The Problem

What is the problem? Succinctly, the problem is this: people spend a fortune on technology but are still vulnerable to good old-fashioned manipulation !

Stories about social engineering exploits abound; we promise you could spend an entertaining afternoon just trawling through Google for examples. We have. If you want to start an educational campaign against social engineering in your organization, this would be a valuable activity for you. Stories help make the concept seem more real.

Social Engineering

"Social engineering" is a broad term used mainly by psychologists to refer to various attempts to guide or create certain outcomes in society, politics, and economics. In the computer security world, its meaning is narrower. Although many definitions exist, here's the one we like: Social engineering is the art and science of getting people to comply with your wishes . ^[3]

^[3] "The Psychology of Social Engineering" by Harl (http:// cybercrimes .net/Property/Hacking/Social%20Engineering/PsychSocEng/PsySocEng.html).

Think for a moment about the word help . Is there no more powerful word in any language? When someone comes to you for help, offers a compelling reason for your involvement, and pleads for your assistance, is it easy to resist? If the person also happens to be a womanor at least appears to possess the attributes of a woman , perhaps sounding like one on the phonecompliance is positively assured. Women are implicitly more trusted than men, especially over the phone. Regardless of gender, however, the natural human desire to help leaves all of us vulnerable to social engineering attacks. We humans have a natural willingness to believe that people are honest, that their requests are genuine , that their word is good and true. Alas, there are some among us who are the polar opposite of these assumptions and look for ways to exploit and attack that natural belief. The difficult part for you and us, the security people, is hardening the usersgetting this message across. Sure, people agree that it's possible and that it can happen to others, but they'll resist mightily the idea that it can happen to themselves . Usually it has to be experiential . That's why stories can help; in fact, the best thing would be to find someone in your own organization willing to share how he or she was once the victim of a social engineering attack.

Social engineering is not a form of mind control. It won't allow you to get people to perform tasks wildly outside their normal behavior. If you want to attack the people using a computer system, you have to do lots of preparatory work: root out all kinds of information, spend hours in idle chit-chat with boring people (it can help to adopt an amusing accent here ^[4] ), and be good at maintaining deception. Indeed, social engineering might be the highest form of computer attack: it can be very easy and often yields the highest rewards. Technical attacks are fun and challenging for many people and become badges of pride for some, but in many instances it's a whole lot easier just to pick up the phone and (through a contrived situation) ask someone for his or her password.

^[4] Hint: Americans trust Australians just a bit too much. In any event, be sure to select the correct accent; see "Accents of Guilt: Effects of regional accent, race, and crime type on attributions of guilt," by John Dixon, Berenic Mahoney, and Roger Cocks (http://www.psych.lancs.ac.uk/people/uploads/JohnDixon20040416T131109.pdf), for an interesting exposition.

How Much Are Your Network Passwords Worth?

This is a good question to ask your users to get them to think about the true value of their passwords. We all know that a password is this:

A shared secret possessed only by a security principal and a secured system that authenticates the identity of the principal to the system and permits the principal to then engage in authorized activities on the system

But if you provide ordinary users with that definition, you'll likely deserve the ridicule you receive and the subsequent attacks that happen later as users look for every way possible to invent bad passwords.

Most users simply don't know any better, really. They know they have to enter this thing to get access but don't realize its purpose. So they have no problems sharing it because they don't understand its value. In early 2004, 172 office workers (a small sample) were approached on the streets of London. ^[5] Of those, 37 percent willingly revealed their passwords when asked; 71 percent accepted a chocolate bar in exchange for their passwords. And don't delude yourself into thinking that people are getting smarter : in 2002, 65 percent of people surveyed at a train station revealed their passwords for a cheap pen; in 2003, 90 percent of people did.

^[5] "Low-tech password cracker: chocolate" by Enterprise IT Planet (http://www.enterpriseitplanet.com/security/news/article.php/3342871).

So there you have it. Depending on the bribe, at least three fourths of the people in your organizationpeople trusted with varying levels of access to critical company informationplace roughly a US $0.60 to $2.00 value on their passwords and will freely exchange them for a shoddy writing utensil or a manufactured chunk of empty (but undeniably very tasty) calories .

Good passwords deserve a full chapter on their own, which we have handily provided for you in this book; see Chapter 11, "Passwords and Other Authentication MechanismsThe Last Line of Defense."

Exploits Against People

Information security works because it extends trust to some peopletrust in protection, in identity, in authenticity. Indeed, if you didn't trust anyone, you wouldn't allow anyone into your network. It would be so secure that it would be useful to no oneand its utility would be zero. Why build it then? So your security controls have to allow some people inauthorized people with a business need to access the network and the data it stores. Authorized people become an attractive target to some attackers who try to gain unauthorized access by circumventing security controls and instead attacking those who already have permission.

Typically, only amateurs ask for passwords. Most people now know that they shouldn't reveal passwords over the phone to people they receive calls from (but apparently don't see similar danger in revealing the very same passwords to people in the street, as evidenced by the examples above). Experienced attackers of people look to build emotional bonds and even some level of trust with those they are targeting or those who can help advance the attack by sharing nuggets of valuable information. Anyone with access, whether physical or electronic, is a potential riskadministrators, developers, security personnel (yep, you), security guards , receptionists.

To prove the point, try this. At your company you might have an equipment removal policy that requires a signed permission slip from a manager. The security guards are expected to see this permission slip before you leave the building. Want to circumvent the policy? Build a quick bond of trust by exploiting the guard's natural desire to help: ask him or her to help you carry the gear to your car. (Criminals would never actually engage the enemy, right?) Chances are, he'll (they're almost always men) look up from the porn magazine stashed behind the monitor, jump out from the desk, and engage in friendly conversational banter as he hoists the gear into your trunk, all the while forgetting to ask for the permission slip.

There are as many ways of exploiting people as there are people. Most exploits, however, can be grouped into eight broad categories. ^[6]

^[6] "The psychology of social engineering" by Harl (http://cybercrimes.net/Property/Hacking/Social%20Engineering/PsychSocEng/PsySocEng.html).

• Diffusion of responsibility

  "Hey, the vice-president says you won't bear any responsibility." Try to convince the target that he or she bears no responsibility for his or her actions. Do the necessary research to learn the names of people high in the organization and then casually drop one or two during your conversation, with the claim that they have authorized the request. Be sure, however, that you've done enough research to know that you aren't "authorizing" something out of character for that person.

• Chance for ingratiation

  "Look at the rewards you'll get out of this!" Most people, especially typical targets of social engineering attacks, are always looking to improve their standing somewhere in the organization by getting into the "right" crowd , receiving special insider-only perks, enjoying special access to management, or obtaining (sometimes shadowy) competitive advantage. Try to convince your target the he or she receives a fantastic benefit like this in exchange for help.

• Trust relationships

  "He sounds honest, I think I can trust him." Take the time to develop a trust relationship. This is easier than you thinka single shared experience or something you both like to complain about can be a basis for trust. (Note that it isn't required for you to have had the actual experience or hold the exact same negative feelingsyou're a criminal, so it's OK to lie.) Have a series of positive interactions, and then move in for the kill: you'll most likely succeed.

• Moral duty

  "You've got to help me! Doesn't this make you so mad?" Build up a sense of moral duty in your target. It helps to learn a lot about the target's organization, and then select something the organization has done that is likely to make many of its employees outragedenvironmental or "screw-the-customer" issues are always good. As long as your plan sounds like it'll avoid detection and mitigate some perceived wrong, your success rate improves .

• Guilt

  "What? You don't want to help me?" Guilt, somewhat the opposite of moral duty, is something nearly all people strive to avoid. Take advantage of this and build up a drama with scenarios that manipulate empathy and create sympathy. Increase your chances of success by making the target believe that compliance leads to avoidance of guilty feelings for himself or herself or even for you. (Study the history of any of the world's major religions for prime examples of using guilt as a motivator. It's worked for them; it'll work for you, too.)

• Identification

  "You and I are really two of a kind, huh?" Build a connection with the target based on information you've acquired before or during the conversation. Make the target feel as if you both have the same goals, enjoy the same foods , go to the same kinds of concerts, possess the same religious and political and cultural opinions . Learn to be glib and give people the reactions and answers they desire.

• Desire to be helpful

  "Would you help me here, please ?" We gave you a successful example of this before. Most of your targets have problems refusing requests for help, because it's against human nature to do that. Gather information by relying on people's general lack of assertiveness.

• Cooperation

  "Let's work together. We can do so much." Like with guilt, people usually try to avoid conflict. Don't create opportunities for conflict to arise within your target. Be the patient voice of reason and logic; yelling or anger or bullying or being annoying all work against you.

Involvement vs. Influence

Which exploits a social engineer chooses depends on the target. Targets can be highly involved or lowly involved.

Highly involved people (that is, people like you) are the owners or administrators of the systems and those who rely on them as work tools or for communication. They are persuaded by one or two very strong and compelling requests that won't invite counterarguments. Lowly involved people have little interest in what an attacker is trying to do, but are the day-to-day people with whom we must all interact. They are persuaded by the number and urgency of requests, not how well crafted the lie is.

How to Be a Social Engineer

So you want to try this yourself. "What? They're telling us how to hack people?" We can see your blood pressure rising in alarm. Calm down: first, you can find this information just about everywhere on the Internet; all we're doing is eliminating one Google search from your life. Second, knowing how the bad guys attack people can help you better build defenses against them. So, let's proceed.

Direct requests are usually the least likely to succeed. So the phone call asking for the password these days will get challenged and probably be refused . It's better to contrive some kind of situation, building in additional factors the target must consider and that perhaps allow the target to create nonpersonal reasons for assisting. Struggling with 50 pounds of equipment and asking the guard to help you carry some to your car is a perfect example of a contrived situation. Similar is calling the help desk of an electric utility company during a violent rainstorm. Even internal help desks at electric utilities are chaotic places when massive weather events are taxing everyone's nerves. Here you haven't had to contrive somethingnature is helping you!

Don't forget how appearance can helpthis includes clothing and props. If you dress in a uniform appropriate to what you want to achieve, you can bypass many physical security controls. In most cities in the United States, uniform stores can equip you to be a delivery agent, a telephone or utility repairperson, even a firefighter. Service personnel are rarely confronted and asked for identification. It's also easy with modern software and color printers to produce official-looking employee badges. It doesn't hurt that the vast majority of badges are made from white plastic and contain a photograph with a blue background (hint). A rapidly flashed badge accompanied by a purposeful stride barely rouses the security guard from his necessary and well-deserved afternoon nap. Consider carrying around a clipboard and scribbling notes from time to time. Although some people in some organizations might challenge those they don't recognize or those who aren't walking around with ID badges displayed, ^[7] the clipboard is a highly effective substitute. Enjoy the sudden freedom to roam around unchallenged, but have some excuse ready just in case. Think: if you saw a well-dressed person investigating your facility, making intense visual observations while jotting notes on a clipboard and engaging in the occasional mobile phone call, would you have the courage to question that person? Really? We didn't think so. In fact, most people we know would rapidly turn and walk the other direction, to avoid any potential conversation or inquisitiveness from the " examiner ."

^[7] If you don't have such a policy now, consider implementing one. Allow your people to challenge and escort out those who can't produce identification. And for especially sensitive areas, consider permitting removal even if identification is produced but the person is unknown.

Personal persuasion is useful for overcoming initial reluctance. You're trying to encourage voluntary compliance, not force a certain behavior. Make the target believe he or she is in control of the situation and has the unique required ability to help you solve your request. It's about making the target believe, after careful consideration, he or she is really in controlit doesn't matter (to you) that any perceived benefits are imaginary.

You need certain equipment: a good quality telephone in a quiet location, a caller ID unit if you're planning a callback scam requiring that you know who's returning the call, and a voice changerthis is the easy, temporary way to become a woman and thus exploit one more instance of misapplied trust. Don't use a mobile phone, remember to disable call waiting (the beep throws off your rhythm), and don't call from a coin phone in a subway station: a bellowed "This is the A train to Broadway!" clues your victim into what might really be going on.

You also need a target, a mark, a victim of some kind. This is the person you're hacking to gain access to some asset in the organization. Remember the earlier chart describing highly vs. lowly involved people and craft your argument(s) appropriately. Get a list of employees in the organizationtry the organization's own Web site. It's amazing what you can learn about an organization just by spending a little time culling through freely available public information: most people are unaware of just how much the Internet really knows about, well, everything. ^[8]

^[8] Google is one of the most valuable resources on the Internet. It lacks, however, an "erase" function, which can be both good and bad. Surely you've Googled yourself at some point. Have you ever Googled yourself on the image search page? (Note: http://www.google.com/remove.html has some tips on how to stop Google from trawling your sites.)

Don't be so aloof that you won't stoop (or, rather, climb) to Dumpster diving. In most jurisdictions in the United States and many other countries , it's perfectly legal to root through the trash of anyone you want. Although you still might be guilty of trespassing if the trash container is on private property, you generally can't be prosecuted for helping yourself to items from those containers. And trash containers can be some of the richest collections of information to help you in your quest: internal memos, corporate phone books, organizational charts , policy manuals, calendars and diaries , computer documentation and backup tapes, printouts of source code and names and (yes!) passwords, and discarded computers with completely intact and information-filled hard drives. When's the last time you reviewed your organization's data destruction policies? For wiping hard drives , CIPHER /W at the Windows command line is faster than any wiping program you can buy and probably good enough. For total annihilation, a nice sharp band saw is the best way to destroy backup tapes and discarded hard drives.

Besides researching the organization and its people, you need to research its infrastructure, too. Many tools can help you fingerprint a systemnmap ^[9] , ICMP scanning ^[10] , port scanning, even telneting for banners. Of course, these methods require that you actively probe the target's systems, and those probes might be blockedor, interestingly, intentionally falsified, which certainly isn't going to fool anyone except perhaps rank amateurs. Hiding or forging banners is pointless: because there are so many other ways to find out what a system is, banner hiding is just security theater. You think you're doing something, but in reality you're only creating more work for yourself that has no positive security return whatsoever. Besides, the Internet, in its infinite helpfulness, can assist an attacker to get around that. All organizations that have an Internet domain will have registered that domain with some registrar. You can look up any domain's registration record using http://www.geektools.com/whois.php. Note the technical contact: this is often the name , e-mail address, and telephone number of the person charged with maintaining the organization's presence. Here is Microsoft's domain record:

^[9] http://www. insecure .org/nmap/.

^[10] http://www.sys-security.com/html/projects/icmp.html and http://www.sys-security.com/html/projects/X.html.

 Registrant: Microsoft Corporation One Microsoft Way Redmond, WA 98052 US Domain name: MICROSOFT.COM Administrative Contact: Administrator, Domain domains@microsoft.com One Microsoft Way Redmond, WA 98052 US +1.4258828080 Technical Contact: Hostmaster, MSN msnhst@microsoft.com One Microsoft Way Redmond, WA 98052 US +1.4258828080 Registration Service Provider: DBMS VeriSign, dbms-support@verisign.com 800-579-2848 x4 Registrar of Record: TUCOWS, INC. Record last updated on 23-Jun-2004. Record expires on 03-May-2014. Record created on 02-May-1991. Domain servers in listed order: NS1.MSFT.NET 207.46.245.230 NS5.MSFT.NET 207.46.138.20 NS2.MSFT.NET 64.4.25.30 NS3.MSFT.NET 213.199.144.151 NS4.MSFT.NET 207.46.66.75 

Now what's true of almost all technical people, including perhaps yourself? Why, they're looking for better jobs, of course. And as part of that continual search they post their resum s at popular job listing sites on the Internet. Often these job sites are completely searchable, supplying full-text indexes of all resum swhich always include, naturally, e-mail addresses. Do you see where we're going? Try this:

Resum s usually list job experience in reverse chronological order. At the top, often right on the first page, is a thoroughly detailed explanation of this person's current work environment, expressed as a description of his or her job duties . Now, without sending a single byte of data into their network, you've learned nearly everything you need to know about their computer systems.

Let this sink in for a while, we'll wait. Back so soon? Good. Before you continue reading, look at the example registration record above. See the generic e-mail address for both contacts? That's good practice and is something you should do. Note that Microsoft hasn't followed good practice regarding telephone numbers : it would appear that Microsoft's internal telephone switch (PBX) uses an NPA-NXX of 425-882. An attacker could run a war dialer ^[11] on the entire range of 10,000 numbers (425-882-0000 through 425-882-9999) and locate any fax machines and modems, some of which might be attached to computers that are in turn connected to the internal corporate network in violation of policy. Who knows, one of these might even be running a routing protocol! Your registration records should contain only toll-free or non-PBX telephone numbers.

^[11] Tone Loc is our favorite. It's rather old but it works well.

So you've got information on the organization, their computers, and a responsible person. Now it's time to mount your attack. Call their help desk and pretend that you're having a problem logging on. It's unlikely these days that you'll just get the password right awayyou'll have to pass some kind of identity verification. All that work you've done will now start to pay off: you can create an aura of plausibility by dropping names, using the right lingo, and sounding as if you're legitimate . Use that voice changer to come across as being sultry or helpless. ^[12] It's unfortunate but true that some technical people lack social skills and are easily manipulated by appealing situations. Mention that you've seen them at work and think they're cutewatch the passwords fly now!

^[12] Please do not accuse us of being discriminatory or insensitive. We are fully aware of the possibly crass generalizations we are making here. However, it doesn't lessen the truthfulness of the statements and improved likelihood of successful attack these tactics will provide.