Social Engineering Power

This document summarizes methods of social engineering attacks and ways to prevent them. It discusses how social engineering attackers use methods like impersonation over phone calls, emails, and in person to trick victims into providing sensitive information. Common social engineering techniques include posing as technical support, conducting surveys to obtain passwords and financial details, and reverse social engineering to gain a victim's trust. The document recommends educating users and verifying identities before providing any private information to prevent falling victim to social engineering schemes.

Inside View to Social Engineering


By Rahul Tyagi

Abstract
Social engineering (SE), or perception management, is a way for an attacker to trick a
legitimate computer user into providing useful information that helps the attacker gain
unauthorized access to their computer system (1). It is also used in identity fraud or
theft cases as well as in corporate or industrial espionage. The attacker usually poses
as someone to be trusted so that the victim will feel at ease sharing information. There
are many different ways to carry out an SE attack, such as over the phone, by forged
e-mail, and even in person. Some examples of SE attacks will be discussed in this paper,
along with ways of avoiding becoming a victim of such an attack.

Methods
Methods used in SE attacks, because they use human behavior, are limited only by the
attacker's creativity. SE attacks work because human beings have many psychological
characteristics that can be taken advantage of (2). Following are some examples of the
methods used in SE attacks.

On the Phone

An easy way to gain valuable information is over the phone. For example, an attacker
could call a secretary at a company and say that he is a temp worker who is having
some trouble gaining access to the company's system. The secretary might simply
give a password, or even better, may go on and on giving detailed instructions in an
effort to be helpful to the new employee (2).

The phone method was used in one case where hackers called an executive's secretary
and were given the executive's employee number. A second call exploited the
knowledge of the executive's employee number in order to obtain the executive's cost
center number, which was then used to receive overnight courier service delivery of
the company's internal phone directory. The hackers then called the office in charge of
new employees and were able to obtain a list of new employees. Posing as
information systems employees, they then called new employees saying that they
wanted to go over security awareness over the phone. Through these discussions they
obtained information such as the type of systems used in the company, employee
computer IDs and passwords. Armed with this information, the hackers called the
company's help desk and got the numbers for the company's modems. In the end, they
gained access to the company's computer system by calling the modems and using the
IDs and passwords (1).

Snail Mail

Self-proclaimed hacker "bernz" gives a very detailed account of how to go about
gaining information through the mail. Mail is cheap and it's not tapped. All you really
need to get started is envelopes, stamps, your computer and possibly a PO box. His
tried and tested method goes as follows: use a program such as PageMaker to make
documents that look official and believable. A good document to create is one that
looks something like a sweepstakes entry form. There should only be a few lines of
information that the "mark" has to fill in, but the information requested should be of
value, such as a social security number, a phone number, etc. Also suggested is
requesting a password in case phone contact is ever needed. "bernz" says that many
times when a person submits a password, it is likely that it will be the password they
use on the Internet. After receiving replies to the "sweepstakes", it is very easy to
either use what information has been provided or to follow up with a phone call to
gain even more information (3).

Impersonation

Big companies spy on each other constantly. So much so that there is actually a
professional association of corporate spies that can be hired - the Society for
Competitive Intelligence Professionals (SCIP) (4). This type of organization supplies
"plausible deniability" to corporations who are spying on other corporations. In the
event that the spying is discovered and criminal charges are brought, the corporation
can deny knowledge of any illegal activity since the "intelligence professional" signs
documents saying that he/she would abide by all ethical rules and if a crime was
committed, the corporation knows nothing about any illegal activity (4).

In the winter of 1997, Barry (a corporate spy for hire) was called upon by SCIP to run
an operation against Kraft Foods on behalf of Schwan's Sales Enterprises. Barry posed
as a reporter for the Wall Street Journal, as an environmentalist and as a graduate
student and was able to collect all the necessary information in just two days.

Other ways of using impersonation are:

-Simply walking through a large office dressed in business attire. Most other
employees will think that he is a new employee, and he is allowed free rein to snoop
around through cubicles, look at computer screens, etc. Sometimes office workers will
write their usernames and passwords on a post-it note and stick it to their computer
monitor (5).

-In the same office, an attacker could stand in front of a computer and shout out "Hey,
I forgot the password, anyone know it?" Chances are very good that more than one
person will provide the password (5).

-Posing as a systems maintenance technician to run tests. Many times, especially in a
large office situation, the user will provide key information and then get up and leave
to allow the "tech" to do his work (6).

Online

The most typical SE attack online is through email. The e-mail is completely false, of
course, but looks as though it came from someone with the Internet Service Provider
(ISP). The e-mail could say something like:

Dear AOL User:

Recently we switched to Windows NT and in the process we lost the folder that
contained your account information. So that we may provide you with uninterrupted
service to the Internet, please send us your account name and password. Thank you
for your time and patience in this matter.

Sincerely,

Bill Jones from AOL (7)

Another way attackers obtain passwords online is to pose as a systems operator in an
IRC (Internet Relay Chat) and ask for information that way. Because many people use
credit cards to pay for their online service, credit card numbers and expiration dates
can be obtained in much the same way as passwords (i.e. "We've lost your credit card
information and to ensure proper billing, please resubmit at this time"). This
information can then be used to make purchases on the unsuspecting person's credit
card and taken a little further can lead to outright identity theft.

Reverse Social Engineering

Reverse Social Engineering (RSE) can be described as "a legitimate user of a system
asking the hacker questions for information" (2). According to Rick Nelson (2), RSE
consists of three major parts: sabotage, advertising and assisting. For example, an
attacker can sabotage a workstation, and then advertise that he can be called upon to
help solve the problem. An employee sees the "malfunction":

**ERROR 03 - Restricted Access Denied** - File access not allowed by user. Consult
with Mr. Downs at (310) 555-1414 for file permission information. (2)

The employee then calls Mr. Downs for help on solving the problem. Since "Mr.
Downs" created the problem in the first place, he has no trouble helping the employee
solve it, thus fostering a sense of trust. While he is helping solve the problem, the
attacker can easily obtain vast amounts of information from this employee.

Prevention
It should go without saying that with just a little common sense, most SE attacks can
be avoided. Sensitive information such as social security numbers, credit card
numbers, addresses, etc. should never be given unless you have made the call
yourself. One of the easiest ways for attackers to gain this sort of information is
through posing as telemarketers, and unfortunately, many people fall for this SE
attack. Online, it should be kept in mind that network administrators never need to
know your password and if you are requested to disclose it, it is always an SE attack
(8).

At the office, education is one of the best ways to avoid becoming a victim. A
knowledgeable user of a system can be told to never give out account information
without permission of a supervisor (2) and be taught how to spot an SE attack. The
Computer Emergency Response Team/Coordination Center (CERT/CC) received
several incident reports concerning users receiving requests to take an action that
resulted in the capturing of their password (9). The messages appeared to be from a
site administrator or root, but may have been sent by an individual at a remote site who
was trying to gain access to the local machine via the user's account. A message
received looked like this:

OmniCore is experimenting in online - high-resolution graphics display on the UNIX
BSD 4.3 system and it's derivatives. But we need your help in testing our new product
- Turbo Tetris. So, if you are not busy, please try out the Tetris game in your
machine's /tmp directory. Just type: /tmp/ttetris. Because of the graphics handling and
screen-reinitialization, you will be prompted to log on again. Please do so, and use
your real password. Thanks for your support. You'll be hearing from us soon!

OmniCore (9)

The company sent out a memo with actions to be followed if an employee should be
presented with the above message or something like it.

Following are some basic ways suggested to handle situations that may arise in the
office setting:

-If you cannot personally identify a caller who asks for personal information about
you, about your computer system or any other sensitive information, do not give it.
Verify the caller's identity by calling them back at their proper phone number as
listed in your company's telephone directory (1).

-Passwords are sensitive and should remain unknown to everyone but you. Systems
administrators or maintenance techs that need to work on your computer do not need
your password. They will have their own password that will allow them access to do
their job (1).

-Verify all systems maintenance techs from outside vendors that come on site to
perform repairs or maintenance. A simple phone call can verify this (1).

-Be knowledgeable about common SE attacks and know how to spot them (2).
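The paper's online rule (an administrator never needs your password, so any request to disclose it is an SE attack) and the office guidelines above can be turned into a simple screen that a help desk or mail gateway could run over incoming text. The following is an added example, not code from the paper or from any project it cites; the phrase lists are my own assumptions, the two suspicious samples are transcribed from the paper's AOL and OmniCore messages, and the benign control message is constructed for this example.

```python
"""
Heuristic screen for credential-solicitation messages.

Added example (not part of the original paper). It encodes the paper's rule
that an administrator never needs a user's password: any message that asks
the reader to hand over a password or payment details is flagged, and claims
of authority or familiar pretexts are reported as supporting reasons.
"""
import re
from dataclasses import dataclass, field

# Phrases that claim an administrative or provider role (assumed list).
AUTHORITY_CLAIMS = [
    r"\bsystems? (operator|administrator)\b",
    r"\broot\b",
    r"\b(from|with) (the )?(isp|aol|internet service provider)\b",
    r"\bhelp ?desk\b",
    r"\btech(nical)? support\b",
]

# Requests for secrets a legitimate administrator never needs (assumed list).
SECRET_REQUESTS = [
    r"\b(send|provide|resubmit|enter|use)\b[^.]{0,60}\bpassword\b",
    r"\b(account name|user ?name)\b[^.]{0,40}\bpassword\b",
    r"\bcredit card (number|information)\b",
    r"\blog (on|in) again\b",
]

# Pretexts the paper describes: lost records, billing, product testing (assumed list).
PRETEXTS = [
    r"\blost (the folder|your)\b",
    r"\bensure proper billing\b",
    r"\buninterrupted service\b",
    r"\bhelp in testing\b",
]


@dataclass
class Verdict:
    flagged: bool
    reasons: list = field(default_factory=list)


def _matches(patterns, text, label):
    """Return one labelled reason per pattern hit in the normalised text."""
    return [f"{label}: '{m.group(0)}'" for p in patterns for m in re.finditer(p, text)]


def screen_message(text: str) -> Verdict:
    """Flag a message that asks for a password or payment secret.

    A secret request alone is enough to flag (the paper's rule); authority
    claims and pretexts are added as explanations for the analyst.
    """
    norm = " ".join(text.lower().split())  # collapse newlines and whitespace
    secrets = _matches(SECRET_REQUESTS, norm, "asks for a secret")
    authority = _matches(AUTHORITY_CLAIMS, norm, "claims authority")
    pretexts = _matches(PRETEXTS, norm, "uses a pretext")
    return Verdict(flagged=bool(secrets), reasons=secrets + authority + pretexts)


# Sample 1: the forged ISP e-mail quoted in the paper (transcribed).
AOL_EMAIL = """Dear AOL User:

Recently we switched to Windows NT and in the process we lost the folder that
contained your account information. So that we may provide you with uninterrupted
service to the Internet, please send us your account name and password. Thank you
for your time and patience in this matter.

Sincerely,

Bill Jones from AOL"""

# Sample 2: the message from the CERT/CC incident quoted in the paper (transcribed).
OMNICORE = """OmniCore is experimenting in online - high-resolution graphics display on the UNIX
BSD 4.3 system and it's derivatives. But we need your help in testing our new product
- Turbo Tetris. So, if you are not busy, please try out the Tetris game in your
machine's /tmp directory. Just type: /tmp/ttetris. Because of the graphics handling and
screen-reinitialization, you will be prompted to log on again. Please do so, and use
your real password. Thanks for your support. You'll be hearing from us soon!

OmniCore"""

# Sample 3: a constructed benign notice that should not be flagged.
BENIGN = """Hi team, the quarterly security awareness session is Thursday at 10am
in room 4B. No preparation needed; bring questions."""


if __name__ == "__main__":
    for name, msg in [("AOL e-mail", AOL_EMAIL), ("OmniCore", OMNICORE), ("Benign", BENIGN)]:
        v = screen_message(msg)
        print(f"{name}: {'FLAGGED' if v.flagged else 'ok'}")
        for r in v.reasons:
            print("   ", r)
```

The screen is deliberately simple: it looks only for the one signal the paper calls decisive (a request to disclose a password or card details) and treats everything else as explanatory context, so a benign security-awareness notice that never asks for a secret passes even though it mentions security.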

Summary, Conclusions and Further Work

Using SE, the attacker is using the weakest link, the human user, to gain information.
Hackers, crackers, corporate spies, etc. know that they can exploit this weakness.
"drOz", a self-proclaimed hacker, gives instructions on how to use SE techniques. SE is
a low-tech attack that works well because of human psychological characteristics that
can be easily exploited. Fostering trust, soliciting, finding common ground, blending
in, and playing on sympathy and guilt are some of the ways an attacker gets the
information desired. As stated above, the possibilities are endless and limited only by
the attacker's creativity, so this short paper is nowhere near a complete account of SE
attack techniques and safeguards.

Computer users need to be aware that any personal information given out can
potentially be used against them, whether it is at home or in the office setting.
Following security guidelines, being knowledgeable about the systems being used and
plain old common sense can usually thwart an SE attack. No matter how "new and
improved" system security may be, if a user unknowingly gives away key pieces of
information, that security is completely useless. According to Albert Einstein, "There
are two things in this universe which have no end: one is the universe and the other is
human stupidity." So technology can help us to secure our side from outside
threats, but it cannot protect us from the most dangerous inside ones.

References
(1) "Social Engineering" [Online], Available:
www.smdc.army.mil/SecurityGuide/v1comput/Social.htm

(2) Nelson, R. "Methods of Hacking: Social Engineering" [Online], Available:
www.isr.umd.edu/gemstone/infosec/ver2/papers/socialeng.html

(3) Bernz. "What is Social Engineering?" [Online], Available:
http://morehouse.org/hin/blckcrwl/hack/soceng.txt

(4) Mokhiber, R. and Weissman, R. (2001). "Corporate Spooks". [Online], Available:
www.commondreams.org.views01/0306-03.htm

(5) "Crime, Security, and Privacy: Social Engineering" [Online], Available:
www.msci.memphis.edu/~ryburnp/cl/cis/crime.html

(6) Guttman, et al. "User's Security Handbook" [Online], Available:
http://sunite.dk/RFC/rfc/rfc2504.html

(8) Network ICE Corporation (1998-2001). "Social Engineering" [Online], Available:
www.netice.com/advICE/Underground/Hacking/Methods/WetWare/Social_Engineering.htm

(9) CERT Advisory CA-1991-04 (1997). "Social Engineering". [Online], Available:
www.cert.org/advisories/CA-1991-04.html