A question was raised on a security community (security.stackexchange.com) on whether or not social engineering is still a threat. The question refers to Kevin Mitnick’s book from 2002: “The Art of Deception: Controlling the Human Element of Security“. The person writing the question asks if we shouldn’t be immune to these types of attacks and techniques after 10 years of technology and learning.
Social engineering is very prevalent still today, and I doubt that is about to change in decades, or if it ever will.
Here are some brief explanations on why social engineering works. It’s tough to cover everything, because social engineering is a really broad field of information. The points made in the list below is taken from the book I’ve quoted on the bottom of this article:
- Most people have the desire to be polite, especially to strangers.
- Professionals want to appear well informed and intelligent
- If you are praised, you will often talk more and divulge more.
- Most people would not lie for the sake of lying
- Most people respond kindly to people who appear concerned about them
Usually humans wants to be helpful to each other. We like doing nice things!
- I run into the reception at a big corporate office with my papers soaked in coffee. I talk to the receptionist and explain that I have a job interview meeting in 5 minutes, but I just spilled coffee over all my papers. I then ask if the receptionist could be so sweet and print them out again for me with this USB memory stick that I have.This might lead to an actual infection of the receptionist PC and may gain me a foothold within the network.
The fear of failing or not doing as ordered:
- The company’s director’s (John Smith) facebook page (or whatever other source of information) reveals that he has just left on a cruise for 3 weeks. I call the secretary and with a commanding voice I say “Hi, it’s Chris calling. I just got off the phone with John Smith, hes having a very good time on his cruise with his wife Carla and kids. However we are in the middle of integrating a very important business system and he told me to give you a call so you can help us. He couldn’t call himself because they are going on a safari, but this is really urgent. All you need to do is take the USB stick that is addressed to him in the mail and plug it in, start the computer and we are all done. The project survives!Thank you very much! You have been a great help! I am sure John Smith will recognize you for this act of helpfulness. “
- The tailgate. I hold the entry door for you, and I quickly walk behind you. When you open the next door, which is security enabled, I am heading in the same direction and most people will try and repay the helpful action by holding the door for you again. Thus allowing you into a place where you should not be. Worried about getting caught Nah.. You just say you’re sorry and that you went the wrong way.The target would almost feel obliged to hold the door for you!
Exploiting the curiosity
- Try dropping 10 USB sticks around in various locations in your organization. You don’t have to place them in too obvious places. The USB should have a auto-run phone home program so you can see when someone connects the USB stick and should theoretically be exploited.Another version of this is to drop USB sticks with a single PDF document that is i.e. called “John Smith – Norway.pdf”. The PDF document contains a Adobe Acrobat Reader exploit (there is tons of them) and once the user clicks the document he will be owned. Of course you have made sure that the exploit it tailored to the target organizations specific version of Adobe. It will feel natural for most people to open the document so that they can try return the USB stick to its owner.
- Another example of curiosity (maybe another term explains this better) is all these SPAM mails or bad Internet ad’s that you have won something or a Nigerian prince is offering you a whole lot of money if you can help him. I am sure you are familiar of these already, but these are also social engineering attacks, and the reason they are not stopping is that they are still working!
That’s just some examples. Of course there is tons of more!
We can also take a look at historic social engineering events:
Full story can be read here: http://arstechnica.com/tech-policy/news/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack.ars/ (Page 3 contains the social engineering part)
- Last year HBGary was hacked. This attack involved many different steps but also a social engineering aspect as well. Long story short, the hacker compromised email account of a VIP in the company and he sent an email to an administrator of the target system reading something like this: “Hi John, I am currently in Europe and I’m bouncing between airports. Can you open up SSH on a high numbered port for me coming from any IP? I need to get some work done”. When the administrator gets this email he feels it is natural to comply to this seeing as the email is coming from a trusted source.But that is not it! The attacker had the password for the account, but the login was not working! So he emails back to the administrator “Hey again, It does not seem to be working. The password is still right? What was the user-name again?”. Now he has also provided the actual password for the system (the attacker had it from the earlier compromise of another system in the same hack), giving the attacker a whole lot more trust from the administrator. So of course the administrator complies and tells the attacker his user-name.
The list in the top comes from the book “Social Engineering: The Art of Human Hacking” and I can very much recommend it!
I will sum up this article on a quote by the famous Bruce Schneier: “Amateurs hack systems, professionals hack people” //Win
[important]The full question and my answer to the question can be read here: http://security.stackexchange.com/q/11920/294[/important]