To start this off, I would like to apologize for the long interlude. I am back, however, and ready to speak of facets which matter to me. In this case, I wish to speak about Social Engineering.
What is it?
Social Engineering has many definitions depending on who you ask, even though they are all speaking of the same actions. The common denominator seems to be that it is the manipulation of people’s natural tendency to trust in order to accomplish something. You might be wondering, “But what does this have to do with technology? Aren’t you supposed to tell us about how to keep our networks secure?” Well, put simply, I am.
What would you say is the most vulnerable link in your corporate network? I am sure you can easily point out about 20 technical flaws in Windows or Adobe (Dear Adobe, fix your vulnerabilities please, that is all). You might even mention Bill from accounting. That guy is such a klutz and shouldn’t have been hired in the first place. He leaves his password out and does all sorts of stupid stuff, right? This is all fine and dandy, and you are right that these are terrible vulnerabilities, but you are forgetting about yourself. YOU, the IT guru, the admin, are also a huge vulnerability. People in general, not just the stupid ones. To this end, I am writing this blog for you, the IT guru.
I feel that I am extremely paranoid when it comes to data security. I will sit there and triple check firewall and router configurations to ensure they are properly set. I advocate the use of complex password requirements, and even pay attention to the separation of administrative and user permissions. However, my major flaw is trusting too much. I have been known to talk bluntly with technicians about troubleshooting issues with a server or two. I personally knew the technicians, but that doesn’t change the point. Until I thought about it at length and changed my ways, I probably would have troubleshot with a technician I had never seen before.
We as people want to trust others. For some, it doesn’t even cross their mind not to trust. This blind faith in others’ integrity has allowed hackers to mosey on into networks both unseen and with minimal effort.
How it’s done
Social Engineering usually uses what is called pretexting, in which an individual comes up with a premeditated scenario in which the victim must give them some data. This can be done in multiple ways, but it usually follows a strict process of Observation, Manipulation and Attack. It should be noted that while I break the process into three phases, many treat each phase as an independent attack. I break it up to categorize attacks and to provide a process which can be easily understood. This is important because sometimes all a Social Engineer needs is a single piece of easily obtainable data.
Observation
This phase is rather obvious. Social Engineers thrive on information. They can gather it through a multitude of means from a variety of sources, some of which might not be directly related to the victim company. Some common observation methods are listed below:
- Social Networking – I for one was raised in the belief that the person we meet online is probably a middle-aged predator whose entire plan online is to catch you. While this isn’t always true, how many friends on Facebook do you actually know? I know several people, including some notable administrators, who added friends because they were hot. A good tip would be to secure your profile and comb through your friends. You probably also have your real birthday on there. I know for a fact that I have called a banking institution before and was only asked for my birthday before gaining access to my money. I always decline birthday apps and relationship apps (how many times were you asked what your father’s middle name was?). Needless to say, this is where many administrators are a very weak link, because if their information is compromised, then your network is likely to follow.
- Dumpster Diving – Ok, we have all probably heard of this. You just go up to a dumpster or landfill and gather documents you find lying around. It may seem like a habit that someone might call you out on, but if you just tell them that you accidentally threw away your wallet, you might even get some help in the process.
- Personal Vehicles – YOUR CAR IS NOT SAFE. Hold on, did I make that flashing? Well, it should be. I don’t know how many times I have seen people hang badges, leave records lying about, or leave old bills and pay stubs on the dashboard. How does this seem like a good idea? Is your car impenetrable and impervious to the sight of immoral people? Along the same lines, bumper stickers are cute from time to time, but at what point did it become a good idea to advertise to the world exactly how many dogs, cats, children and family members live with you, along with your political affiliation, your favorite color and how you hate clowns? There are some people you can almost know entirely from their car alone.
- Shoulder Surfing – I am actually combining two methods of observation in this one. The obvious one is sitting there watching over a person’s shoulder and observing what is on their computer screen. You can gain a lot of information about someone through this method. In public places such as airports, coffee shops and parks, people lose sight of their security and think they are alone in the world. Things you might notice while watching someone include their password, their technical ability, their job and their correspondence methods. As I said, I am combining two methods of observation; the second one is just sitting there and watching. I was forced to watch this silly show by my father-in-law about a tightrope walker who walked the twin towers while they were still under construction. At the time, I did not see the link to Social Engineering, but now it is clear. Because security was so tight, the walker sat there in the lobby and acted like an invalid. People ignored him entirely. No one asked him to leave, so he just sat there. He observed the guards’ patterns and how they went in and out, he read maps, and throughout it all he just acted normal, and people in their busy lives never even noticed. This helped him get up to the top when he wasn’t allowed. The difference between this story and how it is now: nothing.
- Asking – This might seem counter-intuitive, but it really works. There was a study where researchers asked people for their passwords and gave them bars of chocolate in exchange. They got the passwords. It isn’t always so blunt, however. Sometimes, the tidbit of information you need is just someone’s name or when they are in the office. A quick call to ask if someone is in can gather that information easily.
Manipulation
Manipulation is how a Social Engineer bends information to his will. To get a good idea of how this is done, let’s look at what kind of information is being gathered. It may seem like only social security numbers, passwords and usernames are of value, but remember that in the observation phase the Social Engineer gathered anything they could. The reason is that even this seemingly innocent information can be combined to craft a convincing story.
While the manipulation varies depending on the type of attack planned, it typically involves the Social Engineer being placed into a position of power. Do not associate a position of power with an elevated privileged user or administrator. A position of power can be a regular employee who has normal access. The manipulation might also place the Social Engineer into a scenario which ensures that the victim will likely reveal information.
For example, the Social Engineer could present himself as a utility technician. Then the Social Engineer could say that he has a repair job scheduled in the company’s basement.
I am hoping you are correctly thinking, “Ohh, so manipulation is just lying to suit your needs using information you gathered.” This is exactly what it is.
Attack
Now for the part you have all been waiting for! The attack is the end which justifies the means. All that digging around in garbage cans and acting like an invalid to gather information, which you then cleverly crafted into an expert scenario, all leads to the attack.
Social Engineers’ tactics are varied and ever changing. The forms an attack can take are limited only by the imagination of the attacker and the technology present today.
I am sure you have all heard of phishing before. Phishing is the use of an email to trick an individual into providing information such as their username and password. Common phishing emails claim to be from a bank, an insurer or a large social networking site. They typically use scare tactics, such as stating that your accounts have been frozen due to suspected fraud and asking you to log in to verify your information. The links provided take you to a copied site. Sites are not difficult to copy, and there are methods to spoof the address bar in some browsers. Phishing is dangerous for a company, but even more so is Spear Phishing.
Think of Spear Phishing as Phishing that is not sent to random people but is instead tailored for and sent directly to your company. These attacks are usually much better coordinated, and almost always appear to come from a trusted source. They are executed almost exactly like Phishing. The attacker could be pretending to be a member of your organization, so simply telling your employees to only trust emails from your organization won’t help much here. If your company has a single shared directory, you would do better by telling your employees that you will never send them links, and to never follow links in emails, period. You could instead place the links on the secured shared directory and just instruct members to follow them there. (This is only a random suggestion; I am sure there are many greater ones if you want to enlighten me in the comments section.)
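As an added example (not part of the original post), here is a small Python check for the two phishing tells described above: scare-tactic wording and a link whose visible text shows one site while its real destination is another. The sample message, the scare-phrase list and the domain names are all constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample message in the style the post describes: a "bank", a scare
# tactic, and a link whose visible text does not match its real destination.
SAMPLE_EMAIL = """Subject: Your account has been frozen
Dear customer,
Your accounts have been frozen due to suspected fraud.
Please log in to verify your information within 24 hours:
<a href="http://examplebank.example.attacker.test/login">https://www.examplebank.example/login</a>
"""

# Wording typical of the scare tactics the post mentions (assumed list, extend as needed).
SCARE_PHRASES = ("frozen", "suspected fraud", "verify your information", "within 24 hours")

# Anchor tags: capture the real href and the text the reader actually sees.
LINK_RE = re.compile(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', re.IGNORECASE)


def base_domain(url: str) -> str:
    """Last two labels of the URL's host (a rough stand-in for the registrable domain)."""
    host = urlparse(url if "://" in url else "http://" + url).hostname or ""
    return ".".join(host.lower().split(".")[-2:])


def link_mismatches(body: str) -> list:
    """Links whose visible text looks like a URL but sits on a different domain than the href."""
    found = []
    for href, text in LINK_RE.findall(body):
        text = text.strip()
        if text.startswith(("http://", "https://", "www.")) and base_domain(text) != base_domain(href):
            found.append((text, href))
    return found


def phishing_indicators(body: str, trusted_domains: set) -> list:
    """Return human-readable reasons this message looks like phishing (empty list = none found)."""
    lowered = body.lower()
    reasons = [f"scare phrase: {p!r}" for p in SCARE_PHRASES if p in lowered]
    reasons += [f"link text {t!r} really points at {h!r}" for t, h in link_mismatches(body)]
    for href, _ in LINK_RE.findall(body):
        if base_domain(href) not in trusted_domains:
            reasons.append(f"link to untrusted domain {base_domain(href)!r}")
    return reasons


if __name__ == "__main__":
    for reason in phishing_indicators(SAMPLE_EMAIL, {"examplebank.example"}):
        print(reason)
```

Run against the sample, it flags all four scare phrases, the mismatched link text, and the untrusted destination domain; a plain internal note with no links and no scare wording returns an empty list.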
Now for the big one, Whaling. I know it sounds silly with all these fishing-pun style names, but that is just how it turned out. Whaling is the targeting of a specific individual, typically a senior executive like a CEO or Director. These high-level individuals do not always get the same level of training, and these attacks succeed from time to time. The damage of a senior executive being hacked is exponentially greater than that of a lower-level employee. Now not only is your data at risk, but your company’s reputation as well. These attacks can also be conducted via phone or any other communications medium.
Let’s move away from remote attacks and start talking about the fun attacks. By fun I mean the local attacks, in which a Social Engineer has to talk to someone. Physical access allows a Social Engineer to manipulate more than just information. The method of communication alone can present a vulnerability in a user. If a person in a new-employee outfit looks lost, many people will want to help them. This tendency to help others is also manipulated by the Social Engineer.
Local attacks come in several forms, but a common one is where the Social Engineer dresses as a repairman or worker and pretends they have an appointment or job to accomplish. Most employees wouldn’t even look twice. Remember how I trust too much? This is what made me think of that. How open are you with a Ricoh tech when they tell you that they feel your pain about how much their system sucks? Being open with fellow technicians is nothing new, but be careful what you tell to whom.
How about the mail carrier? In the movie “The Losers” one of my favorite scenes in any movie happens. Jensen, played by Chris Evans, employs a plethora of Social Engineering tactics to gather data. A quick breakdown of the attacks he used: a standard Pretext attack, where he starts out dressed as a delivery man to get past the front office. Then, playing on elevator etiquette, he sings Journey’s Don’t Stop Believing to ensure he is the only one in the elevator. Once in the elevator, he calls “Mr. Anderson” and informs him of an incident elsewhere in the building to get him out of his office. He changes in the elevator to look like a tech, who then enters Mr. Anderson’s office area through a secure door using a Piggyback attack. In this he waited until Mr. Anderson started to open the door, and then finished opening it for him to look polite, which let him pass through the door without a badge. Once in, he informed Mr. Anderson’s secretary that he was there to install a firewall. While he only succeeded with help from some friends, this is the kind of vulnerability which your company has. These sorts of attacks have been used for a long time; the biggest difference is that instead of being just a security problem, it is now a data security problem as well. Remember that local and remote attacks are limited only by imagination and available technology. You must ALWAYS be on the lookout for this.
Social Engineering is nothing new. It just has a new name and a new focus. The target isn’t valuables, but valuable data. You as an administrator have a lot to worry about already, with Trojans, viruses, vulnerabilities and other attacks already aimed at you. You can never let this form of attack fall from your cognizance, or else your diligent network security practices may be in vain. You can’t protect your company, especially a larger company, from this attack directly. However, by training your employees to recognize this threat, you might be able to mitigate the risk of being the target of an attack. Again, if you have any comments or suggestions, please leave a comment below, and I will get back to you.