Everyone Is A Social Engineer

Children and even dogs seem to understand how to apply the concept of social engineering. Children make lots of noise, promising to be quiet only when they get the toy or trip they want. Dogs pine for petting and herd humans to the pet food bowl, hoping to have it filled. People, too, are manipulated psychologically until they do what hucksters want, such as giving up personal or confidential information online and offline. Like DDoS (distributed denial of service), social engineering is usually one of many components of a blueprint whose goals include extortion, system or network access, bribery, bullying, identity theft, business destruction, human and drug trafficking, and other types of fraud and illegal activity. On the flip side, these combined social engineering and hacking activities may have the goal of “remedying a perceived social inequity” or of achieving scientific research.

Some say that Kevin Mitnick, once known as the world’s most wanted hacker, is the one who first coined the term “social engineering.” The phrase has a bad reputation online, but whether it is a good or bad activity is in the mind of the beholder just as DDoS, phone pranks, and other activities that may socially engineer online and offline. Every time a woman or a man does anything in the attempt to get others to do what she or he wants, that is social engineering.

Again, social engineering is the act of duping an individual into revealing information that should be confidential or into doing something he or she would not normally do. The victims are not necessarily gullible or ignorant; maybe it is just that they trust practically everyone and enjoy helping others. The perpetrators of social engineering, on the other hand, appeal to universal, time-resistant human desires and emotions: lust, friendship, power, luck, money, greed, revenge, charity, accomplishment, fame, and being part of a bigger cause. Perpetrators can easily trick people into giving up information that, unknown to them, is destined to compromise a server, computer, business, family, network, or other online or offline person, place, thing, idea or organization.

Hacking is the act of entering a computer system via a security breach, whereas social engineering is an invasion of the mind. Have you heard of emotional intelligence? People with keen emotional intelligence make great social engineers and can make unbelievable things happen, just as computer system hackers can. Combine the two and you get potentially unstoppable collaborations that can wreak painful havoc, insane genius, unbelievable change-making or huge accomplishment for organizations and individuals online and offline. Sounds bad, doesn’t it? However, the two have been combined throughout history for good and evil, depending upon your point of view.

Think of a few: Google’s Sergey Brin and Larry Page; Facebook’s Mark Zuckerberg, Dustin Moskovitz, Eduardo Saverin; Yahoo’s Jerry Yang and David Filo; Dream Dinners’ Stephanie Allen and Tina Kuna; PTL Club’s Jim and Tammy Bakker; Super Technologies, DIDX and Virtual Phone Line’s Ahmed and Bowen; EventBrite’s Julia and Kevin Hartz; and CouchSurfing’s Casey Fenton, Daniel Hoffer, Leonardo Bassani da Silveira, and Sebastian Le Tuan. They changed the way people think, do business, web search, find a date, act like they are somewhere that they are not, market, meet people, plan events, make phone calls, start new businesses, and establish identity.

Social engineering can convert people to a religion or bring them out. It can coerce people to obey or disobey government. It builds and destroys gang, social and civic, charitable, and educational institutions. Advertising and marketing techniques use social engineering.

The methods are just as varied as the kinds of people who execute them. Social engineers shoulder surf (watch and copy passwords and PINs by looking over the shoulder) and tailgate (literally follow someone into a high-security area). They pretend to be a respected person or company over the phone, email, chat, forums, Twitter and other social networks, and even in person. They tell you that they can reveal how you stack up against people in your industry, city, or social networks. They tell you they can let you know who leaves your social networks and maybe why. They tell you they need help and appeal to the type of person you are. How do they know the right things to say and do? They are often part of a ring of people who observe public information shared over the Internet. Believe it or not, it is a business.

Social Engineering and the Unseen Enemy

Security is only ever as strong as its weakest link, and the majority of the time, an organisation’s users become the weakest point. No matter how much money is invested in security, installing firewalls, intrusion prevention systems, complex remote access systems, security guards, physical access passes or a myriad of other solutions that combine to form strong layered security, if users are not educated in the basic principles of security, it is all pointless.

One of the greatest risks to an organisation is the possibility that one of its users could be manipulated or deceived into performing some action or disclosing confidential information to someone outside the business. Information security terminology defines this manipulation as “social engineering”. While “social engineering” is a fairly new term, this type of attack is as old as the human race itself. Two of the most famous social engineering attacks are the story of the wooden horse of Troy from Homer’s “The Odyssey” and, dating even further back, the start of the Bible, where the Devil manipulates Eve into taking a bite from the apple in the Garden of Eden.

In the story of the wooden horse of Troy, after the Greeks had failed to overthrow Troy, they built a giant wooden horse which they left outside the city. Leaving one soldier behind, the Greeks left the outskirts of Troy to return home. When captured, the soldier told the people of Troy that the Greeks had left the wooden horse as an offering to the gods to ensure safe travel. He also disclosed that they had deliberately built the horse too large to be moved within Troy, as bad luck would befall the Greeks if this came to pass. Little did the people of Troy know that hidden inside the horse were a number of Greek soldiers. Of course the people of Troy could not resist moving the horse inside the gates to inflict ill luck on the Greeks. In this textbook example of social engineering, the soldier had manipulated the people of Troy into moving the horse, with the Greeks inside it, within the city walls, something the Greeks had not been able to do themselves. That night the Greeks slipped out of the horse, killed the guards and opened the city gates to allow the rest of the Greek army in to defeat Troy.

While not IT related, the story of Troy is a perfect example of strong security defeated via the weakest link, something people do not necessarily even see as security related. Troy had withstood the attacks of the Greeks for over a decade. They had guards and soldiers, strong impenetrable walls and food to sustain them for countless years. It was only via the weakest link in their security model, their residents, that the Greeks were able to succeed.

In the present day, IT-related and physical social engineering attacks are aimed at users in an attempt to reach a number of specific outcomes. The most common objectives are:

o Gaining access to restricted data;
o Gaining access to restricted areas;
o Monetary gain and profit; and
o Identity theft

The first two in the list, gaining access to restricted data and areas, are most commonly aimed at gaining unauthorised access to an organisation. Identity theft is generally aimed at individuals, whereas monetary gain targets both areas. While initiation and execution of these attacks follow different methods and paths, they all follow the same principle: manipulate the user without them knowing.

While an organisation may have implemented strong layered security, in a lot of environments all that is required to access the network from anywhere in the world is knowing how to connect to the organisation’s remote access system, along with a valid username and password. In the past, this required the phone number of the organisation’s remote access modem, but with the commonplace use of sophisticated Virtual Private Network (VPN) devices in most organisations, all that is required is an IP address or a URL. There are countless methods for acquiring organisational information such as modem numbers, VPN access information, or usernames and possible passwords. Wardialing, the act of dialing consecutive numbers in an area looking for modems, was commonplace when modems were the chief method of remote access. Trashing is the act of going through an individual’s or organisation’s trash looking for information such as account details for users and sometimes finding corresponding passwords. Google hacking is the act of using the Google search engine to extract as much usable information about a user or organisation as possible. And finally, there is the organisation’s Help Desk. If an attacker has the names of legitimate users within the organisation, along with other information that may help to establish credibility, it is not difficult to impersonate a user and request an action such as a password reset, or request information such as the VPN access details or modem number. A successful attack such as this would enable an attacker to access the organisation’s network from anywhere in the world. Depending on the access rights of the user being impersonated, this could lead to vast compromises of critical systems.

Access to IT systems and the data contained within these systems is not the only goal of social engineers. Most medium to large organisations have now implemented some form of physical access token to allow access to buildings, offices and restricted areas. These come in various forms, be they magnetic swipe cards, HID, RFID or just simple identification badges validated by other users or security guards. Social engineers have dozens of methods for bypassing these systems without the need to even touch the technology. By targeting the users of these systems, there is no need. Social engineering is a low-tech solution to a high-tech problem. All that is required is that the attacker fits into the environment, that he or she looks like someone who belongs in the organisation or is there performing a valid task. Tailgating, the act of following close behind an individual, is a common method of bypassing physical access controls. This method allows the attacker to follow another person through a restricted door after that person has provided the required authentication. Impersonation, the act of pretending to be someone else, is extremely effective. How often have you seen tradesmen, cleaners or other individuals within your organisation? How often have you actually looked at their pass or asked to verify who they are? Have you ever held a door open for them while they wheeled in their trolley or tools, or carried a cumbersome box? These are all common methods of the skilled social engineer.

Organisations are not the only prey of the social engineer. The vast amounts of spam and phishing attacks everyone receives by email are just another form of social engineering. Phishing, the act of attempting to gain sensitive information by masquerading as a trusted individual, is a perfect example. The only differences between the attacks described above and phishing are the targets and the methods. Phishing tends to aim at individuals on a personal level, rather than at an individual in an attempt to compromise an organisation. Also, while the above methods are manual attacks, phishing is generally automated and aimed at hundreds, thousands or even millions of users. This method provides the attacker with a much higher success rate and, correspondingly, considerably more profit.

The only defence against social engineering is education. Organisations should implement a security awareness program that becomes a requirement when new staff begin, including annual refresher courses for established staff. Security awareness is an integral part of an organisation’s overall security implementation, and as such, is a mandatory requirement in the Payment Card Industry Data Security Standards (PCI:DSS), section 12.6. Security awareness and training is also specified in section 5.2.2 of the ISO 27001 security standards. While security awareness training should include such areas as password policies and acceptable use, the following areas specific to social engineering should be discussed:

1. Always wear identification badges.

Identification badges should be worn and visible at all times by all staff, contractors and visitors. These should be easily identifiable to all staff. Visitor IDs should be returned at the end of the visit and disposed of properly.

2. Question unknown people

If staff see someone within their area that they do not recognise, or someone trying to tailgate, question them. Ask to see their ID or who they are visiting and escort them to that staff member.

3. Remove or turn around identification badges when outside the office

Staff who wear identification in full view when outside the office are providing more than enough information for an attacker to start a social engineering attack. While some passes only display a photo, most carry information that is valuable to a social engineer. Common information displayed on corporate ID passes includes the holder’s full name, company and even the department the user belongs to within that company. When leaving the premises, remove the badge and place it in your pocket or handbag, or at the very least, turn the badge around so no information is visible.

4. Never write down passwords

Passwords should never be written down, period. Choose passwords that can be easily remembered without the need to write them down. Users commonly write down passwords and stick them to monitors, under keyboards, on their cubicle walls, or place them in their desk drawer. A social engineer, contractor, visitor, cleaner or even other staff can easily see these when walking by a desk or by taking a few seconds to look for them. Paper, especially post-it notes that easily stick to other items, is commonly thrown out in the trash accidentally. This allows easy access for social engineers performing trashing attacks.

5. Help Desk staff should always validate users fully before disclosing any information

When talking to users on the telephone, any request to disclose or modify information should require the Help Desk to fully validate the user on the other end. Validation questions should always include some form of “non-wallet question”. A non-wallet question is something about a user that cannot be discovered by reading the contents of their wallet. If questions such as date of birth, address or driver’s licence number are used, a social engineer who has stolen a wallet or been through a user’s trash will have easily obtained this information. Non-wallet questions should be something that the user knows and that is not easily found out via trashing, Googling or simple social engineering of the user to obtain the information.

6. Shred all documents

All documents with any form of sensitive information should be shredded or placed in secure disposal bins that are shredded by a trusted third-party company. No documents with any confidential data should ever be thrown in the trash or recycling bins.

7. Do not open email attachments or visit URLs from unknown people or from suspicious looking emails.

Users should be educated in basic phishing attacks and how they can identify a phishing attack versus a real email from a valid source.

A few examples include:

o Banks and other financial institutions will never send emails asking for your credentials or to log in to your account by using a link in the email.
o If a suspicious looking email is sent requesting you to visit a URL to a company you know, do not click on the link. Instead, open your web browser and manually type the known URL for the company and visit the site that way.
o Never open an attachment sent by someone you do not know.
o Be wary of executable-type attachments, for example .exe, .com or .scr, sent by friends unless you are expecting this type of document. They may not realise that they are sending you a malicious file.
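The bullets under item 7 translate naturally into an automated mailbox triage check. The following is an added example, not code from the article: it flags attachments by the executable extensions the list names (the extra extensions in the set, the crude registrable-domain helper and the sample message are constructed assumptions) and flags links whose visible text shows a different domain from the one the href actually points to.

```python
import re
from urllib.parse import urlparse

# Extensions the awareness list calls out (.exe, .com, .scr) plus a few other
# Windows-executable types; this set is an assumption, extend it for your site.
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".bat", ".cmd", ".pif", ".vbs", ".js"}

ANCHOR_RE = re.compile(r'<a\s+[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")
DOMAIN_IN_TEXT_RE = re.compile(
    r"(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)


def registered_domain(host):
    """Crude approximation of the registrable domain: the last two labels.
    Good enough for the demo; real tooling would use the public suffix list."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def flag_attachments(filenames):
    """Return attachment names whose final extension is executable.
    Only the last extension counts, so a double extension like
    'report.pdf.exe' is caught just like 'setup.exe'."""
    flagged = []
    for name in filenames:
        lower = name.lower()
        ext = "." + lower.rsplit(".", 1)[1] if "." in lower else ""
        if ext in EXECUTABLE_EXTENSIONS:
            flagged.append(name)
    return flagged


def flag_links(html_body):
    """Return (href, visible_text) pairs where the visible text names a
    domain that does not match the domain the link really points to.
    Links whose text carries no domain ('Click here') are not judged."""
    suspicious = []
    for href, text in ANCHOR_RE.findall(html_body):
        visible = TAG_RE.sub("", text).strip()
        match = DOMAIN_IN_TEXT_RE.search(visible)
        if not match:
            continue
        href_host = urlparse(href).hostname or ""
        if registered_domain(href_host) != registered_domain(match.group(1)):
            suspicious.append((href, visible))
    return suspicious


def triage(filenames, html_body):
    """Combine both checks into a single verdict for one message."""
    bad_files = flag_attachments(filenames)
    bad_links = flag_links(html_body)
    return {
        "executable_attachments": bad_files,
        "mismatched_links": bad_links,
        "suspicious": bool(bad_files or bad_links),
    }


# Constructed sample message (not a real phishing email).
SAMPLE_ATTACHMENTS = ["Q1_report.pdf.exe", "minutes.docx", "Invoice.SCR"]
SAMPLE_BODY = """
<p>Please verify your account:
<a href="http://login-example.evil-host.test/bank">www.examplebank.com</a></p>
<p>Help page: <a href="https://www.examplebank.com/help">https://www.examplebank.com/help</a></p>
<p><a href="https://www.examplebank.com/">Click here</a> for terms.</p>
"""

if __name__ == "__main__":
    print(triage(SAMPLE_ATTACHMENTS, SAMPLE_BODY))
```

Flagging a message is a prompt for the user to type the known URL by hand, as the list advises, not a verdict that the mail is malicious.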

If a security awareness program is developed and implemented, the chances of successful social engineering attacks become far less likely. If an organisation’s users are no longer the weakest link, attacks against the company become a lot harder. Not only does security awareness help protect an organisation, it also helps defend users in their personal lives. Understanding common attacks and how to recognise and defend against them will help users protect themselves against attacks such as phishing, aimed at stealing their bank account or other personal details.

Social Engineering: You Have Been A Victim

Monday morning, 6am; the electric rooster is telling you
it’s time to start a new work week. A shower, some coffee,
and you’re in the car and off. On the way to work you’re
thinking of all you need to accomplish this week. Then,
on top of that there’s the recent merger between your
company and a competitor. One of your associates told you,
you better be on your toes because rumors of layoffs are
floating around.

You arrive at the office and stop by the restroom to make
sure you look your best. You straighten your tie, and turn
to head to your cube when you notice, sitting on the back of
the sink, is a CD-ROM. Someone must have left this behind by
accident. You pick it up and notice there is a label on it.
The label reads “2005 Financials & Layoff’s”. You get a
sinking feeling in your stomach and hurry to your desk. It
looks like your associate has good reasons for concern, and
you’re about to find out for yourself.

And The “Social Engineering” Game Is In Play:

People Are The Easiest Target


You make it to your desk and insert the CD-ROM. You find
several files on the CD, including a spreadsheet which you
quickly open. The spreadsheet contains a list of employee
names, start dates, salaries, and a note field that says
“Release” or “Retain”. You quickly search for your name but
cannot find it. In fact, many of the names don’t seem
familiar. Why would they? This is a pretty large company; you
don’t know everyone. Since your name is not on the list you
feel a bit of relief. It’s time to turn this over to your
boss. Your boss thanks you and you head back to your desk.
You have just become a victim of social engineering.

When Did I Become a Victim of Social Engineering?


Ok, let’s take a step back in time. The CD you found in the
restroom, it was not left there by accident. It was
strategically placed there by me, or one of my employees.
You see, my firm has been hired to perform a Network
Security Assessment on your company. In reality, we’ve been
contracted to hack into your company from the Internet and
have been authorized to utilize social engineering

The spreadsheet you opened was not the only thing executing
on your computer. The moment you opened that file you caused a
script to execute which installed a few files on your
computer. Those files were designed to call home and make a
connection to one of our servers on the Internet. Once the
connection was made the software on our servers responded by
pushing (or downloading) several software tools to your
computer. Tools designed to give us complete control of
your computer. Now we have a platform, inside your
company’s network, where we can continue to hack the
network. And, we can do it from inside without even being

This is what we call a 180 degree attack. Meaning, we did
not have to defeat the security measures of your company’s
firewall from the Internet. You took care of that for us.
Many organizations give their employees unfettered access
(or impose limited control) to the Internet. Given this
fact, we devised a method for attacking the network from
within with the explicit purpose of gaining control of a
computer on the private network. All we had to do was get
someone inside to do it for us – Social Engineering!
What would you have done if you found a CD with this type of
information on it?

What Does It Mean to Be “Human”


As human beings we are pretty bad at evaluating risk. Self
preservation, whether it be from physical danger or any
other event that could cause harm, like the loss of a job or
income, is a pretty strong human trait. The odd thing is,
we tend to worry about things that are not likely to happen.
Many people think nothing of climbing a 12 foot ladder to
replace an old ceiling fan (sometimes doing so with the
electricity still on), but fear getting on a plane. You have
a better chance of severely injuring yourself climbing a ladder
than you do taking a plane ride.

This knowledge gives the social engineer the tools needed to
entice another person to take a certain course of action.
Because of human weaknesses, our inability to properly assess
certain risks, and our need to believe most people are good, we
are an easy target.

In fact, chances are you have been a victim of social
engineering many times during the course of your life. For
instance, it is my opinion that peer pressure is a form of
social engineering. Some of the best sales people I’ve
known are very effective social engineers. Direct marketing
can be considered a form of social engineering. How many
times have you purchased something only to find out you
really did not need it? Why did you purchase it? Because
you were led to believe you must.



Defining The Term “Social Engineering”: In the world of
computers and technology, social engineering is a technique
used to obtain or attempt to obtain secure information by
tricking an individual into revealing the information.
Social engineering is normally quite successful because most
targets (or victims) want to trust people and provide as
much help as possible. Victims of social engineering
typically have no idea they have been conned out of useful
information or have been tricked into performing a
particular task.

The main thing to remember is to rely on common sense. If
someone calls you asking for your login and password
information and states they are from the technical
department, do not give them the information, even if the
number on your phone display seems to be from within your
company. I can’t tell you how many times we have
successfully used that technique. A good way of reducing
your risk of becoming a victim of social engineering is to
ask questions. Most hackers don’t have time for this and
will not consider someone who asks questions an easy