When an outsider becomes a malicious insider

Paraphrasing what long-time penetration tester and computer security author Ira Winkler once told me, “When I do penetration tests, if I can’t get in by technical means I can always get in with social engineering.” While this may sound like advice to a fellow computer security specialist, or a warning to a network manager, it should also sound warning bells to anyone who uses a computer. By social engineering an outsider becomes a corporate insider, with all the authorities and risks.

The subject of this article started formulating about a month ago when a family member called me. Long story short, he related a story of a cold call supposedly from a major known computer software vendor telling him he was infecting the Internet and walked him through some trouble shooting. They then offered to tell him how to repair it for a few hundred dollars. Luckily he said, “I’ll just take it over to Ken, he does it for a living.” Yeah, they weren’t happy with his reply.

On Friday the 23d of May, I overheard a similar story from an older lady at my local computer repair shop. I had to step in, had to make apologies to the clerk, but I felt it my duty to help out here. Unfortunately she wasn’t as lucky and had provided them her credit card number. After telling her to contact the credit card company, I knew that this problem was becoming bigger in my area.

This is an older technical support scam. This has been flowing around Europe and Asia for close to 10 years now. Yes, when you look at your events logs, there will ALWAYS be errors there. No, you don’t need to pay someone hundreds of dollars for this. Most of these errors are harmless network issues, some may need a local repair shop to fix, but NEVER provide your card to someone on the phone for this type of service.

These were individual attempts to dupe computer users into handing over information or access. The problem of outsiders gaining access as insiders increases exponentially in cases like the recent major online auction site that reported its f corporate accounts were attacked. Their somewhat cryptic announcement provided no real technical information so I had to read between the lines. The attack could have been malware or exploit, or social engineering. But regardless of how the malicious actor got in, he or she becomes your insider and has all the permissions of that account.

As Paul Asadoorian discussed in his blog post Detecting Snowden—the insider threat, there are ways of detecting and mitigating this type of compromise. While this also takes on criminal investigation elements, if we can start with the basics--monitor what has occurred and been done--attribution can then be further refined and presented to the proper authorities. In the case of the online action site, I sure hope they were monitoring and logging account activity.

While it doesn’t seem like much, at the end of the day being aware that there are people who will lie to achieve their goals for criminal activities is the start of a good computer security awareness and life lesson. To help in visualizing and predicting likely attack paths, I encourage you to read more in the whitepaper.