Results 1 to 9 of 9

Thread: Social Engineering: The Overview

  1. #1
    Senior Member
    Join Date
    Jul 2002
    Posts
    339

    Social Engineering: The Overview

    hello all. i'm newbie here, although not that newbie in internet security world.
    but this is my first tutorial, so you may find some errors...

    background: as a newbie, i noticed that some discussions are techie, some are
    very techie, some are very, very techie... take a break man, a real hacker
    doesn't always need sophisticated tools to hack a system (a script kiddie does).
    i know most techies are reluctant talking about people. and that's exactly what
    we will do now. we'll talk about people instead of technology.


    =================================== CUT HERE ===================================


    Document Code: JDTT0201.

    Social Engineering: The Overview.


    Introduction.

    What is the easiest way to obtain a password from a user's PC? Install a
    keylogger? No. Install a password cracker? Wrong answer. So? Simply ask him/her.
    Using the social engineering method, a potential hacker can easily gather
    valuable information right from the user without touching a keyboard or mouse.

    Have you ever received an phone call or email that informs you that you've won
    a free vacation in some tropical island? All you have to do is to send back
    some particular information, including your credit card number. The sender
    will tell you that the credit card information is needed for hotel
    reservation. This is not just a spam. This is a classic example of social
    engineering.


    Definition.

    The following definition of "social engineering" as it pertains to computer
    hacking is taken from The Jargon File, Version 4.0.0 at
    http://www.outpost9.com/reference/ja...4.html#TAG1652 .

    ---

    social engineering /n./

    Term used among crackers and samurai for cracking techniques that rely on
    weaknesses in wetware rather than software; the aim is to trick people
    into revealing passwords or other information that compromises a target
    system's security. Classic scams include phoning up a mark who has the
    required information and posing as a field service tech or a fellow
    employee with an urgent access problem. See also the tiger team story in
    the patch entry.

    ---

    Usually social engineering comes in the form of users receiving requests to
    take an action that results in the capturing of valuable information
    , such as
    password. The request could be initiated in a simple telephone call or an
    e-mail message. Some instructs the user to run a program which will prompt
    the user for his/her password. When the user executes the program, the user's
    name and password are e-mailed to a remote site.

    In his presentation titled "Human Security Issues: Managing People and
    Defending Against Social Engineering," Gartner analyst Rich Mogull said that
    people are, by nature, unpredictable and susceptible to persuasion and
    manipulation
    . Social engineering is the most difficult security issue to
    manage and he said that most IT departments do a poor job of combating the
    threat.

    Social engineering techniques usually follow a common pattern:
    1. Information gathering
    2. Development of relationship
    3. Exploitation of relationship
    4. Execution to achieve the objective

    Hint: Don't be fooled by sweet young women or older folks, that can be part
    of the scam.


    How to Combat.

    In one of their advisory, the CERT/CC (Computer Emergency Response Team/
    Coordination Center) recommends the following actions:

    1. Any users receiving such a request should verify its authenticity with
    their system administrator before acting on the instructions within the
    message. If a user has received this type of request and actually entered
    a password, he/she should immediately change his/her password to a new one
    and alert the system administrator.

    2. System administrators should check with their user communities to ensure
    that no user has followed the instructions in such a message. Further, the
    system should be carefully examined for damage or changes that the intruder
    may have caused. We also ask that you contact the CERT/CC.

    3. The CERT/CC urges system administrators to educate their users so that
    they will not fall prey to such tricks.

    Some real world examples show us that the weakest link in a security system
    is the people rather than the machines. And the key things to strengthen this
    weak link is a well-defined security policy and user education. Publish a
    formal written security policy stating that the IT people will never ask for
    a user's password. And train the users regularly.

    In this tutorial, I also list down some articles describing what social
    engineering is and its risks. Note: Some of the sites like SANS and TEC,
    require you to register (for free) to view the article.


    An eye-opener to social engineering.

    Social engineering: examples and countermeasures from the real-world.
    http://www.gocsi.com/soceng.htm

    You'll find loads of examples on how you can get hacked and how to prevent
    these incidences. The main point is how people can scam information off you
    over the phone by impersonating a number of people. These hackers know how
    to get you to give up passwords, etc., by pretending to be police officers,
    a help desk person or even someone from a fraud department.


    Listen what Kevin Mitnick has said about social engineering.

    Mitnick teaches social engineering.
    http://www.zdnet.com/filters/printer...80-2%2C00.html

    The key to former hacker Kevin Mitnick's exploits: social engineering. That
    is the ability to manipulate individuals. In this article, Mitnick explains
    how he was able to obtain valuable information over the phone and how
    companies can deter other hackers from doing the same.


    Understand why not so many people see social engineering as a real threat.

    Social Engineering: What is it, why is so little said about it and what can be done?
    http://www.sans.org/infosecFAQ/social/social.htm

    Social engineering is a common security threat that needs to be taken seriously.
    Yet, it gets little press compared to the latest computer virus. Perhaps that is
    why social engineering is effective; few users know what it is and therefore don't
    react in the best interest of their company. This article addresses why social
    engineering is often ignored and what you can do to change that.


    A step-by-step social engineering example in action.

    Social engineering can thwart even the best laid security plans.
    http://www.technologyevaluation.com/...12_23_01_1.asp

    This article explains the security threats of social engineering. It brings up
    some interesting points about how easily hackers can get inside information and
    what you should be aware of to protect yourself and your company.


    A real case study of an AO member dealing with social engineering.

    Sales Call or Social Engineering: Recent post from an AO Member.
    http://www.antionline.com/showthread...hreadid=231663

    Palemoon was noticing red alert lines on his Firewall GUI indicating attempts to
    access a port scan from a company, when a very nice sounding woman called him and
    told him that she's from the very company he was watching. Read what he has done
    in responding such a bogus "sales call".


    Finally, the official statement.

    CERT® Advisory CA-1991-04 Social Engineering
    http://www.cert.org/advisories/CA-1991-04.html

    Social engineering is not something new. The Computer Emergency Response Team/
    Coordination Center (CERT/CC) already warned us about social engineering, eleven
    years back! See also CERT Advisory CA-91.03.


    Conclusion.

    It doesn't take sophisticated technology to break into a computer system via
    its users. All it takes is a little social engineering. Because users can be
    easily manipulated they may be the weakest link to a security breach.

    We must have a well-defined security policy in place and enforce it to ensure
    that every user in the organization is participating in the whole security
    system. And the only way to do that is education, education and education.


    =================================== CUT HERE ===================================


    ok, i hope you enjoy the tutorial. see ya...

    <jdenny>
    Always listen to experts. They\'ll tell you what can\'t be done and why. Then go and do it. -- Robert Heinlein
    I\'m basically a very lazy person who likes to get credit for things other people actually do. -- Linus Torvalds


  2. #2
    excellent first tutorial, good job. hope to see more like it too.
    *the wise do sooner what the fools do later.
    --Gracian

  3. #3
    Senior Member
    Join Date
    Apr 2002
    Posts
    250
    Woah, that's a great tutorial. Really nice for your first tutorials. /me applauds.

    Thanks for your time~
    [gloworange]Die, or surrender, either way won\'t work.[/gloworange]
    [shadow]HuntX7[/shadow]

  4. #4
    Senior Member
    Join Date
    Apr 2002
    Posts
    317
    Dude, that is a kick ass tut. Looking forward to more should you be so inclined.
    \"I believe that you can reach the point where there is no longer any difference between developing the habit of pretending to believe and developing the habit of believing.\"


  5. #5
    Senior Member
    Join Date
    May 2002
    Posts
    168
    nice one, I've read a few Social Engineering tuts (astalavista.com) and that was the best one yet, great stuff!

    P
    \"Why is the bomb always gettin\' the last word?\" - Will Smith - Lost & Found (2005)

  6. #6
    Hey jdenny excellent tutorial very informative!

    I would just like to add this statement You can put a computer inside a sealed room with 10-foot thick concrete walls, but if an employee who knows the logon sequence is chatty, lonely, or otherwise pliable, 50- foot walls won't secure the system! Security is made up of firewalls, passwords, shredders, alarm systems, secure rooms, etc But the old age applies: The security chain is only as strong as its weakest link. And all too often that weak link is a person. [glowpurple]Social engineering is the single most effective security penetration technique of all[/glowpurple]

  7. #7
    Junior Member
    Join Date
    Aug 2001
    Posts
    17
    Nice article

  8. #8
    Member
    Join Date
    Aug 2002
    Posts
    86
    Hey,

    You... the newbie from the orginal Java islan.....

    an excellent article worth to be read by the newbies. I like to appreciate you. It seems you woule like to continue in this forum for the long run. Best of luck

    Long run in the sense that

    Some join the forum..... start asking embarassing questions like How to hack this.... How to hack that... and get axed to ban from the forum.

    Anyway... Nice
    http://www.AntiOnline.com/sig.php?imageid=210 ۯ

    UNIX is basically a simple operating system, but you have to be a genius to understand the simplicity. Dennis Ritchie.

  9. #9
    Nice work! Be proud your self!
    I breathe, therefore I am!
    I type, therefore I live!
    [shadow]I love, therfore I die![/shadow]

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •