hello all. i'm newbie here, although not that newbie in internet security world.
but this is my first tutorial, so you may find some errors...

background: as a newbie, i noticed that some discussions are techie, some are
very techie, some are very, very techie... take a break man, a real hacker
doesn't always need sophisticated tools to hack a system (a script kiddie does).
i know most techies are reluctant talking about people. and that's exactly what
we will do now. we'll talk about people instead of technology.


=================================== CUT HERE ===================================


Document Code: JDTT0201.

Social Engineering: The Overview.


Introduction.

What is the easiest way to obtain a password from a user's PC? Install a
keylogger? No. Install a password cracker? Wrong answer. So? Simply ask him/her.
Using the social engineering method, a potential hacker can easily gather
valuable information right from the user without touching a keyboard or mouse.

Have you ever received an phone call or email that informs you that you've won
a free vacation in some tropical island? All you have to do is to send back
some particular information, including your credit card number. The sender
will tell you that the credit card information is needed for hotel
reservation. This is not just a spam. This is a classic example of social
engineering.


Definition.

The following definition of "social engineering" as it pertains to computer
hacking is taken from The Jargon File, Version 4.0.0 at
http://www.outpost9.com/reference/ja...4.html#TAG1652 .

---

social engineering /n./

Term used among crackers and samurai for cracking techniques that rely on
weaknesses in wetware rather than software; the aim is to trick people
into revealing passwords or other information that compromises a target
system's security. Classic scams include phoning up a mark who has the
required information and posing as a field service tech or a fellow
employee with an urgent access problem. See also the tiger team story in
the patch entry.

---

Usually social engineering comes in the form of users receiving requests to
take an action that results in the capturing of valuable information
, such as
password. The request could be initiated in a simple telephone call or an
e-mail message. Some instructs the user to run a program which will prompt
the user for his/her password. When the user executes the program, the user's
name and password are e-mailed to a remote site.

In his presentation titled "Human Security Issues: Managing People and
Defending Against Social Engineering," Gartner analyst Rich Mogull said that
people are, by nature, unpredictable and susceptible to persuasion and
manipulation
. Social engineering is the most difficult security issue to
manage and he said that most IT departments do a poor job of combating the
threat.

Social engineering techniques usually follow a common pattern:
1. Information gathering
2. Development of relationship
3. Exploitation of relationship
4. Execution to achieve the objective

Hint: Don't be fooled by sweet young women or older folks, that can be part
of the scam.


How to Combat.

In one of their advisory, the CERT/CC (Computer Emergency Response Team/
Coordination Center) recommends the following actions:

1. Any users receiving such a request should verify its authenticity with
their system administrator before acting on the instructions within the
message. If a user has received this type of request and actually entered
a password, he/she should immediately change his/her password to a new one
and alert the system administrator.

2. System administrators should check with their user communities to ensure
that no user has followed the instructions in such a message. Further, the
system should be carefully examined for damage or changes that the intruder
may have caused. We also ask that you contact the CERT/CC.

3. The CERT/CC urges system administrators to educate their users so that
they will not fall prey to such tricks.

Some real world examples show us that the weakest link in a security system
is the people rather than the machines. And the key things to strengthen this
weak link is a well-defined security policy and user education. Publish a
formal written security policy stating that the IT people will never ask for
a user's password. And train the users regularly.

In this tutorial, I also list down some articles describing what social
engineering is and its risks. Note: Some of the sites like SANS and TEC,
require you to register (for free) to view the article.


An eye-opener to social engineering.

Social engineering: examples and countermeasures from the real-world.
http://www.gocsi.com/soceng.htm

You'll find loads of examples on how you can get hacked and how to prevent
these incidences. The main point is how people can scam information off you
over the phone by impersonating a number of people. These hackers know how
to get you to give up passwords, etc., by pretending to be police officers,
a help desk person or even someone from a fraud department.


Listen what Kevin Mitnick has said about social engineering.

Mitnick teaches social engineering.
http://www.zdnet.com/filters/printer...80-2%2C00.html

The key to former hacker Kevin Mitnick's exploits: social engineering. That
is the ability to manipulate individuals. In this article, Mitnick explains
how he was able to obtain valuable information over the phone and how
companies can deter other hackers from doing the same.


Understand why not so many people see social engineering as a real threat.

Social Engineering: What is it, why is so little said about it and what can be done?
http://www.sans.org/infosecFAQ/social/social.htm

Social engineering is a common security threat that needs to be taken seriously.
Yet, it gets little press compared to the latest computer virus. Perhaps that is
why social engineering is effective; few users know what it is and therefore don't
react in the best interest of their company. This article addresses why social
engineering is often ignored and what you can do to change that.


A step-by-step social engineering example in action.

Social engineering can thwart even the best laid security plans.
http://www.technologyevaluation.com/...12_23_01_1.asp

This article explains the security threats of social engineering. It brings up
some interesting points about how easily hackers can get inside information and
what you should be aware of to protect yourself and your company.


A real case study of an AO member dealing with social engineering.

Sales Call or Social Engineering: Recent post from an AO Member.
http://www.antionline.com/showthread...hreadid=231663

Palemoon was noticing red alert lines on his Firewall GUI indicating attempts to
access a port scan from a company, when a very nice sounding woman called him and
told him that she's from the very company he was watching. Read what he has done
in responding such a bogus "sales call".


Finally, the official statement.

CERTŪ Advisory CA-1991-04 Social Engineering
http://www.cert.org/advisories/CA-1991-04.html

Social engineering is not something new. The Computer Emergency Response Team/
Coordination Center (CERT/CC) already warned us about social engineering, eleven
years back! See also CERT Advisory CA-91.03.


Conclusion.

It doesn't take sophisticated technology to break into a computer system via
its users. All it takes is a little social engineering. Because users can be
easily manipulated they may be the weakest link to a security breach.

We must have a well-defined security policy in place and enforce it to ensure
that every user in the organization is participating in the whole security
system. And the only way to do that is education, education and education.


=================================== CUT HERE ===================================


ok, i hope you enjoy the tutorial. see ya...

<jdenny>