Attacking the cloud with social engineering

© First Base Technologies 2013

Upload: peter-wood

Posted on 24-May-2015


Category: Technology



DESCRIPTION

An ethical hacker's view of cloud security risks from social engineering

TRANSCRIPT

Page 1: Attacking the cloud with social engineering

Attacking the cloud with social engineering

Peter Wood, Chief Executive Officer

First•Base Technologies

An Ethical Hacker’s View

Page 2: Attacking the cloud with social engineering


Who is Peter Wood?

Worked in computers & electronics since 1969

Founded First Base in 1989 (one of the first ethical hacking firms)

CEO, First Base Technologies LLP

Social engineer & penetration tester

Conference speaker and security ‘expert’

Member of ISACA Security Advisory Group

Vice Chair of BCS Information Risk Management and Audit Group

UK Chair, Corporate Executive Programme

FBCS, CITP, CISSP, MIEEE, M.Inst.ISP

Registered BCS Security Consultant

Member of ACM, ISACA, ISSA, Mensa

Page 3: Attacking the cloud with social engineering


Cloud models

Page 4: Attacking the cloud with social engineering


Cloud computing definition

Cloud separates application and information resources from the underlying infrastructure, and the mechanisms used to deliver them

http://www.cloudsecurityalliance.org/guidance/csaguide.v2.1.pdf

Page 5: Attacking the cloud with social engineering


The ‘SPI’ Model

Software (SaaS) – cloud provider owns application, operating system and infrastructure

Platform (PaaS) – cloud provider owns operating system and infrastructure, client owns application

Infrastructure (IaaS) – cloud provider owns infrastructure, client owns application and operating system

Page 6: Attacking the cloud with social engineering


SPI in context

• Software as a Service – Just run it for me!

– Examples: Google Apps, Salesforce.com

• Platform as a Service – Give me a nice API and you take care of the rest

– Examples: Google App Engine, Microsoft Azure

• Infrastructure as a Service – Why buy machines when you can rent cycles?

– Examples: Amazon EC2, Rackspace Cloud

Page 7: Attacking the cloud with social engineering


Cloud Benefits

Page 8: Attacking the cloud with social engineering


What's different in cloud

[Diagram: Security Ownership – IaaS (Infrastructure as a Service), PaaS (Platform as a Service), SaaS (Software as a Service), with ownership of security moving from ‘Security ~ YOU’ towards ‘Security ~ THEM’]

Page 9: Attacking the cloud with social engineering


What does it mean for attackers?

• Login from anywhere

• Browser access

• Simple credentials

• No intruder detection

• No physical security

• Trick a user and it’s game over!

Page 10: Attacking the cloud with social engineering


Why social engineering?

• Staff can be tricked at home, in a coffee shop, at an airport …

• No corporate desktop controls

• Easy to impersonate your IT staff or help desk

• Using email, phone, chat …

Page 11: Attacking the cloud with social engineering


Just a little brainstorm

Page 12: Attacking the cloud with social engineering


Why should you care?

Exposure of

• Customer data (industrial espionage, reputation)

• Credit card data (PCI DSS, reputation, direct costs)

• Personal information (data protection, reputation)

• Sensitive information (contractual penalties, reputation)

• Business plans (industrial espionage, reputation)

• Staff data (data protection, spam, social engineering, reputation)

• and identity theft: personal and business

Page 13: Attacking the cloud with social engineering


Even cloud email has value …

Page 14: Attacking the cloud with social engineering


Why APT works

THIS WORKS FOR CLOUD TOO!

Page 15: Attacking the cloud with social engineering


Attack Techniques

Page 16: Attacking the cloud with social engineering


Classic phishing email

Page 17: Attacking the cloud with social engineering


Spear phishing email

Page 18: Attacking the cloud with social engineering


Spear phishing

• Emails that look as if they are from your employer or from a colleague

• The email sender information has been faked

• Malicious attachment or link to drive-by web site

• The payload can steal credentials or install a Trojan

• Or even simple form filling to capture user details

Page 19: Attacking the cloud with social engineering


Telephone social engineering

• Not every hacker is sitting alone with a computer, hacking into a corporate VPN

• Sometimes all they have to do is phone!

Page 20: Attacking the cloud with social engineering


The remote worker

1. Call the target firm’s switchboard and ask for IT staff names and phone numbers

2. Overcome their security question: Are you a recruiter?

3. Call each number until voicemail tells you they are out

4. Call the help desk claiming to be working from home

5. Say you have forgotten your password and need it reset now, as you are going to pick up your kids from school

6. Receive the username and password as a text to your mobile

7. Game over!

Page 21: Attacking the cloud with social engineering


Phones are very flexible

Previous calls gave access to:

• CEO’s email and calendar

• IT manager’s desktop

• Remote access to a network

• … and cloud services!

Page 22: Attacking the cloud with social engineering


Telephone SE

• Impersonation of IT staff to obtain user’s credentials

• Impersonation of user to obtain new password

• Impersonation of provider to obtain user’s credentials

• Impersonation of client admin to provider

• Impersonation of provider to client admin

• … and so on … Game Over

Page 23: Attacking the cloud with social engineering


People love USB sticks!

I found it in the car park …

… just wanted to see what was on it …

Page 24: Attacking the cloud with social engineering


USB sticks

• Autorun infection of user’s computer

• Manual click to infect user’s computer

• Contains link to drive-by web site

• The payload can steal credentials or install a Trojan

• Or even simple form filling to capture details

• … and so on … Game Over

Page 25: Attacking the cloud with social engineering


Defence

Page 26: Attacking the cloud with social engineering


Human firewall

• Train your staff to recognise social engineering attacks

• Invest in continual awareness campaigns

Page 27: Attacking the cloud with social engineering


Technical controls

• Implement two-factor authentication (if you can)

• Use ‘least privilege’ principles for access to services
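An added example, not from the deck or from First Base: the intruder detection that slide 9 says cloud services lack, written in Python for the help-desk reset scenario of slides 20 to 22 and run over constructed audit events. It flags a help-desk password reset followed within an hour by the user's first login from a country outside their baseline; the event schema, user names, IP addresses and baseline are all assumptions.

```python
import json
from datetime import datetime, timedelta

# Constructed sample cloud audit events (JSON lines); not from any real provider.
# Scenario from the deck: help desk resets a password over the phone, then the
# caller logs in to the cloud service from somewhere the real user never has.
SAMPLE_LOG = """
{"ts": "2013-05-20T09:15:02Z", "event": "login", "user": "akhan", "ip": "198.51.100.5", "country": "GB"}
{"ts": "2013-05-20T13:02:11Z", "event": "password_reset", "user": "jsmith", "actor": "helpdesk", "channel": "phone"}
{"ts": "2013-05-20T13:09:40Z", "event": "login", "user": "jsmith", "ip": "203.0.113.77", "country": "RO"}
{"ts": "2013-05-20T14:30:00Z", "event": "password_reset", "user": "akhan", "actor": "self", "channel": "portal"}
{"ts": "2013-05-20T14:31:10Z", "event": "login", "user": "akhan", "ip": "198.51.100.5", "country": "GB"}
{"ts": "2013-05-20T15:00:00Z", "event": "password_reset", "user": "bwong", "actor": "helpdesk", "channel": "phone"}
{"ts": "2013-05-20T19:45:00Z", "event": "login", "user": "bwong", "ip": "192.0.2.9", "country": "FR"}
"""

# Countries each user has been seen from before today (constructed baseline).
BASELINE = {"jsmith": {"GB"}, "akhan": {"GB"}, "bwong": {"GB"}}
WINDOW = timedelta(hours=1)  # reset-to-login gap that still counts as linked


def parse(log):
    """Parse JSON lines into dicts with datetime timestamps, oldest first."""
    events = [json.loads(line) for line in log.strip().splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["ts"])


def find_suspicious_resets(log, baseline=None):
    """Return (user, reset channel, ip, country) for every help-desk reset that
    is followed within WINDOW by a login from a country not in the user's baseline."""
    known = {u: set(c) for u, c in (baseline or BASELINE).items()}  # copy, never mutate input
    pending = {}  # user -> latest help-desk reset not yet followed by a login
    alerts = []
    for e in parse(log):
        user = e["user"]
        if e["event"] == "password_reset":
            if e["actor"] == "helpdesk":
                pending[user] = e
            else:
                pending.pop(user, None)  # self-service reset, not the phone path
        elif e["event"] == "login":
            reset = pending.pop(user, None)
            linked = reset is not None and e["ts"] - reset["ts"] <= WINDOW
            if linked and e["country"] not in known.get(user, set()):
                alerts.append((user, reset["channel"], e["ip"], e["country"]))
            known.setdefault(user, set()).add(e["country"])  # learn for later events
    return alerts
```

Only jsmith is flagged: akhan's reset was self-service and bwong's login came well outside WINDOW, so widening the window is the knob to turn if the help desk's reset-to-first-login gap is normally longer.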

Page 28: Attacking the cloud with social engineering


Procedural controls

• Ensure joiners, movers and leavers are handled thoroughly and quickly!

• Divide responsibilities between your administrators and the service provider's administrators, so no one has free access across all security layers

Page 29: Attacking the cloud with social engineering


Peter Wood, Chief Executive Officer

First Base Technologies LLP

[email protected]

http://firstbase.co.uk

http://white-hats.co.uk

http://peterwood.com

Twitter: peterwoodx

Need more information?