Questions about this topic? Sign up to ask in the talk tab.

Social Engineering

From NetSec
Revision as of 21:15, 4 September 2011 by MargeryLeddy (Talk | contribs)

Jump to: navigation, search

Social engineering is a term applied to the art of humans manipulation as a means to have a person divulge information or perform an action of the manipulator's choosing.


Methods

Email

Until the release of StormWorm social engineering by means of email was a less commonly used method. The process involved an email being crafted with the intent to trick the recipient into downloading something, executing something or disclosing information, arbitrary or not. Emails may be forged, hijacked, rewritten and/or simply full of lies, anything to get the sender's desired reaction.

See email spoofing for more information on this topic.

Telephone

There are a variety of approaches a social engineer can use over the telephone. Impersonations of figures of authority or people closely associated with loved ones are common roles assumed. Usually excessive flattery is one of the more successful approaches used when interacting with the target as a person is more open with people they do not perceive as a threat. If niceness is not successful the manipulator will then resort to an intimidation or fear-based attacks which can involve anything from security threats on a network to harm of the target. Though the latter is much less common as the social engineer often prefers to keep their intentions less obvious.

Examples

An example of using both email and telephone would be an email sent creating a weakness in a network. Then followed by informing an administrator of a security hole in which his configuration is vulnerable and providing a website or link providing a malicious piece of software that the engineer will call the "patch" to the vulnerability.

Average employees are often vulnerable to social engineering attacking. For example if the engineer has a lot of information on the employee (such as name, date of birth, the last four digits of his social security number, and so on) they may call the employee during off hours impersonating the employee's workplace, verify the last four social security digits and current password to "verify identity". This is followed by a story of a problem and that the employee's password is being reset, followed by giving the employee a new password. At the same time the attacker may have called in to the employer requesting a password reset to begin with- making both sides of the corporation believe there was an issue. The advantage of this is not only the password was reset but eventual discovery of the compromised account by the corporation has been delayed.

Other easily phoned social engineering attacks include knowing enough about a corporation to gain information from an employee. Calling employees on off-hours impersonating tech support or even a solicitor is often a successful method. If the engineer knows the employee's bank, they may pass themself off as a bank representative, informing the employee that they have won a prize and requesting a piece of personal information (social security number, date of birth, or even bank account number) for verification of identity. With this newfound information the social engineer can then call the employee's company with enough information to pose as and "prove" the employee's identity in order to gain the routing and accounting information from the employee's paycheck or direct deposition. The engineer could then call the accounting department again assuming the role of a bank employee, give the routing and account number to validate identity, and then ask for the Federal Tax ID or Employer Identification Number for the targeted individual from the accounting department. By then the social engineer has enough information on their target to be able to hijack wire transfers and perhaps even successfully commit wire fraud with target corporate assets.

The examples listed are but minor ideas of social engineering over the mediums of electronic communication. Organized crime on the other hand won't always rely on such techniques. In a targeted social engineering attack the target corporation may fall prey to other variables such as malicious employees, sales agents of other corporations and furthermore may fall victim to malicious clientele.


Lesson 1

Social Engineering - By Impact


- Preface by Wikipedia

Social engineering is the art of manipulating people into performing actions or divulging confidential information, rather than by breaking in or using technical cracking techniques. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victim. "Social engineering" as an act of psychological manipulation was popularized by hacker-turned-consultant Kevin Mitnick. The term had previously been associated with the social sciences, but its usage has caught on among computer professionals.


- Outline of Social Engineering

This idea is more of a lifetime perspective or lifestyle. This means that creating milestones and reaching your targets allows you to start living a planned and directed life, a more efficient one. In order to achieve your goals, you should identify and implement them immediately.

Questions you should ask yourself include:

  1. Where do you want to go?
  2. What are the milestones in between?
  3. How do you reach them?
  4. How do you look like finishing the milestone/target?

If you are planning a hack, define yourself a finish line. Imagine yourself crossing this line, also known as self-actualisation. Also, think about the milestones you must reach in order to reach your final goal. An example of a social engineering target is a free pizza.


- Analysing and Creating Milestones

Questions to aid in the creation of milestones:

  1. What do you have to do?
  2. Who is going to help you?
  3. Who are you going to exploit?
  4. Who are you pretending to be?


- Mantras for Social Engineering

- Define short, middle and long range targets for your life planning, even if you dont have one yet, keep thinking until you work them out - Partition them into milestones - Recruit people, who will help you reaching these targets - Motivate yourself daily - Visualize yourself while running over the finish line thats the theory


- Example

Employee 1, Andrew, does not get along with employee 2, Bob. Bob knows this and feels he must take action in order to stop having to deal with Andrew. This can be done by becoming the boss of Andrew and then firing him. To attain this position of power, he identifies that he needs to become friendly with the big boss, Christian. Now Christian is not the target, but he is the milestone, required in order to remove Andrew. Bob would then try to establish trust and a relation to recruit Christian and exploit this to achieve the target, removal of Andrew.


- Other Uses

When appearing to people on a professional basis in business, always try to leave an empathetic pleased impression on them, mutual happiness. They would then associate hapiness with me and therefore remember their relationship with you as positive. Non-verbal communication can also aid in this positive relationship. By lowering your head, opening eyes wide, smiling and physical contact, you can create an open and strong relationship.


Lesson 2 - Politeness

Social Engineering - The Power of Politeness - By Laurelai


- Introduction

This lesson is about politeness and it's use in social engineering. For most social engineering attempts, you are wanting a one time goal such as someone's password, access to a system etc and after that you are done with them.

To get this one time goal to succeed, you need to emulate the same types of activity you would usually partake in by making someone your friend. Unfortunately, most people on the internet show a severe lack of social graces, making it difficult to engage in social engineering.

The solution to this is forcing yourself to be polite all the time. This at first takes a lot of effort, but once it becomes a habit, you find your ability to social engineer comes easier. You can practice the basics by trying to make friends as it uses the same skills.


- Things To Keep in Mind

With this, you have to be really careful and not see your friends as targets. This requires mental discipline, if you start socialising your friends, they will notice and they will start to feel used and you will lose them. So remember, keep socialing separate from your real friends.


- Putting Social Engineering to Work

Once you have learned to be consistently polite, you will also notice an ease in your normal interactions with strangers. This is a good tool to have even if you aren't going to social engineer, you don't have to be overly formal, just polite as it carries a long way. For some people however, this does not work as they will mistake it for a sign of weakness. For this reason, you are being taught other skills. :)

Another thing to avoid is being too polite. By being too polite, it puts people off and they see it as false.

This is an advanced technique of this is to first obeserve a group and see what the social norm is are they friendly or somewhat hostile. Whatever it is, try to match it, not exactly but close enough to look like "one of them".

Any real con man will tell you that their scams are 90% truth, 10% lies. That helps with not being contradictory. Therefore, the best way to lie is to tell the truth. The feeling you want your target to have when you are done is for them to feel good about helping you then they won't think about it too hard


- Protecting Yourself From Social Engineering

Now the reverse of this is to defend yourself from being socialed. This part is harder, a lot harder, as the same pathways you use to make friends, others might exploit. A proposed work around is to not give anything until you have known them for at least a month. This is done as most social engineers would have moved on to easier prey.