SOCIAL ENGINEERING
By
Jennifer Barksdale
May 3, 2002
As computers are accessed every day, the threat of unauthorized access continually grows. Organizations have implemented security measures to protect their information from hackers or crackers, but only on a technical level. Hackers have found ways to bypass technical systems using less ethical methods collectively called social engineering. There are many methods of social engineering, which makes it difficult to detect, but with security awareness and training, organizations can reduce their potential loss.
Knowledge and information have been of value and importance to many throughout history. With the emergence of personal computers, information was no longer limited to the government or huge corporations, but became available to ordinary people as well. It altered the face of business and the control corporate and government entities had over information. Businesses began to create their own “warehouses” of information, which became a major asset, not only to them, but to their competitors as well. Employees within businesses received nearly unlimited access to information and its systems, and were thus held accountable for valuable information and trusted to safeguard it. More households began to own personal computers as well, making it difficult to protect an organization’s assets from hackers or hired hackers. Security measures, such as complex programs, upgrades, or encryption, were employed to counteract hacking attacks that occurred within the computer systems, but these measures did not guarantee that outsiders would be kept out. As technical systems became more complex, hackers developed methods around these security measures to obtain information through the organization’s users; a method known as social engineering (SE).
Social engineering has many definitions. It is “an outside hacker’s use of psychological tricks on legitimate users of a computer system in order to gain the information he needs to gain access to the system” (Palumbo). It is “the art and science of getting people to comply [with one’s] wishes” (Bernz). It is “the process of gathering information from people by use of deception and obfuscation” (Pipkin). It is “people hacking” (VIGILANTe). This is nothing more than a simple con game that has been around since the beginning of man. In fact, Bernz explains the story of a social engineer in our very own Bible. In the book of Genesis, Jacob wants the birthright from his father, who has decided to give it to Jacob’s brother. So, Jacob disguises himself as his brother in order to fool his father into giving the birthright to him. When Jacob disguises himself as his brother, he is social engineering his father (the employee) to obtain the birthright (the information).
The reason social engineering works, Granger explains, is that the attacker “[manipulates] the human tendency to trust”, as with the help desk employees who are there to help people. Attackers use the “new user” technique to fool users into giving information while providing little or no information in return. It is much easier and takes less time to social engineer an individual than to spend hours at the computer trying to figure out a password that can be obtained in minutes. Social engineering also works because it is easy to take advantage of people who want to help other people, want to be liked, or want to be helpful. An example of this is the Love Bug virus, where many people believed someone was sending a love message to them (the need to be loved). Except the message of love was actually a message of destruction! Employees who do not feel responsible for the requested information, who feel helping someone can benefit them in the future, or who feel guilty, are also known to give information freely. Additionally, SE can be used against any system regardless of the hardware or software being used. Whatever the reasons may be, taking advantage of human emotions has exposed what is quickly becoming the loophole in information security.
There are many methods of social engineering. According to Wendy Arthurs, the methods comprise two main categories: human-based attacks and computer-based attacks. A computer-based attack is one in which an attacker uses computer interaction with users to trick them into giving out information. For example, “a pop-up window may be used, telling the user that his network connection was lost and that he needs to re-enter his username and password to reconnect…the information is [then] emailed back to a remote site by a program that the intruder had already installed” (Arthurs). Human-based attacks such as dumpster diving, impersonation, or eavesdropping on conversations make up the rest of the social engineering methods. Dumpster diving is the act of looking for information in trash bins. Although some may say this is stealing, it isn’t. In 1988, the Supreme Court ruled that any item left for trash is not expected to have ownership, and thus taking it is not illegal. But most organizations still consider dumpster diving a physical intrusion because confidential information has been gathered about them. In fact, Donald Pipkin lists dumpster diving as a physical intrusion in his book. Contrary to popular belief, an abundance of information can be obtained through the trash. But many people tend to believe that what is not useful to them isn’t useful to others. As the old adage says, “One man’s trash is another man’s treasure”. Organizations have been known to throw away security manuals with notes inside, printouts of source code, calendars of meetings, outdated hardware, organizational charts, or company phone books, to name a few. These are just some of the items organizations consider trash without thinking about the consequences first. Hackers can use organizational charts to find whom to target and then use the company phone book to find their number. Manuals can reveal the level of security a company has. Printer ribbons can be unwound and read. Calendars can show who’s where and when. Sometimes organizations forget to consider what happens when an employee quits or transfers. Their belongings are often thrown in the trash without anyone pausing to check what is or isn’t “useful” information.
A common human-based SE method is conducted by phone. After an attacker has obtained some information, for example through dumpster diving, he/she can obtain further information by contacting users. Attackers often impersonate someone such as a security manager, repairman, or fellow employee; generally, someone who is trusted. A target particularly prone to this method is the help desk or customer service. Since their job is to help people, they are more susceptible to phone attacks. Help desks are trained “to be friendly and give out information”, says Granger. They’re not trained to suspect every call as an attacker searching for information. Granger gives a good example of a live demonstration of phone impersonation performed for the Computer Security Institute:
“[He] dialed up a phone company, got transferred around, and reached the help desk. ‘Who’s the supervisor on duty tonight?’ ‘Oh, it’s Betty.’ ‘Let me talk to Betty.’… ‘Hi Betty, having a bad day?’ ‘No, why?...Your systems are down.’ She said, ‘My systems aren’t down, we’re running fine.’ He said, ‘You better sign off.’ She signed off. He said, ‘Now sign on again.’ She signed on again. He said, ‘We didn’t even show a blip, we show no change.’ He said, ‘Sign off again.’ She did. ‘Betty, I’m going to have to sign on as you here to figure out what’s happening with your ID. Let me have your user ID and password.’ So this senior supervisor at the Help Desk tells him her user ID and password.”
It’s just that simple. Hackers also use a different kind of phone attack, called shoulder surfing, which involves hanging around phone booths and ATM machines (particularly in airports) and looking over people’s shoulders to obtain calling card numbers or PINs. On the same level, wireless communications offer another avenue for phone attacks, by intercepting communications to eavesdrop on conversations.
According to Granger, SE methods can also be classified as physical or psychological. Psychological methods of SE relate to the persuasion, intimidation, friendliness, etc. that are used in all methods to convince victims to disclose information. The attack methods described earlier are considered physical. Other physical attacks involve impersonation (in the sense of physical intrusion), on-line attacks such as e-mail or chat rooms, and office snooping. Impersonation involves a hacker disguising himself/herself as a person of trust such as a manager, repairman, or a trusted third party. Usually when this method is employed, the attacker has already gained enough information through other methods to plan his/her charade, so more time is spent on the planning itself than on the actual impersonation. Sometimes companies will resort to corporate espionage by hiring hackers to gather information about other companies this way. An anonymous author gives the following example:
“A small engineering firm had…worked on a research and development project for 14 months, and put a huge amount of money into it. Their major competitor was nowhere near them on this product. Their president was on vacation. One day, a consultant came in and said he was working for the president. He had a nice little briefcase and a Rolex watch. He handed out his business card, and buttered some people up. He said, ‘I was told that you were the person that I should be working with because you’re good…I understand you’re next in line for that promotion, oh, maybe I wasn’t supposed to tell you.’… They set him up in a conference room, toured him around, and took him to see the engineers. The engineers gave him the blueprints. He said, ‘I’m going to be working from home a little bit.’ He stuck them under his arm. He took everybody out to lunch. He asked the marketing folks when they were going to roll the product out, and what it was going to look like. He talked with the finance guys. He found out how much it was to develop it and who their suppliers were. He thanked everybody, shook their hands, and left. He was actually working for their number one competitor. He handed over the plans [and] the competitor came out with the product first.”
Imagine how many people this attacker came in contact with and how long he was there, and no one suspected him. This attacker played on the employees’ basic emotions many times, using flattery and friendliness. It is evident that it doesn’t take much to get an employee to trust an attacker.
Another physical SE method concerns on-line attacks, which normally involve e-mail. Since many people interact with e-mail every day, opportunities to lure an individual are plentiful. It also limits, if not eliminates, one-to-one communication. In other words, the hacker sets up a trap, and then just waits to see who falls in. One method involves hackers sending messages to Instant Messenger or Internet Relay Chat users concerning new software, music, or pornographic downloads. Users are unaware that when they execute the software, hackers can take control of their PCs and possibly use them to attack web servers, in what are known as denial of service attacks. Recently, the Stars and Stripes newspaper reported in April 2002 that a sixteen-year-old boy obtained the e-mail addresses of people who used America Online chat rooms through an “underground program”. He used the program to send messages to customers telling them their billing information had been deleted and asking them to provide credit card information, then directing them to another site to obtain passwords and social security numbers. It was reported that the boy set up several sites to collect this information while he slept. The information was later sent to his e-mail account. E-mail attacks such as this often exploit the fear of losing a service of some type to get customers to respond. Other variants include messages notifying customers that their PCs have been infected with a virus and advising them to download a “fix” from another site to clean the virus.
Office snooping is when an attacker snoops around for open offices, unlocked cabinets, or information left out in the open or thrown away. This type of attack doesn’t necessarily pertain to outsiders such as hackers, unless they find a way in, but usually to “insiders”. A reference reported that the magazine 2600: The Hackers’ Quarterly published an article “on how to obtain a job as a janitor in a targeted organization” (Winkler). Some attackers have been known to obtain jobs as janitors, security guards, secretaries, programmers, accountants, etc. to obtain inside information. When this method is used, it is not normally noticed right away, if at all, since oftentimes the victim figures the information is just lost and thinks no more about it.
After a hacker has used all avenues of SE, he can acquire further information by using an advanced method of SE called reverse social engineering (RSE). Instead of the attacker having to ask the victim questions to obtain information, as in SE, RSE causes the victim to ask the attacker questions. This is normally accomplished after the hacker has obtained information about the target through normal social engineering. The hacker can then disguise himself/herself as a person of authority. Rick Nelson describes RSE as consisting of three parts: sabotage, advertise, and assist. Sabotage involves the hacker sabotaging a system, creating a problem of some sort, and then advertising that he/she can correct the problem. Examples of advertising are business cards or error messages directing whom to contact for problems. Advertising can happen before or after the sabotage. The last part of RSE is assisting, where the attacker has been contacted to “fix” the problem. Unknown to the victims, the attacker acquires bits of information while the problem is being fixed. Many times no one ever knows that an RSE attack has occurred, because the problem gets fixed.
When an SE attack occurs, it is commonly detected too late. Oftentimes victims do not want to admit they’ve been duped by something that, afterwards, seems so obvious. Defenses against social engineering may never be foolproof as long as human emotions are involved, but recognizing the warning signs of SE can prevent at least some of the attacks. Recognizable signs include: refusal to give contact information, rushing, name-dropping, intimidation, small mistakes, or requesting forbidden information (Anonymous). Other signs include requesting transfers, asking odd questions, or asking for information just before quitting time. For example, some attackers prefer to ask for information just before someone leaves work, because he/she is ready to leave and is liable to give up the information. Rushing is usually coupled with intimidation, such as “You need to hurry because my boss is waiting!” Paying attention to details is important because sometimes attackers make small mistakes that may be overlooked, such as asking for a name that is not normally used.
There are many preventative measures to reduce the chances of an SE attack. But there are three basic measures that organizations should follow: training, policies, and awareness. The best way to defend against SE attacks is training. Users need to be educated in order to be aware of and recognize attacks. They must understand the importance of protecting information and the disastrous effects that could follow if it is not protected. This can be accomplished through orientation and classes. Orientation can offer scenarios to help users relate to possible situations that could occur, including the warning signs of an attack. Classes can provide more detail on points that may only be touched on in orientation, such as: notifying targeted groups during attempts; instructing employees (especially janitors) to avoid answering phones at night; shredding any confidential information, including printer ribbons; locking doors and cabinets at all times; avoiding returning calls that are not familiar; knowing whom to call in case of a problem; avoiding sharing passwords; being aware of the surroundings for anything suspicious; and asking questions to verify identification. These are only a few suggestions; others include securing access to buildings by checking and verifying security badges and requiring guests to be escorted. Monitoring calls is another deterrent to social engineers, because they cannot be sure whether someone is listening.
While policies should reflect the target audience, they should also be updated frequently and written clearly so as not to confuse the user when a security issue is involved. Such policies should address access and approval controls, password changes, new accounts, etc. Granger (2) states that “one of the advantages of policies is that they remove the responsibility of employees to make judgment calls regarding a hacker’s requests. If the requested action is prohibited by policy, the employee has no choice but to deny the hacker’s request.” Policies should also address the proper handling of sensitive information, such as what to dispose of and how, and what information can or cannot be given to whom.
Awareness is the last step in helping to prevent SE attacks. Organizations should have on-going awareness programs to stress the importance of security. Orientation and classes alone will not help if users are not constantly reminded that attacks can occur at any time. Users must be aware around the clock, for attackers favor those caught off guard. Some security awareness “refreshers” include newsletters, signs, posters, screensavers, banners, t-shirts, pens, and brochures, to name a few.
As celebrity hacker Kevin Mitnick says, “You could spend a fortune purchasing technology…and your network infrastructure could still remain vulnerable to old-fashioned manipulation.” (Granger, 2) In other words, it defeats the purpose of having the best technical security measures if policies aren’t enforced and employees aren’t trained to be aware of social intrusions. An organization is only as good as its security. As social engineering becomes more prevalent, organizations must realize the importance of adding training and awareness to their information security protection plans.
WORKS CITED
Anonymous: “Social engineering: examples and countermeasures from the real world,” Computer Security Institute. http://www.gocsi.com/soceng.htm
Arthurs, Wendy: “A Proactive Defence to Social Engineering,” SANS Institute, August 2, 2001. http://rr.sans.org/social/defence.php
Bernz: “Bernz’s Social Engineering Intro and stuff,” http://packetsotrm.deceptions.org/docs/social-engineering/socintro.html
Broersma, Matthew: “IM users hit by widespread ‘social hack’,” ZDNET UK News. http://news.zdnet.co.uk/cgi-bin/uk/printer_friendly-cgi?id=2106955
CERT Coordination Center “Social Engineering Attacks via IRC and Instant Messaging,” March 19, 2002. http://www.cert.org/incident_notes/IN-2002-03.html
Granger, Sarah: “Social Engineering Fundamentals, Part I: Hacker Tactics,” Security Focus Online, December 18, 2000: 1. http://online.securityfocus.com/infocus1527
Granger, Sarah: “Social Engineering Fundamentals, Part II: Combat Strategies,” Security Focus Online, January 9, 200: 2. http://online.securityfocus.com/infocus1533
Nelson, Rick: “Methods of Hacking: Social Engineering,” the Institute for Systems Research, University of Maryland. http://www.isr.umd.edu/gemstone/infosec/ver2/papers/socialeng.html
Miller, Toby: “Social Engineering: Techniques that can bypass Intrusion Detection Systems,” Security Focus Online, June 19, 2000. http://online.securityfocus.com/infocus/1229
Palumbo, John: “Social Engineering: what is it, why is so little said about it and what can be done?” SANS Institute, July 26, 2000. http://rr.sans.org/social/social.php
Pipkin, Donald L. Information Security: Protecting the Global Enterprise. New Jersey: Prentice Hall PTR, 2000.
“Teen hacking charge” Stars and Stripes, April 7, 2002: 20.
VIGILANTe “Social Engineering” 2001. http://www.vigilante.com/inetsecurity/socialengineering.htm
Winkler, Ira S.: “Who Are The Hackers?” http://www.infowar.com/hacker/whohacks.html-ssi
SOCIAL ENGINEERING
The threat of unauthorized access continually escalates as computers are accessed every day. Technical security measures are used to counteract these threats, but hackers have discovered unethical methods to bypass them. This is called social engineering (SE). SE is the process of manipulating someone (psychologically) to obtain desired information, such as passwords. SE methods are classified into human-based and computer-based attacks. There are many methods of SE, including impersonation (by phone or in person), dumpster diving, online attacks, and office snooping, to name a few. Dumpster diving simply involves searching through dumpsters for any useful information. Surprisingly, sensitive items such as outdated hardware, organizational charts, company phone books, printer ribbons, security manuals, etc. are known to have been thrown away. A common and well-known method is social engineering by phone. A common technique is impersonating a new user. Help desks are often targeted this way since they are trained to help people. Sometimes users are attacked online. Attackers will send messages to users offering new software that, when executed, may take control of a user’s PC. Lastly, office snooping gives an attacker the opportunity to search open offices for information. This attack method generally relates to insiders who have basic access (i.e. disgruntled employees). An advanced SE method is called reverse social engineering (RSE). Instead of the attacker asking the users questions to obtain information, the users ask the attacker questions. RSE normally involves sabotage, advertising, and assisting. The attacker advertises that he/she can correct a problem (i.e. with business cards), then later sabotages the system. The users may contact the attacker to assist them in fixing the problem; all the while the attacker is collecting bits of information.
There are three basic measures that can be used to minimize the chances of social engineering attacks: training, policies, and awareness. Training can provide orientation and classes to acquaint users with the various methods of SE and how to respond. Policies should clearly address procedures regarding judgment calls and the proper handling (disposal) of sensitive information. On-going awareness programs using pens, posters, screensavers, or newsletters can be used to constantly remind users to be alert at all times. An organization is only as good as its security. It defeats the purpose of having the best technical security measures if policies aren’t enforced or users aren’t trained to recognize social engineering attacks.
QUESTIONS:
1. Social engineering comprises what two main categories?
A. Human-based attacks and computer-based attacks
2. Who is more susceptible to phone attacks?
A. Help desk
3. When the victim unknowingly asks the attacker for help, this is called reverse social engineering.
4. Name three phases of reverse social engineering.
A. Sabotage, advertise, and assist
5. Name three measures to defend against social engineering attacks.
A. Training, policies, and awareness