25. October 2010 · Comments Off on The Social-Engineer Toolkit (SET) – Computer Based Social Engineering Tools | Darknet – The Darkside · Categories: blog · Tags: Social Engineering
The Social-Engineer Toolkit (SET) is specifically designed to perform advanced attacks against the human element. SET was designed to be released with the http://www.social-engineer.org launch and has quickly become a standard tool in a penetration tester's arsenal. SET was written by David Kennedy (ReL1K) and, with a lot of help from the community, it has incorporated attacks never before seen in an exploitation toolset. The attacks built into the toolkit are designed to be targeted and focused attacks against a person or organization used during a penetration test.
Here is a list of the attack vectors SET provides:
Our testing shows we’re spending billions on defenses that are no match for the stealthy attacks being thrown at us today. What can be done?
Greg Shipley has written an excellent article about the state of information security. The hard copy version in this week’s InformationWeek magazine sums up the situation – “Epic Fail.”
…collectively, we’ve spent billions of dollars on security technologies, and we still can’t curb these threats. Intruders trot through firewalls deployed to block them, while malware flourishes on systems that antivirus vendors pledge to immunize. Meantime, our identity management efforts guzzle funds faster than politicians before a crucial vote.
Recent events suggest that we are at a tipping point, and the need to reassess and adapt has never been greater. That starts with facing some hard truths and a willingness to change the status quo.
Greg points out what we’ve been saying for the last three years:
…sometime in the last few years a number of our key security technology controls crossed that threshold and ceased to be effective, yet as an industry we have yet to adjust. We’re pouring billions of dollars–literally–into security products that are gaining us very little. We don’t retire anything but rather pile on more layers, leading to increased complexity, expense, and exposure.
One of the big three security technology controls Greg calls out is firewalls. I would be more specific and say “stateful inspection” firewalls. These have been the staple of network security for 15 years. But Web 2.0 applications and social networking breeze right by the stateful inspection firewall. In fact, the stateful inspection firewall provides practically no control or protection at all.
Fortunately, we have begun to see the rise of what Gartner calls the Next Generation Firewall as exemplified by Palo Alto Networks. NextGen Firewalls are application aware and more importantly enable you to build policies based on applications and users rather than ports, protocols, and IP addresses.
Greg’s four recommendations are:
1) Start spending money on controls that are more in line with threats. This is in fact why Cymbel has embraced (and enhanced) the SANS 20 Critical Security Controls for Effective Cyber Defense. Controls were selected based on knowledge of exploits. For example, Controls #1 and #2 are about discovery of network assets and the software running on them. Unknown and/or unmanaged devices will thwart a patch management program every time.
2) Adjust assumptions and put to rest some age-old debates. For example, the insider vs. outsider debate. Due to what we call the “inside-out” attack vector, the outside attacker becomes an insider once the attacker steals the insider’s credentials. We discuss this in more detail in the Threats section of the Five Forces of Change. This is why internal network segmentation based on application and user policies has become critical.
3) Stop rewarding ineffectiveness and start rewarding innovation. Here Greg repeats his observations about the ineffectiveness of (stateful inspection) firewalls and antivirus. It is for this reason that we developed our Next Generation Defense-in-Depth architecture, which features real, proven, innovative solutions that mitigate these new threats. Another good example is FireEye, which prevents 0-day and unknown malware attacks using heuristics plus virtual sandboxes to test suspicious code. The virtual sandbox capability practically eliminates false positives, the bane of heuristics-based intrusion prevention systems.
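Recommendation 1 above leans on Controls #1 and #2: you cannot patch what you do not know you own. The following is an added example (not Cymbel's code, nor anything from the SANS controls document) of the reconciliation a practitioner would run after a discovery sweep: every device seen on the wire is checked against the managed inventory, and every piece of software seen on a device is checked against an approved baseline. The discovery lines, MAC addresses, inventory entries and version baseline are all constructed sample data.

```python
"""Reconcile network discovery results against a managed asset inventory.

Added illustration for SANS Critical Controls #1 and #2 (inventory of
devices and of software). Devices that appear on the network but not in
the inventory, and software versions outside the approved baseline, are
exactly the gaps a patch management program cannot cover. Every input
below is constructed sample data, not the output of any real tool.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Discovered:
    ip: str
    mac: str
    software: frozenset  # set of (name, version) pairs observed on the host


# Constructed discovery output: "<ip> <mac> name/version[,name/version...]"
# (the format is an assumption for this example, not a real scanner's format).
DISCOVERY_LINES = """\
# ip            mac                 observed software
10.0.1.10 00:11:22:33:44:01 openssh/5.3,apache/2.2.15
10.0.1.11 00:11:22:33:44:02 openssh/4.7
10.0.1.57 00:11:22:33:44:99 vnc/4.1
"""

# Constructed managed inventory keyed by MAC address.
INVENTORY = {
    "00:11:22:33:44:01": {"owner": "web-team", "role": "web server"},
    "00:11:22:33:44:02": {"owner": "ops", "role": "bastion host"},
}

# Constructed approved-software baseline: name -> approved versions.
APPROVED = {
    "openssh": {"5.3"},
    "apache": {"2.2.15"},
}


def parse_discovery(text):
    """Parse the constructed discovery format into Discovered records."""
    hosts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip, mac, *rest = line.split()
        software = set()
        for item in (rest[0].split(",") if rest else []):
            name, _, version = item.partition("/")
            software.add((name, version))
        hosts.append(Discovered(ip, mac.lower(), frozenset(software)))
    return hosts


def reconcile(discovered, inventory, approved):
    """Return unknown devices and software outside the approved baseline.

    A device missing from the inventory is reported once; any software on
    any device whose version is not in the baseline is reported as well,
    so an unmanaged box running unapproved software shows up in both lists.
    """
    unknown_devices = []
    unapproved = []
    for host in discovered:
        if host.mac not in inventory:
            unknown_devices.append(host.ip)
        for name, version in host.software:
            if version not in approved.get(name, set()):
                unapproved.append((host.ip, name, version))
    return {
        "unknown_devices": sorted(unknown_devices),
        "unapproved_software": sorted(unapproved),
    }


if __name__ == "__main__":
    report = reconcile(parse_discovery(DISCOVERY_LINES), INVENTORY, APPROVED)
    for ip in report["unknown_devices"]:
        print(f"UNKNOWN DEVICE   {ip}: not in inventory, cannot be patched")
    for ip, name, version in report["unapproved_software"]:
        print(f"UNAPPROVED SW    {ip}: {name} {version} outside baseline")
```

Keying the inventory by MAC rather than IP is deliberate: addresses handed out by DHCP move, while a hardware address ties the observation to a specific device. The report is meant to feed a ticket queue, so both lists are sorted to make repeated runs easy to diff.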
If you are not familiar with www.social-engineer.org, I strongly recommend it as a great source of information regarding all aspects of social engineering. Why is this important? In their own words:
Social engineering is a real and dangerous threat to Corporate America. In the simplest of terms, social engineering is manipulating a target to take an action that may or may not be in their best interest. As companies devote more resources to technical security, technical attacks become more expensive. Social engineering is a popular alternative for cyber criminals interested in operating on the cheap. After all, these attackers seek the same high return on investment as business owners.
If you don’t believe that social engineering is a major issue, read an overview about the social engineering contest that was held this past August at Defcon 18 in Las Vegas.
One of the most alarming findings was that it doesn’t take a seasoned expert in social engineering to successfully penetrate a company. Inexperienced attackers have easy access to free resources including Facebook, LinkedIn, Twitter, Google Search, and Google Street. These resources, coupled with call centers and customer service departments that are focused on customer satisfaction, were enough to gather valuable information from most targeted companies. For the more resistant targets, there were plenty of believable pretexts to choose from (e.g., employee satisfaction survey, helpless customer, recruitment agency interviewing a former employee who just posted a resume on a job-seeking website, etc.). As a last resort, any resistance encountered was easily overcome by simply hanging up and calling again until a more cooperative employee could be reached.
Literally anyone who can read or work with a Mandarin Chinese website can go onto their self-service portal, create an account and pick their victim of choice for a DDoS attack.
The botnet’s C&C domains, located in China, are used to push out instructions to infected bots to launch DDoS attacks against a list of targeted domains. Researchers are unsure of the price of IMDDOS attack services and do not know the actual domain names targeted by IMDDOS customers.
Full disclosure: While this article was “stimulated” by Damballa’s VP of Marketing, I still thought it was newsworthy. We partner with FireEye, a Damballa competitor.
Social engineering hackers — people who trick employees into doing and saying things that they shouldn’t — took their best shot at the Fortune 500 during a contest at Defcon Friday and showed how easy it is to get people to talk, if only you tell the right lie.
Contestants got IT staffers at major corporations, including Microsoft, Cisco Systems, Apple and Shell, to give up all sorts of information that could be used in a computer attack, including what browser and version number they were using (the first two companies called Friday were using IE6), what software they use to open pdf documents, their operating system and service pack number, their mail client, the antivirus software they use, and even the name of their local wireless network.
Now I would understand the ease with which social engineering would work with non-IT workers. But this contest was focused on IT workers, who you would think are more security conscious. But I guess after the Robin Sage story, I am not surprised.
The Robin Sage story broke in early July and I am late in getting to it. I was going to skip it, but it’s such a good story, I wanted to note it. The Dark Reading version is quite detailed.
The key, though, is straightforward: people accepted invitations from someone they did not know. It’s that simple. This is a type of “inside-out” social engineering attack vector which has become the primary method of cyber criminals. Why bother with the traditional “outside-in” attack on network device or endpoint software vulnerabilities when all you need to do is lure the victim to a malware-laden web page?
Running a Robin Sage type of “experiment” in your organization should be part of your security awareness training program.
Zscaler discusses yet another example of blackhats drawing unsuspecting fans to fake web pages containing malware. This time it’s a fake YouTube page designed to attract soccer fans during the World Cup.
I call this type of attack, “inside-out,” in the sense that the attacker draws an insider out to a web-page to initiate the attack rather than using the traditional “outside-in” direct attack method of finding and exploiting a network or application vulnerability. While traditional vulnerability assessments are still important, they do not provide the complete picture of your risks.
IRC-Junkie is reporting that researchers at TU Wien (Vienna University of Technology, Austria) have developed a software program that performs a “man-in-the-middle” attack between IRC users causing them to click on malicious links at a 76% click rate. As opposed to impersonating a user and attempting to perform one side of the conversation, this program sits between two users and simply makes changes to the words and inserts malicious links.
The so called “HoneyBot” is capable of influencing the ongoing conversation by “dropping, inserting, or modifying messages” and the researchers assert that “if links (or questions) are inserted into such a conversation, they will seem to originate from a human user” and therefore the click-probability will be “higher than in artificial conversation approaches”.
It seems to me that the high click rate is due to the lack of knowledge that such an attack is even possible and therefore people are not in the least bit suspicious. If HoneyBots become more prevalent, people will be more on guard.
In any case, approach each link cautiously – hover over the link and inspect the URL that is displayed at the bottom of the browser. If you cannot determine exactly where the URL is going to take you, don’t click on it.
Another thought: how long before we see this type of attack in the wild on Facebook?
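The advice above (hover, read the real URL, and don't click if you cannot tell where it leads) can be applied mechanically to links that arrive in HTML form, such as a web-based chat or mail message. The block below is an added example, not part of the original post or of the TU Wien research: it extracts each anchor's visible text and actual href, compares the two hosts, and flags the disguises that make a destination hard to read at a glance (a mismatched host, credentials before an `@`, an IP-literal host, a punycode host). The message and every hostname in it are constructed placeholders under the reserved `.example` domain.

```python
"""Flag links whose displayed text does not match where the href really goes.

Added example; the HTML snippet and all hostnames are constructed samples.
For each <a> element the visible text is compared with the href, and a
list of warnings is produced for anything a careful reader would want to
notice before clicking.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# A hostname (optionally preceded by a scheme) appearing in the visible text.
_HOST_IN_TEXT = re.compile(r"(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})")


def _base_domain(host):
    """Crude registrable domain: the last two labels.

    Adequate for .com/.org/.example style names; a real deployment would
    use a public-suffix list to handle names such as co.uk correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def inspect_link(href, text):
    """Return a list of warning strings for one link (empty means nothing odd)."""
    warnings = []
    parts = urlsplit(href)
    host = parts.hostname or ""
    if parts.scheme not in ("http", "https"):
        warnings.append(f"non-web scheme: {parts.scheme or '(none)'}")
        return warnings
    if parts.username is not None:
        # http://bank.example@evil.example/ is served by evil.example.
        warnings.append("credentials before '@' hide the real host")
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
        warnings.append("IP-literal host")
    if "xn--" in host:
        warnings.append("punycode (IDN) host")
    m = _HOST_IN_TEXT.search(text)
    if m and _base_domain(m.group(1)) != _base_domain(host):
        warnings.append(f"text shows {m.group(1)} but href goes to {host}")
    return warnings


def inspect_html(html):
    """Return [(href, visible text, warnings)] for every link in the HTML."""
    parser = _AnchorCollector()
    parser.feed(html)
    return [(href, text, inspect_link(href, text)) for href, text in parser.links]


# Constructed sample message; none of these hosts exist.
SAMPLE = """<p>Constructed sample message.</p>
<a href="https://bank.example/login">https://bank.example/login</a>
<a href="http://bank.example@evil.example/login">https://bank.example/login</a>
<a href="http://192.0.2.10/watch">Watch the match</a>
<a href="https://xn--bnk-6ka.example/">bank.example</a>
"""

if __name__ == "__main__":
    for href, text, warnings in inspect_html(SAMPLE):
        status = "ok" if not warnings else "; ".join(warnings)
        print(f"{text!r:32} -> {href:45} {status}")
```

The text-versus-href comparison only fires when the visible text itself looks like a hostname; plain wording such as "Watch the match" carries no claim to compare against, so only the host-level checks apply there. That matches the manual advice: the hover shows you the real destination, and it is the reader's job to decide whether it is one they recognise.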
22. April 2010 · Comments Off on Ten “Must Haves” for Secure Mobile Device Management · Categories: blog
Smartphones and tablets offer tremendous productivity enhancements because wherever you are, whatever time of day, you can get access to your entire enterprise – the corporate network, proprietary business applications, and sensitive data – from a device small enough to fit in your pocket.
This era of “the pocket enterprise” also creates serious enterprise risks with employee habits or behaviors that can lead to data loss, exposure of the corporate network, and compliance breaches. Have employees passcode-enabled their devices? Do they abide by the corporate mobile app policies? Have they tampered with the device’s security features? Do they sync non-public data using Dropbox or forward it to their Gmail account? And the most pressing question of all: How can the enterprise even begin to answer these questions?
Zenprise, the leader in Secure Mobile Device Management, and a Cymbel partner, has recently released a white paper entitled, The Ten “Must Haves” for Secure Mobile Device Management.
If you would like a copy of this white paper, please fill out the form on the right side of this page.
Achieve MA 201 CMR 17 Compliance by isolating private data, controlling access to private data, detecting and blocking threats at the gateway, and monitoring traffic flows for unauthorized transfer of private data.
20. April 2010 · Comments Off on Compliance & Security Services · Categories: blog
Cymbel provides a wide range of services related to automating compliance and reducing security risks.
Cymbel uses a four step process – Assessment, Policy Development, Policy Implementation, Re-assessment. The key to our approach is to gain real visibility during the Assessment process by using automated tools to collect actual operational data. Learn more.