Dangling Tiger… Hidden SE
May 2014 Edition
**DISCLAIMER: Social-Engineer does not condone or support the action that Greenpeace took in this case. They broke the law and we use stories like this to learn.**
On March 4th 2014, nine protesters with Greenpeace waltzed right into Procter & Gamble headquarters in Cincinnati, Ohio. It appears that most, if not all, of them were dressed in business attire and pulling rolling suitcases full of maintenance suits, rappelling gear, pliers, a banner, and … a tiger suit. They proceeded to the 12th floor where the protesters, now dressed like maintenance workers, broke the locks on the windows, climbed out on a balcony, and braced the windows so they could not be opened from the inside. They then hooked up their zip lines and other gear to stanchions used by window washers and unfurled a rather large banner across the building, complete with someone hanging from the line in … you guessed it, a tiger suit.
News accounts are conflicting but everyone agrees that this was a very well-planned and well-orchestrated protest. It doesn’t appear this group had any inside help or that they used fake identification cards or badges, but they certainly did their research. While it only took the appropriate outfit and an “I have an appointment” to get them past the front desk, it took a great deal of research to pull this entire stunt off. Social engineering attacks can be made or broken by the quality of research that goes into them, and this crew obviously gets an A+ for putting in the legwork needed for such a smooth delivery.
Given that the protesters aren’t giving up any secrets, there has been some speculation as to how they got in the building. One theory the police looked into was that they entered through a third party’s door in a building two blocks from the final place they “hung out” in. Two blocks away? What good did that do them? Well, the building they entered was owned by P&G but leased space out to other businesses. Those other businesses apparently had more lax security, but still why two blocks away? Skywalk. Once these nine protesters were in P&G space they took the skywalk down to the building they really wanted and simply walked right in with the excuse that one of them had an appointment.
It doesn’t take a trip to the City Planning commission to get schematics or general information on a building’s construction anymore. Now information is just a click of the keyboard away. Malicious social engineers and hackers are just as careful in planning their entry into a company too. A simple trip to the auditor’s website for Hamilton County can get you some interesting information on the P&G building; not to mention the surrounding properties, who owns them and who leases them. When walking in the front door isn’t a good option (physically or digitally), always check for those who have trusted access to the target you want. Vendors and tenants are an excellent place to start.
Getting back to the protesters, they also knew where to find the stanchions to hook their rappelling gear. Finding this information could have been as easy as taking a photo with a zoom lens. But it would probably be smart to do some digging into how much weight those things can take before swinging yourself out on one, especially in a tiger suit.
This crew did their homework. They also knew the main tenet of any good scam: walk in like you belong and people will assume you do. Pentesters use this trick all the time to get past the front lines, whether it’s tailgating workers, dressing as a delivery person, or walking in while pretending to be on the phone. If you show no fear of being stopped, then people assume they have no reason to stop you. While it’s not Fort Knox, P&G’s offices are supposedly very secure. Yet with the right door at the right time in the right clothes with the right line, nine people walked in with enough equipment to end up filling the back of a police pick-up truck. Social engineers call this having a good pretext.
Greenpeace didn’t try to splash their message all over P&G’s website (or if they did, they weren’t successful); instead they chose to hack its people and post their message on the front of the physical building. Malicious social engineers frequently combine hacking people with hacking computer systems for a successful attack.
This crew was interested in hanging a banner to show the world that Greenpeace had a beef with P&G. Rather than defacing P&G’s website they posted their own pictures over social media. They wanted the world to see them and what they were doing even if they waited until barricading themselves out on a ledge to do it. While rappelling down the side of P&G tower the protesters came up with a hashtag (#fearless4forests) and began to tweet their adventure at @greenpeace USA.
Notice they didn’t tweet any pictures of the inside of the building! Social media can be used to share your message with the world, but it can also be used to gather information about you.
Not surprisingly, media coverage died out quickly on this event. It is doubtful P&G would want details of their security lapse to stay on the front page. But it is exactly this type of understandable silence that keeps other businesses and industry experts in security from knowing how often social engineering is used in physical and online attacks. This year’s DBIR from Verizon was lacking in its previous breakdown of social tactics as part of successful data breaches, as are many industry-leading reports. It would be interesting to see how much social tactics improve the success of a data breach compared to attack vectors aimed only at digital perimeters.
Social-Engineer is interested in ways to make this kind of research a possibility because we believe that education is a crucial piece of any security program. Incidents like these need to be looked at from the perspective, “What can I learn that will make my organization more secure?”
You may not want to rappel down the side of a city skyscraper… dressed like a tiger, but social engineering happens every day in everyone’s life. You just have to keep your eyes open, and it couldn’t hurt to glance up at the sky every once in a while too.
#fearless4forests upon making bail.
Written by Tamara Kaufman