July 3rd, 2002 02:47 PM
Social Engineering: The Overview
hello all. i'm a newbie here, although not that newbie in the internet security world.
but this is my first tutorial, so you may find some errors...
background: as a newbie, i noticed that some discussions are techie, some are
very techie, some are very, very techie... take a break man, a real hacker
doesn't always need sophisticated tools to hack a system (a script kiddie does).
i know most techies are reluctant to talk about people. and that's exactly what
we will do now. we'll talk about people instead of technology.
=================================== CUT HERE ===================================
Document Code: JDTT0201.
Social Engineering: The Overview.
What is the easiest way to obtain a password from a user's PC? Install a
keylogger? No. Install a password cracker? Wrong answer. So? Simply ask him/her.
Using the social engineering method, a potential hacker can easily gather
valuable information right from the user without touching a keyboard or mouse.
Have you ever received a phone call or email that informs you that you've won
a free vacation in some tropical island? All you have to do is to send back
some particular information, including your credit card number. The sender
will tell you that the credit card information is needed for hotel
reservation. This is not just spam. This is a classic example of social
The following definition of "social engineering" as it pertains to computer
hacking is taken from The Jargon File, Version 4.0.0 at
social engineering /n./
Term used among crackers and samurai for cracking techniques that rely on
weaknesses in wetware rather than software; the aim is to trick people
into revealing passwords or other information that compromises a target
system's security. Classic scams include phoning up a mark who has the
required information and posing as a field service tech or a fellow
employee with an urgent access problem. See also the tiger team story in
the patch entry.
Usually social engineering comes in the form of users receiving requests to
take an action that results in the capturing of valuable information, such as
a password. The request could be initiated in a simple telephone call or an
e-mail message. Some instruct the user to run a program which will prompt
the user for his/her password. When the user executes the program, the user's
name and password are e-mailed to a remote site.
In his presentation titled "Human Security Issues: Managing People and
Defending Against Social Engineering," Gartner analyst Rich Mogull said that
people are, by nature, unpredictable and susceptible to persuasion and
manipulation. Social engineering is the most difficult security issue to
manage and he said that most IT departments do a poor job of combating the
Social engineering techniques usually follow a common pattern:
1. Information gathering
2. Development of relationship
3. Exploitation of relationship
4. Execution to achieve the objective
Hint: Don't be fooled by sweet young women or older folks; they can be part
of the scam.
How to Combat.
In one of their advisories, the CERT/CC (Computer Emergency Response Team/
Coordination Center) recommends the following actions:
1. Any users receiving such a request should verify its authenticity with
their system administrator before acting on the instructions within the
message. If a user has received this type of request and actually entered
a password, he/she should immediately change his/her password to a new one
and alert the system administrator.
2. System administrators should check with their user communities to ensure
that no user has followed the instructions in such a message. Further, the
system should be carefully examined for damage or changes that the intruder
may have caused. We also ask that you contact the CERT/CC.
3. The CERT/CC urges system administrators to educate their users so that
they will not fall prey to such tricks.
Some real world examples show us that the weakest link in a security system
is the people rather than the machines. And the key things to strengthen this
weak link are a well-defined security policy and user education. Publish a
formal written security policy stating that the IT people will never ask for
a user's password. And train the users regularly.
In this tutorial, I also list some articles describing what social
engineering is and its risks. Note: Some of the sites, like SANS and TEC,
require you to register (for free) to view the article.
An eye-opener to social engineering.
Social engineering: examples and countermeasures from the real-world.
You'll find loads of examples of how you can get hacked and how to prevent
these incidents. The main point is how people can scam information off you
over the phone by impersonating a number of people. These hackers know how
to get you to give up passwords, etc., by pretending to be police officers,
a help desk person or even someone from a fraud department.
Listen to what Kevin Mitnick has said about social engineering.
Mitnick teaches social engineering.
The key to former hacker Kevin Mitnick's exploits: social engineering. That
is the ability to manipulate individuals. In this article, Mitnick explains
how he was able to obtain valuable information over the phone and how
companies can deter other hackers from doing the same.
Understand why not so many people see social engineering as a real threat.
Social Engineering: What is it, why is so little said about it and what can be done?
Social engineering is a common security threat that needs to be taken seriously.
Yet, it gets little press compared to the latest computer virus. Perhaps that is
why social engineering is effective; few users know what it is and therefore don't
react in the best interest of their company. This article addresses why social
engineering is often ignored and what you can do to change that.
A step-by-step social engineering example in action.
Social engineering can thwart even the best laid security plans.
This article explains the security threats of social engineering. It brings up
some interesting points about how easily hackers can get inside information and
what you should be aware of to protect yourself and your company.
A real case study of an AO member dealing with social engineering.
Sales Call or Social Engineering: Recent post from an AO Member.
Palemoon was noticing red alert lines on his Firewall GUI indicating attempts to
access a port scan from a company, when a very nice sounding woman called him and
told him that she's from the very company he was watching. Read what he did
in response to such a bogus "sales call".
Finally, the official statement.
CERT® Advisory CA-1991-04 Social Engineering
Social engineering is not something new. The Computer Emergency Response Team/
Coordination Center (CERT/CC) already warned us about social engineering, eleven
years back! See also CERT Advisory CA-91.03.
It doesn't take sophisticated technology to break into a computer system via
its users. All it takes is a little social engineering. Because users can be
easily manipulated they may be the weakest link to a security breach.
We must have a well-defined security policy in place and enforce it to ensure
that every user in the organization is participating in the whole security
system. And the only way to do that is education, education and education.
=================================== CUT HERE ===================================
ok, i hope you enjoy the tutorial. see ya...
Always listen to experts. They'll tell you what can't be done and why. Then go and do it. -- Robert Heinlein
I'm basically a very lazy person who likes to get credit for things other people actually do. -- Linus Torvalds
July 3rd, 2002 06:51 PM
excellent first tutorial, good job. hope to see more like it too.
*the wise do sooner what the fools do later.
July 3rd, 2002 07:07 PM
Woah, that's a great tutorial. Really nice for your first tutorials. /me applauds.
Thanks for your time~
Die, or surrender, either way won't work.
July 3rd, 2002 07:13 PM
Dude, that is a kick ass tut. Looking forward to more should you be so inclined.
"I believe that you can reach the point where there is no longer any difference between developing the habit of pretending to believe and developing the habit of believing."
July 3rd, 2002 08:40 PM
nice one, I've read a few Social Engineering tuts (astalavista.com) and that was the best one yet, great stuff!
"Why is the bomb always gettin' the last word?" - Will Smith - Lost & Found (2005)
July 3rd, 2002 08:49 PM
Hey jdenny excellent tutorial very informative!
I would just like to add this statement: You can put a computer inside a sealed room with 10-foot thick concrete walls, but if an employee who knows the logon sequence is chatty, lonely, or otherwise pliable, 50-foot walls won't secure the system! Security is made up of firewalls, passwords, shredders, alarm systems, secure rooms, etc. But the old adage applies: The security chain is only as strong as its weakest link. And all too often that weak link is a person. Social engineering is the single most effective security penetration technique of all.
August 9th, 2002 04:39 PM
August 29th, 2002 09:18 AM
You... the newbie from the original Java islan.....
an excellent article worth being read by the newbies. I'd like to appreciate you. It seems you would like to continue in this forum for the long run. Best of luck
Long run in the sense that
Some join the forum..... start asking embarrassing questions like How to hack this.... How to hack that... and get axed to ban from the forum.
August 29th, 2002 10:17 AM
Nice work! Be proud of yourself!
I breathe, therefore I am!
I type, therefore I live!
I love, therefore I die!