turn to off-the-shelf programs so they don’t have to wait for their IT department to install.
  • Having all new systems but not being able to run the programs necessary, as they crashed or timed out before the application could finish.
  • Users/spies set up peer-to-peer wireless networks (without encryption) so they could transfer files more easily.  That made it a lot easier to intercept those files during transfer too.

They seem so comical that it’s almost hard to believe they aren’t movie plot lines for Steve Carell’s next Get Smart episode.

Cell phone security best practices – keeping your personal information personal.

In presentations I give on security, I have become accustomed to a pattern of presenting the information.  Step one, pose questions or situations that allow your audience to immediately identify with you or the subject.  Step two, provide case studies or scenarios that provide examples to support the subject.  Step three, give the audience some actionable items.

This article is all about supporting step three.  If I’ve done a good job of getting a person to identify with the subject and provided a reasonable explanation of the information, the reader/listener usually focuses in on the action items.

In this case, I wanted to provide supporting information to the Does My Cell Phone Have a Virus article. Also, this seems very timely with the recent loss of the next-generation iPhone at The Gourmet Haus Staudt in Redwood City, California. While I’m certain Apple has many more policies for device management, never mind the policies around having a prerelease device, if Gray Powell had simply followed the first recommendation below, things would be much different…

But I digress…   Almost all the offline questions I have received from my last article have had a common theme:

  • I did this, did I get a virus?
  • My insert_model_phone_name_here is acting funny what do I do?
  • I installed this app, is it legit?

Trying to address issues one at a time, after the fact, is the “whack-a-mole” approach you want to avoid.  You want to put preventative measures in place so that these concerns are minimized.

You will find a number of lists like this on the Internet, but this is my take on steps to take to safeguard your information on your mobile device:

  1. Loss is your biggest risk: don’t lose your phone.  Your cell phone can hold the equivalent of your birth certificate, bank statements, and diary all in one location.  Maintaining physical control of the device is the best thing you can do to avoid losing your information.
  2. Make sure you use a password (or PIN, if that’s what your phone supports) to lock the device.  This is the single biggest inconvenience users complain about.  If someone picks up your device, it should not be wide open for them to read.  Protect it.
  3. If your device offers encryption of the device and any removable media, use it.  If you lose a device, the average person who picks it up will not likely have the ability to pull memory chips and decrypt your information.  Make it difficult for someone to get the data.
  4. Just because you can download hundreds of applications does not mean you should.  Be aware that many free applications are made to get personal information from you (again, see my other post on this).  Others may actually be malicious.
  5. When downloading applications, be especially careful with banking applications. Only download them from trusted sources.  If you can download directly from the bank, that is your best option.  If you download from an app store, read the reviews and make sure you are not one of the first 10 people to download something.
  6. Only use Bluetooth if you absolutely require it. If you use Bluetooth, enable a PIN for pairing devices and do not leave your device discoverable.
  7. If your device supports WiFi, only connect to secure and trusted networks.  A network called “FreeWiFi” is usually not the best option.
  8. Limit the amount of data you store on your phone.  If you are working on things like tax documents or have personal information on the device, only leave it on the phone while you need it.  Limiting the amount of data on the device limits your risk if the device is lost or stolen.
  9. From a financial liability standpoint, inquire about cell phone insurance from your provider.  In a day when cell phones can initially cost $300 and cost $500 to $600 to replace, it may be worth the couple of dollars a month in insurance to be able to replace it.
  10. If your provider offers the ability to remotely manage or wipe a mobile device, know how this works and be prepared to use it in case your device is lost.  If you remove all the data, you can limit your loss to just the device itself.
  11. Inquire with your provider and check with the device manufacturer for device patches and upgrades.  Much like your PC, smartphone software is updated on an ongoing basis to fix functionality and increase security.
  12. If your device supports third-party security applications (usually Windows Mobile, Symbian, or Palm devices), look to manufacturers like Symantec and McAfee for firewall, anti-virus and spam prevention software.

Some of these are configurations you can set on your phone, while the others are things you need to know to modify your behavior while using your phone.  If you follow these steps, chances are you should be okay.  In the rare case you lose your phone (ahem… next-generation iPhone in a bar) and it happens to get picked up by an extremely technical user who can tear it down (Gizmodo), know that all bets may be off.  But for the average person, you’re going to be okay.