Thread: Social Engineering Volume 1

  1. #1
    Spyrus (Senior Member) | Join Date: Oct 2002 | Posts: 741

    Social Engineering Volume 1

    I was told this seemed like a better place to put this article, so the only way I knew how was to delete the old one and recreate it here.

    Social Engineering: How to protect yourself and your office Volume 1

    Ring… Ring… Ring…
    It's a cold late night. John has been at the office since 6 in the morning, and the clock is just striking 11 PM.
    Rii… Hello?

    Rob: Hi, this is Rob with Sonitrol (the name posted on all the windows of the building). I noticed on our security system that your alarm hasn't been set yet tonight, and I need you to tell me the password; otherwise we will be sending a police car out immediately.

    John: yellow legos
    Rob: Thank you, have a nice night.

    One week later John comes into the office to find they have been robbed, and the police still haven't been alerted to this event. How can this happen, you wonder?

    What happened was that most security companies make this call if it gets late, to make sure their client didn't forget their alarm or hasn't been broken into. To exploit this method, Rob drove by the office, noticed the name of the security company on all the windows, and came back a different day to see just one car in the parking lot late at night. He made this phone call from his cell phone and got the password, so that when he broke into the office the next week and the real company called, he gave them the password John had so readily given to him.
    This is a prime example of social engineering and some of the creativity that goes behind it. What is one step that could help protect you against something like this?

    Set up double-sided passwords, one for you and one for the security company. Sure, this is good practice, but why not take it a step further: have 7 different passwords for the security company, one per day of the week (i.e. Monday: purple, Tuesday: Infinity…). Change the passwords with the security company regularly and only give these codes to the select people who are going to be there late.

    So what is Social Engineering? There are multiple definitions that describe a hacker's methods of gaining information or whatever. I will offer my own: Social Engineering, short and simple, is a psychological con. You dupe people into believing that you are something you aren't, or coax them into saying things to you because you are a "nice person".

    We all know security is only as good as its weakest links. Yes, I know I made this plural, because every employee, every piece of paper, everything that has to do with your company has to do with security. You can gain valuable information from trashed documents, or by the above method, or, say you work somewhere, call up the secretary to the CEO, CFO, whatever. Tell him/her that you are from the IT department and need their password to install something, and since he/she is their secretary they get to have it first. Now you have access to almost everything the head honcho does.

    The first step is to send out a corporate-wide email instructing people that they should never give out their personal information unless they are talking with someone they KNOW is authorized to have this information. For those of you who are security professionals and are just here to learn a little bit more about how not to look stupid: never give out your passwords to anyone. Those email programs that have one of those password recovery questions: fill in the answer with gibberish so someone who knows you doesn't guess the information. If someone calls you (the most popular form of social engineering) and wants information from you like credit card numbers or bank numbers or any personal information, tell them you will call them back. Ask for their phone number, then compare it to one you find in your records; every bill a company sends you has their contact information on it. Now use that number on the bill, call them, and ask them if they really need to talk to you. These are the simple things we never seem to think about.

    There are other methods to gain information, but I will supply those in a later tutorial. Below I included one of my sources; the rest is from security discussions and such that I have been involved with.

    Sources
    http://online.securityfocus.com/infocus/1527
    Duct tape..... A whole lot of Duct Tape
    Spyware/Adaware problem? Click here

  2. #2
    tampabay420 (Senior Member) | Join Date: Aug 2002 | Posts: 953
    Social Engineering only works on people who shouldn't have access to sensitive information in the first place...

    Nice Tutorial, Spyrus :-)
    yeah, I'm gonna need that by friday...

  3. #3
    phishphreek (AO übergeek) | Join Date: Jan 2002 | Posts: 4,325
    Spyrus: That is a good tutorial. It is only the beginning of what could amount to several hundred pages of info.

    I love reading stories like that. I don't mean to rain on your parade or anything, but anyone who wants to learn about Social Engineering and how to help lessen the chances of becoming a victim... read THE ART OF DECEPTION.

    It had me captivated. I read it in a very short amount of time, and it presents situations you would never otherwise have thought of.

    Again, good tutorial. Greens to you.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  4. #4
    Regal Making Handler | Join Date: Jun 2002 | Posts: 1,668
    What you call social engineering is what I would call spying. Protection from this must be balanced with the sensitivity of what you are trying to protect. If someone wants what you've got badly enough, they will get it. You will not stop them. The only thing you can do is make it as time consuming as possible for them, therefore increasing the chances of detection.

    To rely on one layer of security is asking for trouble. Use multiple layers.

    And anyone who gives out a password over the phone with no authentication needs firing.
    What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry

  5. #5
    Senior Member | Join Date: Apr 2002 | Posts: 889
    Actually, in my area, which has had a dot-com meltdown and where the IT or IS market is real tough, do you know that actual government agencies are teaching a form of social engineering? Yes, it is called how to have your resume looked at, how to find the name of the person in charge of the reviews. Actually most of the info is in Business Directories, available at any US public library. Anyway, I had to attend this one class to get my unemployment, and whoever taught it spoke of nothing but "Social Engineering", so if you want to learn more, visit the State employment office; they put on a seminar every week. OK, they say it is to find a job, but the same info and ways can be used to gain access to a weak system. But also, being on the other side, I could say that any place I worked for knew the tricks a government agency teaches people.
    I believe that one of the characteristics of the human race - possibly the one that is primarily responsible for its course of evolution - is that it has grown by creatively responding to failure.- Glen Seaborg

  6. #6
    Junior Member | Join Date: Jan 2003 | Posts: 7
    Originally posted here by tampabay420
    Social Engineering only works on people who shouldn't have access to sensitive information in the first place...

    Nice Tutorial, Spyrus :-)
    I don't agree. It doesn't work on well-trained call-center employees, but the administrative layer under these call-center employees does the real work and didn't have lots of/any training about this. So to gain sensitive information about a company, dial an internal number, apologise for calling the wrong number, and ask if they can give you department X.
    A good employee will only give out the call center number, but within 5 attempts you should have the number of an internal person at department X. That's when the show starts.

    What I'm trying to point out: the people who SHOULD answer the phone SHOULD be trained against social engineering, BUT the people with real access to sensitive data SHOULD be trained (they almost never are) AND should be unreachable from the outside world!
