Social Engineering


                   Ronald Alva
                 CMPT 320-01
               Professor Robila
                   May 3, 2007
                           Social Engineering

Social engineering is the manipulation of individuals into giving out vital
information by use of a collection of techniques. Social engineering is
nowadays compared to a confidence trick or a simple fraud that tricks people in
order to gather information or gain computer system access. In most cases, the
attackers never come face to face with their victims because the attack is
carried out through anonymous channels such as email, phone, impersonation,
rogue interactive voice response (IVR) systems, and physical media. Social
engineers will do just about anything to obtain valuable information, and they
rely on people’s inability to keep up with a culture that relies heavily on
information technology. Social engineers will go through dumpsters looking for
valuable information; they will look over one’s shoulder to get and memorize
access codes, or they will take advantage of people who choose meaningful
passwords that can be easily guessed. Many users tend to use the same password
on every account, making it easier for social engineers to obtain quick access
to all the accounts that the user has. Most techniques can be difficult, and it
takes a lot of research and careful planning to execute them successfully.

Techniques used for social engineering can be very manipulative. The technique
to use can be chosen easily only if the attackers know which group of people
they intend to trick. There are numerous techniques of manipulation. Here are
some techniques that are most commonly used by social engineers today:

   1. Pretexting – this is the act of creating or inventing some sort of scene
      to manipulate the target into releasing information over the phone. This
      trick is often used to manipulate businesses into handing out customer
      information such as date of birth, social security number, or last bill
      amount. This technique can also be performed as an impersonation of a
      co-worker at the business. As impersonators, they ask a series of
      questions of the target’s co-workers and are prepared with answers if
      they are questioned back. One common sub-technique of pretexting is the
      use of voice over IP programs, which make the user feel safer and more
      comfortable, knowing that they are not using a traceable number and have
      a lesser chance of getting caught.

   2. Phishing – this technique involves emails sent to legitimate businesses
      and companies requesting verification of information. Also sent with it
      is a warning that if the information is not verified, there will be
      consequences to consider. The letter will, of course, contain a link that
      takes the user to a website that looks legitimate because of its logos
      and content. This website will also contain a form requesting even more
      valuable information, such as a home address or an ATM card’s PIN.

   3. IVR phone phishing – this technique is very manipulative if performed
      right. It is basically an exact duplicate of a business’s or a company’s
      IVR system. Of course, the social engineer is behind the copy of the IVR
      system. Social engineers send an email (phishing) to the victim prompting
      them to call a toll-free number to verify information. The system will
      continually reject the logins, ensuring that the user enters their
      information multiple times. If the system transfers the user to a
      customer representative, the attacker will likely play that role for
      further questions and answers.

   4. Trojan horse/gimmes – a gimme is a type of malware that appeals to
      users’ curiosity and greed. Gimmes are most often sent as email
      attachments containing something interesting that would catch the eye of
      the user. Things like free ringers or screensavers, a free system
      upgrade, or a free trial of a new antivirus would definitely receive
      attention from the user.

   5. Road apple – one of the slickest techniques out there. The attacker
      leaves malware-infected media, such as a floppy disk or CD-ROM, in a
      location where it is sure to be found. Afterwards, the attacker waits for
      the business or company to use it. Of course, the media will have a type
      of official logo on it so that the victim thinks that it belongs to
      them.

   6. Quid pro quo – this basically means: something for something. An
      attacker calls random numbers at certain companies, acting as a
      technical support representative. Somehow, they will reach someone who is
      in need of assistance. At this point, the attacker will “help” the victim
      and in doing so will manipulate the victim into typing in commands that
      give the attacker full access to the system.

What can be done to prevent these types of attacks? I would have to say that
there are chances to protect a business or company from being attacked or
robbed. The best combat strategy is user awareness that these attacks do
happen. By following the top business practices, there might be a lesser risk
of getting hit with these trick techniques. Such practices are to train the
employees never to give out passwords or vital information over the phone.
Businesses can update their security policy to address social engineering
attacks and their incident-handling procedures to include social engineering
attacks. When typing in a password, make sure that no one else is looking.
Passwords are the most important part of logging in. Businesses should require
that all guests be escorted because once they are inside, they have full
access. They look around and see where the information is kept and what users
use to enter the system. Businesses should keep all the trash secured and in
monitored areas. Once they are done with important and sensitive data, they
should consider shredding it so that no one can read or obtain it. Finally,
they should conduct periodic security awareness training programs to keep
everyone in the business or company alert.

In businesses and companies today, many people are hired. Employers tend to
hire people that they feel they can trust and confide in. But in most cases,
once the individual has respectability in the business, others do not
automatically view their activities with suspicion. Every honest person assumes
that the others are similarly well intentioned. The intruder also takes
advantage of the natural tendency to relax one’s guard when things appear to be
secure. Most companies spend tons of money to improve their hardware and
software in order to block attacks. It’s up to the end users to follow good
security practices. Kevin Mitnick once said: “The biggest threat to the
security of a company is not a computer virus, an unpatched hole in a key
program or a badly installed firewall. In fact, the biggest threat could be
you.” This, in fact, could be true if one intends to betray the business in the
near future.

Behaviors could be one weakness of the businesses out there. Behaviors are very
vulnerable to social engineering attacks. One must know if another can be
trusted. I mean, if they have the direct approach and are a technical expert,
then they don’t belong there in the first place. Another behavior would be to
have the desire to be “helpful.” If they have the direct approach, act like a
technical expert, and have the voice of authority, then something is wrong
there. They are there for something else. If they wish to get something for
nothing, they are up to something. An example of this would be a Trojan horse
chain email. Curiosity is another behavior that workers tend to show often. If
one convinces another to open, let’s say, a Trojan horse that is an email
attachment from unknown senders, that’s not an authorized employee at the
business. Ignorance is a behavior of social engineering as well. Dumpster
diving and a direct approach are signals of this behavior. Last but not least,
carelessness. Signs of this are dumpster diving, spying, and eavesdropping on
other people’s privacy. All the social engineering methods of attack target
some very natural human attributes. In order to prevent this, just watch how
everyone acts around you and learn their routine of everyday work.

There are many social engineers all around the world. Some have made headlines
and some have caused controversy all around the globe. In the United States, a
hacker by the name of Kevin David Mitnick practically popularized the term
“social engineer.” He was convicted of illegally gaining access to computer
systems and obtaining intellectual property in the late 90s. Some consider him
a criminal while others think he was made a scapegoat for the crime. After the
court appearances, he decided to head a different way and is now working as a
computer security consultant. Another social engineer would be a white hat
hacker by the name of Archangel, who is nicknamed the “greatest social engineer
of all time”. This hacker had many amusing techniques and has demonstrated
techniques that would gain everything from passwords to pizza to automobiles to
airline tickets. Other hackers in this category would be Frank Abagnale, David
Bannon, Peter Foster, Steven Jay Russell, and possibly Pappy


Social engineering has been used in all sorts of popular culture. For example,
in the film Hackers, the protagonist uses a technique from social engineering
in which one character gains access to a TV network’s control system by posing
as an executive and asking for a modem number from one of the guards. The
method shown in the movie showed how powerful social engineering can be. In the
internet gaming community, there are rumors of users being befriended to gain
access to their account passwords and game serial numbers so that previously
banned cheaters can have access to online play. A video podcast named The
Broken was released in 2002 showing how one is able to receive free pizza for
life by a simple social engineering trick. The host explained the steps of his
technique and demonstrated them one by one. All the host had to do was wait for
a customer to make an order. When the customer entered the pizzeria, the host
entered with him/her. The customer ordered his pizza while the host of the show
recorded his/her name, phone number, and the pizza order. Later, he called the
pizzeria claiming to be the customer who had ordered before and complained that
the pizza was terribly bad. In exchange for not filing a complaint against the
pizzeria, the host ordered another pizza, which he picked up later. The
technique used was the impersonation trick, also known as pretexting. This goes
to show us that social engineering is done in both the real world and in the
movie world as well.

Currently, there are training programs for this sort of category. One of the
training programs is currently being operated by Kevin Mitnick who, as I
mentioned earlier, is one of the highly controversial social engineers of the
90s. This program is to become a Certified Social Engineering Prevention
Specialist (CSEPS), which refers to both an individual Mitnick Security
Consulting certification and a broader professional certification program. Of
course, to attain the certification, the candidate must attend the training
courses and pass the exam, which was created by Kevin Mitnick, prior to
completing the course. The course’s main objective is to show how social
engineering works through multiple case histories. It more specifically focuses
on how attackers use social engineering to obtain access to computer systems by
manipulating the targets and what could be done to minimize this problem. The
entire program costs $2,300 per person, and the course takes only two days to
complete. It’s a great start for any business or company employees in case this
occurs during work. It might be a bit expensive since the course only takes two
days to complete but the outcome will result in fewer attacks and harsh
entrances to the system of your


Social engineering has its goods and its bads. Social engineering is harsh when
one tries it on employed workers at companies they would like to harm.
Sometimes it can be OK, like with the pizza example that I explained earlier.
See, in that example, nobody’s system is getting infected. The pizzeria did
lose some money but it didn’t lose any information, nor will it be closing down
soon because of that incident. Though the host did get away with free pizza, he
only used it as an example to show people that social engineering is not only
done with the computer but in the outside world as well. It’s not his fault
either for getting free pizza using social engineering. Any employee or manager
should keep alert for people trying to bring them down. In this case, it was a
free pizza. So in closing, keeping an eye out for people who are suspicious at
your business could result in a safe work environment.









