August 21st, 2003, 09:49 PM
Term used among crackers and samurai for cracking
techniques that rely on weaknesses in wetware rather than
software; the aim is to trick people into revealing passwords
or other information that compromises a target system's
security. Classic scams include phoning up a mark who has the
required information and posing as a field service tech or a
fellow employee with an urgent access problem. See also the
tiger team story in the patch entry.
Taken for www.dictionary.com
So you got someone sending you an AIM saying they are AOL and they need your password.
Come on an AIM this guy is obvisously stupid. Why would a major company send you an AIM to get your password come on think about it. This is when you take out that chainsaw that you have been hiding since Halloween. Ask them for there address (Yes there are people that are stupid enough to send you there Address trust me.) and you go pay them a visit. Mwahaha
Oh ok sorry got carried away.
So what do you do?
Well in this situation, I would recommend that you do a couple of things.
1. Call AOL or Email them and let them know that you got this message, if there is any Validity in the message at all they will let you know. "Though the chances of it being real, are really rare."
2. You oculd have a little fun with the person by asking them really stupid questions i.e. I forgot my password, can you send it to me. Sorry thing is I once had someone send me there password from that one.
3. Tell them to **** off, this and the first one are the ones that I recommend that you do. They are both safer
So I think I will give you an exampleof Social Engineering and just how it could happen to an un-suspecting person,
It's 10:00 in the Morning, Tina is at the work.
Ring, Ring, Ring
Hi this is Tom, I work in the IT department and the boss called me and told me that I need to update the Security and Passwords, for everyone in the company. I was told to start with the Day Shift, I am going to copy down your old password and I need you to tell me the new one also. So that I know that you didn't make it the same thing, Now what I need you to do is give me your, Present Password. Ok Now go to Control Panel, User Accounts and Create New Password. I need for you to tell me what that new Password is going to be.
Now Tina has no Idea that she just gave her password to me. That is a simple example of something, that could happend very easily. The system admins control the complete running of the entire network so why would they be calling for your password? If they insist that they need it for password updates or for any other reason ask them to formly request that you disclose your password to your manager in writing.
I personally would not be mad if one of my guys, made sure that they were being asked for there password, by the system admin I would have no adversion to be involved.
Another Form of Social Engineering is alot of people's Favorite Dumpster Diving. Oh you don't know what that is Very simple. All you need is a pair of gloves, a Gas Mask and Probably No ****ing Common sense, But, sense it is a very big part of Social Engineering I have to talk about it. In the example what is done is:
Tom was just Fired from his Job as IT department Supervisor, he wants to get even. But everyone knows he lost his job and he nolonger has any access so what does he do. Get out the gloves, The Gas Mask and START DIVING BABY DIVE. (There are alot of people that don't realize when you through something in the Garbage it is suseptable to people going through it. No one guards the trash at your job. There is alot of information, about the company, about your customers that goes through the workers. So where does it end up at. Bingo in the Trash.) So now that Tom has decided that he his going to get even and he is already smelly he search around for a while and what does he see the Password for the New System Admin, that can be useful. He keeps searching and what else does he find the Social Security Numbers to all the Employees at the company. That can definately be useful
Now with the recently acquired info Tom just goes in like he's picking up his stuff logs into theSys Admin's account and Voila everything that you need.
Now with the Social Security Numbers he just signs everyone that annoyed him up for another Credit Card and there you go. .
Now as a refernce on what to do about Dumpster Diving, you don't have to shread every single peice of paper that you have but at the same time. Here is a go bye.
If it has Social Security Numbers on it.
If it has any Vital information about the company, I.e. Stick Holdings, Budget, and Account Number
Now are those the only instances of Social Engineering we are going to come face to face with No.
Another instance is that you get an Email saying that your bank account information is needed. Now this is a little more tricky. You might have a legitimate request here altough most companies call for information like that. So count 2 out on this just in case it is real but you can still call the company.
Last how to avoid giving out information to a person that is asking for something that they should not be asking for i.e How to Hack there girl friend's account. Yeah there are people that actually have permission to do that but guess what they need to learn somewhere else.
So what do you do? Do you flame, Neg or what?
I personally recommend that you let them know, that they are not going to get the answer to that question.
Next thing is to remember that there are actual people out there that need help and to ignore there outrageous request for information is wrong so what do you do. You get them to do something stupid. Like deleting there autobat or Rm something.
Now the problem with Social Engineering is that there are actual people that will do it and not know that they are doing it so for them I recommend that you just, let them know what they are doing is wrong and carry on.
The final line of defense against Social Engineering falls with you, you have got to remember that there are people out there that want your information to do Mallicios things and it is your job to keep them away,
The last two things to remember are that if in doubt verify ask the person that you are talking to questions if they are real, they will not have an adversity to you making sure that what they want they actually are entitled to.that information.
Last but not least if in doubt just don't give them that information.
Better Safe then Sorry.
Hope this helps someone out.
Any questions let me know and I will answer them
I am going to say Thank You to Valhallen for helping me with this.
There is also a little thing that you need to watch out for on. Programs that look like bots, asking you for your password, it is not that hard to program a bot and could be easily done.
August 21st, 2003, 10:12 PM
I have a few comments though if you dont mind.
Dumpster-Diving is not considered Social Engineering'.
It is good that you touched the subject and you tell people that they should shred their personal information but social engineering involves social interaction.
Further, social engeneering is not restricted to computer related stuff (although when it is not people usually call it swindle).
Then I would like to add one point into the writeup.
Social Engeneering through email is not restricted to asking for asking for banking information. A thing that gets more and more popular is spoofing emails to make them look like the come from a trusted source (we see this more and more).
For example: you recieve a mail 'supposedly from support<>@<>microsoft.com' saying it contains an important update for your software. Even though you all might not fall for it, enough people will.
Thanks I wanted to add that.
August 21st, 2003, 10:13 PM
Isnt it interesting how the most technically unskilled practice of 'cracking/hacking' yields the greatest result. Must have a discussion on that one day, nice tutorial. By the way there is plenty of info and tuts on the net about this topic. Dig around at here for more.
August 22nd, 2003, 12:03 AM
Well written Whiz.......I have a quick story to tell on this topic. My company is going to be giving a training tomorrow in an office building that isn't ours. We called the receptionist today to ask if we could come in and make sure our software could get out through their firewall. She said to come on down and didn't even ask who we were or what company we worked for. I went in with my laptop and she showed me to a place where I could plug into their ethernet. I was immediatly given an IP and had access to every node on their network simply through "my network places." I could have been anyone and she believed everything I said with no questions asked. Funy isn't it?
p.s. Funny you should write a tut on this topic today of all days..
August 22nd, 2003, 12:16 AM
Well I try, maybe you should email this to her LOL.
August 22nd, 2003, 03:12 AM
Also a great thing to know when you are trying to secure a network. Most people are like dogs (well atleast all the dogs i have had) and trust whatever they hear (more so if its technical. You know everyone likes technical). So its good to be aware of what can happen.
#!/usr/local/bin/perl -s-- -export-a-crypto-system-sig -RSA-in-3-lines-PERL
($k,$n)=@ARGV;$m=unpack(H.$w,$m.\"\\0\"x$w),$_=`echo \"16do$w 2+4Oi0$d*-^1[d2%
,$_)while read(STDIN,$m,($w=2*$d-1+length($n||die\"$0 [-d] k n\\n\")&~1)/2)
August 26th, 2003, 04:20 PM
fl34bit3 makes a really interesting point which perhaps should be followed through on, which is people will more often then not believe anyone they believe to be an "authority" on the matter, this can take the form of how you talk to simply how one dresses.
there was an experiment conducted in texas a number of years back where a well dressed man in a suit, who was waiting at the light started to cross before the light turned green, and people followed him. The same was tried with a guy in a t-shirt and alot less people followed him.
So it seems that people will basically follow blindly anyone they deem to be in a position of authory/ expert on a matter.
This could so easily be applied to social engineering espcially when dealing with people who are less computer literate.
jsut a thought
August 26th, 2003, 04:26 PM
Another interesting experiment was carried out on the concorse of one of London's busiest stations.
Posing as a researcher an individual was able to get over 70% of the 'suits' questioned to reveal their username & password.
One CEO even commented that the IT guy doesn't like him telling people the details since his account has admin rights!
Who needs technology to get into systems, why not just ask people!
So how do we educate our users, especially the senior ones, that stuff like this is important?
IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com
August 26th, 2003, 04:35 PM
I think that the general way to do it is. To have them read things like this it will atleast give them an idea of what can happen.
I know what I am going to do next time I want to get someon'e password.
So I got a question, should we stop telling people to ask the person for there password when they ask How To Hack Homail.
We are pointing them in the right direction.
I would imagine that if someon eput enough time in it there could be a nice little Article written on this for a Major paper then maybe that # would go down to atleast 30%.
People are just stupid.
I have said it once I will say it again.
People are Stupid.
August 26th, 2003, 07:26 PM
Nice post whiz!
I have always felt that people are their own worst enemies
We have to be a bit careful that we don't get "superior" though.......after all we are in a position of trust? I suppose it's all a question of balance. Most Users I have worked with would not know that with admin rights you can find/change all passwords. They trust me....and with a "UK eyes only 2B", DoD and NATO security clearance, I suppose they should?...I have never asked them for their password though......told them after I have changed it maybe
Another point, which is probably why a lot of these social engineering scams actually work, is that people are ashamed to admit to what they don't know??? They get sucked into the "tekkie" trap?
Hell, I don't know what I don't know because the field is too large for me but there are many who would not admit to that. I think that it becomes worse the higher up you go, as the people seem to think that they "ought" to know, so they are more vulnerable?
just a few thoughts.......again...a nice post
EDIT: no greenies..it wouldn't let me!
If you cannot do someone any good: don't do them any harm....
As long as you did this to one of these, the least of my little ones............you did it unto Me.
What profiteth a man if he gains the entire World at the expense of his immortal soul?