Social Engineering

brokenroom
Networks and Communications

21 Nov 2013 (3 years and 9 months ago)

283 views

Matthew J Duffy


Abstract

While Software Engineering and Computer Science have become notable fields in the workforce today, the term Social Engineering is a newer concept. It is not a field one can study and declare as a major at a university, but is a broader concept of how users of today’s digital technologies are easily impacted by seemingly trustworthy individuals or groups using technological means. Kevin Mitnick coined the term “Social Engineering”, which has been repeatedly mentioned in several articles and papers on network and information security. In today’s constantly changing world of technology, social engineering has become a popular form of obtaining and utilizing confidential information. To combat these new IT threats, businesses need to apply new policies to protect their users and their information.






Introduction

In today’s world of technology, not many people think twice when entering their password to access their computer, their online bank account, or their favorite social network. The notion of a password and security questions seems trivial to most of these users, but to those of us who have security at the forefront of our minds, these passwords and security questions are the first and last lines of defense against the expansive network we know as the Internet.

The Merriam-Webster online dictionary defines the Internet as “an electronic communications network that connects computer networks and organizational computer facilities around the world.” [1] The Internet uses a variety of ways to authenticate users against an existing database; the most common form is the use of a unique username and associated password. For better security, networks may provide additional means of authentication such as two-factor authentication, which requires a password and a specific PIN, usually a randomly generated number. Additional means of security include security questions and narrow windows of availability for users to access a network’s resources. However, as recent news has shown, not all of these forms of authentication are secure, and this is due to one very complex idea now known as Social Engineering.



What is Social Engineering?

What is Social Engineering? This is a question that not many people would be able to answer, as it is still a fresh concept in the IT industry. Social Engineering is a way of convincing or forcing computer users to divulge important information, whether personal or business related, that might compromise their identity, their financial situation, or the security of their workstation and/or network. Microsoft’s Safety and Security Center defines it as “...a way for criminals to gain access to your computer. The purpose of social engineering is usually to secretly install spyware or other malicious software or to trick you into handing over your passwords or other sensitive financial or personal information.” [9]

Kevin Mitnick, a world-renowned hacker, was the first to popularize the term “social engineering”, as most of his hacks utilized common social engineering techniques that we can study and recognize today. He describes social engineering as “using deception, manipulation and influence to convince a human who has access to a computer system to do something.” [7]



Social Engineering Ethics

The world of social engineering may seem very bleak at this point, as all of the discussion has focused on one thing: obtaining your personal information and using it against you. However, there is a bright side to social engineering, and it rises to the level of counter-social engineering to prevent malicious hackers from getting at your information.



Ethical hacking: White Hat hackers

If you were to ask any random person on the street if they like taking a system apart just to find out how it works, you will probably have a 50/50 chance that the answer would be yes. If you asked any individual in the computer science industry, you will most likely find that it is a source of great entertainment and fun to know how a system works. The phrase “just show me the source code” is ubiquitous among programmers trying to understand how a program works or functions.

This knowledge of how something works is invaluable to the developers of software, but is even more useful to people who wish to break or circumvent a software program’s normal operation. This is where the term white hat hacking comes into view. White hat hackers are knowledgeable individuals whose primary job is to understand a system from the inside out, and this includes both the hardware and software sides of a system. These ethically certified hackers are instrumental in probing hardware and software systems for weaknesses. The tests that white hat hackers perform assess both computer system weaknesses and weaknesses in a business’ corporate IT policy. The three primary questions that ethical white hat hackers need to ask themselves are: “What is the company trying to protect? What is the company trying to protect against? How much time, effort and money is the company willing to spend to obtain adequate protection?” [3] Once one can answer those three questions, they can then determine what testing approach to take.



Black box testing

Black box testing deals with the scenario in which a hacker knows nothing of the internal system and the only information they have is a name, which can be either a person’s name or a company name. Their task then is to acquire all other relevant information using third-party means to determine whether your system is secure or not.



White box testing

White box testing deals with the scenario in which a hacker has full knowledge of the company or person they are targeting. Details might include specific technologies and devices that are used and the network schemas the company incorporates. This type of test determines what kind of information an inside user can locate when they do not have authorized access.



Gray box testing

Gray box testing is a blend of black and white box testing, where the scenario deals with a mix of full disclosure and partial restriction. This scenario targets the middle ground where most unethical hackers will have some information on a company but be lacking the specific internal details such as network topology and user base.



Certifications

As a white hat hacker, you can escape most of the federal laws that may apply to illegally accessing secure networks and their associated resources by obtaining your certification in ethical hacking. Some examples of ethical hacker certifications offered by the International Council of Electronic Commerce Consultants are [10]:

- CEH: Certified Ethical Hacker
- CISSP: Certified Information Systems Security Professional
  - Requires a full five years of professional experience in the information security field to obtain this level of certification.
  - Accredited by the American National Standards Institute to ISO 17024:2003 [3]
- CREST: Council for Registered Ethical Security Testers
- CTL: CHECK Team Leader
- CTM: CHECK Team Member
  - Limited to those with British citizenship
- QST: Qualified Security Testers



Ethical Hacking: Black and Gray Hat hackers

On the other side of the spectrum of the hacking world are Black and Gray hat hackers, those whose actions are not favorable in the IT industry. A Black hat hacker’s motive usually falls within three common themes: money, desire for a challenge, and entertainment. A Gray hat hacker’s motives do not lie on the same plane as a Black hat hacker’s, as their skills are used more to inform a company or individual that their security can be compromised, and they detail how to fix the problem. A Gray hat hacker can be anyone, but most importantly, Gray hat hackers are not certified by any accredited organization and are not paid by any corporation for their work. The main difference between a Black hat and a Gray hat hacker is that a Gray hat hacker uses their skills in an unethical manner to achieve semi-ethical goals, whereas a Black hat hacker uses their skills only to cause disruption.



Social Engineering Techniques

Contrary to popular belief, hacking is not just a means of accessing your personal information by brute force alone. With the dawn of social engineering, there are many techniques to acquire confidential information, because the end user will provide it freely as they believe it is for a legitimate purpose. The primary techniques of social engineering are pretexting, online social engineering, shoulder surfing, dumpster diving and phishing.



Pretexting

Pretexting is the most common social engineering tactic used by black hat hackers. Pretexting is “the act of creating and using a contrived scenario to persuade a potential victim to voluntarily reveal information or perform actions.” [6] This tactic targets a user by requesting a specific amount of information while providing a false scenario in order to convince the user that real-life consequences (or benefits) will occur if they do not comply. Examples of this tactic in use might be requesting a username and password to ensure that a user’s e-mail account stays active; requesting bank account information for validation purposes to verify the user in their databases; or asking a user to confirm their home address for mailing purposes (covered in dumpster diving later on in this paper).



Online Social Engineering

In this world filled with people, social networks have become the new way of keeping in touch with other people across the globe. However, with this new form of social media constantly emerging, the technology that protects it remains the same. Most online social engineering comes in the form of queries on search engine websites such as Google and Yahoo. These types of blanket searches cover many avenues to locate information on an individual, but usually indicate that the attacker has little or no information on their target and looks to find more by a widespread search.

More pointed attacks that target a specific person occur on social networks such as Facebook, LinkedIn, Twitter, MySpace, Google+ and BlogSpot. These types of attacks make up over 39 percent of all social engineering attacks. [2] These attacks look to find information on a specific individual to analyze and develop a social engineered attack against that person. The security behind social networks has become stronger in recent years, but relies mostly on the user to do the majority of the work in securing their identity and personal information from the outside world. This is easy enough to do by spending some time reviewing a social network’s privacy policy and understanding the default settings for your account.

More secure websites such as corporate websites or universities provide a means to authenticate a user before executing a search query. However, the implementation of this type of security for universities or corporate web pages is difficult, which allows any number of attackers to freely search for information such as names, phone numbers, mailing addresses, office location, area of study or work and general hours of availability. If an attacker has access to these resources, then an individual is subject to a localized attack, which may be more powerful the closer the victim is to the attacker. Unfortunately, for these types of websites there is no preventable method to stop an insider from obtaining information on individuals within a company or university. The most targeted users in a corporation are new employees and contracted workers, whose knowledge of corporate policy and business procedures is more limited.



Shoulder Surfing

This form of social engineering is the lowest level of information gathering. Shoulder surfing can occur in any number of locations, which are not limited to coffee shops, business offices and cubicles, university computer labs, ATMs and even at home. This form of social engineering looks to gain access to certain resources by observing the victim enter his or her credentials. It prompts no interaction with the victim and assumes that the attacker is able to memorize all of the information to carry out a successful future attack. This form of social engineering is the most preventable by applying a good sense of security wherever you go: conceal the number pad when entering any PINs; have long and complex passwords; and sit in a secure location away from other individuals if necessary.



Dumpster Diving

As the world transitions to a digital era, there is a paper trail left behind that details our past and even our current life story. Everything from medical records, bank information, mortgage payments, credit card statements, utility bills and social security claims to simple postcards is volatile and sensitive information if put in the wrong hands. Dumpster diving is the method of perusing through the garbage to uncover these types of documents and using them to steal another’s identity. The best way to protect against dumpster divers is to remove all traces of sensitive data and dispose of it by either shredding or burning the documents. These methods are not 100% effective, but do lessen the chance that a diver will be able to retrieve useful information.



Phishing

Phishing attacks are the most prevalent social engineering attacks to date. They make up over 47 percent of all social engineering attacks. [2] The two charts below show the rise in phishing attacks. Figure 1 shows the number of phishing e-mails caught in October of 2006. Figure 2 shows the number of phishing e-mails caught in October of 2011. As one can see, there is a significant increase over the course of five years.

Figure 1: Number of verified phishing e-mails in October 2006. Highest peak was approximately 350 e-mails.

Figure 2: Number of verified phishing e-mails in October 2011. Highest peak was approximately 800 e-mails.


A phishing attack is usually a broader attack that targets a large scope of users. These targets can be public officials, corporate employees, members of an organization, or groups of people with low-level access to network resources (students). A phishing attack “is a two-time scam technique of fraudulently obtaining private information.” [6]

The first part of a phishing attack usually comprises a fraudulent e-mail or phone call to a number of users, which holds the pretext of authority or urgency. The e-mail may attempt to masquerade as an administrator on the network, or claim to be from an organization that the user is familiar with and require them to verify their status. The second part of a phishing attack is the final destination that the user reaches when needing to verify their identity or to input the information that the attacker has requested. This destination is usually a fake website set up to look familiar to the user and allow them to input the requested information.

Questioning e-mails or phone calls that request personal information or look illegitimate is the best way to prevent a phishing attack. Notify your network administrators or support personnel if you come across any e-mails that appear to be phishing e-mails.
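As an added illustration that is not part of the paper, the following Python script triages a constructed e-mail for the indicators this section describes: a pretext of authority, a pretext of urgency, a request to verify credentials, and a link whose visible URL differs from its real destination (the "fake website" half of the attack). The sample messages, word lists and hostnames are all made up for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample messages (not from the paper). The first mimics the lure the
# paper describes: an "administrator" demanding credentials under time pressure,
# with a link whose visible text points to a host different from its real target.
SAMPLE_EMAIL = {
    "from": "IT Helpdesk <helpdesk@example-corp.com>",
    "subject": "URGENT: your mailbox will be deactivated in 24 hours",
    "body": (
        "Dear user, to keep your e-mail account active you must verify your "
        "username and password immediately at "
        '<a href="http://example-corp.com.account-check.invalid/login">'
        "https://webmail.example-corp.com/verify</a>. Failure to comply will "
        "result in loss of access."
    ),
}
BENIGN_EMAIL = {
    "from": "Dana <dana@example-corp.com>",
    "subject": "Lunch on Friday?",
    "body": "Hi all, the team lunch is at noon on Friday. See you there.",
}

# Indicator vocabularies, one per pretext element the paper names (assumed lists).
AUTHORITY_WORDS = ("helpdesk", "administrator", "it department", "security team")
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "deactivated", "suspended")
CREDENTIAL_WORDS = ("password", "username", "verify your", "account number", "social security")

# Matches an HTML anchor and captures its href and its visible text.
LINK_RE = re.compile(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def mismatched_links(body):
    """Return (href_host, visible_host) pairs where the visible link text is a URL
    whose host differs from the host the href actually goes to."""
    pairs = []
    for href, text in LINK_RE.findall(body):
        href_host = (urlparse(href).hostname or "").lower()
        text_host = (urlparse(text.strip()).hostname or "").lower()
        if text_host and href_host != text_host:
            pairs.append((href_host, text_host))
    return pairs


def assess(email):
    """Return a list of human-readable findings; an empty list means no indicator
    fired. This is a triage aid for support staff, not a verdict."""
    text = " ".join(email[k] for k in ("from", "subject", "body")).lower()
    findings = []
    if any(w in text for w in AUTHORITY_WORDS):
        findings.append("claims authority")
    if any(w in text for w in URGENCY_WORDS):
        findings.append("creates urgency")
    if any(w in text for w in CREDENTIAL_WORDS):
        findings.append("requests credentials")
    for href_host, text_host in mismatched_links(email["body"]):
        findings.append(f"link text shows {text_host} but points to {href_host}")
    return findings


if __name__ == "__main__":
    for name, msg in (("sample", SAMPLE_EMAIL), ("benign", BENIGN_EMAIL)):
        print(name, "->", assess(msg) or ["no indicators"])
```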


Social Engineering Psychological Aspects

A careful social engineer chooses their targets as they specifically profile whom they want to target in order to obtain the largest yield of information. There are three key properties that comprise the social psychology of a social engineering attack: alternative routes to persuasion, attitudes and beliefs that affect human interactions, and techniques for persuasion and influence. These three traits are prime indicators of what type of human being a social engineer is likely to target.



Alternative Routes to Persuasion

An alternative route to persuasion is a way a social engineer can obtain information not by directly asking for it, but by coercing their victim into providing it for them. A direct method of persuasion deals with no contrived scenario and largely “depends on the (victim’s) logical thinking.” [6] Rather than directly expose their desire for specific information, a social engineer looks to circumvent logical thinking and targets the victim’s emotional state to obtain information. Such activators of emotion weigh heavily on either fear of consequence or desire of reward for their actions.



Attitudes and Beliefs that affect Human Interactions

This psychological aspect primarily focuses on the relationship between the attacker and their victim. If the victim knows the attacker, then they are more prone to divulging information than if it was someone that they did not know. The only question the victims have to ask themselves is “Do I trust this person?” Successful social engineers build relationships in order to take advantage of them later.



Techniques for Persuasion and Influence

Six primary elements make up effective persuasion techniques: authority, scarcity, liking and similarity, reciprocation, commitment and consistency, and finally social proof. [6] How these attacks are carried out depends on whether the attack is human based (focused on human targets) or technology based (focused on penetrating computer systems alone). The six elements listed above appear in human based attacks, which look to incorporate several of the elements to make up a successful social engineering attack.



Authority

If a socially engineered attack has the element of authority, it usually is an indication that it started at the top of the business hierarchy and worked down to the lower levels of the business environment. An example that involves authority occurs when a senior member of a law firm receives a fraudulent e-mail and passes it down to a subordinate. As the e-mail passes through the chain of command, the fraudulent e-mail gains more and more authority, so people are less likely to question the e-mail when they see it comes from a superior member of the business. [4]



Scarcity

A social engineering method of coercing a victim to do something may involve a type of reward or consequence based on the type of victim targeted. If a victim is a frequent lottery player, then a simple masqueraded e-mail mimicking an official lottery organization stating they have won a large sum of money may suffice to obtain a large amount of information. If the attacker knows that their victim has had difficulty in holding a job, then they might be able to force them to do something by threatening to terminate their position. By offering rare opportunities (winning the lottery) or severe consequences (loss of job), a social engineer can trigger those emotional reactions which cloud a user’s judgment and thus could possibly provide the attacker with information.



Liking and Similarity

This trait is similar to the Attitudes and Beliefs section covered earlier, which deals with the relationship between the attacker and their victim. If the victim holds a particular favoritism toward the attacker, then they are more willing to provide information than if it was someone unfamiliar to them.



Reciprocation

By mimicking feelings of altruism, a social engineer can harvest large portions of information by offering a false notion of reciprocation to the victim. Human beings are more inclined to do something when they are compensated for their efforts, whether that is tangibly with money or immaterially with feelings of gratification and the satisfaction of helping other people.



Commitment and Consistency

By staying focused and committed to their objective, a social engineer is more likely to receive information in return if they appear to be consistent in their behavior towards their victim. By asking for small favors or commitments from the victim, they can continually take advantage of their victim, because the victim will feel compelled to stand by their commitment.



Social Proof

Social proof is a last-resort attempt to get a victim to fall within the normal bounds in which a social engineer operates. Social proof is a type of conformity where a person is not sure how to act in a certain situation, so they conform to the group environment around them. By getting a victim to conform to a situation, it is easier for a social engineer to extract information from them. A prime example of this is through social networking, by introducing factors that influence the group as a whole, which in turn influences any individuals associated with the group. [5]



Composition of a Social Engineering Attack

Four steps make up a social engineering attack, as depicted in Figure 3. These steps provide a clear-cut way to determine where exploitation occurs in a production environment.

Figure 3: Social Engineering Attack cycle, which repeats in order to take advantage of the victim(s) over time.

The Information Gathering stage is where social engineers use common attacks such as online social engineering and phishing e-mails to gather and obtain the necessary information to carry out the next step: Developing Relationships. With the new information, a social engineer can begin to work their way into an existing business structure to obtain further information. Once the social engineer has all the information needed, they perform the next step, Exploitation. Exploitation uses the gathered information to penetrate the targeted system and disrupt the normal work environment. Some disruptions that users immediately notice are websites that are down due to a Distributed Denial of Service (DDoS) attack or the loss of secure data. Other disruptions go unnoticed for some time before discovery, such as the attack on the RSA SecurID token algorithm used to generate pseudo-random numbers for two-step authentication purposes. [8]



Defenses against Social Engineering

As noted before, social engineering is a two-faceted attack that has a technology aspect and a human-based aspect. Fighting socially engineered attacks with technology alone is an uphill battle, as the users of technology are more susceptible to divulging secure information than a brute-force technological attack will yield. The best way to defend a business environment (and yourself) is to educate users on proper business protocol; to develop clear and concise security policies that should be followed at all times; and to require identity checks both online and in person to verify that a person is who they say they are. The best prevention methods against socially engineered attacks are enforcing compliance with the rules and remaining constantly vigilant on both the technological and psychological fronts.



Conclusion

In conclusion, Social Engineering is a multi-faceted and complex way of obtaining sensitive information from users by persuasion techniques and technological means. Anyone in today’s modern world is vulnerable to social engineering and thus must remain constantly aware of who they interact with, both online and in person. By improving recognition of falsified information and attempts to trick users into divulging sensitive information, a company and its users will be able to maintain a secure environment not only for themselves, but also for their company’s clients and assets.



Bibliography

[1] Internet. (2011). Retrieved October 31, 2011, from http://www.merriam-webster.com/dictionary/internet

[2] Social engineering risks explored. (2011, September 22). Retrieved October 1, 2011, from http://www.continuitycentral.com/news05936.html

[3] Caldwell, T. (2011, July). Ethical Hackers: putting on the white hat. Network Security, 2011(7), pp. 10-13.

[4] Gold, S. (2010, November). Social engineering today: psychology, strategies and tricks. Network Security, 2010(11), pp. 11-14.

[5] Isaacson, A. (2011, May). Are You Following a Bot? The Atlantic Monthly, 307(4), p. 32.

[6] Luo, X., Brody, R., Burd, S., & Seazzu, A. (2011, July-September). Social Engineering: The Neglected Human Factor for Information Security Management. Information Resources Management Journal, 24, pp. 1-8.

[7] Luscombe, B. (2011, August 29). 10 Questions. Time, 178(8), pp. 37-1.

[8] McMillan, R. (2011, August 26). Was this the E-Mail that Took Down RSA? Retrieved September 18, 2011, from PCWorld: http://www.pcworld.com/article/238876/was_this_the_email_that_took_down_rsa.html#tk.rss_news

[9] Microsoft. (2011). Resources: What is social engineering? Retrieved September 17, 2011, from Microsoft Safety & Security Center: http://www.microsoft.com/security/resources/socialengineering-whatis.aspx

[10] Sundar, S. (2011, January 28). So, You Want to Be an Ethical Hacker... Retrieved September 18, 2011, from FINS Technology: http://it-jobs.fins.com/Articles/SB128916361572754531/So-You-Want-to-Be-an-Ethical-Hacker