About Johan Cyprich

http://www.cyprich.com

Posts by Johan Cyprich:

Touch Utility

Sets the date and time of a file.

touch file year month day hour minutes seconds

file = any Windows filename, optionally including the full path
year = 4 digit year
month = 1 to 12
day = 1 to 31
hour = 0 to 23
minutes = 0 to 59
seconds = 0 to 59
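The argument list above is the whole interface, so here is an added example of the same utility written in Python (it is not the original Touch utility's code). It range-checks each of the six components exactly as documented, lets datetime() reject combinations such as 30 February that pass the individual checks, and then writes the timestamp with os.utime(). The 1970 lower bound on the year is this example's own assumption, since pre-epoch times are not portable through os.utime().

```python
"""Added example (not the Touch utility's own code): set a file's date and
time from the same positional arguments the utility documents.

Usage: python touch.py file year month day hour minutes seconds
"""
import os
import sys
import tempfile
from datetime import datetime


# Allowed range for each positional argument, as documented for Touch.
# Assumption: year starts at 1970, because pre-epoch times are not
# portable through os.utime() on every platform.
RANGES = {
    "year": (1970, 9999),
    "month": (1, 12),
    "day": (1, 31),
    "hour": (0, 23),
    "minutes": (0, 59),
    "seconds": (0, 59),
}


def parse_timestamp(year, month, day, hour, minutes, seconds):
    """Range-check the six components and return a naive local datetime.

    The per-field check mirrors the documented ranges; datetime() then
    rejects day/month combinations that pass them individually, such as
    30 February or 31 April.
    """
    given = {"year": year, "month": month, "day": day,
             "hour": hour, "minutes": minutes, "seconds": seconds}
    values = {}
    for name, raw in given.items():
        try:
            value = int(raw)
        except (TypeError, ValueError):
            raise ValueError(f"{name}: expected an integer, got {raw!r}") from None
        lo, hi = RANGES[name]
        if not lo <= value <= hi:
            raise ValueError(f"{name}: must be {lo} to {hi}, got {value}")
        values[name] = value
    return datetime(values["year"], values["month"], values["day"],
                    values["hour"], values["minutes"], values["seconds"])


def is_valid(year, month, day, hour, minutes, seconds):
    """True if the six components describe a real, in-range local time."""
    try:
        parse_timestamp(year, month, day, hour, minutes, seconds)
        return True
    except ValueError:
        return False


def touch(path, year, month, day, hour, minutes, seconds):
    """Set the access and modification time of `path` to the given local
    time and return the epoch timestamp that was written."""
    when = parse_timestamp(year, month, day, hour, minutes, seconds)
    ts = when.timestamp()
    os.utime(path, (ts, ts))
    return ts


def demo_touch(year, month, day, hour, minutes, seconds):
    """Touch a temporary file and return (written, read_back) so the value
    written can be compared with what the filesystem reports."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        written = touch(path, year, month, day, hour, minutes, seconds)
        read_back = os.stat(path).st_mtime
    finally:
        os.remove(path)
    return written, read_back


if __name__ == "__main__":
    if len(sys.argv) != 8:
        sys.exit("usage: touch file year month day hour minutes seconds")
    try:
        touch(*sys.argv[1:])
    except (OSError, ValueError) as exc:
        sys.exit(f"touch: {exc}")
```

Note that os.utime() sets both the access and the modification time; the creation time that Windows Explorer also displays is not touched by this call.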

You can download the file by clicking here.

An Introduction to Social Engineering

“You could spend a fortune purchasing technology and services … and your network infrastructure could still remain vulnerable to old fashioned manipulation. … If your goal is to protect your network, you can not rely on technology alone.”

Kevin Mitnick, “My First RSA Conference”

A common perception of a hacker is that of an individual who spends countless hours trying to break into computer systems by guessing passwords or having unsuspecting users install software which will give them a back door into their computer systems. Modern technology may prevent most of these types of attacks, but even the most advanced technology will not prevent a fellow co-worker from unknowingly giving out a password to a hacker over the phone. This is known as social engineering.

Briefly, social engineering is a psychological attack: its purpose is to obtain confidential information by manipulating legitimate users. The hacker's goal is to gain unauthorized access to systems or information in order to commit fraud, network intrusion, industrial espionage or identity theft, or to disrupt those systems. Various techniques are used to extract sensitive information from staff members. People have a natural tendency to trust others and to feel good about being helpful, and these are exactly the traits a social engineer exploits.

The most common medium for social engineering is the telephone. A hacker will impersonate someone of authority or importance to retrieve information, and may even pretend to be a network administrator when requesting a password. In his interview with BBC News Online, Kevin Mitnick explains “how armed with a little knowledge, a hacker can sound like an employee of a firm and get other workers to inadvertently supply them with enormously useful information”.

When a call is received and information is requested, find out who is calling and which company they are with. Unless the individual is recognized and has authorization, take their name and phone number and tell them they will be contacted shortly; then return the call through a number from the company directory rather than the one the caller supplied, so that an impostor cannot simply route the callback to themselves. Inform management. User names and passwords should never be given out over the phone.

Hackers can also retrieve useful information by going through garbage. The LAN Times listed the following items as potential security leaks in our trash: “company phone books, organizational charts, memos, company policy manuals, calendars of meetings, events and vacations, system manuals, printouts of sensitive data or login names and passwords, printouts of source code, disks and tapes, company letterhead and memo forms, and outdated hardware.”

To prevent security problems, all sensitive paper should be shredded when thrown away. Magnetic media such as hard disks and floppy disks should be overwritten (a genuine low-level format or a wiping tool) or physically destroyed before disposal; a quick format only removes the directory entries and leaves the data recoverable. If you are not sure how to dispose of these things, send them to your IT department.

Care is needed with e-mail as well. E-mail attachments can carry viruses, worms, and Trojan horses, and the file name tells you nothing about what the attachment actually is. A good example of this was an AOL hack, documented by VIGILANTe: “In that case, the hacker called AOL’s tech support and spoke with the support person for an hour. During the conversation, the hacker mentioned that his car was for sale cheaply. The tech supporter was interested, so the hacker sent an e-mail attachment “with a picture of the car”. Instead of a car photo, the mail executed a backdoor exploit that opened a connection out from AOL through the firewall.”
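The AOL case turns on an attachment whose name said "photo" while its content was a program. The following added example (not from the original post or from VIGILANTe) shows the check an e-mail gateway or a cautious user can apply: compare the file's leading bytes with what its extension claims, and refuse anything that is a Windows executable whatever it is called. The attachment names and bytes are constructed for the example.

```python
"""Added example: flag e-mail attachments whose content does not match the
file type their name claims, the trick used in the AOL case above.
Sample attachments below are constructed, not real captures."""

# Leading bytes ("magic numbers") of formats a "photo" could plausibly be.
IMAGE_SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "bmp": (b"BM",),
}

# Extensions Windows will execute directly when the attachment is opened.
EXECUTABLE_EXTENSIONS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js"}


def claimed_extension(filename):
    """Extension the name claims, after stripping the padding spaces that
    hide a second extension (e.g. 'car.jpg            .exe')."""
    name = filename.lower().strip()
    _base, dot, ext = name.rpartition(".")
    return ext.strip() if dot else ""


def inspect_attachment(filename, data):
    """Return (verdict, reason); verdict is 'allow', 'block' or 'review'."""
    ext = claimed_extension(filename)
    if ext in EXECUTABLE_EXTENSIONS:
        return "block", f"executable extension .{ext}"
    # A DOS/PE executable starts with 'MZ' no matter what it is named.
    if data[:2] == b"MZ":
        return "block", "content is a Windows executable (MZ header)"
    if ext in IMAGE_SIGNATURES:
        if any(data.startswith(sig) for sig in IMAGE_SIGNATURES[ext]):
            return "allow", f"content matches .{ext} signature"
        return "block", f"claims to be .{ext} but content does not match"
    return "review", f"unrecognised type .{ext or '(none)'}"


def triage(attachments):
    """Run inspect_attachment over (name, bytes) pairs; returns name -> verdict."""
    return {name: inspect_attachment(name, data) for name, data in attachments}


# Constructed sample attachments: a real JPEG, the "car picture" that is
# really a program, a padded double extension, and a mislabelled PNG.
SAMPLE_ATTACHMENTS = [
    ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 16),
    ("car.jpg", b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 24),
    ("car.jpg                        .exe", b"MZ\x90\x00" + b"\x00" * 28),
    ("car.gif", b"\x89PNG\r\n\x1a\n" + b"\x00" * 24),
    ("notes.txt", b"see you at 5\r\n"),
]


if __name__ == "__main__":
    for name, (verdict, reason) in triage(SAMPLE_ATTACHMENTS).items():
        print(f"{verdict:6} {name!r}: {reason}")
```

The check does not look inside archives, so a ZIP that contains an executable still needs to be expanded and each member inspected the same way.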

Below is an excerpt from a hacker web site instructing how to break into a system. It is useful because it gives an insight into what a hacker does to retrieve information.

  • Be Professional: You don’t want someone to not buy what you’re doing. You’re trying to create an illusion. You’re trying to be believable.

  • Be Calm: Make them believe you belong there.

  • Know your mark: Know your enemy. Know exactly how they will react before they do.

  • Do not fool a superior scammer: trying to out scam an observant or smarter person will end in disaster.

  • Plan your escape from your scam: Don’t burn your bridges. Save the source.

  • Be a Woman. It is proven that women are more trusted than men over the phone. Use that to an advantage.

  • Watermarks: Learn to make them. They are invaluable in a mail scam.

  • Business cards and fake names: Use them for professional things.

  • Manipulate the less fortunate.

  • Use a team if you have to: Don’t be arrogant and overly proud. If you need help, get it.

Individuals may try to get sensitive information by entering a facility and wandering around. People tend to leave user names and passwords around their work area because they don't want the trouble of remembering them. The best places to look for passwords are beside the monitor (or stuck on it) or taped under the keyboard. If passwords must be stored somewhere, keep them in an encrypted, password-protected file on your computer with a name that is meaningful only to you, or in a password store on a Java-enabled cell phone (there is free software for this); a dedicated password manager serves the same purpose.

Unknown people should not be permitted to walk around unescorted. The identities of repairmen should be verified before they are granted access to a building. Also, server rooms and wiring closets should be securely locked at all times.

If at any time you are not sure about someone who is on the phone or on the premises, contact management. It is better to take a few moments to verify a legitimate individual than to permit a security breach.

How Software Is Developed

This comic has been circulating on the Internet for a while. It takes a humorous look at how software is developed. What it shows is the need for a well-defined requirements specification for each project: clearly defined goals, approved by the customer, are what lead to a successful software application.

You can view the comic by clicking here.

GotDotNet 1.00 – Detect .NET Version

GotDotNet is a Win32 application which detects which versions of the .NET Framework, if any, are installed.

If .NET is installed, you can have GotDotNet run one program; if it is not, you can have it run another, which would normally be the installer for the .NET Framework.

GotDotNet is useful for .NET applications that autorun from a CD or DVD. For example, if the correct version of .NET is installed, you can run the .NET application directly. If .NET is not installed, you can run dotnetfx.exe, which installs the .NET Framework, and then run your .NET application once the Framework is in place.
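The decision GotDotNet makes can be reproduced from the registry: each installed Framework version leaves a subkey under HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP (v2.0.50727, v3.0, v3.5, and v4\Full or v4\Client) whose Install DWORD is 1 and whose Version string names the release. The following is an added example in Python, not GotDotNet's own code; the registry-shaped dictionary, the required version "4.0" and the program names app.exe and dotnetfx.exe are assumptions for the illustration, and the live registry read only works on Windows.

```python
"""Added example (not GotDotNet's own code): pick the program to launch
from the .NET Framework versions recorded in the Windows registry."""
import subprocess
import sys

NDP_KEY = r"SOFTWARE\Microsoft\NET Framework Setup\NDP"


def installed_versions(ndp):
    """Walk a registry-shaped mapping (subkey name -> nested mapping,
    value name -> data) and return [(key path, Version string), ...] for
    every key that records Install == 1.  Works for the v2/v3 keys, which
    carry Install and Version directly, and for v4\\Full and v4\\Client."""
    found = []

    def walk(path, key):
        if key.get("Install") == 1 and isinstance(key.get("Version"), str):
            found.append((path, key["Version"]))
        for name, child in key.items():
            if isinstance(child, dict):
                walk(f"{path}\\{name}" if path else name, child)

    walk("", ndp)
    return found


def version_tuple(text):
    """'4.8.04084' -> (4, 8, 4084) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def satisfies(ndp, required):
    """True if any installed version is >= the required 'major.minor'."""
    need = version_tuple(required)
    return any(version_tuple(v) >= need for _, v in installed_versions(ndp))


def choose_program(ndp, required, app, installer):
    """The launcher rule from the post: run the application when the needed
    Framework is present, otherwise run the Framework installer."""
    return app if satisfies(ndp, required) else installer


def read_ndp_from_registry():
    """Read the live NDP key into the same nested-mapping shape.  Returns
    None when not on Windows (winreg is unavailable)."""
    try:
        import winreg
    except ImportError:
        return None

    def read_key(key):
        out = {}
        nsub, nval, _ = winreg.QueryInfoKey(key)
        for i in range(nval):
            name, data, _type = winreg.EnumValue(key, i)
            out[name] = data
        for i in range(nsub):
            sub = winreg.EnumKey(key, i)
            with winreg.OpenKey(key, sub) as child:
                out[sub] = read_key(child)
        return out

    # KEY_WOW64_64KEY: read the 64-bit view even from a 32-bit Python.
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, NDP_KEY, 0,
                        winreg.KEY_READ | winreg.KEY_WOW64_64KEY) as key:
        return read_key(key)


# Constructed sample registries (assumed layouts, not captured from a PC).
REGISTRY_WITH_V4 = {
    "v2.0.50727": {"Install": 1, "Version": "2.0.50727.4927"},
    "v3.5": {"Install": 1, "Version": "3.5.30729.4926"},
    "v4": {"Full": {"Install": 1, "Release": 528040, "Version": "4.8.04084"},
           "Client": {"Install": 1, "Release": 528040, "Version": "4.8.04084"}},
}
REGISTRY_V2_ONLY = {
    "v2.0.50727": {"Install": 1, "Version": "2.0.50727.4927"},
    "v3.0": {"Install": 0, "Version": "3.0.30729.4926"},
}


if __name__ == "__main__":
    ndp = read_ndp_from_registry() or REGISTRY_WITH_V4
    program = choose_program(ndp, "4.0", "app.exe", "dotnetfx.exe")
    print("installed:", installed_versions(ndp))
    print("launching:", program)
    if "--run" in sys.argv:
        subprocess.Popen([program])
```

For .NET 4.5 and later the Release DWORD under v4\Full is the precise indicator of the point release; the Version string is enough for the "is the needed major.minor present" question the autorun case asks.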

You can get GotDotNet by clicking here.

ScanCalc

This is a utility I wrote to help in scanning documents to different sizes. What typically happens is that the customer gives you an image and wants it scanned to a certain size. The image usually won't scale proportionately to that size, so there are two possible sizes, one matching the desired width and one matching the desired height.

ScanCalc gives you those two possible sizes of the scanned image, along with the scan resolution and the percentage increase in page size needed to reach the final size.
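The arithmetic behind those two answers is a scale factor per axis: target width over original width, and target height over original height. Applying one factor to both axes keeps the image proportional and either fills the target exactly on that axis while overshooting the other, or fits inside it with a margin. The following is an added example in Python, not ScanCalc's own code; the output resolution of 300 dpi is an assumed default, and the 4 x 6 inch original scanned to 8 x 10 inches is a constructed input.

```python
"""Added example (not ScanCalc's own code): the two proportional scalings
that take an original image to a target size, with the scan resolution
and percentage needed for each."""
from fractions import Fraction


def _frac(x):
    """Exact arithmetic from ints, decimal strings or floats like 4.25."""
    return Fraction(str(x))


def scan_options(orig_w, orig_h, target_w, target_h, output_dpi=300):
    """Return the two proportional scalings of an orig_w x orig_h image
    (any unit) towards a target_w x target_h page.

    Each result carries the resulting width and height, the percentage
    to enter on the scanner, the resolution to scan at so the result
    prints at output_dpi (assumed default 300), and whether the scaled
    image fits inside the target or overshoots the other axis.
    """
    ow, oh, tw, th = (_frac(v) for v in (orig_w, orig_h, target_w, target_h))
    if min(ow, oh, tw, th) <= 0:
        raise ValueError("all dimensions must be positive")
    factors = {"width": tw / ow, "height": th / oh}
    smallest = min(factors.values())
    results = []
    for axis, factor in factors.items():
        results.append({
            "fit": axis,
            "width": ow * factor,
            "height": oh * factor,
            "percent": factor * 100,
            "scan_dpi": _frac(output_dpi) * factor,
            "fits_inside": factor == smallest,
        })
    return results


def describe(option, unit="in"):
    """One-line summary with the fractions rendered to two decimals."""
    f = lambda v: f"{float(v):.2f}"
    where = "fits inside" if option["fits_inside"] else "overshoots"
    return (f"fit {option['fit']}: {f(option['width'])} x {f(option['height'])} {unit}, "
            f"{f(option['percent'])}%, scan at {f(option['scan_dpi'])} dpi ({where})")


if __name__ == "__main__":
    # Constructed input: a 4 x 6 inch print to be enlarged to 8 x 10 inches.
    for option in scan_options(4, 6, 8, 10):
        print(describe(option))
```

The option marked fits_inside is the one that needs no cropping; the other fills the page on its axis and must be trimmed on the other, which is the choice the customer has to make.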

You can get ScanCalc by clicking here.