Social engineering can provide hackers with easy access to an organisation’s secrets. Pen tester Jamie Woodruff revealed all at a recent RITTech meetup.

Jamie Woodruff is a Certified Ethical Hacker and Certified Penetration Testing Engineer from London. He specialises in social engineering. At a recent gathering of RITTech members in London, he discussed hacking tools, techniques and how even seemingly secure organisations can be laid bare. His talk explored traditional social engineering attacks against people and also social exploits that rely on technology.

He pointed to CEO fraud as a common means by which hackers can dupe their way into an organisation’s infrastructure. CEO fraud sees a hacker send an official-looking email in the name of a victim firm’s CEO. The email might ask for a phone list, passwords or critical operational information. Because the email purports to come from the firm’s chief, recipients are more likely to comply with the request - forgetting the security implications along the way.

Illustrating social engineering’s potency, Woodruff discussed how he gained access to a client’s server room by dressing as a pizza delivery boy. The financial organisation tasked him with pen testing its defences. Each Friday, he explained, pizzas were delivered and their custodian was permitted to walk right through the firm’s security - without the need for a pass. Woodruff got a job with the pizza company and, wearing their uniform, walked unchecked into the company’s heart.

He also discussed hackers’ seemingly endless opportunism. Hackers often use Google to search a prospective victim’s site for PDFs that might have been stored erroneously, or with the wrong permissions. Visible to Google, the documents can be a treasure trove of information. Issuing a stark warning, Woodruff said: 'Hackers can use what they find to extort and extract information. And, of course, they can use it to steal money.'

During his talk he emphasised how laypeople can find cyber security intimidating and perplexing, and how they can fail to protect themselves adequately despite solutions being available. He pointed to encryption as a specific example. It is, he said, something that technicians and technically minded people understand easily. To many, however, it is perplexing, and so it often goes ignored.

The event was organised by RITTech, a new standard for Professional IT Technicians offered through BCS. RITTech helps technical people stand out from the crowd and provides a mark of current competence. The event culminated in a Q&A session between Woodruff and the audience of RITTech members.

Q: There are technical vulnerabilities and there are social ones. When you’re working as a pen tester, where do you think the balance lies?
We tend to wake up at the same time, drink our coffee, take our children to school and follow the same routine. At nine o’clock we’ll head to work, following the same route again. Then we’ll get to work and we’ll have set breaks. A pattern emerges. So, from a hacking perspective, I know where you’re going to be and when you’re going to be there. So, if I want to pickpocket you or to steal your laptop, I know where you’ll be. From the social engineering perspective it’s all about spotting trends and patterns.

Q: What are the key steps to protecting a business?
Start off by looking at yourself. What have you got to hide? A lot of attacks are random - hackers don’t always set out to deliberately hack a certain company. They just come across some data... some passwords.

To protect yourself, watch your trends and patterns. Don’t share your passwords with co-workers. We know it's stupid. But when I go into a company, into a client... I sit down with somebody, give them some cookies, and have a chat. And the amount of information I can extract that can be used against some infrastructure (is huge).

In terms of passwords - spice things up.

And updates. I love WPScan (a WordPress vulnerability scanner). WordPress itself is wonderful... But third-party vendors are not good. The thing is, you’ve got 14-year-old kids writing sites and online forms. But they have redundant code... code that’s not been tested or updated. And a hacker can type something into Google and find all the vulnerable sites that have this plug-in.

Over 98 per cent of ATMs run Windows 98 and XP. Imagine how many vulnerabilities have been discovered. How many banking infrastructures still use COBOL?

Q: What’s the best way to stay safe online?
A VPN - a Virtual Private Network. It’s a way to tunnel your way across the internet, but without people seeing what you’re doing. You should use one on a day-to-day basis. A lot of companies have implemented them. So - use a VPN all the time. I’ve got one. They’re good when you’re abroad and certain things are banned too!