The last category of exploits that we are going to look at is deception, or lying. Most people fail to realize that most successful attacks have some element of deception involved. Some networks are wide open, but in most cases you have to use a technique called social engineering to acquire additional information. Social engineering is convincing people to give you information they normally would not give, usually by pretending to be someone else. The following paragraphs give some examples of social engineering.
An attacker looks at the web site for a startup company and notices that it is expanding into many different regions across the country. He goes to the jobs section and notices that the company is hiring a lot of people in the Colorado office. The site also lists the name of the hiring manager. The attacker correctly assumes that, because this region is hiring a lot of people, this hiring manager is probably very busy. The attacker now has enough information to launch the attack. He calls the operator and gets the general number for the company. He calls and asks to be connected to the help desk. After the help desk answers, the attacker says, “I am a new employee working for Pat (the hiring manager in Colorado). She just gave me a bunch of tight deadlines and I need an account to get started. Pat told me that normally I’d have to fill out some paperwork, but based on the business demands, she said that you should set me up with an account so that I can get started.” The attacker then apologizes for putting the help desk in an awkward position, but explains that he has a job to do. In a moment, the help desk is creating an account for the attacker. The attacker now asks the help desk for one more favor: “Because I am going to have to put in long hours and work from home, can you also give me the numbers for dial-up access?” Ten minutes of research and a five-minute call just gave an attacker full access to the network. It might sound simple, but trust me, it works.
This next example requires a little dressing up. The attacker puts on a hardhat and a shirt that say “ABC Electrical and Cooling.” (You would be amazed at what you can find at a second-hand store or in a dumpster.) Then, either early in the morning or late at night, he finds someone working and bangs on the door. Eventually, someone answers and the attacker says there have been alarms that the cooling unit is not working properly in the server room. The employee says things like, “I do not know,” and “You will have to come back later.” The attacker says, “Fine, but when the systems burn up and the whole network goes down, I am going to put on my service sheet that you refused to let me in and you will have to deal with it. Also, your company will be billed because I had to come out.” Ninety-eight percent of the time this gets an attacker into the building. Even if the employee escorts the attacker to the server room, there is always enough time for him to slip some tapes into his bag. Or, if he is taking a while, the employee will probably leave him alone to access whatever servers he wants.
Now let’s take a look at a more informal social engineering attack—a social setting. At a party, an attacker targets and strikes up a conversation with someone who works in IT. He then plays the role of someone who is thinking of applying for a job at that company and is interested in exactly what the company does. You would be amazed at what people will tell you if they think you’re interested in them. After a 30-minute
known people to tell about security vulnerabilities and ways attackers could get into the system. Why wouldn’t they? He is a future employee of the company, isn’t he?
The key to remember with social engineering is that there is a fine line between trusting everyone and trusting no one. On the one hand, if someone calls up and asks for an account, giving it to them on the spot is probably too risky. On the other hand, if someone asks for an account and you say, “No way, forget it,” you could lose your job. I have found that being creative works very well. For example, if someone calls for a new account, offer to call back with the information. You can either ask for his number and verify that it is a company extension, or look him up in the company directory and use that number. If the attacker or employee says that he is working from home and got locked out of his account, offer to leave the information on his company voice mail. He can call back in 15 minutes to retrieve the information. Because social engineering is an example of spoofing, it is covered in more detail in Chapter 4, “Spoofing.”
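The callback and voice-mail procedure above, written as a help-desk routing rule. This is an added example, not code from the book; the company number, directory, names and requests are constructed, and a new hire who is not yet in the directory is routed to the claimed manager's directory extension rather than served.

```python
import re
from dataclasses import dataclass

# Constructed example data (not from the book): switchboard number and extension directory.
MAIN_NUMBER = "3035550000"          # hypothetical company main number
DIRECTORY = {                       # extension -> employee name
    "5501": "Pat Morgan",           # hypothetical hiring manager, Colorado office
    "5517": "Chris Lee",
}

@dataclass
class AccountRequest:
    caller_name: str
    claimed_manager: str
    callback_number: str            # number the caller offers for a return call
    locked_out_from_home: bool = False

def extension_of(raw: str):
    """Map a number to a directory extension, or None if it is not a company number.
    Accepts a bare 4-digit extension or the full 10-digit company number."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 4 and digits in DIRECTORY:
        return digits
    if len(digits) == 10 and digits[:6] == MAIN_NUMBER[:6] and digits[6:] in DIRECTORY:
        return digits[6:]
    return None

def find_extension(name: str):
    """Directory lookup by name; the directory, not the caller, is the source of truth."""
    for ext, person in DIRECTORY.items():
        if person.lower() == name.lower():
            return ext
    return None

def route_request(req: AccountRequest) -> str:
    """Decide how the help desk responds. Nothing is handed out on the inbound call;
    every path reaches the caller only through a number or mailbox the company controls."""
    manager_ext = find_extension(req.claimed_manager)
    if manager_ext is None:
        return "ESCALATE: claimed manager not in directory"
    caller_ext = find_extension(req.caller_name)
    if req.locked_out_from_home:
        if caller_ext is None:
            return f"ESCALATE: confirm with manager at ext {manager_ext}"
        return f"VOICEMAIL: leave details on ext {caller_ext}, caller retrieves in 15 min"
    verified = extension_of(req.callback_number)
    if verified is not None and verified == caller_ext:
        return f"CALLBACK: call ext {verified}"
    # A new hire is not in the directory yet, and an outside number proves nothing.
    return f"ESCALATE: confirm with manager at ext {manager_ext}"
```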