
RSA, a well-known manufacturer of two-factor authentication systems based around cryptographic tokens and developer of numerous other security products, announced last month that their security had been compromised, specifically the security surrounding their flagship SecurID tokens.  Yesterday, they finally revealed some of the details behind how that compromise happened.

The description given by the WSJ above is one of an attack carried out with ‘sophistication’–but a closer look reveals that this is apparently face-saving propaganda, given that the description matches a textbook social-engineering-mediated trojan installation.

In short, a spearphishing campaign–a phishing campaign aimed at a specific person or group–was carried out to induce a person with some level of privilege to open a document with malicious code embedded in it–in this case, an Adobe Flash object.  This malicious code proceeded to install what’s known as a RAT–a remote-access trojan–which connected to a remote server to allow the infiltrator to observe his target’s activities and gain access to secured information.

At that point, the infiltrator was able to package and upload private information concerning the cryptography used in the SecurID token system to a server that he controlled elsewhere.

As per the usual textbook example–and the phrase is chosen deliberately, given that it is, in all respects, materially identical to the majority of examples given in this text on social engineering–the target was induced to deliberately open a suspicious attachment.  Said attachment had been put into the ‘spam’ bucket (though attachments had not been stripped, as best practices would dictate for such arrangements), and it was deliberately retrieved and opened by the target at the infiltrator’s urging.

This cannot be stressed enough: the initial infiltration was accomplished through mundane means, by convincing the target to act against standard security policies.

It was only through the user’s deliberate violation of standard secure practices that the infiltrator was able to gain access to the network and carry out his work.  

There were a few other failures in security that this breach brings to light–RSA has several products that they market specifically to prevent these sorts of infiltrations, to detect and counter intrusions; these were apparently not in use inside the company, which rather casts doubt on their effectiveness.  Attachments, as mentioned above, were not automatically stripped from external emails; this is fairly standard practice on any reasonably well-administered mailserver, as it cuts down the attack surface significantly.  The corporate firewalls did not, apparently, block outgoing FTP traffic to sites not known to be good; this allowed for easy exfiltration of private company data.

Any one of these failures has the potential for a breach; all of them together combined to make that breach much easier and much less detectable than it might have been otherwise.

To RSA’s credit, they at least determined that a breach had happened before they were notified by some outside agency; oftentimes, insufficiently secure networks are infiltrated and no notice is taken of any odd function or other telltales of intrusion until, for instance, the company domain is blacklisted for being a spam origination point.

The countermeasures to prevent this sort of breach are obvious: secure the corporate network according to standard best practices.  Ensure that all users are fully aware of security policy, and ensure that all users follow said policies–even if that means disabling the accounts of executives until they have time to receive training.  Configure the mailserver to strip out unknown attachments–frankly, in an enterprise of that scale, email attachments are entirely unnecessary; a CMS should be used for departmental file storage and sharing.
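Two of the controls named above, attachment stripping on inbound mail and egress filtering of FTP to hosts not on an allowlist, can be checked with a short script. The following is an added example written for this page, not code from RSA or from the original post; the allowlists, mail message and firewall log lines are all constructed for illustration, and the `key=value` log format is an assumption about how the firewall writes its records.

```python
"""Two controls the post calls for, scripted as a defender would check them:
(1) strip attachments of non-allowlisted types from inbound external mail, and
(2) flag outbound FTP connections to hosts not on an egress allowlist.
All policy values and sample data below are constructed for illustration."""
import email
import re
from email import policy
from email.message import EmailMessage

# Assumed policy: attachment types an external sender may deliver; everything
# else is removed before the message reaches a mailbox.
ALLOWED_ATTACHMENT_TYPES = {"text/plain", "text/calendar"}

# Assumed egress policy: the only host to which outbound FTP is legitimately needed.
FTP_EGRESS_ALLOWLIST = {"198.51.100.10"}
FTP_PORTS = {20, 21}

# Constructed firewall log in an assumed key=value format (not a real product's format).
SAMPLE_EGRESS_LOG = """\
ts=2011-03-17T10:02:11Z src=10.1.2.3 dst=198.51.100.10 dport=21 proto=tcp action=allow
ts=2011-03-17T10:05:42Z src=10.1.2.3 dst=203.0.113.45 dport=21 proto=tcp action=allow
ts=2011-03-17T10:06:01Z src=10.1.2.9 dst=203.0.113.45 dport=443 proto=tcp action=allow
"""


def strip_unknown_attachments(raw: bytes) -> tuple[EmailMessage, list[str]]:
    """Parse a raw RFC 5322 message, drop every attachment whose MIME type is
    not allowlisted, and return the sanitised message plus the removed filenames."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    removed: list[str] = []
    if not msg.is_multipart():
        return msg, removed          # a bare text body carries no attachment
    kept = []
    for part in msg.iter_parts():    # immediate children of the top-level multipart
        if part.is_attachment() and part.get_content_type() not in ALLOWED_ATTACHMENT_TYPES:
            removed.append(part.get_filename() or "<unnamed>")
        else:
            kept.append(part)        # body parts and allowlisted attachments survive
    msg.set_payload(kept)            # rebuild the multipart without the dropped parts
    return msg, removed


_KV = re.compile(r"(\w+)=(\S+)")


def flag_ftp_egress(log_text: str) -> list[dict[str, str]]:
    """Return the records for outbound FTP to destinations outside the allowlist."""
    flagged = []
    for line in log_text.splitlines():
        rec = dict(_KV.findall(line))
        if not rec or rec.get("proto") != "tcp":
            continue
        try:
            dport = int(rec.get("dport", ""))
        except ValueError:
            continue                 # malformed record: skip rather than crash the check
        if dport in FTP_PORTS and rec.get("dst") not in FTP_EGRESS_ALLOWLIST:
            flagged.append(rec)
    return flagged


def build_sample_message() -> bytes:
    """Constructed inbound message: a text body, a spreadsheet attachment and a
    plain-text attachment. Addresses, names and contents are made up."""
    msg = EmailMessage()
    msg["From"] = "recruiter@example.net"
    msg["To"] = "staff@example.com"
    msg["Subject"] = "Please review the attached plan"
    msg.set_content("The plan is attached; please open it today.")
    msg.add_attachment(b"\xd0\xcf\x11\xe0 constructed spreadsheet bytes",
                       maintype="application", subtype="vnd.ms-excel",
                       filename="plan.xls")
    msg.add_attachment("meeting notes", subtype="plain", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    cleaned, removed = strip_unknown_attachments(build_sample_message())
    print("removed attachments:", removed)
    print("remaining attachments:", [p.get_filename() for p in cleaned.iter_attachments()])
    for rec in flag_ftp_egress(SAMPLE_EGRESS_LOG):
        print("suspicious FTP egress:", rec["src"], "->", rec["dst"], "at", rec["ts"])
```

The attachment filter keeps the message body and any allowlisted part intact, so legitimate mail still arrives readable; only the spreadsheet is dropped. The egress check deliberately ignores the allowlisted FTP server and the HTTPS connection, so a single hit in the sample log corresponds to exactly the kind of transfer the post describes.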

The SecurID product is probably, given RSA’s extreme reluctance to disclose what information was leaked, irreparably compromised–at least until such time as RSA develops a new algorithm and a new implementation for it.

RSA can learn some lessons from this breach, but it remains to be seen if they will put those lessons into practice.

Social Engineering: The Art of Human Hacking

Christopher Hadnagy

The review that I’d read on Slashdot fairly glowed with praise, describing Social Engineering as being the “definitive text” on the subject.  I’m going to have to modify that statement, as I have some fairly severe reservations about the book.

Available in both dead-tree and ebook formats, the book’s electronic edition is, at least, well put together and mostly* professional looking, with table of contents and an index–no glossary, however, which this book might benefit from like other introductory texts.

And it is an introductory text–the language is obviously aimed at the novice, someone for whom ‘social engineering’ is a buzzword they may have heard once.  Much of the first part of the book, before he gets into the ‘meat’ of the subject, is spent trying to make the case for why you should read the rest of the book.  

When he does get through his spiel of trying to both concern and reassure the reader–that social engineering is a real and dangerous phenomenon that is so all-pervasive that you may not be aware it’s happened and that there are ways to be able to tell, respectively–and gets into the subject the book is nominally about, the content improves significantly.

The book is laid out according to his ‘system’–that’s really what he’s selling, here: a way to organize and categorize social engineering as a teachable system–where he outlines various ways to pursue an ultimate goal of finding out information that the target wishes to keep hidden.

There’s a broad sketch of information gathering techniques–a couple of software packages are namedropped as a means to organize and collate information–followed up with sketches of elicitation (more or less congruent with other standard resources on the subject; links are provided therein to government pamphlets and the like), reading body language (mostly concerned with facial microexpressions–almost nothing on other body language interpretation) and an overview of building pretexts (mostly concerned with selecting the correct one).

The section on causing “buffer overruns” in humans is fairly interesting and well put together, but he either doesn’t recognize or purposely deemphasizes the general case (that of distracting the conscious mind in order to plant suggestions or issue short commands that will be followed without immediate objection) for several specific method-driven cases.

There are some other bits and pieces which might be useful to the budding social engineer–recommendations on how to bypass physical security, for instance, and methods for seeding exploits into locations where the target might conceivably run them.

At the end, there are some case studies–discussing a couple of cases from Mitnick’s book on the subject; a couple of his own cases; and a couple of cases that, dramatically, are highly obfuscated as “top secret” and intimated to be about “high profile” companies and the like.  If you’ve actually read the book up to this point, you’ll likely realize that the language chosen to introduce that section in particular is more than a little loaded.

As an introduction to the concepts and processes of social engineering, it’s not a bad book.  It does cover most of the bases of social engineering and some related concepts, but there are a few rather large holes.

If I were to take Mr. Hadnagy at his word–which, given the context of the book, would be a rather foolish thing to do–pretty much everything he does is elicit enough of an opening to introduce spyware onto a corporate system using a PDF exploit.  It’s always the same methodology in every case that he describes his personal involvement in, and it reads like a particularly bad spy thriller when he does so.  I get this impression of inexperience in the field, as well–he takes a sort of “gee whiz, ain’t that cool!” tone with the exploits of others that he describes, who have little to recommend them beyond their audacity in taking on the targets they did and their talent at maintaining their pretext.  

He also continually refers to his “mentor” in such a way that makes me question whether the Master knows the Apprentice is writing and marketing books based on work they may have done.  

If you’re entirely unaware of social engineering–if you’ve never seen a spy movie, or a heist movie, or read about Frank Abagnale or any other famous con-men; if you’ve never considered ways in which people would be able to steal your information or convince you to take an action that you would not otherwise take–then feel free to read this book.  If you’re after a more serious education as to how social engineering works and how to present yourself in a certain way to gain another’s sympathy, then take an acting class–you’ll get a lot farther.

*One does not make one’s source citations in-line.  One makes one’s citations in footnotes like a civilized person.  Mr. Hadnagy should take note.