Social Engineering: People Hacking

Historically speaking, humans have always been great social engineers. It probably started around the time the first caveman husband told his wife that she wasn't fat and, in fact, looked fitter than on her wedding day in that latest dinosaur-skin dress of hers. While this is, debatably, less malicious, history has witnessed far more spiteful incidents of social engineering.

As far back as the early 1700s, George Psalmanazar falsely claimed to be the first Formosan to visit Europe and even wrote a successful book on Formosa. Jefferson Smith, better known as Soapy Smith, sold bars of soap to onlookers, duping them into believing that some of the "lucky" bars had banknotes tucked inside the wrappers. Victor Lustig is best known as "the man who sold the Eiffel Tower twice." More recently, Frank Abagnale, whose exploits were immortalized in books and movies, committed forgery in 26 countries and assumed multiple identities, all before he was 21 years of age.

Manipulating words or actions to build a false sense of trust and confidence, and ultimately to evoke a desired response, is known as social engineering. It has taken a sinister turn in a modern world that depends on technology and lightning-fast communications. The rules are still the same, but the consequences are more severe.

People Hacking

Social engineering aims to exploit the weakest link in information security: people. Just as in the historical examples, in which people were manipulated into serving someone else's ends, modern social engineering rests on the same principle, and it does not necessarily need technical methods at all. By nature, people tend to be helpful and polite. Social engineering techniques take advantage of this intrinsic nature to manipulate people into divulging sensitive information. In fact, many people who divulge information do not think they are giving away anything critical. The social engineer's goal is then to assemble the pieces of information gathered from various sources.

In ancient times, assassins used extremely subtle information gathering techniques and spent several months in preparation for the final assassination attempt. Pieces of seemingly innocuous information were assembled in this pursuit and ultimately led to fatal consequences for a number of kings and men of power. Social engineers in the modern day use a very similar modus operandi.


Old Dog, New Tricks

To combat social engineering, it is important to understand the tricks that social engineers use: one needs to know how a social engineer thinks and operates in order to protect against the threat. Let us take a look at some of the common methods employed by social engineers:

• Pretexting

Social engineers often create a believable pretext to dupe their target into divulging precious sensitive information. The creation of such a pretext is often the result of serious planning and homework. The main objective for the social engineer is to establish a sense of legitimacy in the mind of the target victim.

Human emotions like fear, guilt, sympathy, confusion, intimidation, flattery, and friendship are a social engineer's best friends when pretexting. For instance, nobody wants to mess with an enraged vice president, especially one you have never seen before. A fire marshal coming in to "inspect" your workplace is an intimidating, uniform-clad authority that few would challenge. It can sometimes be as simple as a social engineer putting on a pitiable face and asking for your help, without which he/she "would be completely lost."

A typical example of pretexting is a social engineer pretending to call from your cellular telephone provider, informing you that you owe $5,000 for international calls that it claims you made. Since you are completely taken aback by the accusation, your thoughts are in disarray. The caller then steps up to provide the much-needed support, telling you that he/she will waive the amount you owe and place a hold on your account to prevent further calls of the kind. However, you need to confirm your credit card details for "identification purposes." You quickly provide your card details, and the social engineer's job is done.

Pretexting techniques are highly evolved today. Social engineers use acronyms and company jargon to target organizations, lending great credibility and believability. One technique involves recording the target organization's on-hold music. The social engineer then calls someone at the organization posing as a co-worker, tells the person to hold the line because there is "another call on line two," and plays the recorded on-hold music; the listener is then inclined to believe that the caller works for the same organization. Voice over IP (VoIP) technology today even allows a caller to spoof the caller ID so that it shows up as a number from within the target organization, so a familiar-looking number on the display proves nothing. Such meticulous arrangements can fool even the well-prepared.

• Phishing and Spear Phishing

Phishing has become all too common. Anyone who owns an e-mail account has probably received at least one "phishy" e-mail. These e-mails look highly legitimate and solicit personal information, often appearing to come from commonly used services and websites like eBay and PayPal. The e-mail may contain a link that takes the unsuspecting target who clicks on it to a webpage that looks strikingly similar to the original, with a form that asks for all levels of personal and account details.


Again, human emotions play a critical role in phishing. Social engineers add pressure to their e-mails by asking the target to "validate" his/her account, failing which it will be "blocked permanently." Alternatively, the e-mail states that the account has already been blocked and that the recipient needs to "click this link" to reach the activation page.

The Nigerian scam, also called the 419 scam after the section of the Nigerian criminal code that covers fraud, has been a menace in the history of social engineering. The scam uses an e-mail to persuade the target into paying advance fees with the lure of an "unclaimed will" or "lottery money" amounting to millions of dollars. It has been run in a wide array of variations over the years, to great success.

Spear phishing is very similar to phishing, except that it is more targeted and often directed at organizations. Legitimacy, in this case, is established with the help of information gathering. For instance, a social engineer could find out that an organization uses ADP services for payroll. The social engineer would then craft a spear phishing e-mail as if it were sent by ADP to employees of the target organization who are paid through ADP. The e-mail would state that the employee's payroll was not processed and that the situation can be "sorted" by "clicking this link" and logging in. Few employees will risk a missed paycheck.

• Vishing

A relatively new development in social engineering that is fast gaining ground is vishing (voice phishing). Vishing uses interactive voice response (IVR) systems to dupe a target into divulging personal information such as card details, Personal Identification Numbers (PINs), and Social Security numbers.

Typically, legitimate IVR messages and prompts are recorded by social engineers and then played back over a toll-free number that targets are enticed to call by an advertisement or notification of some sort. Alternatively, social engineers can build an automated calling system that is fed a list of telephone numbers and dials them in sequence. The system plays a recorded message asking the target to "renew" or "validate" his/her services with a popular bank, credit union, or service, and the recorded IVR prompts then walk the target through entering the much-valued personal information.

• Malicious Code

Social engineers at times also send out e-mails with attachments that entice the target to open them. The pretext could be a "failed UPS package delivery," an "important work-related file," "free Britney Spears wallpaper," a "critical anti-virus upgrade" from your "tech support team," or even an "I love you" letter. The target who succumbs to the message opens the attachment, which contains malicious code such as a keylogger, Trojan, backdoor, virus, or worm.

Malicious code has also become far more sophisticated. Modern samples are designed to detect a target's suspicions and countermeasures, for example the presence of security tools or an analysis sandbox, and to change their behavior in response.
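The phishing, spear phishing, and malicious-attachment tricks above share a few telltales that a mail gateway or a help desk can check mechanically: a sender or link domain that imitates a brand the organization deals with (paypa1.com, adp-payroll.secure-login.net), anchor text that shows one site while the href points to another, pressure language ("validate", "blocked", "not processed"), and attachments that are executables or hide behind a double extension. The script below is an added example written for this article, not code from the newsletter or from ERM. The trusted-brand list, the pressure phrases, the homoglyph table, and the sample message are all constructed assumptions; real deployments would pull the brand list from the organization's actual vendors and use a proper public-suffix list instead of the two-label shortcut used here.

```python
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed for the example: brands this organization really deals with.
TRUSTED_DOMAINS = {"paypal.com", "ebay.com", "adp.com"}
PRESSURE_PHRASES = ("validate", "blocked", "suspended", "click this link", "not processed")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".hta", ".cmd", ".bat", ".pif")
# Digits that typo-squatters substitute for look-alike letters (paypa1.com).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

class AnchorParser(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(text):
    """Lower-cased host of a URL, e-mail address or 'Name <addr>' header, or ''."""
    text = text.strip()
    if "@" in text:
        text = parseaddr(text)[1].rsplit("@", 1)[1]
    if "://" not in text:
        text = "http://" + text
    return urlparse(text).hostname or ""

def registered_domain(host):
    """Crude eTLD+1 (last two labels); adequate for .com-style domains."""
    return ".".join(host.lower().split(".")[-2:])

def lookalike_of(host):
    """Trusted domain that `host` imitates after homoglyph folding, e.g.
    paypa1.com or adp-payroll.secure-login.net; None if trusted or unrelated."""
    if not host or registered_domain(host) in TRUSTED_DOMAINS:
        return None
    folded = host.lower().translate(HOMOGLYPHS)
    for trusted in sorted(TRUSTED_DOMAINS):
        if trusted.split(".")[0] in folded:
            return trusted
    return None

def triage(raw_message):
    """Return human-readable findings for one RFC 5322 message; [] means clean."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    sender = str(msg.get("From", ""))
    if imitated := lookalike_of(host_of(sender)):
        findings.append(f"sender {sender} imitates {imitated}")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    findings += [f"pressure language: '{p}'" for p in PRESSURE_PHRASES if p in text.lower()]
    parser = AnchorParser()
    parser.feed(text)
    for href, visible in parser.links:
        target = host_of(href)
        label = visible.strip(".,;:() ")
        # Compare only when the anchor text itself looks like a URL or host name.
        shown = host_of(label) if "." in label and " " not in label else ""
        if shown and registered_domain(shown) != registered_domain(target):
            findings.append(f"link shows {shown} but goes to {target}")
        if imitated := lookalike_of(target):
            findings.append(f"link host {target} imitates {imitated}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        # Executables and double extensions such as report.pdf.exe.
        if name.endswith(RISKY_EXTENSIONS) or name.count(".") > 1:
            findings.append(f"risky attachment: {name}")
    return findings

# Constructed sample (not a real message) in the style of the ADP spear-phish above.
PHISH_SAMPLE = """\
From: ADP Payroll <payroll@adp-payroll.secure-login.net>
Subject: Payroll not processed - action required
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<p>Your payroll was not processed. Please <a href="http://adp-payroll.secure-login.net/x">validate</a>
your account within 24 hours, or log in at <a href="http://paypa1.com/login">https://www.paypal.com/login</a>.</p>
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Payroll_Report.pdf.exe"

TVqQAAMAAAAEAAAA
--b1--
"""
```

Calling `triage(PHISH_SAMPLE)` returns seven findings: the imitation sender, two pressure phrases, the paypal.com/paypa1.com text-versus-href mismatch, two look-alike link hosts, and the double-extension attachment; a plain internal notice from a domain that imitates nothing returns an empty list. The brand-substring test is deliberately greedy (a legitimate headphones.com contains "adp"), so treat the output as triage hints for a human reviewer rather than as a blocking filter.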


• Dumpster Diving

A great supplement to technical methods of social engineering is dumpster diving. The technique involves literally rummaging through the target’s garbage for confidential information. While this technique may sound dirty, it is a highly rewarding one. One possible reason for the widespread use of this technique is its non-technical nature.

Social engineers may even use pretexts to support their dumpster diving initiatives. These include posing as a salesperson, a law enforcement officer, pest control, a repairman, or a technician. Posing as a cleaner could prove to be one of the best pretexts a social engineer can adopt. A cleaner usually comes in after work hours when there are no suspicious eyes scanning the workplace.

A social engineer usually looks for targeted information using dumpster diving. This includes confidential reports, sales forecasts, salary data, network diagrams, source code, configurations, internal communications, post-it notes, and discarded applications. Something as simple as a full departmental telephone list is often a social engineer's dream.

• Shoulder Surfing and Piggybacking

As the name suggests, shoulder surfing involves stealthily observing the target to obtain or deduce confidential information. This is usually done to observe password keystrokes on a keyboard or a PIN entered at an ATM. Expert social engineers have even been known to observe and memorize signatures.

A social engineer does not necessarily need a full view of a keyboard or an ATM keypad; that would actually be undesirable, since social engineers try to be inconspicuous. Knowing the positions of the keys lets a social engineer reconstruct what was typed from hand movements alone.

A technique that follows similar principles is called piggybacking (also known as tailgating). Social engineers use piggybacking to gain physical access to premises. Preying on common politeness, this is generally accomplished by stealthily slipping into the premises along with an authorized individual, who is kind enough to hold the door open for the social engineer.

• Quid Pro Quo

The quid pro quo technique involves giving something to get something in return. A survey [1] once found that more than 70% of people would reveal their computer password in exchange for a bar of chocolate. Even more surprising, 34% of the respondents volunteered their password without even needing to be bribed.

As an example of this technique, a social engineer calls a target posing as a technical support agent. The social engineer finds a harassed soul who is grateful that someone is finally calling back from his/her service provider. The social engineer then directs the target to type some commands that give him/her full access to the target's computer, or even have malicious code installed onto it.


• Baiting

Imagine that you're finishing up lunch in the break room and you notice a CD lying on a table. The CD has your company's logo on it and "Layoffs 2009 – Private and Confidential" printed on it. You're all alone in the room and decide to take the CD to your office. You open the CD and find that it's exactly what you thought it was. The CD contains an Excel file that has a list of employees, perhaps the ones you think are to be laid off. The names in the Excel file are not familiar, but you work for a big organization, so you assume they are all legitimate. You are thrilled to see that your name is not on the list.

This is a perfect baiting scenario. A script embedded in the spreadsheet installed a keylogger on your computer when you opened the Excel file. All your keystrokes are now being logged and sent via lightweight text e-mails to a social engineer sitting in a remote location.

Baiting is a highly potent weapon in a social engineer’s arsenal and can have devastating effects for a target.

Con Repellent

While social engineering is a very real and ominous threat to organizations, employing the right countermeasures in the right way can fortify an organization very effectively against social engineering threats:

• Policies and Procedures

Policies and procedures provide a solid foundation to counter the threat of social engineering. Having specific policies and procedures that are clear, concise, and well-documented is the first step. The critical second step is consistently enforcing them. Organizations should make it well known internally that non-compliance will be dealt with strictly. Further, policies and procedures need to be comprehensive, with a long-term vision that factors in the future of the organization, including growth in size.

• Training and Awareness

An organization’s employees are the very first line of defense against social engineering and yet are, more often than not, the weakest link. Training your employees is the best possible investment you could make to combat the threat of social engineering. An employee with an awareness of social engineering techniques will be able to proactively identify the traps and pitfalls commonly used.

Employee training and awareness programs should be tailored to meet audiences of varying technical levels. The “human firewall” can be strengthened by making employees fully aware of the organization’s policies and procedures. Targeted and focused programs are the most effective long-term tool against social engineering.


• Social Engineering Engagements

The best way to beat a social engineer at his/her game is to be one. Social engineering engagements performed by experts are highly effective in exposing your organization's vulnerability to social engineering attacks. These engagements use the same techniques used by social engineers to test an organization's level of preparedness.

Any awareness and training program employed by an organization needs to have a focused direction. Social engineering engagements provide this direction. These engagements give an organization a clear picture of exactly where it is vulnerable. Awareness and training programs can then be directed to address these specific areas and ultimately lead to a well-prepared organization.

• Awareness Tools

When using awareness and training programs, awareness tools should be employed to make the entire learning process more interesting and engaging. Articles and newsletters about security are one way of spreading awareness in an organization. Webcasts and podcasts are other tools that could be made available on the organization's intranet.

Humorous posters are another means of communicating messages about social engineering. Periodic quizzes, seminars, presentations, and live demos are other successful methods of spreading awareness. An organization could also hire a team of professional social engineers to perform tests and present their results to the employees. Such interactive sessions are often entertaining, eye-opening, and highly educational.

Overall, awareness tools should instill an environment of security in the organization to encourage everyone to accept security as a personal responsibility.

Hack-Proof Your People

Social engineering has proven to be the wake-up call for all those who believed that technology alone could solve the problem of information security. In fact, the users of any security measure will always be its weakest link. While investing in your organization's information security infrastructure, do not forget to hack-proof your employees.

Amateurs hack systems, professionals hack people.

- Bruce Schneier

References

[1] http://news.bbc.co.uk/2/hi/technology/3639679.stm


Enterprise Risk Management:

At a Glance

ERM brings clients the highest level of expertise to assess and address risks, comply with standards and regulations and mitigate risks, using integrated and reasonably priced security services and solutions. Our practice provides organizations with the tools they need to address the compliance and risk management issues of today, as well as the broader and ever-increasing security challenges of the future.

ERM wants to hear from YOU….

With this edition of our newsletter, we’re rolling out a new format and new features. Tell us what you think! What features or topics would you like to see covered in future issues? Who else should receive this newsletter? Your feedback is welcome and encouraged. Please send your comments to [email protected].

For more information, visit www.emrisk.com

E-mail: [email protected] Phone: 305-447-6750

Services

IT Security
Regulatory Compliance
IT Audit
Computer Forensics
Risk Management
Attestation

Certifications

Certified Public Accountant (CPA)
Certified Information Systems Security Professional (CISSP)
Certified Information Systems Auditor (CISA)
Certified Information Security Manager (CISM)
Certified Information Technology Professional (CITP)
GIAC Security Essentials Certification
GIAC Systems and Network Auditor
Qualified Security Assessor (QSA)
Approved Scanning Vendor (ASV)

Some of our Clients

ABN-AMRO Private Banking
Bacardi-Martini, Inc.
Bancafe International
Banco Industrial de Venezuela
Banco ITAU
Bank United
Caja Madrid Bank
Carnival Cruise Lines, LLC
CitiBank
Coconut Grove Bank
Commerce Bank
E-data Financial
Florida International University
Florida Power & Light Company
Heico Aerospace
Helm Bank
Knight Ridder
Nova Southeastern University
Rinker Materials
Rudy, Exelrod & Zieff, LLP
Seabourn Cruise Line
TecniCard, Inc.
The International Bank of Miami
TransAtlantic Bank
