Author: Roman Romachev, CEO, The Private Intelligence Company “R-Techno”, http://r-techno.org

FOR THREE YEARS THE US HAS BEEN HOME TO A RATHER EDUCATIONAL ANNUAL EVENT: A SOCIAL ENGINEERING CONTEST THAT WOULD PROBABLY BE WORTH A VISIT FOR TOP MANAGERS AND CHIEF SECURITY OFFICERS FROM LARGE RUSSIAN COMPANIES.

Many companies today are obsessed with IT security while clearly underestimating the risk of confidential corporate data leaking through a regular phone call. Business intelligence professionals refer to this phenomenon as HUMINT, human intelligence. It is often the company’s own employees who are the weakest link in the security system the company has built.

The American social engineering contest is part of Defcon, a large hacker convention held in Las Vegas. The event has a rather civil focus: while IT hackers probe IT security systems for their weak spots, social engineers “hack” large American corporations by engaging their employees in phone conversations and extracting corporate secrets from them. All of this happens in front of guests, some of whom rank rather high; among them are senior officials from the FBI, NSA, US Department of Defense and Department of Justice. What I find interesting is that the social engineers achieve their goal faster and more efficiently than their IT counterparts, and sometimes even help them out with tips for an efficient computer attack on the target company.

The contest has a simple procedure. The organizers distribute a list of ten organizations picked at random from the Fortune 500 ranking, and a list of flags: the data that the competitors must obtain. The hackers have two weeks to choose their target, research it using publicly available data, analyze its weaknesses and develop a legend (a cover story).
During the contest they take their places in a transparent soundproof booth set on a stage and have the phone number dialed for them, with the conversation played through speakers so the audience can follow the hacker’s social engineering skills. Each hacker has 20 minutes to collect as many points as possible.

Many episodes of the latest contest, held in June, could be included in competitive intelligence anthologies. John Carruthers, who chose to attack the Target store chain, was the first of the competitors to claim the lead. During the time allowed he interacted with several IT officers from stores all over the country, posing as a systems administrator for a Target data center in Minnesota and asking why they hadn’t deployed an important patch to the company’s supplier software. While getting ready for the contest, John Carruthers noticed that in building its website Target had unwittingly made public an important piece of corporate information: internal store IDs. They ended up included in the URL of the respective page of every store within the chain. Whenever a Target employee expressed doubt about whether they were actually talking to their company’s systems administrator, he would simply quote the store’s ID, and that was enough to make the ‘friend-or-foe’ check work in his favor and the rest of the call go like clockwork. Competitors posing as market-research analysts or journalists found the task more difficult.

The championship of the contest was, for the second time, claimed by Shane MacDougall, who impressively pulled to pieces the security of a Wal-Mart store located in a Canadian town.
Shane called the store manager and posed as a logistics executive from Wal-Mart headquarters. He said he would be visiting the town soon, as he was selecting ‘pilot’ stores for a program that would implement a large government contract about to be awarded to Wal-Mart, but wanted to clarify certain operating details on the phone first. Falling for the legend, the store manager started giving up the flags one by one, lightly and without a shadow of doubt, even blurting out many things he was not asked about: the shift schedule, the OS and antivirus software installed on his office PC, the name of the cleaning services provider, the personnel compensation scheme, etc. Finally, MacDougall asked him to go to an external website and fill in a questionnaire there (“To help me get ready for the trip,” MacDougall said). The store manager was willing to do that as well; the only reason he couldn’t was that the corporate IT system had blocked the website recommended by the hacker.

Following the successful hack, MacDougall told CNNMoney reporters that his favorite targets are sales employees: “As soon as they think there's money, common sense goes out the window.” The winning hacker went on to voice another important idea: “I see all these CIO that spend all this money on firewalls and stuff, and they spend zero dollars on awareness.”

Social engineering is a very old phenomenon, but its ‘heroes’ usually choose to stay in the shade. The competitors of this social engineering contest are exceptions. In fact, most of them are professional security ‘auditors’ working for large corporations and are therefore interested in demonstrating their skills to the public. If I were to name a famous social engineer of America’s past who did not shy away from using morally ambiguous methods to his advantage, the only name to come to mind would be the legendary editor of Chicago’s American, Harry Romanoff.
He managed to source almost all of his sensations via the phone, posing as the chief of police, the governor, or the chief of a fire department. (History tells of a ‘Romanoff’s mistake’ he made when he called a house that was a crime scene where an investigation team was working. “This is Coroner O'Bannion. How many dead ones you got?” Harry asked. After a pause, the voice replied, “No, this is Coroner O'Bannion. Who the hell are you?”)

The business community must realize that the work of today’s social engineers is much easier: it is easier to target an employee, to collect a dossier, to understand the professional and personal relations within a corporation, the hierarchy of its business divisions and its corporate culture. They have access to social networks where the majority of employees, from juniors to seniors, have personal accounts. There they can take their time to interact with their target and learn the target’s professional language, so as to speak the same language to them.

Other social engineers choose not to go the obvious way and do not try to obtain confidential information from the most obvious source in the company. It is not necessary to target an IT officer to learn about IT security, or the accountant to learn about the company’s finances. A classic example of business intelligence is to use a cleaning lady who removes waste paper from the waste basket in the CEO’s office. Such waste paper can be a source of commercially important information.

Phone calls are an extremely convenient tool for a social engineer. As long as the information obtained is not used to the detriment of any particular person or the company, the social engineer bears no criminal responsibility: it is not illegal to talk to someone. In this case, the other party to the conversation must be mindful of their own responsibility.
For example, if an accountant discloses, even unwittingly, any data on the phone that then ends up in the possession of the company’s competitors, such an act can result in criminal prosecution under the Federal Law “On Trade Secrets”.

IT IS THE COMPANY’S OWN EMPLOYEES WHO OFTEN ARE THE WEAK LINK IN THE CORPORATE SECURITY SYSTEM. THAT IS WHY, EVEN IN THIS IT-DRIVEN EPOCH, IT IS CRUCIAL TO REMEMBER THAT YOUR COMPETITORS CAN USE HUMAN INTELLIGENCE TO GET TO YOU.

A rather typical situation: an accountant receives a call from a man claiming to be an official of a statistical agency, who asks the accountant to reply to an inquiry sent to the corporate mailbox. The document raises no suspicion, as it is drawn up in accordance with all the standards. What happens next can go different ways. One accountant will probably reply to the inquiry and unwittingly send it to the company’s competitors. Another will demand an original copy and call the agency to find out why it sends its inquiries via e-mail… Guess which scenario is the right one.

It is important to understand that technology-based security will not guarantee protection on its own. Apart from the expensive and complex IT systems, the people working in a company should be responsible for the protection of its data. That is administrative security, which requires continuous awareness development. Any company must have written regulations on the management of confidential information, and every new employee must sign a non-disclosure agreement when hired. There must be corporate training sessions or seminars at least once a year. Company management must clearly state what constitutes confidential information and how it should be protected. Education is the way to prevent data leaks.

Social networks have long become the place where black-hat hackers carry out their ‘human research’.
There have been instances when they created an account posing as the director general of a company and started actively networking with the employees, extracting the information they needed. Certainly this kind of hack works best with companies where management is somewhat distanced from its employees, either in terms of geography or in terms of management hierarchy. In that case there is no risk that the director will learn about ‘his’ interaction with the employees online. Prudent management makes sure that its staff ignores the fake account by making the director general’s confirmed account known to them. And it works. But a hacker can just as easily create an account for the manager’s wife and interact with everyone related to the company, gradually finding out more and more.

So how can a company protect itself? The solution is to maintain the highest level of awareness within the company, ensuring that the staff have a general idea of whom to correspond with and what topics to discuss.

Source: www.business-magazine.ru/trends/darkside/pub346254 Published in Business Magazine Online, September 10, 2012.
Tuesday, February 12, 2013
Phone Rippers
Posted by Roman Romachev at 12:24 PM | 0 comments
Labels: Anonymous, hacker, Roman Romachev
Tuesday, March 15, 2011
Russian Amateur 'Web Detective' Interviewed on Successes in Finding Criminals
Material in the World News Connection is generally copyrighted by the source cited. Permission for use must be obtained from the copyright holder. Inquiries regarding use may be directed to NTIS, US Dept. of Commerce.

In the United States everybody knows about people once they have broken the law. If a gently smiling neighbor has served a sentence for rape, people are immediately warned: Bear this in mind, be careful. In Russia there might be drug dealers living in the next-door apartment -- the entire apartment block will know about it, but the neighborhood policeman will not have a clue. Our agencies are not coping with hunting down criminals, and so officials from the central Interpol bureau requested assistance from World Wide Web users because "in our time it is possibly much simpler in some cases to find a criminal on the Internet than in real life." The success of Roman Romachev, who found eight individuals in four hours, exceeded all expectations. The Web detective talked to Moskovskiy Komsomolets reporters about his know-how.

[Goncharova] Roman, why did you respond to the appeal from the international police force?

[Romachev] I decided that it was interesting and that I could be useful because I have been professionally involved in business intelligence on the Net for seven years now. In four hours on a popular social network I found eight individuals on the international wanted list being hunted not only by Interpol but also by the Republic of Kazakhstan Financial Police and the Republic of Belarus State Control Committee.

[Goncharova] But it is possible to "encrypt" yourself, to post a fake photo...

[Romachev] I found not fakes -- that is, people who register under assumed names -- but real people on the wanted list. There were very good-quality photographs of them on the social networking site -- unlike the ones posted on the Interpol website and other law-enforcement agencies' sites. They openly identify their friends and constantly visit the site without fear of the law-enforcement agencies. I made screenshots from which it was clear that, for example, they were either "visiting" the social networking site at that moment or had been there the previous day. That means it is not difficult to find these people.

[Goncharova] What did you do with this dossier?

[Romachev] I decided to send it on to the proper destination -- to the Russian National Central Interpol Bureau. Thanks to my long-standing FSB [Federal Security Service] connections and personal acquaintanceship with some high-ranking Interpol officers I made direct contact with the leader of the department that handles people on the international wanted list and talked about the situation. Particularly about the people that I had found. To begin with his response shocked me: He said that they had no such criminals on their database. We agreed to meet, and the following day I went to the National Central Interpol Bureau. I telephoned downstairs. He confirmed that, yes, such people were on the database.

[Goncharova] What kind of people are we talking about?

[Romachev] There are two criminals who are being hunted by Costa Rica for committing a murder. There is Mariya Kortina, who is being pursued by Interpol for the illegal acquisition, storage, and manufacture of narcotic substances and at the same time is relaxing on a beach in Spain with her family. And Konstantin Perepyatenko, who is being sought by Interpol on suspicion of crimes against the person's life and health, is currently living in Germany.

[Goncharova] Have they been arrested?

[Romachev] No. The site indicates that Mariya is living in Spain; as she has Russian citizenship, the criminal should be extradited to our country. But this is not happening for some totally unconvincing reason. Perepyatenko, however, has dual citizenship, and in accordance with the law Germany is not obliged to extradite him; plus he has now been sentenced to one year there for causing grievous bodily harm. There is a complex system of interactions between countries. In Russia the question of extraditing individuals who have committed a crime is generally under the jurisdiction of the General Prosecutor's Office. All of this is clear and obvious, but I was struck by something else. That Interpol had absolutely no interest in the information that I had collected. They were not interested in the high-quality photographs. And the officials' tone was condescending: Leave us in peace, they said, this is of no interest to us.

[Goncharova] But are you not afraid? These are serious people, the international police are not pursuing them just for the fun of it.

[Romachev] There are definite fears. So I am not identifying the pages of the two citizens who are being pursued for murder.

[Goncharova] If you found eight individuals in only four hours, why can police officers not cope with this task?

[Romachev] Our agencies are still very badly equipped. Many people simply do not know how to utilize modern technologies. I fussed like an old hen over the dossiers that I had collected. In this connection all civil initiatives in Russia encounter bureaucratic obstacles and passivity on the part of representatives of the law-enforcement agencies.

[Goncharova] Did you look only on one social networking site?

[Romachev] Yes. On it the owners of pages indicate their age -- this is convenient: Birth dates are indicated in police files. Although I do not rule out the possibility that quite a few other people are to be found on other social networks that are more popular, incidentally.

[Goncharova] You said that, in addition to the criminals that you found for Interpol, there were also criminals from Kazakhstan and Belarus. Are these states' law-enforcement agencies interested in their whereabouts?

[Romachev] In Belarus futile attempts were made to get through on the phone and convey the information. I asked a journalist acquaintance to obtain an official comment -- she was directed to the press service, where the telephones remained silent. But in terms of Kazakhstan things worked out very productively, you might say. The people there were very interested in my information. They started to telephone regularly and consult about how to put together a request to the social networking site and how to track down lawbreakers through their IP address. The representative of the Republic of Kazakhstan Financial Police begged me not to name the criminals because detective measures are currently in place, and he also promised that in the future he will approach me for assistance in tracking down other violators.

[Goncharova] Are volunteer assistants' efforts rewarded in some way?

[Romachev] Not in Russia. But in the United States the FBI pays a bounty for hunting down a criminal. If you remember the old westerns in which a substantial sum is offered for a criminal's head and a posse hunts him down, the situation nowadays has virtually not changed -- it is a lucrative business. There is a list on the FBI website of who is on the wanted list and how much will be paid for finding him. The FSB announced a reward for information about the suicide terrorists who blew up the Moscow metro, but this was a one-off action and, to the best of my knowledge, this money has not been paid to anybody.

[Goncharova] Roman, do you intend to continue your "headhunting" in the future?

[Romachev] Yes, this process has engrossed me very strongly. As the saying goes, "there is no such thing as a former [silovik]," and so, even on ceasing to serve in FSB agencies, I am continuing to stand guard over the economic security of the state, trying to protect entrepreneurs from relationships with fraudsters. In the West this business is very profitable because it is actively supported by the state. Some 70% of intelligence bureaus work for the state on an outsourcing basis.
Posted by Roman Romachev at 10:55 AM | 0 comments
Labels: interpol, private intelligence company, R-Techno, Roman Romachev
Friday, March 4, 2011
Blabber is a godsend for Facebook
- I’ve been fired! - my friend Helen is crying on the phone. - For nothing!
- Is it really for nothing?
- The boss said that I’m wasting too much time on Facebook.
For less advanced users, let me explain: Facebook is a social network resembling a diary, where you can make a note of everything that happens to you: events, impressions… Your notes can be seen only by your friends, the people to whom you grant access.
I open Helen’s page and what do I see? Every hour, and even more often, the girl posts about everything that happens to her. She is given the task of preparing a report; instead of doing it she is jotting on the Internet: “I was asked to write a report! Long and boring.” So it is not very hard for competitors to find out what Helen’s department is doing, its work schedule and, most interesting of all, to learn the staff’s characteristics first-hand.
Yet Helen also hit upon the idea of adding her immediate superior to her friend list! So she was pounding the keys and snitching on herself.
As it turned out, not only Helen…
Excessive social activity on the World Wide Web can play a bad joke even on a successful career. Every third Russian firm has dealt with an information leak through the Internet (source: HeadHunter), even though three out of four companies have strict rules about confidential information. But how can one refrain if Facebook and Twitter are “freezing” without news? (It is said that there is a social network addiction disorder: a person can’t take a step without informing the Internet about that momentous event!)
Besides the loss of confidential information, superiors don’t like employees being too busy with personal matters during working hours, i.e., getting sloppy!
In 32% of organizations everything that goes out by e-mail or is spread on social networks is watched intensely. Monitoring of employees’ blogs is in place in 24% of organizations.
Theoretically, leaking information from a work computer (or taking it out on some other medium) is not so easy. But when a person gets home, he or she may share thoughts in a blog or on a social network, and then the chances that the act goes unnoticed by the boss increase. Companies are becoming more and more afraid of their employees putting their foot in their mouth.
- Social networks are a good place for preliminary information gathering in business intelligence, - Roman Romachev, an expert, told “KP”. - There are no graveyards there, but it often becomes clear which side is getting close. All the conditions are there: more than half of users are ready to write something about their job on the Internet. For example, that the boss is not a very good person. 30% of respondents made a clean breast of having written, without any malice, online notes containing inside information about their work. And women are more talkative: 37% of unauthorized information is spread by them.
And about 31% of workers are ready to snitch on colleagues who have lost their inhibitions.
Companies’ counterintelligence still lags behind in efficiency. Only 10% of organizations apply educational measures to their too-talkative employees.
But only until the time comes… Dismissals of too-talkative workers have already begun, though little by little: it is not easy to find a corresponding article in the labor code. There will be more fun to come.
COMPETENTLY
“You can’t hide on the Internet,” says Yuri Virovets, HeadHunter’s President.
- Social networks have smashed the idea of a private life. People often reveal information about themselves that state and financial organizations are trying to conceal. And that’s the problem: many people have difficulty feeling the difference between their private and professional lives. When a person’s thoughts, ideas and actions become well known to everybody, including the company where he works, the consequences may vary a lot: it may be both an immediate career rise and a quick firing.
There is no recipe for making peace between a career and being open on social networks. The main thing is to remember that on the Internet information doesn’t disappear. And you can’t hide behind a tricky nickname: it is very easy to reveal the real author. The Internet is a public place and it is necessary to behave there according to your status in real life.
BY THE WAY
Nudity hinders a career
- Social networks reveal a lot of information about the private lives of an organization’s employees, - says Timur Iosebashvili, director of joblist.ru, a site for jobseekers. - One big financial company didn’t hire a department director because the HR department had found his beach photos on the Internet. It might seem, what is the problem? But these photos can be seen by everybody. And that means they may be seen by partners or clients, and it will affect the company’s image.
For lesser mortals the requirements aren’t so strict. It is unlikely that anyone will fire an accountant because of his or her photo in a swimsuit, or even without one, on the Net.
There is a statistic in the USA: 70% of commercial secrets can be charmed out of people, frequently with the help of the Internet. To protect themselves somehow, employers block access to instant messengers such as ICQ, G-Talk, Jabber and Yahoo IM, to social networks (VKontakte, Odnoklassniki and Facebook) and to blogs. This does succeed in reducing the amount of leakage. But it is natural for people to communicate with each other, and work is one of the most popular topics of conversation. Whether in an in-person meeting or in Internet communication, any information or opinion an individual has may be revealed voluntarily or involuntarily. Information doesn’t dissolve on the Net but accumulates, so sooner or later it may come into competitors’ hands.
GOT CAUGHT
If you have a blog, close it!
Last summer, Ekaterina Serebryakova, Marketing and Advertising Director of the Don Plaza congress hotel, lost her job. The PR specialist and journalist from Rostov thinks that the cause of her firing was the criticism of the company and its directors expressed in her blog. Notably, it was not only the hotel that suffered from her harsh remarks, but also a company working on improving the image of the whole Rostov region.
And in the UK at the end of January, Katie Furlong, a former debt consultant at the Royal Bank of Scotland, lost 6 thousand pounds (approximately 300 thousand rubles) because of her excessive sociability. She was included in a planned job cut and was going to receive a solid redundancy payment. She didn’t delay in writing about it on Facebook. When the bank’s management found out, Katie was fired for another reason: for violating the secrecy declaration. And no payment was made.
Posted by Roman Romachev at 3:08 PM | 0 comments
Labels: business intelligence, Roman Romachev, social networks