
Thread: Sales Call or Social Engineering?

  1. #1
    Senior Member
    Join Date
    Apr 2002
    Posts
    889

    Sales Call or Social Engineering?

    We all hear about social engineering, and as an admin I get my share of sales calls. Most are screened and dumped to the voice mail and no message is left; the few that do get through have what I consider some rather social-engineered questions. Here is my own true story, about a year old, that I want to share.

    I run an active firewall with a nice GUI interface where I can see color-coded lines of all network traffic outgoing and from the outside arriving in. I sat one morning and all of a sudden noticed my red alert lines from a company attempting to access a port scan first from view the log and then very specific known exploits, when all of a sudden the reception desk rings me and says so-and-so from the very company I was watching at the firewall is calling me. So rather than have it dumped to my voice mail I took the call, 'cause I just wanted to see what all of this was about. Mind you, a very nice-sounding woman on the other end, and from memory here is what was said.

    Caller: Hello Mr. (myname), I understand you are the contact person for your networking needs. We provide IT consulting services to companies such as yours. May I ask if you run a firewall?

    Me: Yes we do. (I want to play a game now).

    Caller: What firewall software and hardware do you use?

    Me: I do not answer questions about our network to people that call me. (Firewall activity from said company is still pecking away at the ports)

    Caller: OK, let me ask you this: how many servers and workstations do you have, and what OS are you using?

    Me: I'm sorry but like I said I do not answer these questions unless I am calling someone.

    Caller: Please, sir, I am doing my job and I have to account for who I contact and the answers. I have a blank call sheet. Can't you at least tell me how many servers you have?

    Me: I'm sorry (her name) I do not like the direction of this conversation and you are providing me with just your company name. Thank You and I hung up.

    My only questions are were:
    1. Was this a penetration test by a potential IT consultant to sell their services?
    2. I did not ask for such testing, and had I provided any answers would they have broken something so they could fix it?
    3. Any sales call should not have to depend upon my answer facts about my network.

    My conclusion from this, as it was a large IT company, is that perhaps their system was not secure, the sales call bogus, and bogus users wanted to gain access to my network. Or maybe it was just the company with an incorrect sales pitch. What do you think?
    I believe that one of the characteristics of the human race - possibly the one that is primarily responsible for its course of evolution - is that it has grown by creatively responding to failure.- Glen Seaborg

  2. #2
    "IT consulting service" Haha.. It was an attempt to discover data about your company's network. Plain as day. If it were just a sales call, they would be promoting their product and trying to convince you to purchase something instead of disclose information.

  3. #3
    Senior Member
    Join Date
    Apr 2002
    Posts
    250
    Well, if you didn't ask for that, ask if anyone working there did. I wouldn't take answers until you get some specific information. Yeah, this is really common though. Don't trust them until you have full proof. But I think it's a load of BS, this is daily life in a company/network. Just in case, take your crowbar....hehe :P

    Thanks for your time~
    Die, or surrender, either way won't work.
    HuntX7

  4. #4
    Senior Member
    Join Date
    Jul 2002
    Posts
    339
    I don't think it was a sales call, it was pure social engineering. Why would she suddenly call you right after the failed attempt to scan your network? No reputable company that offers security consulting AFAIK does that.

    Security is about trust. If you don't trust the company, don't give them a chance to sell you anything. I support your decision not to answer her questions.

    <jdenny>
    Always listen to experts. They'll tell you what can't be done and why. Then go and do it. -- Robert Heinlein
    I'm basically a very lazy person who likes to get credit for things other people actually do. -- Linus Torvalds

  5. #5
    Senior Member
    Join Date
    Jun 2002
    Posts
    165
    i would have fed them faulty information and looked to see if known exploits against 'said' devices were subsequently picked up by the firewall.
    -droby10

  6. #6
    Senior Member
    Join Date
    Apr 2002
    Posts
    889
    droby10, am a real busy person at work, what point would there be to doing that? I had enough info already to make my choice; how much pecking at the firewall should I log? Not out to prove them wrong, they were clearly, and any sales call of this nature should not be these questions even if there are Not Any hits on the firewall. And no one in any company should give out such info, least not to a sales person. (greenies are welcome, I'm faulted on grammar and spelling)...just a brain damaged crash test dummy
    I believe that one of the characteristics of the human race - possibly the one that is primarily responsible for its course of evolution - is that it has grown by creatively responding to failure.- Glen Seaborg

  7. #7
    Senior Member
    Join Date
    Jun 2002
    Posts
    165
    droby10 am a real busy person at work what point would there be to doing that?
    depending on the capability of the attacker you might learn a thing or two that could ultimately protect you from the next wave of advisories. while i agree that no legitimate company should act in such a manner. i've seen first hand where pocketed exploits are developed and used on-site in consumer audits as poc, later used as fool-proof means of entry for big bucks, and finally disclosed some 3 or 4 months later for publicity. it's a proven method - and capturing the information on the wire might just give you the signature you need to prevent being exposed to attacks when they take the exploit(s) out of their pocket and lay them on the table for everyone else to see. just my 2 cents on reverse information.
    -droby10

  8. #8
    Senior Member
    Join Date
    Sep 2001
    Posts
    150
    I always feel a bit nervous about answering those questions from people who call me conducting a "survey of IT managers."

    I try to be as bogus as possible, but I'm half afraid of them calling M$ and them coming out and auditing me based upon my fake answers.

  9. #9
    I'd rather be fishing
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867

    Sorta Related

    This is kinda related so I thought I would share it here. The following is an e-mail that was received at my company yesterday from a "Security Vendor".

    Subject: Your Apache Web Server is NOT Safe!

    Dear Client:

    While browsing your web site, I noticed that you are running Apache
    version 1.3.20. A major vulnerability has been discovered in the
    Apache web server software. It's been all over the news the past few
    days, including CNN. Worms exploiting this issue have been
    discovered. Your server requires immediate attention to avoid the
    problems Microsoft IIS shops faced with the Nimda and Code Red worms.

    I am writing to you today to help protect your network investment.
    I'd like to tell you about XXXXXXXX, which detects these security
    vulnerabilities. Licensed XXXXXXX customers receive automatic product
    updates as soon as vulnerabilities go public. Combined with its
    flexible scheduling and alerting features, it allows our customers to
    stay on top of their networks. To learn how XXXXXXXX can keep you ahead
    of the hackers, download an evaluation copy:

    http://www.XXXXXXXX.com/Product-Download.html

    For more information on this vulnerability, as well
    as links to download the latest Apache software, please see the CERT
    advisory noted below:

    http://www.cert.org/advisories/CA-2002-17.html

    To determine if any attempts have been made to hack your web site, check
    the Apache server's error log. The message should be similar to the
    following:

    [Mon Jun 17 17:12:18 2002] [notice] child pid 26140 exit signal
    Segmentation fault (11)

    For more immediate attention, please give me or one of my colleagues a
    call at one of the numbers below.

    North America: XXXXXXXXXXXXXX
    Europe: XXXXXXXXXXXX
    E-mail: sales@XXXXXXX.com
    support@XXXXXXX.com

    Regards,
    Mr. Sales Guy

    Now, my problem here is:
    1) We are not now nor have we ever been a 'Client' of this vendor, so I have to assume this clown is scanning the net (likely with some kind of Bot) looking for Web sites running Apache.

    2) After finding out we have an Apache Web Server, this clown looks for an e-mail address to send his 'sales-pitch' to. Of course, the one he sends it to is a person (fairly high up in the company) who knows nothing about what this clown is talking about but assumes the sky is falling and contacts me.

    3) Now, we are running an Apache Web server but we are running it on a Solaris OS (not Windows) and, while the vulnerability exists, the exploits in the wild are targeted at Windows.

    And finally and most important, we already patched our system, but this clown assumes that he knows more about our systems than we do.

    In short, this is just downright rude and I made sure that Mr. Sales Guy knew I was less than pleased with his company's marketing tactics.

    Cheers:
    DjM
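
The error-log check quoted in the vendor's e-mail above, written out as an added example (not part of the original thread or the vendor's product). The sample lines are constructed apart from the one notice quoted in the e-mail, and the per-hour threshold is an assumption.

```python
import re
from collections import Counter
from datetime import datetime

# Apache 1.3 error_log notice in the form quoted in the e-mail
# (ctime-style timestamp; single-digit days are space padded).
SEGV = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \d{4})\] "
    r"\[notice\] child pid (?P<pid>\d+) exit signal "
    r"Segmentation fault \(11\)"
)

def child_segfaults(lines):
    """Return (timestamp, pid) for every child-segfault notice."""
    hits = []
    for line in lines:
        m = SEGV.match(line.strip())
        if m:
            ts_text = " ".join(m.group("ts").split())  # collapse day padding
            ts = datetime.strptime(ts_text, "%a %b %d %H:%M:%S %Y")
            hits.append((ts, int(m.group("pid"))))
    return hits

def busy_hours(hits, threshold=3):
    """Hours with at least `threshold` child segfaults (assumed cut-off)."""
    per_hour = Counter(ts.replace(minute=0, second=0) for ts, _ in hits)
    return {hour: n for hour, n in per_hour.items() if n >= threshold}

# Constructed sample log; only the 17:12:18 notice comes from the e-mail.
SAMPLE = """\
[Fri Jun  7 03:41:09 2002] [notice] child pid 1201 exit signal Segmentation fault (11)
[Mon Jun 17 17:10:02 2002] [error] [client 192.0.2.10] File does not exist: /var/www/favicon.ico
[Mon Jun 17 17:12:18 2002] [notice] child pid 26140 exit signal Segmentation fault (11)
[Mon Jun 17 17:12:19 2002] [notice] child pid 26141 exit signal Segmentation fault (11)
[Mon Jun 17 17:12:21 2002] [notice] child pid 26144 exit signal Segmentation fault (11)
[Mon Jun 17 17:13:40 2002] [notice] child pid 26150 exit signal Segmentation fault (11)
[Mon Jun 17 18:00:00 2002] [notice] caught SIGTERM, shutting down
""".splitlines()

if __name__ == "__main__":
    hits = child_segfaults(SAMPLE)
    print(len(hits), "child segfault notices")
    for hour, n in sorted(busy_hours(hits).items()):
        print(hour.strftime("%Y-%m-%d %H:00"), n)
```

A segfault notice only records that a child process crashed, so a hit is a reason to look at the matching access-log entries and the installed Apache version, not a finding on its own.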

  10. #10

    Re: Sales Call or Social Engineering?

    Definite social engineer, you did the right thing. Screw the idiot caller.
