Hackers Targeting Social Media Sites for Social Engineering Attacks

Hackers using Social Engineering attacks are getting much better at their craft, and people are making it very easy for them. A Social Engineer will use information gathered about a person, place or business in specially crafted attacks that play on people’s thoughts, beliefs or emotions.

But how do they get personal information that they could use against someone?

Drum roll please…

Social Media sites!

“No way”, you say, “I only give friends, colleagues and people I know access to my Facebook page.” Do you really? I mean come on, let’s be honest. We have all seen them, people with 500, 1000, even 2000 people or more on their friends list. Do they really know all those people?

People are human, and humans are always into popularity contests. It reminds me of the TV commercial where the daughter is sitting in front of her computer with hundreds of friends on her social media site. And she is making fun of her parents who have like 5 on their site, but then it shows the parents out kayaking (or something like that) with friends.

Hackers are using this very weakness of the human psyche to gain pertinent and sometimes very personal information about a person. But how you ask?

How about Linked-In? Do you get friend requests from people you have never heard of that “know you” from some website, have similar likes or dislikes, or attended the same conference? Hackers are gaining full technical backgrounds, co-worker names, titles and even full resumes using this very simple tactic.

It also works on Facebook. Except here, social engineers gain personal information about you. Everything from news about your family, your interests (sports, clubs, etc), heck some even go as far as to tell you their travel plans and even food preferences. Sometimes a lucky hacker will even get the daily itinerary of a very trusting individual.

How could they leverage this information in an attack?

Simple, from Linked-In they could craft an e-mail saying they are from some company that you worked with or for. Or from Facebook, that they are from your kid’s school or from one of the many clubs that you attend and have scheduling or other important “news”. All this in an attempt to get you to click on a link that heads to a malware infested site or to get you to run a PDF file that contains a backdoor trojan.

A friend recently received an e-mail supposedly from the technical support department for a product that he actually owned. It was about an important update and the link for the update led to a site that tried several browser exploits in attempts to install remote access malware. It was very believable, luckily the broken English in the e-mail made him think twice before he visited the site.

How do you protect yourself from these types of attacks?

It is always best to actually know or have met the person that you are allowing into your social media circles. Limit the level of personal information that you place on these sites. And be very careful telling people your schedules. Do your 2000+ friends really need to know that you will be out of the country for 2 weeks and what airline you will use and what hotel you will be staying at?

Just some things to think about. Hackers are getting much better using Social Engineering attacks. A little discretion will go a long way.

Security Onion Intrusion Detection System Basic Setup Tutorial

Security Onion is one of my favorite tools. Doug Burks did an amazing job pulling many of the top open source Network Security Monitoring (NSM) and Intrusion Detection System (IDS) programs. You can run Security Onion in Live CD mode, or you can install it and run it off of your hard drive.

It’s based on Xubuntu 10.04 and contains a ton of programs including Snort, Suricata, Sguil, Squert, argus, Xplico, tcpreplay, scapy, hping, and many other security tools. Sounds complicated right? Well, Doug has done the hard work in pulling all these tools together into an easy to use Linux distribution.

Run this on a system that has two network cards and you have a complete NSM/IDS system. One NIC connects to your network or the internet side of your traffic and records and monitors every packet that comes in or goes out of your system. The second NIC connects to your LAN side and can be used to remotely view and monitor intrusion attempts and security threats.

The exceptional basic setup video above was created by Adrian Crenshaw aka “Irongeek”. Adrian has always done an amazing job passing on information on the latest security tools and techniques. Irongeek.com has a ton of videos and security how too’s, check it out!

Hakin9 Magazine Features “Pulling Passwords from Memory Dump” Article

Hakin9 is well known in the security circles and is just a great magazine. It is known as “A magazine for IT security professionals by IT security professionals”. It covers some of the latest information on attack and defense tactics that are out there.

For those of you who are not familiar with Hakin9, the Worldwide IT Security magazine started in 2005 and is released 4 times a month:

  • Hakin9 (release date:1stof each month) – 50 pages of content dedicated to IT security, few regular columns written by specialists
  • Hakin9 Mobile (release date: 7th of each month) – 40 pages of content devoted to hacking and security of mobile devices and applications
  • Hakin9 Extra (release date: 15thof each month) – 50 pages of strictly topical content dedicated each time to different hot security topic
  • Exploiting Software (release date: 22nd of each month) – 40 pages of content dedicated to latest software exploits and security

This months Exploiting Software magazine has some interesting articles including:

Starting to Write Your Own Linux Schellcode
Buffer Overflow Exploitation A to Z
Anatomy of the Black Hole Exploit Kit
Hacking Applets: A Reverse Engineering Approach
The Gentoo Hardened Project: Or How to Minimize Exploits Risks

And, forgive me for some shameless self promotion, How to Recover Passwords from a Memory Dump.

How to Recover Passwords from a Memory Dump

Malware analysis is an amazing field. To be able to grab a memory dump from a live machine and then have the capabilities to pull useful information from it just amazes the author. Can we find pertinent system settings, and even pull information from them? Were you ever curious about what could be done with a memory dump of an active computer? This article is a short demonstration on how to acquire a memory dump from a running system, and then how to use tools to not only recover the system password hashes from the memory dump, but also how to decode them.

The Hakin9 article I wrote is based on the memory forensics topics & hash cracking posts that have been covered recently here on CyberArms. I am pretty excited about it, and hope you like it too.

Check it out!

Hacking PLC SCADA Systems Easy as Pushing a Button

Interesting news yesterday from Digital Bond and Rapid 7, PLC exploits have been added to the Metasploit security testing platform. HD Moore developer of the Metasploit project had this to say on Twitter:

According to the Rapid 7 Blog the following exploits that target General Electric’s D20 PLCs have been added to Metasploit:

  • d20pass : This module leverages a pretty major information disclosure for the device — turns out, anyone who connects to the TFTP server on the D20 can snag the complete configuration for the device, which includes plaintext usernames and passwords. This module does just that — downloads the configuration file, parses out the credentials, and stores them in Metasploit’s database for reuse.
  • d20tftpdb : This module demonstrates an asynchronous backdoor functionality in the D20 via the TFTP interface. Again, in an unauthenticated way, anyone can connect to the TFTP server, and issue command by writing to a special location on the filesystem. Also again, this is a pretty big deal. Note that this module is currently still in the unstable Metasploit branch pending a little more QA work on getting this (pretty unique) command and channel all nice and automated. As is, though, it works just fine for demonstration purposes, and if you have some of these PLCs in your environment, you are encouraged to investigate this more (and send patches!).

With the media hype of “CyberWar” and the news of hacker attacks against critical infrastructure systems, this is a shocking move by the Metasploit team. But maybe that is what they intended.

Metasploit is used for network security and penetration testing and it is very good. There are automated options that you can use with Metasploit that will try numerous exploits against a system, and give you a remote shell if one of them works. Taking this technology  and adding in PLC exploits is truly scary, or should I say, push button easy.

Just last month the FBI released the news that infrastructure systems of three US cities were hacked:

“We just had a circumstance where we had three cities, one of them a major city within the US, where you had several hackers that had made their way into Scada systems within the city.” And, “Essentially it was an ego trip for the hacker because he had control of that city’s system and he could dump raw sewage into the lake, he could shut down the power plant at the mall – a wide array of things.”

The problem is, even though people who run PLC devices in a SCADA environment have had years of warnings, many systems are still woefully unprotected, some even using default passwords. And many of these systems can be found using simple online search tools.

Most likely the thinking behind publicly releasing a tool to automate PLC exploits is that it will force companies to lock down their SCADA systems, as Dale Peterson, founder of Digital Bond states:

We felt it was important to provide tools that showed critical infrastructure owners how easy it is for an attacker to take control of their system with potentially catastrophic results. These attacks have existed in theory for a while, but were difficult to demonstrate to a Plant Manager. By creating exploit modules for the most widely used exploit framework – Metasploit – we hope that security professionals in critical infrastructure companies, consultants, and penetration testers will prod vendors to add basic security measures to PLCs after decades of neglect.”

Hopefully this tactic works and the good guys are the ones using the tools.