There is no shortage of vulnerabilities. In December, a major one, described as "the worst default security vulnerability in Windows ever" by its discoverer, was found in Microsoft's Universal Plug and Play (UPnP) system. February saw the announcement of multiple vulnerabilities in many implementations of the Simple Network Management Protocol (SNMP), described as "serious" by CERT/CC and a "fiasco" by some commentators. By the time this is published, I am sure there will be several more vulnerabilities competing for news coverage. But which is the biggest hole?
Unfortunately, the biggest vulnerability comes not from technology but from people, often the very people you are depending on to protect your organisation's information assets. The flaw lies in how people decide who, or what, to trust, and abusing that trust is called Social Engineering. The infamous hacker Kevin Mitnick has publicly claimed that most of his successful intrusions were based on social engineering. The exact scope of social engineering is not well defined, but some examples will help:
A confused user calls the helpdesk and asks for a password change. Of course, the user is not confused; it is the attacker. The more confused the caller appears to be, the more the helpdesk will try to help, offering clues and extra information.
The helpdesk might ask for additional information, like full name, user-id and birthday - a preceding call to a secretary might help, "Hi, it's
An alternative approach is intimidation - like the extremely busy Vice President calling the new system administrator demanding access to their account.
Reversing the scenario, a user may receive a call from the system administrator, asking them to do something, perhaps re-entering their password.
The key to all of these is acting ability: convincing the victim that the caller is who they claim to be. In general, these techniques work best at large companies, but Small/Medium Enterprises, where everyone knows each other, are not invulnerable: they are probably using an ISP, and the customer support there might have some very bad procedures. Three of my local ISPs have asked me for my password when I have called up with a technical problem. This reveals that they do not allow Customer Support root access to their servers; why should I trust this person I have never met with my password when their employer, who has had a chance to do a background check, does not trust them? Most customers will be less suspicious, but it reinforces a bad lesson. If you are used to calling customer support and giving out your password, it is a small step to give out your password when "customer support" calls you. The attacker might then be able to misuse the account for attacking other systems or, if the victim uses the same password for their own machine, break into the victim's machine (and the SME's LAN) while they are online.
Although tricking people into revealing their passwords is easy to write about, it is not the limit of social engineering; in fact, Kevin Mitnick claims never to have asked for a victim's password in his attacks. An attacker might seek any information that could help with the attack, such as the names of important servers, the software in use or the network configuration. Information about the company's culture and organisation helps with further social engineering, so that the attacker never asks one person for so much information that they become suspicious.
We can also call it social engineering when email or instant messaging is used. A typical scenario is to get a user to accept a Trojan and execute it: "Try this screen-saver, it's really cool." Most of the major email viruses use social engineering in this way. The specific hook varies: love (VBS/LoveLetter, subject "ILOVEYOU"), curiosity (VBS/VBSWG-X, message "You've got to see this page! It's really cool ;O)"), fame or sex (VBS/Onthefly, better known as the Anna Kournikova virus), work (W32/Sircam, with various messages: "I send you this file in order to have your advice", "I hope you can help me with this file that I send", "I hope you like the file that I send you", "This is the file with the information that you ask for") or software updates (W32/Gibe carries a message describing it as a Microsoft Internet Security Update). Novelty appears to be an important factor: the recent VBS/Britney virus, which claims to have pictures of Britney, spread only a fraction as far as VBS/Onthefly; people are now suspicious of unsolicited "pictures" of celebrities.
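The lure texts quoted above can of course be matched mechanically, and it is worth seeing how little that buys. What follows is an added example, not code from the original article: a toy mail-gateway check in Python that flags a message when its subject or body reuses one of the lure texts listed above. The sample messages are constructed for the example, the W32/Gibe phrase is an assumption about its exact wording (the article only says the message describes the attachment as a Microsoft Internet Security Update), and the pictures-of-Britney wording is invented to stand in for VBS/Britney. Both of the lures the check has never seen pass through untouched, which is precisely the point about novelty: the hook changes with every wave, so a filter written against last month's messages lags behind, and the user who clicks remains the last line of defence.

```python
import re
from dataclasses import dataclass

# Lure texts quoted in the article, mapped to the virus that used them.
# These are the only "signatures" the check knows. The W32/Gibe entry is
# an assumption about its wording: the article only says the message
# describes the attachment as a Microsoft Internet Security Update.
KNOWN_HOOKS = {
    "ILOVEYOU": "VBS/LoveLetter",
    "You've got to see this page! It's really cool": "VBS/VBSWG-X",
    "I send you this file in order to have your advice": "W32/Sircam",
    "I hope you can help me with this file that I send": "W32/Sircam",
    "I hope you like the file that I send you": "W32/Sircam",
    "This is the file with the information that you ask for": "W32/Sircam",
    "Microsoft Internet Security Update": "W32/Gibe",
}


@dataclass
class Message:
    subject: str
    body: str


def _normalise(text):
    """Lower-case and collapse whitespace so trivial reformatting does not evade the match."""
    return re.sub(r"\s+", " ", text).strip().lower()


def match_hooks(msg):
    """Names of known lures whose text appears in the subject or body, sorted, without duplicates."""
    text = _normalise(msg.subject + " " + msg.body)
    return sorted({name for hook, name in KNOWN_HOOKS.items() if _normalise(hook) in text})


def classify(msg):
    """('known_lure', [names]) if any quoted lure text is present, else ('unknown', [])."""
    hits = match_hooks(msg)
    return ("known_lure", hits) if hits else ("unknown", [])


def triage(messages):
    """Count messages by verdict; the 'unknown' bucket is what education has to cover."""
    counts = {"known_lure": 0, "unknown": 0}
    for msg in messages:
        counts[classify(msg)[0]] += 1
    return counts


# Constructed sample messages. The first two reuse lure text quoted in the
# article; the last two are lures the check has never seen: the generic
# screen-saver line from the article and a pictures-of-a-celebrity hook of
# the kind the article attributes to VBS/Britney (wording invented here).
SAMPLES = [
    Message("ILOVEYOU", "kindly check the attached file"),
    Message("Re: your advice", "Hi! I send you this file in order to have your advice. Thanks"),
    Message("cool screensaver", "Try this screen-saver, it's really cool"),
    Message("Britney!", "I got these pictures of Britney from a friend, have a look"),
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(f"{msg.subject!r:20} -> {classify(msg)}")
    print(triage(SAMPLES))
```

Running it flags the first two samples and lets the other two through; the counts from triage() are the honest summary of what a signature list of this kind achieves against the next wave.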
How do we protect against Social Engineering attacks? There are no patches we can download to make our staff paranoid; we must rely on policies and education. Some security experts regard user education as a waste of time, but against social engineering there is no other protection. Education is more effective if the message is kept simple and free of contradictions. There is no point in having a policy of "Never tell anyone your password" if the helpdesk routinely asks for it when a user needs something reconfigured. You should also remember that staff have home Internet connections, and they might be picking up bad habits from calling their ISP's customer service.
However, biggest does not mean only, and the hardest thing about security is that we have to get everything right; our opponents just have to find one weakness to exploit.