
Social & Physical Security

Social Engineering, and Physical Security

W. Owen Redwood, Ph.D.


Offensive Computer Security 2.0
http://hackallthethings.com/
Outline

PART I: Social Engineering

● Basics of Social Engineering in Pentesting
● Fundamentals of Intelligence
● Intro to Evolutionary Triggers
● Harvard Compliance Study
● 6 (Widely-Exploited) Social Quirks of Human Brains
● Defense Discussion

PART II: Physical Security

● Locks
● Lockpicking
● Lockpicking mitigations / defenses

PART III: About Physical Access

● Below the OS layers & Inside the Mobo bus
● Ethernet over Powerlines & Bypassing security systems
● BacNET systems
Ethical Disclaimer

1. This lecture is part of the Offensive Computer Security 2.0 course. You must
watch lecture #1 for discussion on ethics if you are new.
2. The primary difference between legal hacking and illegal hacking is:
○ PERMISSION
i. If you do not have permission to do whatever you have in mind to the target, it is likely
illegal. Therefore you SHOULD NOT do it whatsoever.
1. This applies to cyber techniques as well as social and physical techniques.
3. The topics and techniques discussed in this lecture are for professional
penetration testing and personal / organizational security.
○ The vast majority of cyber attacks involve social engineering components.
i. It is imperative that we discuss how to prevent becoming a victim.
PART I:
Social Engineering
W. Owen Redwood, Ph.D.
Offensive Computer Security 2.0
http://hackallthethings.com/
Social Engineering

Social Engineering:
● Any act where you try to manipulate a person to accomplish a goal, and that
goal may or may not be in the target's interests
○ Various types:
■ Phishing email
■ Phone calls
■ In-person social engineering
○ often goes hand-in-hand with OSINT reconnaissance
Reconnaissance

Reconnaissance:

● Exploration/probing to discover vital information about enemy
forces/resources and enemy terrain, for later analysis and/or dissemination

OSINT - Open Source Intelligence
SIGINT - Signals Intelligence
HUMINT - Human Intelligence


Pen Tester Cycle

Social engineering can enhance any stage. Stages shown in the cycle diagram:

1. Recon
2. Scanning / vulnerability assessment
3. Gaining Access / Exploitation
4. Privilege Escalation & maintaining access
5. Post Exploitation (cover tracks &/or pivot)
Reconnaissance

● OSINT - Open Source Intelligence
○ Internet searches
■ company website
■ social media
■ public records
■ DNS Records
○ Internet archive searches
■ the Wayback Machine
● http://archive.org/web/web.php
○ Company News & partners
■ upcoming mergers, department outsourcing, …
○ Patents
■ Great for hardware RE
Reconnaissance

● SIGINT - Signals Intelligence
○ Wi-Fi scanning, looking for access points
○ SMS Eavesdropping
○ GPS tracking
■ smart phones can easily be tracked
■ BYOD = terrible for organization security

● HUMINT - Human Intelligence
○ Social Engineering
Intelligence Gathering

Observables:

● Direct Observations
● Indirect Observations
● Inferential Observations
Variables:

● Knowns
● Known unknowns
● Unknown Unknowns

What matters:

● Actionable intelligence
Evolutionary Triggers
Evolutionary Triggers

● Our brains are not optimized for modern society
○ optimized for small tribal groups
■ endemic to the African plains
■ you might meet 4-5 strangers in your entire life
■ you would know 40-50 people at most in your life
Evolutionary Behavior

● Crocodile & Plover
○ Plover bird cleans the Crocodile’s teeth
○ Evolved (symbiotic) trust relationship
■ Crocodile does not eat Plovers
● No quiescence dance; scientists are not sure of the trigger.
● Instead crocs wait with mouth open as an open invitation
Evolutionary Behavior

● Grouper & Cleaner fish
○ Quiescence dance (the trigger)
○ evolved instinctual behavior on both sides
■ evolved trust relationship
Evolutionary Trigger Exploitation: Mimicry

● Mimicry
○ Batesian mimicry
■ prey vs predator
○ Müllerian mimicry
■ poisonous prey vs predator
○ Aggressive
■ predator vs predator

● Sabretooth Blenny
○ Aggressive Mimicry
■ Sabretooth Blenny learned the Quiescence dance
● Feeds off grouper
Evolutionary Trigger Exploitation: Mimicry

“Look like you fit in”

● Fitting in w/ normal day to day
○ “Your boss called me to provide tech support”
○ Delivering flowers, packages, pizza
● Fitting in w/ scheduled or expected events
○ Regular delivery from vendor or other regular activity.
○ “Surprise” inspection (e.g. fire marshal, PCI compliance audit, etc.)
● Fitting in w/ crisis response
○ Extraordinary circumstances may cause you to drop your guard.
■ Visitor fakes heart attack
Persuasion: Exploiting evolutionary triggers
The Harvard 70's compliance study
● Goal is to study Compliance
○ what is the minimum we need to do/say to get someone to do us a favor?
● Experiment:
○ Subjects: Students
○ Time: Week of or before Midterms / Finals
○ Setting: Library
○ Approach: Grad students would approach people in the library who were ALREADY using the copier machine:
■ Experimental group: "Can I use the copier because XYZ?"
■ Control group: "Can I use the copier?"
Persuasion: Exploiting evolutionary triggers
Initial experiments:
● Control group: "I have 5 pages, can I use the copier?"
○ ~64% compliance
○ no reason given
● Trial 1: "I have 5 pages, can I use the copier because I am in a hurry?"
○ ~94% compliance
○ pretty good reason given
Persuasion: Exploiting evolutionary triggers
Research Opportunity:
● Can we vary the lameness of our reason and explore how it affects that
60%-94% compliance rate range?
○ explored more and more less-compelling reasons
■ results still yielded relatively high compliance, until ultimately...
Persuasion: Exploiting evolutionary triggers
● "Hi, I have 5 pages, can I use the copier because I need to make copies?"
○ 93% compliance
○ effectively no reason provided
■ logically equivalent to "Hi, I have 5 pages, can I use the copier?"
Persuasion: Exploiting evolutionary triggers
Findings:
● Magic word is "because"
○ Exploits an evolutionary trigger
■ like the sabretooth blenny
● Our brains are not optimized for the modern world
○ Small tribal life had few liars
■ liars would get exiled or shamed
6 (Exploitable) Quirks of the Human Brain

1. Reciprocity
2. Consistency
3. Social Proof
4. Liking
5. Authority
6. Scarcity

These quirks are widely exploited by marketing / sales / businesses.


Reciprocity

● Reciprocity Quirk: We tend to return favors, regardless of the original favor
○ even if we didn't want the original favor
○ Exploited commonly by charities
■ hand you flowers, a drink, snacks, or souvenirs before asking for donations
● exploits the temptation to give back
■ Doesn't work against Nigerian scammers!
● Exploiting Reciprocity during Negotiation
○ Make a concession, and ask for one in return
■ concession might even be irrelevant
○ Exploited commonly in bartering
■ Offer outrageous first price, then concede down to a reasonable price
■ Even when people get ripped off, if a concession is made they end up feeling happier about it
● Exploiting Reciprocity for initiating tricky conversations
○ "Hey I fixed the printer for you... Say, is this a good time to talk about my performance evaluation?"
Consistency

● Consistency Quirk: We try to be consistent with prior actions, even if the
reasons for the original actions have changed

● Charities exploit this
○ Survey, then call 2 weeks later

● Salesmen exploit this
○ get you to start filling out a form before asking you to commit
■ surprising how much info they can get just by asking before asking you to decide
● name, address, DOB, SSN...
■ Brain unconsciously makes a commitment to that, and tries to stay consistent
● even if the terms change
Social Proof

● Social Proof Quirk: We try to do and think what
other people who seem like us do and think.
● Laugh tracks
○ even work when people know they are in place and know about this trick
● Crowd Theory
○ People behave like the majority of the group
■ This is how riots start.
● On their own, individuals usually do not:
○ go protesting by themselves
○ burn cop cars by themselves
○ loot, vandalize, etc.
■ Don't have a heart attack in a group
● people collectively freeze, waiting for someone else to take charge
Social Proof

● Social Proof Quirk: We try to do and think what
other people who seem like us do and think.
● Group Subversion
○ Manipulating groups by steering the notions of acceptability by spoofing social proof.
■ Very easy with botnets. Captcha only slows it down.
○ Your competition can maliciously exploit this:
■ Malicious/Fake Reviews
● Famous faked Tesla car reviews
● Sometimes part of ransom attacks / scams on small businesses
○ ALERT! X number of bad reviews about your company! Pay our service to help fix them!
■ Scammers actually targeted you beforehand with the planted reviews
● Customers turned away from products by bad reviews from others that seem or sound like them.
■ Concern Trolling, Shilling, Astroturf services, etc.
■ Demoralization
Liking

● Liking Quirk: We tend to cooperate with someone who seems to like us
○ Good cop, Bad cop
○ Salesmen: "Your friend suggested I call you"
○ Studies show that inaccurate/bad flattery works just as well as accurate flattery
■ even absurd flattery
● "That's a nice tail you have!"
■ The brain interprets the very attempt at flattery as flattering
Authority

● Authority Quirk: We'll cooperate with someone who seems to be in charge.
○ "I'm not a doctor, but I play one on TV"
■ Maxwell House coffee
○ Sometimes follow orders too closely, too literally
○ labcoats
○ badges
○ security / staff shirts
Scarcity

● Scarcity Quirk: We tend to over-value apparently scarce resources
● Holiday (Xmas) toy/gift crazes, limited time offers
● Cookie jar experiments
● Censorship = information scarcity
○ backfires commonly
○ “The Jury will ignore that statement / evidence”
■ Often backfires when juries are asked to ignore invalid/dismissed evidence
● Share partial details then end with:
○ “I’m sorry I can’t say more”
○ “But between you and me, we never had this conversation”
○ “Sorry, I have said too much”
○ “Sorry. Never mind. I should have never told you that much”
■ Now you really have their attention
Scarcity

● Scarcity Quirk: We tend to over-value apparently scarce resources
● Exploiting scarcity to gain access:
○ "I'm only here until noon, so if you don't authorize me to fix your problem, you'll have to wait till next month for me to return... Good luck explaining that to your boss."
● Exploiting scarcity to get a raise:
○ "You know, Microsoft has been asking me to interview with them..."
In reality

● These are tricks that only statistically increase the odds of compliance
○ Requires:
■ Finesse
■ Charisma
■ Social Skills
■ Improv Skills
■ Timing
● Won't always work
○ "I need to fix stuff, so let me in the server room because I need to fix stuff."
○ "Remember how you gave me a raise last week? Well, it's about that time again..."
Reality

● Social engineering is usually the easiest way into a system
● Given a large enough company (# of employees), social engineering tricks
are pretty much guaranteed to have some success.
○ But if done on a large scale it will be detected quickly
■ Smash and grab style phishing...
● Companies need to especially beware of:
○ Targeted post-exploitation spear phishing
○ Surprise visitors or inspections
■ Fire alarms
○ Visitors having “accidents”
○ Random gifts, or packages in the mail
■ Keyboards with implants
Defending yourself

It is really hard!
● Raise awareness of these principles
● Practice by resisting advertisements
○ Try to identify the exact quirks an ad is targeting
● Practice by manipulating your friends
Recap

6 Widely-Exploited Quirks of Human Brain:

1. Reciprocity
2. Consistency
3. Social Proof
4. Liking
5. Authority
6. Scarcity

These quirks are widely exploited by marketing / sales / businesses.

Magic Word: “Because”
Reiterating your need as your reason (circular logic) may have higher compliance frequency.

Exploiting combinations of these may increase chances of success.
However, overdoing it will be an obvious red flag.
Resources

Recommended Reading:
Robert Cialdini's book, Influence: The Psychology of Persuasion
Scott Adams Persuasion reading list:
http://blog.dilbert.com/post/129784168866/the-persuasion-reading-list

Recommended Videos on Social Engineering:

● Dr. W. Philip Kegelmeyer's 2007 presentation about the above book: [link]
● Defcon 21 - Social Engineering: The Gentleman Thief
https://www.youtube.com/watch?v=1kkOKvPrdZ4
● DEFCON 19: Steal Everything, Kill Everyone, Cause Total Financial Ruin! (w speaker)
https://www.youtube.com/watch?v=JsVtHqICeKE
● TV Shows: Leverage (TNT 2008-2012)
● For a deep rabbit hole adventure see Yuri Bezmenov’s university lectures on subversion and psychological warfare… https://www.youtube.com/watch?v=5gnpCqsXE8g

Recommended Technical Resources:

● http://www.social-engineer.org/
● The Social Engineer Village @ DEFCON
Part II:
Physical Security:
How attackers gain physical access
and what they can do in meatspace
W. Owen Redwood, Ph.D.
Offensive Computer Security 2.0
http://hackallthethings.com/
Why Is Physical Security Important?

● People do crazy things:
http://www.dailymail.co.uk/news/article-2083556/Meet-girl-blogger-sneaked-inside-Russian-missile-factory--security.html
Credits

Many of these fantastic diagrams / animations are from The Open Organization Of
Lockpickers (check them out!):

● http://toool.us/
Bolt + Lock (respectively)
How locks work

http://i.imgur.com/ETTfE.gif

Diagram labels: The Shell, The Plug, Key hole
How locks work

Without a key, the lock won't turn

● it will "BIND"
How locks work
Lock terminology

Note:
Drivers are usually also just called Pins

Cylinders are usually also called Plugs
How locks work

The shear line:

● The area/separation between the plug and the shell

If the pins and drivers aren't separated AT the shear line, the lock won't turn
● The lock will "BIND"

Diagram labels: The Shell, The Plug
How Lockpicking Works

http://toool.us/deviant/02-picking/2.09-picking_by_individual_lifting.gif
Why does lockpicking work?

1. Manufacturing Defects / Imperfections
2. Cheap Materials
3. People buy cheap locks
Plug Imperfections

Intro to lockpicking

Imagine a one pin lock:

Past One-Pin Locks: How To Count Pins
Lockpicking

Two common mistakes:

1. TOO MUCH TENSION
a. be gentle!
b. Proceeding when it is actually still binding
2. Turning plug wrong way

Three Ways to “Cheat”

1. Raking
2. Bump Keys
3. Snap Guns
Raking
Bumping
Snapping guns
http://toool.us/deviant/04-bumping/4.01-snapping_gun.gif
Defenses against Lockpicking

● Buy better locks
○ More $$$ != better
● Lockpicking Mitigations
○ “Security pins” or “Security drivers”
○ Spool pins
○ Mushroom pin
○ Hybrid pins
○ Multi-dimensional Plugs/Cylinders

Lockpicking mitigations

Spool pins/driver

How a spool pin affects lockpicking

Defeating a spool pin

Takes finesse
Lockpicking mitigations

Mushroom pin
Lockpicking mitigations

Hybrid pin
Multidimensional Plug/Cylinder + Security pins
Other types of locks

Wafer Locks

Very easy to rake.
Resources

Reliable source for lockpicking starter kits:
g3k@disillusion.us

Great online resource:
http://toool.us/
About Physical Access
With Physical Access, attackers can....

● Spy
○ Place keyloggers and other devices
● Sabotage
○ Destroy, Damage, or Degrade
● Steal (papers, hard drives, laptops, phones)

Related talk:
Steal Everything, Kill Everyone, Cause Total Financial Ruin:
https://www.youtube.com/watch?v=JsVtHqICeKE
Below the Operating System

Much of the OS-layer security is moot if an attacker has physical access
● Can reset:
○ BIOS password
○ OS passwords
● Can physically take:
○ Hard Drives
○ External Storage
● Can install
○ keyloggers
○ ethernet eavesdroppers
○ other malicious hardware/chips...
The Bus

The motherboard bus is the medium by which the CPU, RAM, HD, and other
devices communicate.
● peripherals
● USB
● ...
IT IS A NETWORK!
● Broadcast network
The Bus

What can access this network?

"custom" USB devices

http://www.youtube.com/watch?feature=player_embedded&v=Tbh1qrchyUo

http://www.pjrc.com/teensy/
Commercial Hardware attacks ($30-100)

● USB Rubber Ducky (USB Keystroke injection)
● KeyLlama (USB Keylogger)
● KeyKatcher (PS2 Keylogger)
● Throwing Star LAN Tap (Passive LAN monitoring)
● LAN Turtle (USB LAN RAT/MiTM)
● Facedancer (USB Fuzzer)
● VideoGhost (Display surveillance)
● USB Kill (Renders the host inoperable)

As you can see, there are a lot of tools readily available for anyone who wants to
buy one. Anyone can present a threat with physical access to your machine.
Hacking over Powerlines

DEFCON 19: Hacking Your Victims Over Power Lines (w speaker)
https://www.youtube.com/watch?v=XjBJHy1hD_A

Rob Simon & Josh Kelly, Pentesting over Powerlines, Derbycon 2011
https://www.youtube.com/watch?v=H_xTKZKPEmk

^ jammers / sniffers for home security systems

● Can even send commands to the security system.

If IPMI can be abused, and the datacenter has Power over Ethernet (PoE) and Wake
on LAN enabled in unprovisioned server BIOSes, an attacker may leverage IPMI to
wake the entire unprovisioned farm into a PXE boot for a full botnet takeover of
the unprovisioned segment of the affected datacenter.
Hacking Buildings

Shmoocon 2013 - How to Own a Building BacNET Attack Framework
https://www.youtube.com/watch?v=c4LMrKEO_t0
BacNET

Found in all areas of building automation:

● Power / Water / HVAC / Metering
○ (distribution, sensory, control ...)
● Fire Suppression
● Smart Lights
● Smart Elevators :D
Found in:
● Factories, Plants
● Office Buildings
● (new) Residential
BacNET
Common Issues:

● Vendors often require gateways for their systems to do maintenance or patching.
● Operators are not aware of these access points.
BacNET

BacNET has minimal session protection / security

BacNET packets are easy to spoof, no encryption, easy to intercept

https://wiki.wireshark.org/Protocols/bacnet
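Because BACnet/IP carries no authentication or encryption, the practical control is monitoring the wire. As an added example (not from the lecture, TOOOL or DigitalBond), this Python sketch parses the BVLC, NPDU and APDU headers of BACnet/IP frames and flags WriteProperty / ReinitializeDevice style requests from any host outside an allow-list; the service numbers are from the BACnet standard, while the sample frames and the workstation address are constructed.

```python
"""Passive BACnet/IP (UDP 47808) monitor: parse BVLC -> NPDU -> APDU headers and
flag state-changing requests from hosts outside an allow-list. Added example, not
lecture material; service numbers follow the BACnet standard, the allow-list
address and sample frames are constructed."""
import struct

# Confirmed-Request service choices that alter device state.
WRITE_SERVICES = {15: "WriteProperty", 16: "WritePropertyMultiple",
                  17: "DeviceCommunicationControl", 20: "ReinitializeDevice"}


def parse_bacnet_ip(payload: bytes) -> dict:
    """Return BVLC function, APDU class and service choice of one UDP payload."""
    if len(payload) < 6 or payload[0] != 0x81:
        raise ValueError("not a BACnet/IP frame (BVLC type must be 0x81)")
    bvlc_func, bvlc_len = payload[1], struct.unpack("!H", payload[2:4])[0]
    if bvlc_len != len(payload):
        raise ValueError("BVLC length field disagrees with frame length")
    if payload[4] != 0x01:
        raise ValueError("unsupported NPDU version")
    control, off = payload[5], 6
    if control & 0x20:                      # DNET (2), DLEN (1), DADR (DLEN)
        off += 3 + payload[off + 2]
    if control & 0x08:                      # SNET (2), SLEN (1), SADR (SLEN)
        off += 3 + payload[off + 2]
    if control & 0x20:                      # hop count follows the addresses
        off += 1
    if control & 0x80:                      # network-layer message, no APDU
        return {"bvlc": bvlc_func, "apdu": "network", "service": None}
    if off >= len(payload):
        raise ValueError("truncated frame: NPDU without APDU")
    apdu_type = payload[off] >> 4
    if apdu_type == 0:  # unsegmented Confirmed-Request: type, max-resp, invoke-id, service
        return {"bvlc": bvlc_func, "apdu": "confirmed", "service": payload[off + 3]}
    if apdu_type == 1:  # Unconfirmed-Request: type, service
        return {"bvlc": bvlc_func, "apdu": "unconfirmed", "service": payload[off + 1]}
    return {"bvlc": bvlc_func, "apdu": "other", "service": None}


def flag_unexpected_write(payload: bytes, src_ip: str, allowed_writers: set):
    """Alert string for a write/reinitialize request from a host that is not an
    authorised BMS workstation; None for reads, discovery and allowed hosts."""
    info = parse_bacnet_ip(payload)
    if info["apdu"] != "confirmed" or info["service"] not in WRITE_SERVICES:
        return None
    if src_ip in allowed_writers:
        return None
    return f"ALERT: {src_ip} sent {WRITE_SERVICES[info['service']]} (unauthenticated)"


# Constructed sample frames, not taken from a real capture.
WHO_IS = bytes.fromhex("810b000c0120ffff00ff1008")            # broadcast Who-Is
READ_PV = bytes.fromhex("810a001101040005020c0c00400001194d")  # ReadProperty present-value
WRITE_PV = bytes.fromhex("810a001a01040005010f0c004000011955"  # WriteProperty present-value
                         "3e4442c800003f4908")                 # = 100.0 at priority 8

if __name__ == "__main__":
    allowed = {"10.0.0.10"}                 # constructed BMS workstation address
    for frame in (WHO_IS, READ_PV, WRITE_PV):
        print(parse_bacnet_ip(frame), flag_unexpected_write(frame, "10.0.0.99", allowed))
```

Segmented confirmed requests and BVLC forwarding functions are not decoded here; a production monitor would also compare observed Who-Is/I-Am traffic against the known device inventory.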
RedPoint (by DigitalBond)

Discover & Enumerate BACnet Devices

● https://github.com/digitalbond/Redpoint
BacNET Resources

Recommended Open Source BacNET tools & Packet Generation tools:
http://bacnet.sourceforge.net/

● Immense collection of tools / applications

Getting Started with BacNET:
http://www.bacnet.org/Tutorial/index.html

Sample Packet Captures at:
https://wiki.wireshark.org/Protocols/bacnet
And Beyond!

Software Defined Radio!

● http://gnuradio.org/
● https://redhawksdr.github.io/Documentation/
● http://sdr-radio.com/

SDR Hardware

● Reviews: http://www.rtl-sdr.com/roundup-software-defined-radios/
Resources

Hardware Hacking / Commercial Implants

● USB Rubber Ducky (USB Keystroke injection)
● KeyLlama (USB Keylogger)
● KeyKatcher (PS2 Keylogger)
● Throwing Star LAN Tap (Passive LAN monitoring)
● LAN Turtle (USB LAN RAT/MiTM)
● Facedancer (USB Fuzzer)
● VideoGhost (Display surveillance)
● USB Kill (Renders the host inoperable)

Hacking over Power Lines

DEFCON 19: Hacking Your Victims Over Power Lines (w speaker)
https://www.youtube.com/watch?v=XjBJHy1hD_A
Rob Simon & Josh Kelly, Pentesting over Powerlines, Derbycon 2011
https://www.youtube.com/watch?v=H_xTKZKPEmk

Building Automation Controls

Shmoocon 2013 - How to Own a Building BacNET Attack Framework
https://www.youtube.com/watch?v=c4LMrKEO_t0

Recommended Open Source BacNET tools & Packet Generation tools:
http://bacnet.sourceforge.net/
● Immense collection of tools / applications

Software Defined Radio!

● http://gnuradio.org/
● https://redhawksdr.github.io/Documentation/
● http://sdr-radio.com/

SDR Hardware
● Reviews: http://www.rtl-sdr.com/roundup-software-defined-radios/
