Pratum Blog

Ronald Reagan was right. “Trust…but verify”. Over the holiday weekend I was surfing the web and my anti-virus program detected some Java exploits on the pages I was viewing. It was a reputable site I was using to get some ideas for spring break vacation with my wife and kids. A seemingly harmless activity. I wasn’t lurking in the dark corners of the web. 

I don’t know the cause of the malicious activity. I didn’t take the time to hunt it down. The issue is that I would have considered this site to be trusted to a degree. Regardless…it still has to pass through an inspection. One thing I’ve learned over the years is that I can trust a person or organization’s intent without trusting their ability. 

Many times we are burned because we confuse the two. I know most of the websites I use on a daily basis aren’t out to intentionally infect me. The question becomes do I trust that they’ve taken every precaution to ensure someone else doesn’t use them to burn me? We must take the same approach with information security. Many of the breaches carried out use an unsuspecting user or trusted system to complete the attack. We have to remain diligent when defending our systems. Even those we trust could be the source of an information security breach.

Does this stance make me paranoid? Perhaps, but you can’t ignore the…Shhh…did you hear that?

Do you remember in school when your teacher and parents told you if you did all of your homework you’d be better prepared to take the test? Guess what? The same is true for penetration testing. Doing your “homework” before the hacking consists of a lot of reconnaissance work. You need to learn all you can about your target before you attempt to hack it. One of the best ways to do this? Dumpster Diving.

That’s right. I’m going to dig through your trash. It’s not just the stuff you see in Hollywood. We really do pull bags out of the trash, comb through it and find all sorts of valuable intel which allows us to target a system or organization. The information we get from a dumpster dive can help us directly attack a target from the technical side or provide information to launch a very successful social engineering campaign. Information security isn't just about information in digital form. It's about information in ANY form. Here are some of the things we’ve found in the past.

  • List of usernames and passwords

  • Credit card numbers, expiration dates, names, carbons with signatures

  • Architecture diagrams with hostnames, IP addresses, database table and field names

  • Listing of customers with the contacts authorized to access or change the account

  • Vacation schedules of key individuals

The list goes on and on. You can see just from this list that the things we find in the trash make our job of penetration testing or ethical hacking much simpler. I don’t have to brute force a password when it’s found in the trash. I don’t have to guess a table or field name to attack when I have the entire database schema in front of me.

The lesson here is shred everything. Things like vacation schedules don’t appear on the surface to be sensitive information. However they are very helpful in social engineering engagements. Other seemingly innocuous information is just as valuable. Shred it all. Oh…one more thing. Everyplace we found the information in the list above… they had a shred policy in place. How well is yours working?

As you read in one of my recent posts, social engineering is used frequently by hackers to aid in their attacks. Social engineering is simply the practice of using human nature to gain trust and then utilizing that trust for malicious purposes.

Getting someone to tell you their password can be a lot easier than trying to create a brute force attack against a protected system. Often it is also safer as it can be hard to detect or identify social engineering attacks. Flying under the radar and having your attack go undetected is the sign of a seasoned pro.

During recent social engineering testing engagements we created a phishing email scheme to test how well an organization’s security awareness training was working. We created a fake health insurance company and threw up a website with a logo and registration page. We sent links to this website via email and told people their company was changing its health plan and they needed to check out the site. It was such a terrible website that even some of the demo content from the content management system was on the home page. If you clicked any link on the home page it took you to a page that was completely demo content. “Welcome to Joomla…thanks for installing the CMS….etc., etc. etc.”

Guess what? Nearly 30% clicked on the link and visited the site. We even had people register on the fake website to “learn more”. Now we have usernames and passwords. Anyone want to bet at least one of those passwords is the same as a domain password for the organization?

Now here’s the really sad part. I had been onsite a week before and had an informal conversation with a handful of people in the employee break room regarding information security. We specifically talked about phishing emails and two of those people fell into the trap anyway. Security awareness training needs to continue. We’ve made progress over the years but we’re getting lazy. Reviewing the same warning email or poster on the wall isn’t cutting it. We need to get creative and keep it fresh if we ever hope to keep up. Hackers adapt to a changing environment. Are you?