Other Types of Password Attacks

Part of the document Hackers Beware: The Ultimate Guide to Network Security, part 5 (pages 24 - 27)

The focus of this chapter has been on password cracking, because that is the main password-related threat most companies face. The key point to remember is that an attacker will take the path of least resistance to acquire the information he is after.

For example, if I want to secure my house, one way to accomplish this is to heavily secure the front of my house. I put bars on the front windows and have a big steel door with a guard dog chained to the lamppost. From most perspectives, this is fairly secure. Unfortunately, if you walk around to the back of the house, the back door is wide open and anybody can walk in.

This might seem bizarre, yet this is how most companies have their security set up. They concentrate all of their efforts in one area and forget about everything else. This is true for password security as well. Even though the main threat is password cracking, if your passwords are very strong and cannot be cracked, someone can still obtain them without ever touching a password hash.

Following are some of the other methods for compromising your passwords:

• Social engineering

• Shoulder surfing

• Dumpster diving

Social Engineering

In most companies, if you trust someone, you give them access to privileged information. In the digital world we live in, that means you give someone a user ID and password so that he can access sensitive information.

In most cases, this means employees and trusted contractors get access and no one else.

But what if an attacker convinces someone at your company that he is a trusted entity? He can then obtain an account on your system. That is the essence of social engineering: deceiving people into giving you information you should not have access to, because they think you are someone else.

If you, as a help desk administrator, think I am an employee of the company, and all employees need accounts on the system, you would give me an account. This technique seems very simple and easy, but it is extremely effective.

Let's look at an example. Let's say an attacker performs a whois lookup on your domain name and pulls off the technical point of contact. At the time of writing the technical point of contact was a required field for all registered domain names, providing contact information for the person to be notified about any technical questions with that domain (many registrars now redact or proxy these contacts, but the same names are usually recoverable from other public sources, so the attack only changes where the reconnaissance starts). In this case, her name is Sally. The attacker then calls directory assistance and asks for the general number for your company. After the operator for the company picks up, he asks to be connected to the help desk, at which point he explains that he is a new contractor at the company working for Sally. The company is having some problems with the network and he has been brought on to help fix them. This is a high-priority problem and has visibility up to the CEO. He explains that Sally told him this is not the normal procedure, but based on the circumstances and the urgency, you can help him out. He also offers to give Sally's number for approval. Note that every detail he offers is either public or unverifiable by the help desk, which is exactly why the pretext works: nothing in the call forces the help desk to check against a source the attacker does not control.

In most cases, if the attacker has a convincing voice, he is given a user ID and password and receives access to the system. It is that simple; if you do not believe me, get written authorization from your management and give it a try.

Shoulder Surfing

Another simple but effective way to obtain a password is to watch someone as he types it in, known as shoulder surfing. In an open environment with cubicles, it is fairly easy: you just walk up behind someone when he is typing his password and watch which keys he presses.

This is usually easier if people know who you are. Hopefully, if a total stranger walked up behind you, you would question what he was doing. However, if the person behind you isn't a total stranger, you wouldn't question his presence, which is where a little social engineering comes in handy.

I was performing an authorized security assessment and was trying to obtain some valid passwords, so I decided to give shoulder surfing a try.

It was winter in New York (20 degrees Fahrenheit), so I parked my car near a back entrance. When I saw someone get out of her car, I followed her in wearing a long coat and carrying what appeared to be a very heavy box. I asked if she could hold the door open for me and she did, without asking if I had a badge. Mission #1 accomplished—getting access to the building. I then found one of the administrator’s cubes. Because I wanted domain administrator access, I pulled his name off a document he had on his desk and waited for him to come in. When he arrived I said, “Good morning, John. I was hoping you could help me. We are running a test and I sent you an email and wanted to see if you received it.” At this point, John said “Hold on one second and let me log on to the system.”

Mission #2 accomplished—I looked over his shoulder and obtained administrator access on the system. In this case, the excuse was pretty lame, but if you know more about the environment and do a little research, you can come up with an explanation that anyone would believe! And so could an attacker.

Dumpster Diving

You would be amazed at the information people throw out. They discard emails, documents, proposals, and passwords without even tearing them in half, let alone shredding them. Most companies have dumpsters where all of the trash is thrown. Most cleaning crews clean the offices in the evening, so if you swing by your favorite dumpster at 2 o'clock in the morning, you might find some very useful information. Unlike the previous two methods, dumpster diving requires no interaction with any employee, so there is no one to notice that something is wrong.

To see a great example of the power of dumpster diving, just rent the movie Sneakers.
