Social engineering

From Computing and Software Wiki

Revision as of 23:34, 3 December 2007 by Shahinrs (Talk)
Jump to: navigation, search

Social Engineering is a term used in computer science that referees to a non-technical type of security attack. This attack relies on the human element in any security system and is made vulnerable by exploiting a person's trust in the attacker to divulge sensitive or insensitive information. This is often accomplished by misleading or tricking the person getting attacked. In many cases, the attacked never know that they have been attacked.


Kevin David Mitnick
Born October 6, 1963
Convicted of computer related crimes using social engineering.

Contents

What is Social Engineering?

Social Engineering is the manipulation of people to further a person's motives using various methods. “The art and science of getting people to comply to your wishes” - Bernz. This "compliance" is generally associated with the acquisition of electronic information. However, Social Engineering can also apply to a border definition which encompasses any kind personal manipulation in an attempt to gain something dishonestly. The manipulation is performed by "tricking" the mark (the unsuspecting victim) into a false sense of trust which is them abused to obtain the sought objective.

Aspects of Social Engineering

A social engineering attack can be thought of as process with two key components; human and the system. The human component requires the social engineer to gain the trust of whom ever has access to the system.

Human

The human element in social engineering attacks is the method in which the objectives are carried out. Human beings are generally the weakest part of any security system because they can be tricked or corrupted. By attacking the people who have access to what a social engineer wants, the objectives of a social engineer can be reach more easily. People like system administrator, maintenance people, or employees can all potential jeopardized a secure system by giving out information that to someone who they consider to be trustworthy.

System

The system refers to any potentially closed system which contains something a social engineer wants. A social engineering attack is only successful if the social engineer has knowledge about the inner workings of the system. Knowledge like protocols, terminology, names of people, important dates, etc., provide a social engineer ammunition to construct a persona which is then used to manipulate the people who have access to the system.

Methods of Social Engineering

By Phone

This is the most common method of social engineering attacks. An attacker will call the mark, using a persona, and gain the mark's trust. Then the attacker will request information which then might be used to perform another social engineering attack. Help desks are prone to this kind of attack since they are trained to be friendly and give out information. They are also minimally educated in areas of security. An example of this type of attack might be the following scenario. An attacker calls a help desk and asks to speak to the supervisor. When the supervisor answer, the attacker explains that he is the system administrator and that there is a problem with the system. Then the attacker asks the supervisor to login to the system. The attacker then states that he is unable to see the login on his end and that this is a problem. Then the attacker asks the supervisor to give him the login information so that he can try. Once the supervisor has done this, the attacker tells the supervisor that everything seems to be ok and the supervisor is none the wiser.

Another example of a phone attack is when the attacker calls a person in the middle of the night posing as someone from a bank. The attacker asks if they have just made a suspicious purchase (a very large amount or in another country). When the mark says no, the attacker asks for the credit card number for verification, then says the charges will be removed from the account.

Social Engineering can take on many forms on the phone and can have many different objectives. The most notable social engineer in 1990's was Kevin Mitnick. He was arrest in 1995 and convicted of illegally gaining access to computer networks and stealing intellectual property. Mitnick's methods relied on the use of phone calls to the companies which he attacked. Mitnick served 5 years in prison and now runs a security consulting company which gives security advice to companies.

Online

Online social engineering attacks are similar to phone attacks, in that they pose as a legitimate entity which the mark will trust. Many online attacks are spread through phishing. This type of social engineering assumes that most users use the same login and password for many internet sites, so by getting the user to sign up for a new site, they will be giving up their login information. These sites might be in the form of new sites which the use might be interested in, or they might pose as sites which the user already has an account for and ask the user to try and login again. The latter example can take for in the following. The mark receives an email informing him that he needs to update his PayPal password by clicking the provided link and logging in. Failure to do so will result in the termination of the account after a specified period. Once the mark clicks on the link, and enters his login information, a message is displayed which confirms the change. The link the mark has clicked on however, was a link to the attacker's site which simply records the login information.

Persuasion

Persuasion is the core of social engineering attacks. This method is used in all social engineering attacks and relies on the attacker's grasp of the human psyche. The attacker's ability to persuade is determined by two things. Firstly the attacker must be able to gain trust. This can be accomplished using various techniques. The most common of which are creating a persona by impersonation or imitation. An attacker can pose as either an existing employee or pose as a generic employee. For example, an attacker calling an office can say that his name is Bob Anderson with employee number 123456 (where Bob Anderson is an existing employ who works at a different branch with that employee number), or he can say he's Dale Johnson, a new system administrator brought in to fix the recent system failures (where Dale Johnson is a made up name). The use of these persona provides the social engineer with a the appearance of authenticity which is used to build the mark's trust. Once this authenticity is established, the attacker must then complete the persuasion by implementing the second step, manipulation. This is accomplished by providing a convincing reason to the mark to give the attacker what he wants. This can be a colorful background story, a tempting offer, or even guiling the mark into compliance. The point is to make the mark believe that the persona that is being used is legitimate and that the requests being made are genuine. If a social engineer can master these two elements then he will be very persuasive.

Dumpster Diving

Dumpster Diving, also known as trashing, is the "snooping" through trash to collect information. It is a very effective method of obtaining many different types of information. The premis is that many companies and individuals don't apply a high level of security in their garbage because they feel as though what they throw out is no longer relevant. However, much of the trash being discarded can collectively provide the social engineer with the tools needed to create personas and learn about the inner workings of the system. Trash like old user and password lists, company directories, event calenders, printouts of source code and even obsolete hardware can contain information that is relevant to the current state of the system. In particular the social engineer can learn about the companies protocals, termonology and many emplyee's names and other personal information.

Reverse Social Engineering

  • Pretend to be someone in a position of authority
    • employees will ask him for information
  • Most difficult method to pull off
    • requires lots of preparation
    • but can yield the most successful results


Protection

  • Security policies dealing with both physical and psychological elements
    • Standard physical security mechanisms
      • networks protection
      • good password protection
      • secure disposal of trash
      • standard security measures we’ve discussed in class
    • Education and training of employees
      • Making employees aware of Social Engineering
      • better recognize an attack
      • Authentication
        • Making sure the person they are speaking with is that person
    • Availability of ANY information
      • only give out information that’s need-to-know
      • Don’t give out confidential information

Conclusion

  • Social Engineering attacks are very difficult to protect against.
  • A system’s security is only as strong as the people who maintain it.
  • With proper training, a social Engineering attack can be made extremely difficult.
  • However, it can never been fully projected against.

References

Bernz: “The complete Social Engineering FAQ!” http://www.morehouse.org/hin/blckcrwl/hack/soceng.txt

Sarah Granger : “Social Engineering Fundamentals”, SecurityFocus, December 18, 2001 http://www.securityfocus.com/infocus/1527

“Social engineering (security)”, Wikipedia, November 19, 2007 http://en.wikipedia.org/wiki/Social_engineering_(computer_security)

“social engineering”, SearchSecurity, October 10, 2006 http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci531120,00.html

Mitnick, Kevin: “My first RSA Conference,” SecurityFocus, April 30, 2001 http://www.securityfocus.com/news/199

Leslie Hawthorn: “Social Engineering”, O’Reilly Network, March 10, 2006 http://www.oreilly.com/pub/a/womenintech/2007/09/04/social-engineering.html

“Social Engineering”, McGuill Network Communications Services, September 7, 2007 http://www.mcgill.ca/ncs/products/security/threatsdangers/socialeng/


--Shahinrs 07:36, 7 November 2007 (EST)

Personal tools