Your American tax dollars (and login credentials) at work.

Aug 07, 2007

Earlier this year, pen-testers hired by the Internal Revenue Service tried a time-worn attack as part of their assignment: they phoned 102 people who work at an IRS office, posed as tech support, and asked for their usernames. The people called were also asked to temporarily change their passwords to something simple (love? sex? secret? god?) as part of a supposed troubleshooting effort.

61 of the 102 complied with a request from complete strangers. Had this not been a pen-test, those office networks would have been sitting ducks. Only eight people called someone they knew in their own organization to verify who the callers were before doing anything (and then, one would hope, declined to help).

Some of these people were management, for crying out loud - the very people who write the policies meant to prevent exactly this. If they hand their usernames to total strangers so readily, what else would they do if asked? Browse to a certain URL in Internet Explorer and potentially compromise their workstations? Download and run a certain application from Somewhere Out There (a trojan horse or RAT, say)? Read off some SBU (sensitive but unclassified) information, such as the IP address of a certain publicly accessible server? This is a social engineering tactic so old that I babysat its grandkids for pocket money in high school!

For the love of Saint Isidore, if you're management or IT, instruct your end users not to blindly follow the directions of someone who calls or IMs them out of the blue at work asking them to run commands or hand over their login credentials. Tell them who to call to confirm the identity of anyone making such a request, even if it's just their supervisor. If they have any doubt, they must confirm with someone they already know to be in their organization before acting. The reason social engineering matters is that it opens other attack vectors from the inside: a valid account, or a user willing to run whatever is asked of them, gives an attacker a foothold behind the perimeter from which vulnerabilities at the desktop can be exploited without touching an externally exposed system.