The user: the greatest asset to security and, at the same time, the weakest link. Users are trusting by nature and want to help, which puts them at risk of social engineering, and only by educating users can you close this gap. Read the following article to see how.
Social Engineering

The easiest way to break into any computer system is to use a valid username and password, and the easiest way to get that information is to ask someone for it. In computer security, the term "social engineering" refers to tricking someone into revealing information, such as a password, that is useful for an attack.

Like many hacking techniques, social engineering got its start in attacks against the telephone company. The hacker (or phone phreak, as they used to be called) would dial up an operator and, by using the right jargon, convince him or her to make a connection or share information that should not have been shared.

Social engineering can be used to collect any information an attacker might be interested in: the layout of your network, the names and IP addresses of important servers, version numbers of operating systems and software, and the security products in use internally. Nor is it limited to phone calls. Some attackers will follow people as they leave on a Friday afternoon, hoping they will go to a bar where they can be chatted up.

In reality, social engineering is probably as old as speech, and goes back to the first lie. It is still successful today because people are generally helpful, especially to someone who is nice, knowledgeable, or insistent. Technology alone cannot protect you against a social engineering attack, because the attack targets the person rather than the system.

Recognizing an attack: The social engineer may also try the help desk or the server administrator. In organizations too large for workers to know everyone, an attacker may pose as a new hire, or as an existing employee who has forgotten his or her password. Develop procedures to guard against these incidents.

Prevent a successful attack: The first rule is that no one is ever allowed to share his or her password with anyone, under any circumstances.
When this rule is followed, any system access can be traced back to a specific user account, because only that user should know the password. Instruct the help desk to change or assign passwords only when positive identification is provided, and make sure that the identification method you choose is actually secure. Caller ID, for example, is not: it is set by the calling equipment and can be faked. One attacker who was trying to talk a help desk into changing a password fooled the company equipment into displaying an internal phone number as the caller ID. Unless you work for the NSA or the armed forces, you may not be constantly reminded that "loose lips sink ships". Nevertheless, vigilance is important. You and your organization need to be circumspect in the information you share with outsiders, as well as insiders, in order to protect critical information about your networks and servers.
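One way to implement the positive-identification step described above, as an added example that is not from the original article: the help desk sends a one-time code to the contact the directory already holds for the account and decides on that, never on caller ID, which is recorded only for the audit trail. The directory, the SMS gateway, the audit log, the employee record and the phone numbers are constructed in-memory stand-ins (assumptions) for the real identity store, messaging gateway and SIEM feed.

```python
"""Help-desk password-reset verification that does not trust caller ID."""
from dataclasses import dataclass, field
from typing import Callable, Optional
import hmac
import secrets
import time

# Constructed sample directory (assumption: stands in for a real identity
# store). The contact on record is what the organisation already knows,
# never a number the caller supplies during the call.
DIRECTORY = {
    "jsmith": {"employee_id": "E1042", "mobile_on_record": "+1-555-0100"},
}
CODE_TTL_SECONDS = 300   # one-time code lifetime
MAX_ATTEMPTS = 3         # wrong codes allowed before the request is locked


@dataclass
class ResetRequest:
    username: str
    claimed_employee_id: str
    caller_id: str              # whatever the phone system displayed; spoofable
    code: str = ""              # outstanding one-time code, empty when none
    issued_at: float = 0.0
    attempts: int = 0


@dataclass
class HelpDesk:
    sent: dict = field(default_factory=dict)    # stand-in for an SMS gateway
    audit: list = field(default_factory=list)   # stand-in for a SIEM feed
    code_factory: Callable[[], str] = field(
        default=lambda: f"{secrets.randbelow(10**6):06d}")

    def start_reset(self, req: ResetRequest) -> bool:
        """Caller ID is written to the audit trail but is not a factor in the
        decision. The code goes to the contact on record, so only someone
        holding that device can finish the reset."""
        entry = DIRECTORY.get(req.username)
        if entry is None or entry["employee_id"] != req.claimed_employee_id:
            self.audit.append(("reset_denied", req.username, req.caller_id))
            return False
        req.code, req.issued_at, req.attempts = self.code_factory(), time.time(), 0
        self.sent[entry["mobile_on_record"]] = req.code
        self.audit.append(("reset_challenge_sent", req.username, req.caller_id))
        return True

    def complete_reset(self, req: ResetRequest, code_from_caller: str) -> bool:
        """Constant-time compare, bounded attempts, expiring single-use code,
        and every outcome attributed to the specific user account."""
        if not req.code or time.time() - req.issued_at > CODE_TTL_SECONDS:
            self.audit.append(("reset_expired", req.username, req.caller_id))
            return False
        if req.attempts >= MAX_ATTEMPTS:
            self.audit.append(("reset_locked", req.username, req.caller_id))
            return False
        req.attempts += 1
        if hmac.compare_digest(req.code, code_from_caller):
            req.code = ""   # single use: a replayed code is rejected
            self.audit.append(("reset_completed", req.username, req.caller_id))
            return True
        self.audit.append(("reset_bad_code", req.username, req.caller_id))
        return False


def run_scenarios(desk: Optional[HelpDesk] = None) -> dict:
    """Attacker with a spoofed internal caller ID versus the real employee."""
    desk = desk or HelpDesk()
    mobile = DIRECTORY["jsmith"]["mobile_on_record"]

    # Attacker: learned the username and employee ID by chatting someone up
    # and spoofs an internal extension as caller ID. A desk that trusted the
    # display would reset the password here. This one sends a code to the
    # real phone instead, which the attacker never sees.
    attacker = ResetRequest("jsmith", "E1042", caller_id="x4421 (internal)")
    attacker_challenged = desk.start_reset(attacker)
    guesses = ("123456", "000000", "111111", "222222")   # one past the limit
    attacker_results = [desk.complete_reset(attacker, g) for g in guesses]

    # Real employee: calls from an unrecognised number, reads the code off the
    # phone on record, and is done. The same code cannot be used twice.
    legit = ResetRequest("jsmith", "E1042", caller_id="unknown")
    desk.start_reset(legit)
    code = desk.sent[mobile]
    legit_ok = desk.complete_reset(legit, code)
    replay_ok = desk.complete_reset(legit, code)

    return {
        "attacker_challenged": attacker_challenged,
        "attacker_succeeded": any(attacker_results),
        "attacker_locked_out": attacker.attempts >= MAX_ATTEMPTS,
        "legit_succeeded": legit_ok,
        "replay_rejected": not replay_ok,
        "audit": desk.audit,
    }


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(key, value)
```

The point of the design is that the attacker's knowledge (username, employee ID, a convincing internal extension on the display) is never enough on its own; the decision rests on possession of the device the directory already knows about. Note also that the attacker's attempt causes an unexpected code to arrive on the real employee's phone, and leaves a "reset_bad_code" trail tied to the account, both of which are worth alerting on.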
Social Engineering People Skills

Social engineering requires people skills more than computer skills. With social engineering, hackers attempt to acquire information from someone for unethical or illegal purposes. Their goal is to obtain a person's username, password, credit card information, or other data that will benefit them.

Using social engineering, hackers may misrepresent themselves as authority figures or as someone in a position to help their victim. For example, a hacker may phone a network user and say that there is a problem with the person's account. To remedy the problem, all the caller needs is the person's password; without it, the caller says, the user may experience problems with the account or be unable to access certain information. Since the victim appears to benefit from revealing the information, he or she often tells the hacker the password. By simply asking, the hacker now has the password and the ability to get past security and access data.

Social engineering may also use more subtle methods of acquiring information. In many cases, a hacker will strike up a conversation with the user and slowly get the person to reveal tidbits of information. While each question seems innocuous, when all of the pieces are put together they may give the hacker a great deal of insight into how to get into the system.

The best protection against social engineering is user awareness through education. People reveal information to social engineers because they are unaware that they are doing anything wrong. Often they will not realize they have been victimized, even after the hacker has used the information for illicit purposes. Stress to all users the importance of keeping such information confidential.