3 examples of human hacking

Social engineering expert Chris Hadnagy shares juicy tales of successful cons he's seen as a security consultant, and six prevention tips

Page 2 of 2

Hadnagy started his test by calling the park, posing as a software salesperson. He was offering a new type of PDF-reading software, which he wanted the park to try through a trial offer. He asked what version they were currently using, got the information easily, and was ready for step two.

The next phase required on-site social engineering, and Hadnagy used his family to ensure success. Heading up to one of the ticket windows with his wife and child in tow, he asked one of the employees if he might use their computer to open a file from his email. The email contained a PDF attachment for a coupon that would give them discounted admission.

"The whole thing could have gone south if she said 'No, sorry, can't do that,'" explained Hadnagy. "But looking like a dad, with a kid anxious to get into the park, pulls at the heartstrings."

The employee agreed, and the park's computer system was quickly compromised by Hadnagy's malicious PDF. Within minutes, Hadnagy's partner was texting him to let him know he was 'in' and 'gathering information for their report.'


Hadnagy also points out that while the park's employee policy states that staff should not open attachments from unknown sources (even a customer needing help), there were no controls in place to actually enforce it.

"People are willing to go to great lengths to help others out," said Hadnagy.

Takeaway 3: Security policy is only as good as its enforcement

Takeaway 4: Criminals will often play to an employee's good nature and desire to be helpful

The hacker is hacked

Hadnagy gives a third example showing how social engineering was used for defensive purposes. He profiles 'John,' a penetration tester hired to conduct a standard network pen test for a client. John ran a scan using Metasploit, which revealed an open VNC (virtual network computing) server, a service that allows remote control of machines on the network.

He was documenting the find with the VNC session open when, suddenly, in the background, a mouse began to move across the screen. John knew it was a red flag because at that time of day no user would be connected to the network for a legitimate reason. He suspected an intruder was on the network.
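John's red flag was context, not a signature: a VNC session active at an hour when no legitimate user should be connected. The same reasoning can be automated as a detection rule over remote-access logs. The following is an added example, not code from the article or from Hadnagy; the log lines are constructed for illustration (loosely modelled on a VNC server's connection log, not real output), and the business-hours window and the internal address prefix are assumptions a defender would replace with their own.

```python
import re
from datetime import datetime, time

# Constructed sample log lines (not real VNC output). 2011-04-12 and
# 2011-04-13 are a Tuesday and a Wednesday, so only the time of day
# and the source address decide which lines get flagged.
SAMPLE_LOG = """\
2011-04-12 09:14:03 Connection accepted from 10.0.5.21:51422 (auth ok)
2011-04-12 13:40:11 Connection accepted from 10.0.5.33:50120 (auth ok)
2011-04-12 17:55:49 Client 10.0.5.21 disconnected
2011-04-13 02:37:18 Connection accepted from 203.0.113.77:41002 (auth ok)
2011-04-13 02:38:02 Connection accepted from 10.0.5.21:51990 (auth ok)
"""

# Only "Connection accepted" lines carry a new session; everything else is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) Connection accepted from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+"
)

# Assumed policy values: weekday 08:00-18:00 is normal, and 10.0.x.x is the
# hypothetical internal network. Adjust to the environment being monitored.
BUSINESS_START = time(8, 0)
BUSINESS_END = time(18, 0)
INTERNAL_PREFIX = "10.0."


def parse_connections(log_text):
    """Return (timestamp, source_ip) for every accepted-connection line."""
    connections = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            connections.append((ts, m.group("ip")))
    return connections


def is_business_hours(ts):
    """True when ts falls on a weekday inside the configured window."""
    return ts.weekday() < 5 and BUSINESS_START <= ts.time() < BUSINESS_END


def flag_connections(log_text):
    """Return (timestamp, ip, reasons) for each session that breaks an expectation.

    A session can be flagged for more than one reason; reasons are listed in
    a fixed order so results are easy to compare.
    """
    flagged = []
    for ts, ip in parse_connections(log_text):
        reasons = []
        if not is_business_hours(ts):
            reasons.append("outside business hours")
        if not ip.startswith(INTERNAL_PREFIX):
            reasons.append("external source address")
        if reasons:
            flagged.append((ts.isoformat(sep=" "), ip, reasons))
    return flagged


if __name__ == "__main__":
    for ts, ip, reasons in flag_connections(SAMPLE_LOG):
        print(f"{ts} {ip}: {', '.join(reasons)}")
```

Run against the sample, the two early-morning sessions are reported and the two daytime ones are not; the external address earns a second reason on top of the time-of-day one. In practice a rule like this sits beside the more basic control the story implies: an open VNC service reachable by a scan should not exist in the first place, and the alert is the backstop for when it does.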

Taking a chance, John opened Notepad and began chatting with the intruder, posing as a 'n00b' hacker, someone who is new and unskilled.

"He thought 'How can I get more information from this guy and be more valuable to my client?'" said Hadnagy. "John played to the guy's ego by trying to pretend he was a newbie who wanted to learn more from a master hacker."

John asked the hacker several questions, pretending to be a younger person who wanted to learn some tricks of the hacking trade and who wanted to keep in touch with another hacker. By the time the chat was over, he had the intruder's email, contact information—and even a picture of him. He reported the information back to his client, and the problem of easy access to the system was also fixed.

Hadnagy also points out that John learned through his conversation with the hacker that the hacker had not really been 'targeting' the company he had broken into; he had simply been looking around for something easy to compromise and found that open system quite easily.

Takeaway 5: Social engineering can be part of an organization's defense strategy

Takeaway 6: Criminals will often go for the low-hanging fruit. Anyone can be a target if security is low

Copyright © 2011 IDG Communications, Inc.
