The life of a social engineer: Hacking the human
A clean-cut guy with rimmed glasses and a warm smile, Jayson E. Street looks nothing like the stereotypical hacker regularly portrayed in movies (i.e. pale, grim and antisocial). But he is one – he just “hacks” humans.
Street is a master of deception: a social engineer, specializing in security awareness and physical compromise engagements. He’s outspoken, friendly, always wearing a smile, and besides working in the field, he’s also the InfoSec Ranger at Pwnie Express, and is well-known for his books and conference talks around the world.
Social engineering skills
Information security professionals generally agree that humans are the weakest security link. Employees need access in order to do their job, and so attackers increasingly target them instead of the network, in order to infiltrate the system.
A successful social engineer has to have a wide set of skills, ranging from psychology to IT. Most importantly, he has to understand the depth of human emotion. Reading people’s faces, interpreting gestures, especially in a foreign country with a noticeably different culture, is a complex undertaking that takes plenty of practice and skill.
Essentially, a seasoned social engineer is the closest thing we have to a mind reader. He has to instantly size up the person and the situation he finds himself in, and create a scenario that gives him an advantage.
As Ernest Hemingway said: “When people talk, listen completely. Most people never listen.” Well, successful social engineers do.
The world through the eyes of a social engineer
Information is the most valuable commodity in today’s world, and Street knows how to get it. During our talks I learned that he broke into seemingly highly secure places all over the world, including the US, Malaysia, Jordan, Germany, Jamaica, France and Lebanon.
Some of the gear used in the field
“I’m breaking into banks in Beirut, Lebanon, and I’m wearing a DEF CON leather jacket. I don’t speak Arabic or French, and frankly, I don’t blend well in this city,” he recalls one such engagement.
As you can imagine, that didn’t stop him. He ended up twirling in an office chair after talking a teller into allowing him to plug in his Hak5 Rubber Ducky USB into their computer system. In addition to that, at the end of that particular incursion, he had the bank manager assistant’s user ID, password, and smart card.
Street in action behind the teller line
“Armed with this information I go to another branch during business hours. I talk my way behind the teller line, disconnect a computer, and take it with me,” he recounts. “And what do I do next? I go to a third branch and find my way into their internal LAN.”
The Hak5 USB is in
The owners were shocked at the lax security. They knew that someone with this kind of access could have committed all sorts of fraud.
The point Street is trying to make is simple – if you want strong information security, you need proper physical security. In order to protect your data, you need to safeguard the hard drive on which the data resides.
“I’m not the best coder or exploit writer. I’m never going to be that guy. But I don’t have to be if I have a screwdriver and I can take a hard drive from your server. I don’t have to bypass the firewall if I can bypass the receptionist,” he says.
The importance of physical security
Street says he’s never failed to get access to target assets. But he loves to challenge himself, and sometimes his approaches seem outwardly ridiculous.
For example, last year he managed to penetrate the entire infrastructure of a high-class hotel on the French Riviera while wearing Teenage Mutant Ninja Turtles pajama bottoms and walking around barefoot.
Self-assurance is key, and he knows how to deliver. During this job he stumbled upon an unprotected entrance to the employee area, and within 30 minutes he was in the corporate office. They never expected anyone to have access to these premises after office hours and security was nonexistent: keys on desks, unlocked computers – game over.
“I’ve never had a problem with guards anywhere, even at government or financial institutions. Actually, a night guard once helped me carry the server out of the computer room to my car,” he remembers merrily.
You may have guessed it, he’s not supposed to be there
How to prevent social engineering attacks
“Never mistake what I’m doing for red teaming. I’m not trying to destroy an organization. I do social awareness engagements – my job is to educate and make people understand,” he explains.
As a matter of fact, Street genuinely likes getting caught. In the last stage of an engagement he does obviously suspicious things deliberately in order to be unmasked.
“I always come with warning labels. I broke into a highly secure building in New York across from Ground Zero, wearing a shirt that says ‘Your company’s computer guy’,” he remembers.
After the compromise he goes back to the building and explains to the people involved what just happened and why. The point of his job is to increase security awareness through effective teachable moments.
“Despite the outcome of my engagements, I’ve never met a stupid user,” he notes. “I see uneducated users that haven’t been properly trained. And explaining the importance of security should be an essential part of employee training.”
He’s of the opinion that most social engineering attacks can be prevented, and offers the following tips:
1. If you get a feeling that something isn’t right, listen to the voice in the back of your head telling you this and react.
2. Organizations should have a number for people to call when in doubt, an email address through which they can reach out for help. Every employee should know that if they see a suspicious person walking around, or they get a sketchy email, they can alert someone, and that someone will investigate. “Don’t approach the person, don’t open the attachment, inform security,” he advises.
This advice might sound deceptively simple, but Street’s adventures around the world prove that even the world’s biggest organizations still haven’t implemented basic security measures or trained their employees. Until we introduce the proper measures, humans will remain the weakest security link.
Is there a specific infosec job you’d like to find out more about? Are you doing something our readers should know about? Let me know.