Module Objectives


If you have seen the movie 'War Games', then you have already seen social engineering in action. Arguably one of the best 'social engineers' around, Kevin Mitnick's story, as captured on celluloid, shows the art of deception.

In this module, you will get an overview of:

  • What Social Engineering is,

  • The Common Types of Attack,

  • Social Engineering by Phone,

  • Dumpster Diving,

  • Online Social Engineering,

  • Reverse Social Engineering,

  • Policies and Procedures and

  • Educating Employees.

It must be pointed out that the information contained in this chapter is for the purpose of overview alone. While it points out fallacies and advocates effective countermeasures, the possible ways to extract information from another human being are restricted only by the ingenuity of the attacker's mind. While this aspect makes it an 'art' and the psychological nature of some of these techniques makes it a 'science', the bottom line is that there is no single defense against social engineering, and only constant vigilance can circumvent some of these advances.

start sidebar
What is Social Engineering?
  • Social Engineering is the use of influence and persuasion to deceive people for the purpose of obtaining information or persuading the victim to perform some action.

  • Companies with authentication processes, firewalls, virtual private networks and network monitoring software are still wide open to attacks.

  • An employee may unwittingly give away key information in an email, by answering questions over the phone from someone they don't know, or even by talking about a project with co-workers at a local pub after hours.

end sidebar
 

It is said that security is only as strong as the weakest link. Social engineering is the use of influence and persuasion to deceive people for the purpose of obtaining information or persuading the victim to perform some action. It need not be restricted to corporate networks alone. It does not matter whether an enterprise has invested in high-end infrastructure and security solutions such as complex authentication processes, firewalls, VPNs and network monitoring software. None of these devices or security measures is effective if an employee unwittingly gives away key information in an email, by answering questions over the phone from a stranger or new acquaintance, or even by bragging about a project to co-workers at a local pub after hours.

Most often, people are not even aware of the security lapse they have made, albeit inadvertently. Attackers take a special interest in developing social engineering skills and can be so proficient that their victims do not even realize that they have been scammed. Despite having security policies in place, organizations are compromised because this form of attack preys on the human impulse to be kind and helpful.

Attackers are always looking for new ways to access information. They make sure they know the perimeter and the people on the perimeter - security guards, receptionists and help desk workers - in order to exploit human oversight. People have been conditioned not to be overly suspicious, so they associate certain behavior and appearance with known entities. For instance, on seeing a man dressed in brown stacking a bunch of boxes on a cart, people will hold the door open because they assume he is the delivery man.

Some companies list employees by title and give their phone number and email address on the corporate Web site. Alternatively, a corporation may put advertisements in the paper for high-tech workers trained on Oracle databases or UNIX servers. These little bits of information help attackers know what kind of system they are tackling. This overlaps with the reconnaissance phase.

start sidebar
Art of Manipulation.
  • Social Engineering includes the acquisition of sensitive information or inappropriate access privileges by an outsider, based upon the building of inappropriate trust relationships with outsiders.

  • The goal of a social engineer is to trick someone into providing valuable information or access to that information.

  • It preys on qualities of human nature, such as the desire to be helpful, the tendency to trust people and the fear of getting in trouble.

end sidebar
 

Social engineering is the art and science of getting people to comply with an attacker's wishes. It is not a form of mind control, and it does not allow the attacker to get people to perform tasks wildly outside their normal behavior. Above all, it is not foolproof. Yet this is one of the main ways attackers get a foot in the door of a corporation. Two terms are of interest here.

  • Social engineering is hacker jargon for getting needed information from a person rather than breaking into a system.

  • Psychological subversion is the term for using social engineering over an extended period of time to maintain a continuing stream of information and help from unsuspecting users.

Let us look at a sample scenario.

Attacker: "Good morning Ma'am, I am Bob; I would like to speak with Ms. Alice"

Alice: "Hello, I am Alice"

Attacker: "Good morning Ma'am, I am calling from the data center, I am sorry I am calling you so early..."

Alice: "Uh, data center office, well, I was having breakfast, but it doesn't matter"

Attacker: "I was able to call you because of the personal data form you filled when creating your account."

Alice: "My pers.. oh, yes"

Attacker: "I have to inform you that we had a mail server crash tonight, and we are trying to restore all corporate users' mail. Since you are a remote user, we are clearing your problems first."

Alice: "A crash? Is my mail lost?"

Attacker: "Oh no, Ma'am, we can restore it. But, since we are data center employees, and we are not allowed to mess with the corporate office user's mail, we need your password; otherwise we cannot take any action" (first try, probably unsuccessful)

Alice: "Er, my password? Well..."

Attacker: "Yes, I know, you have read in the license agreement that we will never ask for it, but it was written by the legal department, you know, all law stuff for compliance." (effort to gain victim's trust)

Attacker: "Your username is AliceDxb, isn't it? Corporate sys dept gave us your username and telephone, but, as smart as they are, not the password. See, without your password nobody can access your mail, even we at the datacenter. But we have to restore your mail, and we need access. You can be sure we will not use your password for anything else, well, we will forget it." (smiling)

Alice: "Well, it's not so secret (also smiling! It's amazing...), my password is xxxxxx"

Attacker: "Thank you very much, Ma'am. We will restore your mail in a few minutes"

Alice: "But no mail is lost, is it?"

Attacker: "Absolutely, Ma'am. You should not experience any problems, but do not hesitate to contact us just in case. You will find contact numbers on the Intranet"

Alice: "Thanks"

Attacker: "Goodbye"

start sidebar
Human Weakness
  • People are usually the weakest link in the security chain.

  • A successful defense depends on having good policies in place and educating employees to follow the policies.

  • Social Engineering is the hardest form of attack to defend against because it cannot be defended with hardware or software alone.

end sidebar
 
Note  

Social engineering concentrates on the weakest link of the computer security chain. It is often said that the only secure computer is an unplugged one. The fact that you could persuade someone to plug it in and switch it on means that even powered-down computers are vulnerable.

Anyone with access to any part of the system, physically or electronically, is a potential security risk. Any information that can be gained may be used to social-engineer further information. This means that even people not considered part of a security policy can be used to cause a security breach. Security professionals are constantly told that security through obscurity is very weak security. In the case of social engineering it is no security at all: it is impossible to obscure the fact that humans use the system or that they can influence it.

Attempting to steer an individual towards completing a desired task can use several methods. The first and most obvious is simply a direct request, where the individual is asked outright to complete the task. Although it is the least likely to succeed, this is the easiest and most straightforward method: the individual knows exactly what is wanted of them. The second is to create a contrived situation of which the victim is simply a part. With other factors than just the request to consider, the individual concerned is far more likely to be persuaded, because the attacker can create reasons for compliance other than purely personal ones. This involves far more work for the attacker, and almost certainly requires gaining extensive knowledge of the 'target'. This does not mean that the situation should be invented out of nothing; the fewer untruths it contains, the better the chances of success.

One of the essential tools used for social engineering is a good memory for gathered facts. This is something that hackers and sysadmins tend to excel in, especially when it comes to facts relating to their field.

start sidebar
Common Types of Social Engineering

Social Engineering can be broken into two types: human-based and computer-based.

  1. Human-based Social Engineering refers to person-to-person interaction to retrieve the desired information.

  2. Computer-based Social Engineering refers to having computer software that attempts to retrieve the desired information.

end sidebar
 
Note  

Social Engineering can be broadly divided into two types: human-based and computer-based.

Human-based social engineering involves human interaction in one manner or another. Computer-based social engineering depends on software to carry out the task at hand.

Gartner Group lists six human behaviors that produce a positive response to social engineering. Corroborate these with the traits discussed in module one of the course.

  • Reciprocation: Someone is given a "token" and feels compelled to take action. Example: you buy the wheel of cheese when given a free sample.

  • Consistency: Certain behavior patterns are consistent from person to person. Example: if you ask a question and wait, people will feel compelled to fill the pause.

  • Social Validation: Someone is compelled to do what everyone else is doing. Example: stop in the middle of a busy street and look up; people will eventually stop and do the same.

  • Liking: People tend to say yes to those they like, and also to attractive people. Example: attractive models are used in advertising.

  • Authority: People tend to listen to and heed the advice of those in a position of authority. Example: "Four out of five doctors recommend...."

  • Scarcity: If something is in low supply, it becomes more "precious" and, therefore, more appealing. Example: Furbies or the Sony PlayStation 2.

Source: Gartner Research

The social engineering cycle can be seen as four distinct phases.

start sidebar
Human based - Impersonation

Human based social engineering techniques can be broadly categorized into:

  • Impersonation

  • Posing as Important User

  • Third-person Approach

  • Technical Support

  • In Person

    • Dumpster Diving

    • Shoulder Surfing

end sidebar
 
Attack Methods  

Impersonation - This is a popular social engineering technique, usually depicted as the attacker impersonating an employee and resorting to an out-of-the-ordinary method to gain access or privileges. It is not the only form, though: another example is a 'friend' of an employee querying a colleague to retrieve information supposedly needed by the employee on sick leave, and then using it for further social engineering. There is a well-recognized rule in social interactions that a favor begets a favor, even if it was offered without any request from the recipient. This truth is known as reciprocation. Reciprocation is seen constantly in the corporate environment: an employee will help out another with the expectation that, eventually, the favor will be returned. Social engineers try to take advantage of this social trait in impersonation. The possibilities are endless and limited only by imagination. Few employees question a personal visit from a repairman, IS support person, contractor or cleaning person, and these ruses have also been used in the past as a disguise to gain physical access. A great deal of information can be gleaned from the tops of desks, the trash, or even phone directories and nameplates.

Attack Methods  

Important User - Impersonation is taken to a higher degree by assuming the identity of an important employee in order to add an element of intimidation. The reciprocation factor also plays a role, in that a lower-level employee will go out of the way to help a higher-level employee so that the favor earns him the attention he needs to get ahead in the corporate environment. Another behavioral trigger that aids a social engineer is the implicit tendency not to question authority. People will do an out-of-turn favor for someone whom they perceive to be in authority. An attacker posing as an important user (such as a vice president or director) can very easily manipulate an employee who has not been prepared. This trigger assumes greater significance because it is considered a challenge even to verify the legitimacy of the authority. This lack of perspective by employees makes it easy for anyone willing to misrepresent himself or herself as an authority figure. For example, a help desk employee is less likely to turn down the request of a Vice President who says he has very little time to get some important information he needs for a meeting and needs access to resources. The social engineer uses authority to intimidate, or may even threaten to report the employee to their supervisor if they do not provide the information required.

Attack Methods  

Third-party Authorization - Another popular social engineering technique is for the attacker to present himself to a resource claiming that he has the approval of the designated authority. For instance, on learning who is responsible for granting access to the desired information, the attacker might keep tabs on that person and use his absence as leverage to access resources. He might approach the help desk or other personnel claiming he has approval to access the information. This can be particularly effective if the authorizing person is on vacation or out of town, where verification is not instantly possible. People have a tendency to follow through with commitments in the workplace, even if they suspect that the request may not have been legitimate. This tendency is so strong that people will fulfill commitments they believe were made by their fellow employees. People also tend to believe that others are expressing their true attitudes when they make a statement: unless there is strong evidence to the contrary, people will believe that the person with whom they are talking is telling the truth about what they feel or need.

Attack Methods  

Masquerading as technical support - an often-used tactic, especially when the victim is not proficient in technical areas. The attacker may pose as a hardware vendor, technician or computer-related supplier and approach the victim. In one demonstration at a hacker meet, the speaker called up a Starbucks and asked the employee whether his broadband connection was working fine. The perplexed employee replied that it was the modem that was giving them trouble. The speaker went on to have him read out the credit card number of the last transaction, without offering any credentials. In the corporate scenario, the attacker may ask employees to part with their login information, including their password, to sort out a non-existent problem.

Attack Methods  

In Person - The attacker might actually visit the target site and physically survey it for information. He may disguise himself as a courier, janitor or mailman, or simply hang around as a visitor in the lobby. He can pose as a businessman, client or technician. Once inside, he can look for passwords stuck on terminals, find important data lying on desks or overhear confidential conversations. Two other techniques are known for their use by attackers:

  • Dumpster Diving - This refers to looking through an organization's trash for valuable information.

  • Shoulder Surfing - Looking over someone's shoulder to try to see what they are typing as they enter their password.

Once inside, the intruder has a whole menu of tactics to choose from, including wandering the halls of the building looking for the Holy Grail: vacant offices with employees' login names and passwords attached to their PCs; going to the mail room to insert forged memos (on forms or letterhead recovered from the trash or during an earlier foray) into the corporate mail system; attempting to gain physical access to a server or telephone room to get more information on the systems in use; finding dial-in equipment and noting the telephone numbers (which are probably written on the jacks); placing a protocol analyzer in a wiring closet to capture data, user names and passwords; or simply stealing targeted information.

start sidebar
Example
end sidebar
 

In 1998, Attackers discovered a security lapse in America Online that has yielded access to subscriber and AOL staff accounts in at least some instances, giving them free rein to alter or deface company pages or subscriber profiles.

It is thought that more than one person, equipped with user information such as screen name, real name and address, was able to call support lines and persuade some customer service representatives to reset an unsuspecting user's password. The attacker, armed with the new password, then gained exclusive access to the account.

The attacker, who went by the screen name "PhatEndo," convinced an AOL representative that he was the remote staff member who had publishing privileges in the ACLU's AOL site. He got ACLU's account by calling AOL, pretending to be the account owner, and had the password reset. What was alarming was that he didn't even give the account owner's name.

Help desk employees should be trained in handling calls from "employees" that come in on outside lines; most PBX systems can identify such calls. Help-desk personnel must be made aware of these indicators and trained to be suspicious of such calls, limiting the information given until the caller is properly identified.

Help-desk staffers should verify the identity of all employees before addressing their problems or questions. One way to do this is to check a company phone book and call the employee back before working with him or her. Another is to assign each employee a personal identification number (PIN) that must be given before support is offered. Calls regarding password changes are a security minefield.

start sidebar
Example
end sidebar
 

In June 2000, Larry Ellison, the Oracle chairman, admitted that Oracle had resorted to dumpster diving in an attempt to unearth information about Microsoft in the federal antitrust case. Dubbed 'larrygate', this was nothing new in corporate espionage: in 1993, Microsoft had done the same to produce evidence against a company that made pirate copies of its software. Two wrongs don't make a right, but on the hacking scene attackers love to go "trashing" to find documents that help them piece together the structure of the company, provide clues about what kinds of computer systems are used and, most important, obtain the names, titles and telephone numbers of employees.

Some of the interesting things a dumpster can yield:

  • Company phone books - Knowing whom to call and whom to impersonate are the first steps to gaining access to sensitive data. Having the right names and titles helps the attacker sound like a legitimate employee. Finding dial-in access numbers is an easy task once an attacker can ascertain the company's telephone exchange from the phone book.

  • Organizational charts; memos; company policy manuals; calendars of meetings, events and vacations; system manuals; printouts of sensitive data or login names and passwords; printouts of source code; disks and tapes; company letterhead and memo forms; outdated hard drives.

These items provide a wealth of information to attackers. There are countermeasures that reduce the chance of dumpster diving yielding useful material:

Use a paper shredder to prevent an attacker from gaining any printed information. Make sure all discarded magnetic media is bulk erased; data can be retrieved from formatted disks and hard drives. Dumpsters should be kept in secured areas.

In a real-life scenario, a private detective agency was able to obtain a classified report from a corporation through dumpster diving that unearthed a company phone book. With a few phone calls, the team was able to identify the authorized person whose job was to help users get reports, and to request from that person the report they wanted.

Company memo forms, also taken from the trash, were used to prepare a properly formatted request (with the help of the unwitting staffer). These were dropped into the company mail during a quick venture into the building by the infiltrator, disguised as a courier. Finally, the attackers called the department concerned to let the staff know that the report would be picked up by a courier, who then walked out the door with the multi-thousand-page report. It is important to note that the attackers did not even have to physically access the company's computer systems.

Countermeasure  

You can prevent this type of activity with some of the following countermeasures:

  • Require that all visitors be escorted at all times;

  • Instruct employees to report any repair people that show up without being called, and to not grant access to equipment until the workers' identities are established;

  • Keep wire closets, server rooms, phone closets, and other locations containing sensitive equipment locked at all times;

  • Keep an inventory of the equipment that is supposed to be in each server room, wire closet, and so on. Periodically check for extra or missing equipment.

start sidebar
Computer Based Social Engineering

These can be divided into the following broad categories:

  • Mail / IM attachments

  • Pop-up Windows

  • Websites / Sweepstakes

  • Spam Mail

end sidebar
 

At a large e-business enterprise, during an after hours Internet chat session, an employee was asked for a picture of himself. Although he didn't have one available, he obligingly asked for a photo from the other party. After a bit of additional encouragement, the other party agreed, sending an attachment that, in all respects, resembled a JPEG file. Upon accessing the attachment the hard drive started spinning, and of course, there was no photo.

Fortunately, the employee was sophisticated enough to understand the danger of an enclosed Trojan horse, and immediately alerted the IT department, who terminated the Internet connection. Later investigations revealed that the computer was infected with SubSeven, the most powerful backdoor at that time. Eventually, the company reloaded the computer, rolled back to the day before with a backup tape (losing a full day of online orders), and stayed offline for three full days overall.

Attack Methods  

Computer-based social engineering uses software to retrieve information.

Popup Windows - A window appears on the screen telling the user that he has lost his network connection and needs to re-enter his user name and password. A program previously installed by the intruder then emails the information back to a remote site.

Mail Attachments - The use of a topical subject to trigger an emotion that leads to unwitting participation from the target. There are two common forms. The first involves malicious code, usually hidden within a file attached to an email, in the expectation that an unsuspecting user will click or open the file; examples are the 'ILoveYou' virus, the 'Anna Kournikova' worm and, more recently, the 'Vote-A' email worm. The Anna Kournikova worm is also an example of how social engineers try to hide the file extension by giving the attachment a long file name: the attachment was named AnnaKournikova.jpg.vbs, so if the name is truncated it looks like a JPEG file and the user does not notice the .vbs extension. The second, equally effective, approach involves sending a hoax mail asking users to delete legitimate files (usually system files such as jdbgmgr.exe). These are designed to clog the mail system by reporting a non-existent threat and requesting the recipient to forward a copy to all their friends and co-workers. As history has shown, this can create a significant snowball effect once started.
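The file-name trick described above (a harmless-looking .jpg followed by the real .vbs, relying on the mail client cutting the name short) is something a mail gateway can screen for before the message reaches a user. The following Python is an added example written for this module, not code from the original courseware: the extension sets, the 20-character display width and the sample attachment names are constructed assumptions, and a real gateway would combine this name check with content inspection.

```python
import re
from dataclasses import dataclass, field

# Extensions that a double-click would execute on the mail clients of the era
# described (assumption for this example: a short illustrative set, not exhaustive).
EXECUTABLE_EXTENSIONS = {"vbs", "vbe", "exe", "scr", "pif", "bat", "cmd", "com",
                         "js", "jse", "wsf", "hta"}

# Harmless-looking extensions commonly placed in front of the real one as a decoy.
DECOY_EXTENSIONS = {"jpg", "jpeg", "gif", "png", "txt", "doc", "pdf", "mp3"}


@dataclass
class AttachmentVerdict:
    name: str
    suspicious: bool
    reasons: list = field(default_factory=list)


def split_extensions(name: str) -> list:
    """All extension tokens of a filename, lowercased and stripped of padding:
    'AnnaKournikova.jpg.vbs' -> ['jpg', 'vbs']."""
    parts = name.lower().split(".")
    return [p.strip() for p in parts[1:]]


def check_attachment_name(name: str, display_width: int = 20) -> AttachmentVerdict:
    """Flag attachment names that hide an executable extension.

    display_width models how many characters the mail client shows before
    truncating the name; the double-extension trick only works when the
    client shows too little of the name for the trailing .vbs to be visible.
    """
    reasons = []
    exts = split_extensions(name)
    final_ext = exts[-1] if exts else ""

    if final_ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"final extension .{final_ext} is executable")
        if len(exts) > 1 and exts[-2] in DECOY_EXTENSIONS:
            reasons.append(f"decoy extension .{exts[-2]} placed before .{final_ext}")
        shown = name[:display_width]
        if not shown.lower().rstrip().endswith("." + final_ext):
            reasons.append(
                f"real extension is cut off when the name is shown as {shown!r}")

    # Runs of spaces before the last dot push the real extension out of view
    # even in clients that display the full width.
    if re.search(r"\s{3,}\.[^.]*$", name):
        reasons.append("whitespace padding before the final extension")

    return AttachmentVerdict(name=name, suspicious=bool(reasons), reasons=reasons)


def scan_attachments(names: list) -> list:
    """Return the attachment names that should be quarantined for review."""
    return [n for n in names if check_attachment_name(n).suspicious]


if __name__ == "__main__":
    # Constructed sample names, including the module's AnnaKournikova example.
    samples = ["AnnaKournikova.jpg.vbs", "holiday.jpg", "quarterly-report.pdf",
               "photo.jpg        .scr", "setup.exe"]
    for n in samples:
        print(check_attachment_name(n))
    print("quarantine:", scan_attachments(samples))
```

The check deliberately reports why a name was flagged rather than just a yes/no, so the help desk can explain the quarantine to the recipient; the same reasons make a useful training example of what a disguised attachment looks like.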

Websites - A ruse used to get an unwitting user to disclose potentially sensitive data, such as the password they use at work. For example, a website may promote a fictitious competition or promotion, which requires a user to enter in a contact email address and password. The password entered may very well be similar to the password used by the individual at work. A common trick is to offer something free or a chance to win a sweepstakes on a website. Many employees will enter the same password that they use at work, so the Social Engineer now has a valid user name and password to enter an organization's network.

start sidebar
Reverse Social Engineering
  • A more advanced method of gaining illicit information is known as "reverse social engineering".

  • This is when the hacker creates a persona that appears to be in a position of authority so that employees will ask him for information, rather than the other way around.

  • The three parts of reverse social engineering attacks are sabotage, advertising and assisting.

end sidebar
 

Generally, reverse social engineering is the most difficult to carry out. This is primarily because it takes a lot of preparation and skill to execute.

Attack Methods  

The social engineer assumes the role of a person of authority and has the employees asking him for information. The attacker usually manipulates the types of questions asked so that he can draw out the information required. First, the social engineer causes some incident that creates a problem; then he presents himself as the solver of the problem and, through general conversation, encourages employees to ask questions as well. As an example, an employee may ask how the problem has affected particular files, servers or equipment, which provides pertinent information to the social engineer. Many different skills and experiences are required to carry this tactic off well.

Sabotage - After gaining simple access, the attacker either corrupts the workstation or gives it the appearance of being corrupted. The user of the system discovers the problem and tries to seek help.

Marketing - In order to ensure that the user calls the attacker, the attacker must advertise. The attacker can do this by leaving business cards around the target's office and/or by placing a contact number in the error message itself.

Support - Finally, the attacker would assist with the problem, ensuring that the user remains unsuspicious while the attacker obtains the information they require.

The "My Party" e-mail worm is an example of a "reverse social engineering" virus. Reverse social engineering viruses do not rely on sensational subject lines, such as AnnaKournikova or Naked Wife, to tempt users. Instead, reverse social engineering viruses use innocuous sounding subject lines and realistic attachment names.

start sidebar
Policies and Procedures
  • Policy is the most critical component to any information security program.

  • Good policies and procedures are not effective if they are not taught and reinforced to the employees.

  • They need to be taught in a way that emphasizes their importance. After receiving training, the employee should sign a statement acknowledging that they understand the policies.

end sidebar
 
Countermeasure  

No software or hardware security solutions can truly secure a corporate computing environment unless there is a sound security policy. Things like acceptable use policy and Internet use policy should be clearly articulated to users. The security policy sets the standards and level of security a corporate network will have. It also gives the network a security posture that can serve as a benchmark.

This is even more critical when the security policy is formulated with the threat of social engineering in mind. The security policy can provide guidelines to users who are in a quandary when confronted by an attacker's con. The policy can give users direction on whether or not certain information can be given out. This should be well defined in advance by people who have seriously contemplated the value of such information.

Increasing employee awareness by laying out clear policies decreases the chance of the attacker wielding undue influence over an employee. The security policy must address a number of areas in order to be a foundation for social engineering resistance, such as information access controls, setting up accounts, access approval and password changes. It should also deal with locks, IDs, paper shredding and the escorting of visitors. The policy must have discipline built in and, above all, it must be enforced. The policies have a balancing effect in that the user approached will not go out of his way to assist the attacker, or assume a different role when interacting with the attacker in person or on the phone. The policy also sets responsibility for information or access that is given out, so that there is no question as to the employee's own risk when giving away privileged information or access. Users must be able to recognize what kind of information a social engineer can use and what kinds of conversations should be considered suspicious. They must be able to identify confidential information and understand their responsibility to protect it. They also need to know when and how to refuse information to an inquirer, with the assurance of management backing.

start sidebar
Security Policies - Checklist
  • Account Setup

  • Password change policy

  • Help desk procedures

  • Access Privileges

  • Violations

  • Employee identification

  • Privacy Policy

  • Paper documents

  • Modems

  • Physical Access Restrictions

  • Virus control

end sidebar
 
  • Account Setup: There should be an appropriate security policy that new employees can familiarize themselves with regarding their responsibility and use of the computing infrastructure.

  • Password change policy: The password policy should explicitly state that employees are required to use strong passwords and encouraged to change them frequently. They should be made aware of the security implication in case their password is stolen or copied by their mishandling of its storage.

  • Help Desk procedures: There must be a standard procedure for employee verification before the help desk is allowed to give out passwords. A caller ID system on the phone is a good start, so the help desk can identify where the call originates. The procedure could also require that the help desk call the employee back to verify his location. Another method is to maintain an item of information that the employee would be required to know before the password is given out. Some organizations do not allow any passwords to be given out over the phone. The help desk must also know whom to contact in case of security emergencies.

  • Access Privileges: There should be a specific procedure in place for how access is granted to various parts of the network. The procedure should state who is authorized to approve access and who can approve any exceptions.

  • Violations: There should be a procedure for employees to use to report any violations of policy. They should be encouraged to report any suspicious activity and assured that they will be supported for reporting violations.

  • Employee Identification: One way is to require employees to wear picture ID badges. Any guest should be required to register and wear a temporary ID badge while in the building. Employees should be encouraged to challenge anyone without a badge.

  • Privacy Policy: Company information should be protected. A policy should be in place stating that no one is to give out any more information than is necessary. A good policy would be to refer all surveys to a designated person. The policy should also contain procedures for escalating the request if someone is asking for more information than the employee is authorized to provide.

  • Paper Documents: All confidential documents should be shredded.

  • Physical Access Restriction: Sensitive areas should be physically protected with limited access. Doors should be locked and access only granted to employees with a business need.

  • Virus Control: Established procedures should be in place to take action and prevent the spread of any viruses.
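The help desk verification steps this module describes in two places (PBX identification of calls on outside lines, calling the employee back at the directory number, a per-employee PIN, and never reading a password out over the phone) can be written down as a single decision routine so that every password-reset call is handled the same way regardless of how persuasive the caller is. The Python below is an added example, not material from the courseware: the employee directory, extension numbers and PIN values are constructed, and the PBX is assumed to report only whether the line is internal or external and which extension it is on.

```python
from dataclasses import dataclass, field
from hmac import compare_digest
from typing import Optional

# Constructed employee directory for this example (assumption: in a real
# deployment this comes from the HR/phone directory and PINs are stored hashed).
DIRECTORY = {
    "alice": {"extension": "4412", "pin": "7731"},
    "bob": {"extension": "4418", "pin": "2204"},
}


@dataclass
class ResetRequest:
    claimed_user: str             # name the caller gives
    caller_line: str              # "internal" or "external", as reported by the PBX
    caller_number: Optional[str]  # extension or number the PBX shows, if any
    pin_given: Optional[str]      # help-desk PIN offered by the caller
    callback_done: bool = False   # help desk hung up and called the directory number back


@dataclass
class Decision:
    allowed: bool
    next_step: str
    audit: list = field(default_factory=list)


def decide_password_reset(req: ResetRequest) -> Decision:
    """Decide whether a help-desk password reset may proceed.

    Rules encoded: calls on outside lines are unverified until the employee is
    called back at the directory extension; a per-employee PIN must be given;
    a new password is never read out on the inbound call.
    """
    audit = []
    record = DIRECTORY.get(req.claimed_user.strip().lower())
    if record is None:
        audit.append("claimed user not in directory")
        return Decision(False, "refuse; log the call and notify the security contact", audit)

    # Step 1: is the caller where the directory says this employee sits?
    if req.caller_line == "external":
        audit.append("PBX flags an outside line; caller-supplied number is not trusted")
        on_directory_line = False
    else:
        on_directory_line = req.caller_number == record["extension"]
        if not on_directory_line:
            audit.append("internal call, but not from the employee's directory extension")

    if not on_directory_line and not req.callback_done:
        return Decision(
            False,
            f"hang up and call back extension {record['extension']} from the directory",
            audit,
        )
    if req.callback_done:
        audit.append("callback to directory extension completed")

    # Step 2: something the employee knows. compare_digest avoids leaking how
    # many PIN digits matched through timing differences.
    if req.pin_given is None or not compare_digest(req.pin_given, record["pin"]):
        audit.append("PIN missing or incorrect")
        return Decision(False, "refuse; log the attempt and escalate to the security contact", audit)

    audit.append("identity verified: directory location plus PIN")
    return Decision(
        True,
        "reset to a one-time password that must be changed at first logon; "
        "deliver it through a separate channel, never on the inbound call",
        audit,
    )


if __name__ == "__main__":
    # Constructed sample: a caller on an outside line claiming to be Alice.
    first_call = ResetRequest("Alice", "external", "555-0100", "7731")
    print(decide_password_reset(first_call))
    # The same request after the help desk has called Alice back at her extension.
    verified = ResetRequest("Alice", "external", "555-0100", "7731", callback_done=True)
    print(decide_password_reset(verified))
```

The audit list is the part worth keeping in practice: a refused reset that records "outside line" and "PIN incorrect" for the same claimed user is exactly the pattern of the scenario at the start of this module, and it is what the security contact needs to see.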

start sidebar
Summary
  • Social Engineering is the use of influence and persuasion to deceive people for the purpose of obtaining information or persuading the victim to perform some action.

  • Social Engineering involves acquiring sensitive information or inappropriate access privileges by an outsider.

  • Human-based Social Engineering refers to person to person interaction to retrieve the desired information.

  • Computer-based Social Engineering refers to having computer software that attempts to retrieve the desired information.

  • A successful defense depends on having good policies in place and diligent implementation.

end sidebar
 



Staff of EC-Council - Ethical Hacking Student Courseware. Certified Ethical Hacker - Exam 312-50 (EC-Council E-Business Certification Series)
ISBN: N/A
EAN: N/A
Year: 2003
Pages: 109
