Chapter 4. Performing Social Engineering


Only two things are infinite: the universe and human stupidity, and I'm not sure about the former.

Albert Einstein

InfoSecurity Europe 2004 performed a survey of office workers in London. According to a ZDNet article published on April 20, 2004, their survey discovered that three-quarters of the office workers surveyed were willing to reveal their network-access password in exchange for a chocolate bar.

This survey illustrates how easy it is to gain access to networks without touching a single piece of equipment. At the end of the day, no matter how much encryption and security technology you have implemented, a network is never completely secure. You can never get rid of the weakest link: the human factor. It does not matter how many firewalls, virtual private networks (VPNs), or encryption devices you have if your employees are willing to give out access to the systems to anyone who asks for it. The easiest way to gain access to a corporate network is to come right out and ask for it.

Penetration testers are often asked to do just that. Companies hire testers to employ social engineering tactics to discover whether employees are following internal policies and not disclosing sensitive information. A social engineer is someone who uses deception, persuasion, and influence to get information that would otherwise be unavailable. To the social engineer, the fact that "there is a sucker born every minute" is an opportunity to circumvent some of the most secure data centers in the world. These types of networks are called candy networks because, just like M&M candy, they have a hard crunchy shell but a soft chewy center.

Two types of social engineering exist:

  • Technology based

  • Human based

Technology-based social engineering uses technology to trick users into giving out sensitive information. A classic example of a technology-based attack is a pop-up window that appears on a user's computer at a random time and prompts the user for his password, as demonstrated in Figure 4-1. Here the user is told that his session has expired, and he is asked to enter his username and password again. After the user clicks the Submit button, the username and password are sent to the computer of the malicious hacker, who can use that information later to log on to the victim's network.

Figure 4-1. Example of Technology-Based Social Engineering


In contrast, human-based social engineering does not employ technology; it is done in person or through a phone call. Both techniques rely on the predictability of human behavior: people want to help out those in need.



    Penetration Testing and Network Defense
    ISBN: 1587052083
    Year: 2005
    Pages: 209
