I took the "Achieving Security Awareness Through Social Engineering Attacks" course at Black Hat this year!
“Achieving Security Awareness Through Social Engineering Attacks” #BHUSA Training taught by @jaysonstreet & @aprilwright will use current Red Team strategies to develop a better understanding of how attackers use SE https://t.co/yuojeClInS— Black Hat (@BlackHatEvents) June 2, 2018
It was eye-opening, tremendously interesting, and fun! It was facilitated by Jayson Street and April Wright. Jayson gets paid by companies to break into their own facilities through Social Engineering. He shared many crazy stories, like the time he gained full access to a bank in Beirut in two and a half minutes.
Here’s a summary of what we discussed in the training, along with key takeaways:
OSINT and Social Media
“Information doesn’t have to be secret to be valuable” ~ CIA
One of the key elements of Social Engineering is Open-source Intelligence (OSINT), which is insight produced from data collected from publicly available sources. If you don’t have proper privacy settings in your social media accounts, the information you put there is public.
In class, we discussed the case of a guy named Travis who put pictures of his badge, passport, plane tickets, job title, workplace and even emails on Instagram.
We analyzed how someone who overposts on social media could be targeted, and it’s not a surprise that it’s relatively simple. We also talked about tools and techniques to get and find relevant information.
There was an exercise about drafting (not sending) a spear phishing email in 1 hour targeted at someone in our organization using OSINT. Nobody used their own workplace and nobody said where they worked, but we completed the task with good results.
Takeaway #1: Review your privacy settings and don’t post private information on social media. Open-source Intelligence tools could be used to mine your data and create phishing opportunities.
WiFi Pineapple and Bash Bunny
As part of the training, they gave us some interesting gadgets from Hak5 including a WiFi Pineapple and a Bash Bunny. They are tools meant to be used for penetration tests, and they have many pranks that can help with Security Awareness programs by showcasing their associated dangers in safe and controlled setups.
We also got a Packet Squirrel as an extra gift!
The WiFi Pineapple is a Wireless Auditing tool that can work as a Man-in-the-middle platform. Among other things, it allows the owner to intercept an open WiFi connection and inspect and modify HTTP traffic, redirect the user to a malicious site, or impersonate a public WiFi network the device has connected to in the past.
For example, if you’re near a Pineapple while your phone has WiFi turned on and is actively looking for connections, all of a sudden you may connect to the airport network you used 6 months ago and a site may ask you to pay for the service. They mention it on the Silicon Valley TV Show.
This is the picture of a WiFi Pineapple Tower because… Black Hat.
Takeaway #2: Avoid open or public networks as much as possible, especially in crowded spaces. If you’re not in a trusted space, turn on WiFi only when you really need it.
The Bash Bunny is a USB attack platform that can emulate trusted USB devices like Gigabit Ethernet, serial, flash storage and keyboards.
We did a couple of experiments in the class: First, we used a “prank” payload that rickrolls the target at a specific date and time. It took less than 20 seconds to deliver this payload.
Then we tested a “recon” payload and we could get the full terminal history, clipboard content, system users, ifconfig, WAN IP, and all installed applications. This took a little bit longer, but it was still fast and the computer was in sleep mode.
Takeaway #3: Don’t plug in random USB drives and be cautious when working in public spaces.
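A device like the Bash Bunny shows up to the operating system as a composite gadget that enumerates several functions at once (keyboard, Ethernet, storage, serial). As an added defensive illustration that is not part of the course material or any Hak5 code, the script below scans dmesg-style kernel lines for a single USB device exposing a keyboard together with other functions; the log lines, vendor/product ids and device names are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed dmesg-style lines for illustration; the vendor/product ids
# and device names are placeholders, not real Hak5 identifiers.
SAMPLE_DMESG = """\
[ 100.01] usb 1-1: New USB device found, idVendor=1234, idProduct=abcd, bcdDevice= 1.00
[ 100.02] usb 1-1: Product: Composite Gadget
[ 100.20] input: Composite Gadget Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-1/1-1:1.0/0003:1234:ABCD.0001/input/input20
[ 100.30] cdc_ether 1-1:1.1 usb0: register 'cdc_ether' at usb-0000:00:14.0-1, CDC Ethernet Device
[ 100.40] usb-storage 1-1:1.2: USB Mass Storage device detected
[ 100.50] cdc_acm 1-1:1.3: ttyACM0: USB ACM device
[ 200.01] usb 1-2: New USB device found, idVendor=5678, idProduct=0001, bcdDevice= 2.00
[ 200.20] input: Plain Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.0/0003:5678:0001.0002/input/input21
[ 300.01] usb 1-3: New USB device found, idVendor=9abc, idProduct=0002, bcdDevice= 1.10
[ 300.20] usb-storage 1-3:1.0: USB Mass Storage device detected
"""

# Interface ids look like "1-1:1.0"; the part before the colon names the device,
# so every interface of one physical gadget shares the same prefix.
IFACE_RE = re.compile(r"\b(\d+-[\d.]+):\d+\.\d+\b")

# Kernel driver / subsystem markers and the device function they imply.
CLASS_MARKERS = [
    ("keyboard", re.compile(r"\binput: .*[Kk]eyboard")),
    ("ethernet", re.compile(r"\b(cdc_ether|rndis_host|cdc_ncm)\b")),
    ("storage", re.compile(r"\busb-storage\b")),
    ("serial", re.compile(r"\bcdc_acm\b")),
]

def classify_devices(log_text):
    """Return {device_id: set(functions)} collected from dmesg-style lines."""
    classes = defaultdict(set)
    for line in log_text.splitlines():
        m = IFACE_RE.search(line)
        if not m:
            continue  # lines without an interface id carry no function info
        for name, pattern in CLASS_MARKERS:
            if pattern.search(line):
                classes[m.group(1)].add(name)
    return dict(classes)

def suspicious_devices(log_text):
    """Devices that present a keyboard together with any other function."""
    return {dev: funcs for dev, funcs in classify_devices(log_text).items()
            if "keyboard" in funcs and len(funcs) > 1}

if __name__ == "__main__":
    for dev, funcs in suspicious_devices(SAMPLE_DMESG).items():
        print(f"ALERT: USB device {dev} enumerated as {sorted(funcs)}")
```

A plain keyboard (device 1-2) and a plain flash drive (device 1-3) are left alone; only the composite gadget at 1-1 is reported.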
Conclusion and Other Takeaways
We talked about other topics such as policies, security awareness programs, memes and the importance of repetition during training. These are the top 10 Takeaways of the experience:
Review your privacy settings and don’t post private information on social media.
Avoid open or public networks as much as possible, especially in crowded spaces. If you’re not in a trusted space, turn on WiFi only when you really need it.
Don’t plug in random USB drives and be cautious when working in public spaces.
Clickbait is widely used in social engineering, don’t trust it.
Before running phishing campaigns, there should be policies and formal training in place.
Although potentially controversial, hard-to-spot spear phishing emails create a more impactful “teachable moment” (as Jayson says).
Certain topics of Security Awareness training should be tailored by role. An organization should have a site that groups all this information, and internal security-focused newsletters could be useful as well.
Controlled live demos with tools like the WiFi Pineapple and the Bash Bunny help raise security awareness.
Prizes and gamification support these efforts.
It is important to always explain the purpose of the training, demo or campaign. We don’t ever want you to fail, we want to empower you and help make you one of our strongest lines of defense:
Auth0, a global leader in Identity-as-a-Service (IDaaS), provides thousands of customers in every market sector with the only identity solution they need for their web, mobile, IoT, and internal applications. Its extensible platform seamlessly authenticates and secures more than 2.5 billion logins per month, making it loved by developers and trusted by global enterprises. The company's U.S. headquarters in Bellevue, WA, and additional offices in Buenos Aires, London, Tokyo, and Sydney, support its global customers that are located in 70+ countries.