Tuesday, October 31, 2006

Project : Lag and Lead Time

In MS Project, when you establish a relationship between two tasks, you can specify a lag. Lag is the time gap between the two tasks.

You can specify lag in the Task Information -> Predecessors tab:

Figure 1

Or in the table view:

Figure 2

There are two types of lag: delay and overlap.

Delay is indicated by a positive lag value and is called lag time in MS Project. It specifies that the successor task starts only N days after the predecessor task is completed (in a finish-to-start relationship). Figure 2 is an example of lag time (a positive two-day lag).

Overlap is indicated by a negative lag value and is called lead time in MS Project. It specifies that the successor task starts N days before the predecessor task is completed (in a finish-to-start relationship). Figure 3 is an example of lead time (a negative one-day lag).


Figure 3

Saturday, October 21, 2006

Find out more about Bangkok

While looking for some information about the new Bangkok airport, I found this site which has some pretty good information.

http://www.into-asia.com/bangkok

Interestingly enough, there is also a mention of a social engineering plot targeted at tourists in Bangkok.

http://www.into-asia.com/bangkok/gemscam

Wednesday, October 18, 2006

IIS : Getting Physical Path for Virtual Directory in .NET

Here is a C# code sample showing how to use System.DirectoryServices in .NET (through the IIS ADSI provider) to get the physical path of an IIS virtual directory.

using System;
using System.DirectoryServices;

class Class1
{
    [STAThread]
    static void Main(string[] args)
    {
        // The ADSI provider identifies a site by its ServerComment (the display
        // name shown in the IIS manager), not by its numeric identifier.
        string serverComment = "Default Web Site";
        string iisHost = "IIS://LocalHost";
        string siteName = GetIISSiteName(iisHost, serverComment);

        Console.WriteLine(siteName);
        if (siteName.Equals(String.Empty))
        {
            Console.WriteLine("Site not found.");
        }
        else
        {
            // Get the physical path for http://localhost/testemail
            string path = GetVirtualDirPath(iisHost, siteName, "testemail");

            if (path.Equals(String.Empty))
                Console.WriteLine("VD not found.");
            else
                Console.WriteLine(path);
        }

        Console.WriteLine("done");
        Console.ReadLine();
    }

    // Walks IIS://host/W3SVC and returns the numeric site identifier (e.g. "1")
    // of the IIsWebServer whose ServerComment matches, or "" if none does.
    static string GetIISSiteName(string iisHost, string serverComment)
    {
        string adsiPath = iisHost + "/W3SVC";
        using (DirectoryEntry entry = new DirectoryEntry(adsiPath))
        {
            foreach (DirectoryEntry site in entry.Children)
            {
                if (site.SchemaClassName == "IIsWebServer" &&
                    site.Properties["ServerComment"].Value != null &&
                    site.Properties["ServerComment"].Value.ToString().Equals(serverComment))
                {
                    return site.Name;
                }
            }
        }

        return "";
    }

    // Reads the Path property of IIS://host/W3SVC/<site>/Root/<vdName>,
    // which is the physical directory the virtual directory maps to.
    static string GetVirtualDirPath(string iisHost,
        string siteName, string vdName)
    {
        string adsiPath = iisHost + "/W3SVC/" + siteName + "/Root/" + vdName;

        try
        {
            using (DirectoryEntry entry = new DirectoryEntry(adsiPath))
            {
                return entry.Properties["Path"].Value.ToString();
            }
        }
        catch (Exception)
        {
            // The DirectoryEntry binds lazily: if the virtual directory does
            // not exist, the first property access throws.
            return "";
        }
    }
}
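Building on the sample above, here is an added example (my own, not the post's code) that uses the same IIS ADSI provider to enumerate every virtual directory under a site and flag two things a reviewer would want to know: a virtual directory whose physical path lies outside the folder the site's content is expected to live under, and one with both Write and Execute access enabled. It assumes the IIS 6 metabase schema (IIsWebVirtualDir and IIsWebDirectory nodes with Path, AccessWrite and AccessExecute properties); the site identifier 1 and the content root C:\Inetpub\wwwroot are constructed values.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.IO;

// Added example (not the post's own code): walk every virtual directory of an
// IIS site through the IIS ADSI provider and flag mappings worth a review.
// Assumes the IIS 6 metabase schema (IIsWebVirtualDir / IIsWebDirectory nodes).
class VirtualDirAudit
{
    // One row of the audit report.
    public class VdirEntry
    {
        public string AdsiPath;      // e.g. IIS://LocalHost/W3SVC/1/Root/testemail
        public string PhysicalPath;  // metabase "Path" property
        public bool AccessWrite;     // metabase "AccessWrite" flag
        public bool AccessExecute;   // metabase "AccessExecute" flag
        public List<string> Findings = new List<string>();
    }

    static void Main(string[] args)
    {
        // Constructed values: site 1 on the local machine and its expected content root.
        string siteRoot = "IIS://LocalHost/W3SVC/1/Root";
        string expectedContentRoot = @"C:\Inetpub\wwwroot";

        foreach (VdirEntry v in Enumerate(siteRoot))
        {
            Audit(v, expectedContentRoot);
            Console.WriteLine("{0} -> {1}", v.AdsiPath, v.PhysicalPath);
            foreach (string finding in v.Findings)
                Console.WriteLine("    [!] " + finding);
        }
    }

    // Depth-first walk of the metabase tree under rootPath. IIsWebVirtualDir
    // nodes carry their own "Path"; IIsWebDirectory nodes are plain subfolders
    // of their parent and are only traversed for nested virtual directories.
    public static List<VdirEntry> Enumerate(string rootPath)
    {
        List<VdirEntry> result = new List<VdirEntry>();
        using (DirectoryEntry root = new DirectoryEntry(rootPath))
        {
            Walk(root, result);
        }
        return result;
    }

    static void Walk(DirectoryEntry node, List<VdirEntry> result)
    {
        foreach (DirectoryEntry child in node.Children)
        {
            bool isVdir = child.SchemaClassName == "IIsWebVirtualDir";
            if (isVdir)
            {
                VdirEntry v = new VdirEntry();
                v.AdsiPath = child.Path;   // DirectoryEntry.Path is the ADsPath
                v.PhysicalPath = ReadString(child, "Path");
                v.AccessWrite = ReadBool(child, "AccessWrite");
                v.AccessExecute = ReadBool(child, "AccessExecute");
                result.Add(v);
            }
            if (isVdir || child.SchemaClassName == "IIsWebDirectory")
                Walk(child, result);
        }
    }

    static string ReadString(DirectoryEntry e, string name)
    {
        object v = e.Properties[name].Value;   // null when the property is unset
        return v == null ? "" : v.ToString();
    }

    static bool ReadBool(DirectoryEntry e, string name)
    {
        object v = e.Properties[name].Value;
        return v is bool && (bool)v;
    }

    // Policy check kept free of ADSI calls so it can run against constructed entries.
    public static void Audit(VdirEntry v, string expectedContentRoot)
    {
        if (v.AccessWrite && v.AccessExecute)
            v.Findings.Add("Write and Execute both allowed: uploaded files could be run");
        if (string.IsNullOrEmpty(v.PhysicalPath))
        {
            v.Findings.Add("no physical path recorded");
            return;
        }
        // Compare normalised full paths with a trailing separator so that "..\"
        // segments or a sibling folder sharing a prefix (wwwroot2) are not accepted.
        string full = Path.GetFullPath(v.PhysicalPath).TrimEnd('\\') + "\\";
        string root = Path.GetFullPath(expectedContentRoot).TrimEnd('\\') + "\\";
        if (!full.StartsWith(root, StringComparison.OrdinalIgnoreCase))
            v.Findings.Add("maps outside the expected content root: " + v.PhysicalPath);
    }
}
```

Audit() takes plain VdirEntry objects, so the policy part can be exercised on a machine without IIS by constructing entries by hand; only Enumerate() needs the ADSI provider.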

Monday, October 16, 2006

Social Engineering, Part 3

How to Identify a Social Engineering Attempt


There are certain signs that help us identify a possible social engineering attempt. They are not foolproof, but they do indicate that an attempt may be under way.

Refusal to Give a Callback Number
A social engineer will usually refuse to give a callback number because it would leave a trace of his presence. However, this sign is not always reliable. With today's conveniences, the attacker can simply buy a prepaid phone card for use during the attack and throw it away when he is done.

If you offer to call the caller back later to provide the information he is asking for and he refuses to give his contact number, that should immediately raise suspicion.

Out of the Ordinary Request
The goal of a social engineering attack is to reveal information that is normally difficult to get. If someone asks for personal information or for items that seem unrelated to the conversation, such as a user name, password, server name or IC number, you should raise a red flag, find out why the person needs that information and look for ways to validate his true identity.

Claim of Authority
The attacker claims that he is someone with authority or that he acts on behalf of an authority. The attacker will always emphasise his authority and refuse to provide credentials to prove his identity. He may also use that authority to threaten his target.

Threatens Negative Consequences of Non-Compliance
The attacker will threaten his victim with negative consequences if the victim does not comply with his request.

For example, the attacker may threaten that if he cannot get his job done on time because you refused to provide the information he needs, you will be answerable to the company CEO for your action.

Stresses Urgency
The attacker will make his request sound very urgent and put his victim under stress so that the victim panics and reveals the information without thinking carefully.

Name Dropping
Name dropping is the technique of using the name of someone who is close to the victim, has authority over the victim, or for whom the victim is responsible, in order to gain information.

For example, the attacker could call the victim and say "Mr Big needs this document by 3pm! He has authorized me to request the document from you!" If Mr Big is an important customer or executive to the victim, what are the chances that the victim will ever challenge that request?


How to Combat and Prevent Social Engineering


There are certain measures which, if they do not eliminate the risk, will certainly reduce the chance that you will be the next victim of a social engineering attack.

Training is the primary defense against social engineering. Organize security awareness training and campaigns to educate your staff about social engineering and how to detect and combat it. The training needs to be an on-going program, delivered at least once every year. Social engineering attacks will grow more sophisticated as social engineers learn and become smarter, so your employees need to be kept up to date with these new techniques to maintain security effectiveness.

Prevent unauthorized access to the office, mailroom and PBX room. The first defense against physical social engineering is to stop the attacker from entering the office premises and sensitive areas. Put up a policy requiring every employee to wear their badge in the office. Restrict employee access to sensitive areas such as the PBX room or the computer data center. Empower employees to challenge anyone who shows up in a restricted area without a valid badge.

Do not leave sensitive or valuable information in open areas. Information that can be used for a social engineering attack, such as address books, business documents and employee contact lists, should be kept in a drawer. Always lock your computer and drawer when you are away from your desk.

Do not release private information to strangers or to anyone whose identity you cannot confirm. Do not trust who they claim to be unless you know them personally or can recognize their voice on the phone. If someone asks for a piece of information which you have access to but do not own, do not give it out. Direct the requestor to the information owner, who has the discretion to determine who has a need to know.

Handle trash and rubbish with care. Invest in a more sophisticated shredder to shred unwanted papers and documents. Do not leave your trash in a public area where anybody can get at it. Classified information should be separated and handled for disposal only by authorized personnel. If you are throwing out computer hardware or equipment, make sure you physically destroy the storage media, such as hard disks and CDs. Sophisticated software is available on the market to recover data from a hard disk even after it has been formatted or the files deleted.

Avoid using public computers. A public computer is the most exposed to social engineering attack because anybody can access it. Spying software or a keyboard logger can be silently installed on a public computer to monitor your keystrokes and activities. Your user name, password, account number and online conversations with friends can be hijacked in such cases.

Do not casually leave your contact information with unknown parties. In a lot of marketing campaigns, it is quite common to be asked to fill in a survey form with personal information or to drop your name card to stand a chance of winning a great prize. You can never be sure how that information will be used against you. If you do not feel comfortable, don't hesitate to say no. Even disclosing a simple contact such as an email address can punish you with hundreds of spam mails every day.

Friends are not always friends after all. On the Internet, people can always get to know new friends through online chat rooms, instant messengers, online community websites and discussion groups. A social engineer may have set up a trap and befriended you long before asking for anything. Never trust anybody you do not personally know or have not met. You may be a good guy, but not everyone is like you.


This article is by no means a complete description and explanation of social engineering. I have only scratched the surface. If you are interested in reading more about social engineering, there are two books which I strongly recommend:

The Art of Deception by Kevin Mitnick.
The Art of Intrusion by Kevin Mitnick.

These two books provide many interesting stories and case studies on social engineering, and a comprehensive list of methods and techniques for protecting yourself and your company.

Wednesday, October 11, 2006

Social Engineering, Part 2

Understanding How Attackers Take Advantage of Human Nature


Authority
People have a tendency to comply when a request is made by a person in authority. A person can be convinced to comply with a request if he believes the requestor has the authority to make such a request. In our society, we have always been told not to question someone in authority.

For example, if a person requests a piece of information from you and claims to be from the executive office, you will tend to comply without question because you know you should never challenge your bosses.

Liking / Deceptive Relationship
People have a tendency to comply when the requestor seems to have similar interests, beliefs, attitudes and background to the victim. We implicitly trust someone who shares similarities with us. We subconsciously believe that people who are similar to us will also think and behave in a similar way and are always good guys.

A deceptive relationship is built by sharing information or discussing a common enemy or problem with the victim, making the victim believe that they are in the same camp.

For example, when we are talking to someone who seems to share the same interests, we tend to let down our guard, go further in the conversation and reveal more information.

Reciprocation
We may automatically comply with a request when we have been given or promised something of value. When someone has done something for you, you feel an inclination to reciprocate. One of the most effective ways of influencing people to do us a favor is to give a small gift or some assistance that creates an underlying obligation.

Very often, we feel reluctant to decline a request from someone who has just done us a favor or given us a small gift, even though in our mind we are uncomfortable doing what is asked. In our upbringing, we have been taught to remember those who have helped us and to help them back when needed.


Consistency
People tend to comply once they have made a public statement or commitment. Once we have promised to do something, we don't want to appear untrustworthy and will tend to follow through in order to be consistent with our statement or commitment.

Social Validation
People tend to comply when doing so appears to be in line with what others are doing. The actions of others are accepted as validation that the behavior in question is correct.

When we are in doubt whether to take a certain action, we look to the people around us to find out whether they did the same. Most of the time we simply follow what others did without questioning the validity of our decision.

When a social engineer asks a victim for information, he may mention that what he is asking for is a routine questionnaire and that the victim's peers have already responded to the same set of questions. The victim then feels no reason to decline: since their peers have done it, it must be the right thing to do.

Scarcity
People tend to comply when they believe that the object sought is in short supply or is only available for a short period of time.

People have a natural tendency to take advantage of offers made to them, such as a free gift if they just respond to a certain request. A social engineer may approach you and offer a drink voucher if you would spend five minutes completing a questionnaire for his survey.

Strong Affect
Strong affect plays on the victim's emotions. The attacker can create fear, panic or excitement.

For example, the attacker may make his request sound very urgent and put his victim under stress so that the victim panics and reveals the information without thinking carefully.

Another example is to create excitement and surprise by telling the victim that he stands a chance to win a big prize by registering as a member of some community or club.

The surge of strong emotion distracts from the victim's ability to evaluate and think logically.

Diffusion of Responsibility
In this method, the attacker makes the victim believe that he will not be responsible or liable for his action. It is much easier to get someone to carry out an action if he believes he will not be held responsible for his decision.

Moral Duty
Humans feel great delight when they can do something to help others. The social engineer plays on this to convince his victim that he needs the information to help others.

For example, the attacker may ask the victim for his user name and password because he needs to simulate a network login to troubleshoot a network problem that has been troubling the victim's coworker.

Another example: a social engineer may ask you for the phone number of a friend whom he claims to have met before, because he has a business opportunity that your friend may be interested in. Of course you would want to help your friend, and how often would you think that giving out a phone number is a big deal? But the fact is that it sometimes is a big deal. The social engineer can use the phone number to find out about the owner's phone billing information or sell the number to a third party for telemarketing.


Other Means of Social Engineering Attack


So far we have seen how a social engineering attack can be conducted using psychological and persuasion techniques. The other means of social engineering attack are physical (such as presence at the workplace, dumpster diving and on-line research) and reverse social engineering.

Workplace
The social engineer makes a physical appearance at the workplace or office of his victim or target. He will find ways to bypass the security check at the entrance. For example, in the morning when the crowd gets to work, security can be circumvented because of the vast number of people flowing in and out of the building, and the security guard may not be able to keep track of all of them. A professional social engineer will dress just like the people around him so that he doesn't look foreign, walk confidently and pretend to be talking to someone in the crowd while walking into the lift.

Another way is for the social engineer to pretend that he has forgotten his badge, while saying something that shows he is familiar with the place and the people around it, to make the security guard believe that he works there.

Once the social engineer gets in, he can move freely within the building to find the information he needs.

Although this looks like a movie trick, it does work in real life.


Dumpster Diving
Dumpster diving is also known as trashing. It involves searching the company dumpster for useful information, and the effort usually pays off. How often do we ever think about the value of the documents we throw into the bin? Something that seems to have no value to us can mean something else to other people.

A social engineer can find out contacts from an address book, software and hardware vulnerabilities from source code print-outs, people with specific positions and authority from the organization chart, and company policy from business operation guides. This information gives the attacker a great deal of knowledge about how he should plan his next step.


On-line
A social engineer can find a wide variety of information on websites, such as company product and service information, executive profiles, event calendars, and business partners and customers. The attacker can then use this information to learn about his victims and launch an attack against them.

Other on-line sources include search engines, on-line chat rooms, newsgroups and discussion forums. A search engine reveals a lot of links on a particular topic of interest. In newsgroups, where people post questions seeking help with their problems, they may accidentally include sensitive information such as user names, passwords and system configuration details in their posts.

Reverse Social Engineering
This is when the hacker creates a problematic situation for the victim and makes himself available to help fix it.

Consider the following phone conversation:

Hacker : "I am Bob from IT department. Is it Joe speaking?"
Victim : "Yes. How can I help you?"
Hacker : "Hi, Joe. Other users have reported problems with their network connectivity. Are you having any problem with your network?"
Victim : "Everything seems to be fine."
Hacker : "That sounds good. But just in case you have any problem, please call me immediately so that I can fix it for you. You can call me at this number - xxxxxxx"
Victim : "Sure. Thanks. Bye"

Now the attacker proceeds to create the problem and waits for the victim to call for help. Once he solves the problem for the victim, the victim will be thankful and the attacker gains the victim's trust and confidence. The attacker can then exploit that trust to extract valuable information from the victim.

However, reverse social engineering is more complex because it requires the hacker to gain access to the victim's network and computer ahead of time in order to create the problem, but it is not impossible.

Monday, October 09, 2006

Social Engineering, Part 1

What is Social Engineering


Day to day in our lives, we talk to people, whether face to face, on the phone or through some other form of communication. We talk to people we know and to strangers. In all our interactions with people, we give out information to third parties, whether intentionally or unintentionally. As human beings we have a natural tendency to be helpful, to have sympathy for those less fortunate and to try to be team players.

Social engineering plays on these attributes to break through human defenses. Social engineers take advantage of human nature to get people to comply with them.

Social engineering is 'the art and science of getting people to comply with your wishes'. It uses human intelligence to manipulate people into giving out their secret information. It is a psychological trick. The attacker's goal is to obtain information that will allow him or her to gain unauthorized access to a valued system and the information that resides on it. That could be a computer information system or someone else's private information.

In the course of a social engineering attack, the attacker may use little or no technological aid at all to accomplish his goal. Social engineering methods depend on people skills rather than technical skills, since they exploit human nature rather than software or hardware vulnerabilities.

Common ploys include pretending to be an organization executive or a member of the IT staff, a fellow worker, or a member of an outside organization such as a company vendor, supplier or consultant.


Why Social Engineering


As security technologies evolve and become more sophisticated, making it increasingly difficult to exploit technical vulnerabilities, attackers turn to exploiting the human element. Cracking the human firewall is often easier and involves lower risk if done carefully. For example, today's password encryption algorithms are sophisticated enough that it is practically infeasible to crack a password by brute force. Even with the fastest computer available today, it might take hundreds of years or more to break a password. It is much simpler for the attacker to pose as a helpdesk or IT employee and ask for it.

Social engineers rely on the fact that people are not aware of the value of the information they possess and are careless about protecting it. How many times have we given out personal information such as credit card numbers, account numbers or billing information to a party who claims to be from the credit card company, the phone company, your insurance agent and so on? How many times, when giving out this information, have you spent even a second thinking about whether the caller is really who they claim to be, what the value of the information you are giving out is, and why those people need it? Do you ever bother to verify their identity?

The human factor is always security's weakest link. This is due to our lack of education, our ignorance and our misconceptions about security. We have never been taught in school how to protect ourselves from information theft, how we should value information and how to protect privacy.

We could install the most sophisticated door lock in our house. But if we do not know how to use the lock properly, if we do not know how to deal with a stranger who knocks on our door, if we do not ensure our surroundings are safe when we open the door, we are still vulnerable to letting the stranger into our house. The human factor is often the most overlooked element in the security chain. Social engineers understand this gap in the security chain. They have always taken advantage of our desire to be helpful, friendly and sympathetic, and of our ignorance, to accomplish their goal. Thus, social engineering is the most difficult form of attack to defend against.

Social engineering is not limited to computer crime. It is generally a technique used by people who want to gain access to information they normally cannot get, or that most people think is impossible to obtain.

For example, a private investigator may use social engineering techniques to obtain private information, such as financial status, about the target of his investigation. He could pretend to be the target, call the bank, say he needs a bank statement to apply for a credit card and ask the bank to fax over the statement.

Another example is a commercial spy who wants to steal confidential product information from a competitor. The spy could pretend to be a consultant or someone in a partner company who helps in the development of the product, and convince the employees of the target company to reveal important information about the competing product under development. By doing so, the commercial spy gains a step ahead of his competition and is well prepared to counter it.


How Social Engineering Works


It is no surprise that even after a victim has been lulled into giving out sensitive information to the attacker, he still has no idea he has fallen for a social engineering attack. A successful social engineering attack will always leave its victim unsuspecting and unaware of what happened.

A social engineering attack is well organized, planned and thought through. A professional social engineer will always plan his attack well before he launches it. He always knows his stuff well.

Here is the general cycle of a typical social engineering attack:

1. Setting the Stage
The attacker identifies what he wants to accomplish and how he wants to accomplish it.

2. Research
The attacker starts by doing his homework to find out key information such as:

  • Names of key persons whose identity he can use and pretend to be. It is even more useful if he can find out the name of a person who has high authority in the organization.

  • Jargon or technical terms used in the specific industry or in the company he plans to attack. The ability to use context-specific terms in conversation makes people believe that the attacker comes from the same background or is one of them.

  • Company background and product information, policy and business processes. Understanding the company's operations and policy helps the attacker identify the target's weaknesses and how to exploit them. The knowledge is also useful in convincing the victim that he is part of that environment.

  • The victim's background and habits. Understanding the victim's background gives the attacker an effective way to engage the victim in a seemingly comfortable and enjoyable conversation, paving the way to develop and gain trust.


Knowing all this information is important at a later stage to develop a trust relationship with the victim. We implicitly trust someone who can mention the specific terms we use in our job, knows about our background or mentions some of the names we know.

3. Developing Trust
After gathering useful information, the attacker approaches the victim. He starts a conversation and, using the information he gathered, attempts to develop a trust relationship with his target. The attacker could get right to the point and ask for the information he needs. However, doing so would be too suspicious and could ring alarm bells for the victim. Instead, the attacker starts the conversation in a casual manner, pretends to be friendly and progresses gradually. During the conversation, the attacker picks up signs such as the victim's hesitation in responding, or the victim appearing cooperative, helpful or courteous.

It is human nature that we implicitly trust someone who claims to be from an authority, someone who seems to know a lot about us, our environment and what we are doing, and who perhaps shares the same interests. We also tend to trust someone who sounds helpful, friendly and courteous. The social engineer knows this well, and his research in the previous stage is very important to his success. At this stage, his goal is to gain trust, convince his victim and make the victim feel comfortable with him.


4. Exploiting Trust
Once trust is established, the attacker asks questions that will gain him valuable information, or he may ask the victim to perform an action on his behalf. Using a more advanced technique, the attacker could even set up a situation where the victim asks him for help. This technique is called reverse social engineering.

When the attacker feels that the victim is comfortable with him and is ready to reveal information, he proceeds to ask for the information he is interested in. A good social engineer knows that if he moves in too fast, he might arouse suspicion. He knows he needs a lot of patience. He continues his conversation on seemingly innocent subjects and, in between, asks the questions that will gain him the information he needs. He then gauges the victim's response. If the victim still sounds cooperative, he continues with the other questions on his list. If the victim shows hesitation, the attacker might divert the conversation to other topics before coming back to his next question, or he might gracefully end the conversation and move on to his next victim.

A good social engineer understands that in gaining the information he needs, patience and timing are very important. If he asks the question too early in the conversation, before the victim is ready, the victim will hesitate to answer and the request could look suspicious. If he ends the conversation right after obtaining the information, the victim will remember what he asked for and might also become suspicious. A smart social engineer is always sensitive to his victim and knows when to slot his question into the conversation. Once he has all the information he needs, he follows up with a couple more casual topics and questions before ending the conversation. This step is important because most of the time people only remember what happened at the start and at the end of a conversation; they may not remember well what happened in between. By using this technique, the victim might not remember clearly what the attacker asked him for.

The process of developing trust, exploiting trust and obtaining the information could be as simple as a few minutes of conversation with a single victim. Or the attacker may have to establish contact with several victims to extract bits and pieces of information from each of them individually. The situation largely depends on what actually happens during the contact and how cooperative the victim is. It also depends on the type of information to be obtained.


5. Utilize Information
Once the information is obtained, the attacker uses it to accomplish his final goal. If the information obtained only gets him one step closer to the final goal, the attacker returns to the earlier stages of the cycle until he reaches it.


In this first part of the article, we have introduced what social engineering is, why hackers choose such an attack approach, and the typical life cycle of a social engineering attack.

In the next article, we will look into why social engineering attacks work, what the other means of social engineering attack are, and how to identify and combat them.
