Social Engineering

Social Engineering

Ronald Alva

CMPT 320-01

Professor Robila

May 3, 2007

Social Engineering

Social engineering is the manipulation of individuals into giving out vital information by use of a collection of techniques. Social engineering is compared nowadays to a very confident trick or a simple fraud which tricks people for gathering information or computer system access. In most cases, the attackers never come face to face with their victims because it is done by anonymous actions. Actions such as through email, phone, impersonations, Rogue Interactive voice response systems, and physical medias. Social engineers will do just anything to receive valuable information and rely on people’s inability to keep up with a culture that relies heavily on information technology. Social engineers will go through dumpsters looking for valuable information; they would look over one’s shoulder to get and memorize the access codes, or they would take advantage of people who choose meaningful passwords but can be easily guessed. Many users tend to use the same password on every account making it easier for the social engineers to obtain quick access to all the accounts that the user has. Most techniques could be difficult but it takes a lot of research and careful planning to make the execution successful.

Techniques used for social engineering can be very manipulative. It depends which technique to use can be easily chosen only if they know from which group of people they are willing trick. They are numerous amounts of techniques done for manipulation. Here are some techniques that are most commonly used by social engineers today:

1. Pretexting – this is the act if creating or inventing some sort of scene manipulating the target to release information over the phone. This trick is often used to manipulate businesses into handing out customer information such as date of birth, social security number, or last bill amount. This technique can be also performed as an impersonation of a co-worker at the business. As an impersonator, they ask a series of questions to other co-workers of the target and are prepared with answers if they are questioned back. One usual sub-technique with pretexting is the voice over IP programs which gives the user feel safer and comfortable knowing that they are not using traceable number and the lesser chance of getting caught.

2. Phishing - this technique involves emails sent to legitimate businesses and companies requesting verification of information. Also sent with it is a warning that if the information is not verified, they will consequences to consider. The letter of course will contain a link that will take the user to a website that looks legit because of the logos and content. This website will also contain a form requesting for some even more valuable information such as a home address or an ATM’s card PIN.

3. IVR phone phishing - this technique is very manipulative if performed right. It’s basically an exact duplicate of a business’s or a company’s IVR system. Of course the social engineer is behind the copy of the IVR system. What social engineers do with this is send an email (phishing) to the victim prompting them to call a toll free number to verify information. The system will continuously continue to reject the logins ensuring that the user enters their information multiple times. If the system transfers the user to a customer representative, the attacker will likely play the role for further questioning and answers.

4. Trojan horse/gimmes – Gimmes is a type of malware that brings curiosity and greed to users. Gimmes are most sent through email attachment containing something interesting that would catch the eye of the user. Things like free ringers or screensavers, a free system upgrade, or a free trial of a new antivirus would definitely receive attention from the user.

5. Road Apple – one of the slickest techniques out there. The attacker leaves a malware infected media, such as floppy disk or CD-Rom, and leaves in a location where it is surely to be found. Afterwards, the attacker waits for the business or company to use it. Of course, the media will have a type of official logo on it so that the victim can think that it belongs to them.

6. Quick pro quo – This is like basically saying: Something for something. An attacker calls random numbers of certain companies acting as a technical support representative. Somehow, they will grab someone that is in need of assistance. At this point, the attacker will “help” the victim and in so doing so will manipulate the victim into typing in commands that will give the attacker full access to the system.

What can be done to prevent these types of attacks? I would have to say that there are chances to protect a business or company from being attacked or robbed. The best combat strategy is user awareness that these attacks do happen. By doing the top business practices, there might be a lesser risk of not getting hit with these trick techniques. Such practices are to train the employees never to give out passwords or vital information over the phone. Businesses can update their security policy to address social engineer attacks and their incident-handling procedures to include social engineering attacks. When typing in a password, make sure that no one else is looking. Passwords are the most important part of logging in. They should require that all guest to be escorted because once they are inside, they have full access. They look around and see where the information is kept and what users use to enter the system. They should keep all the trash secured and in monitored areas. Once they are done with important and sensitive data, they should consider shredding them so that no one can read or obtain it. Finally, they should conduct periodic security awareness training programs to keep everyone in the business or company alert.

In businesses and companies today, many people are hired. Employers tend to hire people that they feel they can trust and confide in. But in most cases, once the individual has the respectability in the business, others do not automatically view their activities with suspicion. Every honest person assumes that the others are similarly well intentioned. The intruder also takes advantage of the natural tendency to relax one’s guard when things appear to be secure. Most companies spend tons of money to improve the hardware and software in order to block attacks. It’s up to the end users to follow good security practices. Kevin Mitnick once said: “The biggest threat to the security of a company is not a computer virus, an unpatched hole in a key program or a badly installed firewall. In fact, the biggest threat could be you.” This, in fact, could be true if one intends to betray the business in the near future.

Behaviors could be one weakness to the businesses out there. Behaviors are very vulnerable to social engineer attacks. One must know if another can be trusted. I mean if they have the direct approach and are a technical expert, than they don’t belong there in the first place. Another behavior would be to have the desire to be “helpful.” If they have the direct approach, act like a technical expert, and have the voice of authority, then something is wrong there. They are there for something else. If they wish to get something for nothing, they are up to something. An example of this would be a Trojan horse-chain email. Curiosity is another behavior that workers tend to characterize often. If one convinces another to open lets say a Trojan horse that has an open email attachment from unknown senders, that’s not an authorized employee at the business. Ignorance is a behavior of social engineering as well. Dumpster diving and a direct approach are signals of this behavior. Last but not least, carelessness. Signs of this are dumpster diving, spying, and eavesdropping on others people’s privacy. All the Social Engineering methods of attack target some very natural human attributes. In order to prevent this, just watch how everyone acts around you and learn their routine of everyday work.

There are many social engineers all around the world. Some have made headlines and some have made controversy all around the globe. In the United States, a hacker by the name of Kevin David Mitnick practically popularized the social engineer term. He was convicted of illegally gaining access to computer systems and obtaining intellectual property in the late 90s. Some consider him a criminal while others think he was made a scapegoat for the crime. After the court appearances, he decided to head a different way and is now working as a computer security consultant. Another social engineer would be a white hat hacker by the name of Archangel who is nicknamed the “greatest social engineer of all time”. This hacker had some many amusing techniques. This hacker has demonstrated such techniques that would gain everything from passwords to pizza to automobiles to airline tickets. Other hackers in this category would be Frank Abagnale, David Bannon, Peter Foster, Steven Jay Russell, and possibly Pappy Boyington.

Social engineering has been used in all sorts of popular culture. For example, in the film Hackers, the protagonist uses a technique from social engineering in which one character gains access to a TV network’s control system by posing as an executive and asking for a modem number from one of the guards. This method that was shown in the movie showed how powerful social engineering can be. In the internet gaming community, there are rumors that involves befriending a user to have access to the account passwords and game serial numbers that so that previous banned cheaters can have access to online play. A video podcast named The Broken was released in 2002 showing how one is able to receive free pizza for life by a simple social engineering trick. The host explained his technique steps and demonstrated it one by one. All the host had to do was wait for a customer to make an order. When the customer entered the pizzeria, the host entered with him/her. The customer ordered his pizza while the host of the show recorded down his/her name, phone number, and the pizza order. Later, he called the pizzeria claiming to be the customer who ordered before and complained that the pizza was terribly bad. The host ordered another pizza for not filing a complaint against the pizzeria and order another pizza in which he picked up later. This technique used was the impersonation trick also known as pretexting. This gets to show us that social engineering is done in both the real world and in the movie world as well.

Currently, there are training programs for this sort of category. One of the training program is currently being operated by Kevin Mitnick who I mentioned earlier is one of the highly controversial social engineer of the 90s. This program is to become a Certified Social Engineering Prevention Specialist (CSEPC) which is referring to both an individual Mitnick Security Consulting certification and a broader professional certification program. Of course, to attain the certification, the candidate must attend the training courses and pass the exam, which was created by Kevin Mitnick, prior to completing the course. This course’s main objective is all primarily focused on how Social Engineering works throughout multiple case histories. It more specifically focuses on how attackers use Social Engineering to obtain accesses to computer systems by manipulating the targets and what could be done to minimize this problem. The entire program costs $2,300 per person which the course will only take two days to complete. It’s a great start for any business or company employees in case this occurs during work. It might be a bit expensive since the course only takes two days to complete but the outcome will result in less attacks and harsh entrances to the system of your company.

Social engineering has its goods and its bads. Social engineering is harsh when one tries it on employed workers at companies they would like to harm. Sometimes it can be ok like with the pizza example that I explained earlier. See, in that example, nobody’s system is getting infected. The pizzeria did lose some money but it didn’t lose any information nor will it be closing down soon because of that incident. Though the host did get away with free pizza, he only used it as an example to show people that social engineer is not only done with the computer but in the outside world as well. It’s not his fault either for getting free pizza using social engineering. Any employee or manager should keep alert for people trying to bring them down. In this case, it was a free pizza. So in closing, keeping an eye out for people who are suspicious at your business could result in safe environmental work place.

References

1. http://en.wikipedia.org/wiki/Main_Page

2. http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci865450,00.html

3. http://www.securityfocus.com/infocus/1527

4. http://www.webopedia.com/TERM/S/social_engineering.html

5. http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci531120,00.html

6. http://www.securityfocus.com/infocus/1860

7.

2