Overview of Remote Access Server
10.1 Social Engineering
10.1.2 Attack on the psychological level
These categories of attacks -- ego, sympathy, and intimidation -- are all on the psychological level of social engineering. This means that the intruder appeals to the employee through the use of emotion.
Let's examine each of these attacks.
10.1.2.1 Ego attacks
An ego attack is perhaps one of the favorite types of social engineering attacks simply because you know that as network administrators, we all have big egos. The attacker appeals to the vanity, or ego of the victim. The victim wants to prove how smart or knowledgeable he is and unthinkingly provides sensitive information. We're all anxious to show how much more we know than the next person or how much better our equipment is than theirs. The perfect scenario for this type of engineering is a user group meeting held after work. You know of several groups that meet once a month or so after work in some of the local clubs. Mix egos and guess what happens?
It's amazing what employees will reveal without a whole lot of coaxing. How many employees are unwittingly revealing information in social settings without realizing who they are talking to?
This can happen in any type of social setting. For example, suppose you attend a birthday party for a friend. Some of the other attendees are also in the field and the topic of conversation turns to servers. Everyone is comparing equipment. You'll know what operating systems are running, what kind of equipment is running on each, and what issues each one is having.
Talking about our jobs and comparing problems are simply part of human nature, and ego attack victims never realize what has happened, but the information extracted can be extremely dangerous in the wrong hands.
Ego attackers also target those they sense are frustrated with their current job position. Unhappy employees are very likely to reveal information with little prodding because they feel mistreated.
Attackers also have been known to pretend to be law enforcement officials, and their victims feel obliged and sometimes even honored to help them by providing information.
10.1.2.2 Sympathy or intimidation attacks
The following are all examples of social engineering that either use intimidation or prey on sympathy:
• You receive a call from someone saying he's a General Manager. He states that he's in real trouble. He's attempting to do a presentation for Microsoft and has forgotten his password; therefore he can't log into the Web site to do the presentation. He just changed it yesterday and can't remember what it is. He needs to have it right away because he has a room full of clients waiting and he's starting to look incompetent. This is an extremely important client that could mean millions of dollars in revenue for the office.
• Someone you have never seen before approaches you as you're entering a secured building. She has her hands full carrying coffee and doughnuts. She smiles sweetly and says she has her ID badge in her pocket, but just doesn't seem to have an extra hand to swipe the card and still carry all she has. She asks that you please hold the door for her.
• You receive a call from the corporate office saying that a new mail server is being put into place and there's an immediate need to verify current user accounts and passwords. You are told that it's not safe to send this information via e-mail, and are asked to please print it off and fax it directly to a number given to you. You're told that the number is a direct line for the person putting the new server into place.
These attacks are very successful because our business needs change daily and we live in a fast-paced world. This type of attack plays on the empathy and sympathy of the victim, and an attacker can shop around until he finds someone who will help.
Here are some social-engineering approaches an intruder can use to get information:
• Pretends to be a fellow employee or a new hire, contractor, or a vendor.
• Insists there's some urgency to complete some task or obtain some information.
• Pretends to be someone influential, an authority figure, or, in some cases, a law enforcement official, and uses that authority to coerce the victim into cooperation.
• If met with resistance, uses intimidation and threats such as job sanctions or criminal charges.
• If pretending to be a law enforcement officer, claims the investigation is hush-hush and not to be discussed with anyone else.
WARNING
Employees can exploit social engineering just as well as outsiders. Keep in mind that more damage is done to a network by disgruntled employees than by outsiders.
You'll learn how to recognize a social engineering situation shortly. Here's a scenario that actually happened:
A user came to a network administrator with his laptop and requested that it be joined to the domain. The administrator logged the user off the laptop, logged in as himself, and joined the laptop to the domain. So, what's wrong with that? The user had keystroke logging software installed on the laptop. He proceeded to go back to his work area, read the log file, log in as the administrator, browse to the main server, and copy the SAM (Security Accounts Manager) to a file. (For those of you unfamiliar with the SAM, it holds user account information that includes usernames and passwords.) He took the file home and that evening ran L0phtCrack, which is password-cracking software, on the file. The next day, he had the logins and passwords for every user in the office. He periodically logged in as other users and accessed information he should not have. As time went by, he got bolder, logging in as the administrator and shutting down services, causing problems on the network. Eventually, his bragging got him into a bind and he was dismissed for his actions. The best way to avoid this type of situation is to never join a machine to the domain from a user's machine. The account should be created at the server console instead.