December 15th, 2003, 10:11 PM
I'm writing a paper on social engineering and this is my intro. I need some feedback on it: if you can tell what the thesis is, if it's any good, if I should change stuff around, grammar mistakes, if the order of the information is proper or should sentences be changed around... any feedback can help.
You are the weakest link.
You’re not safe, I’m not safe, nobody is safe. Companies spend millions of dollars each year guarding their buildings with surveillance cameras, alarm systems, and security guards. They even go as far as placing password protection and network security programs on their computers. The reason for spending all this money is because companies feel a lot safer than without such precautions. At the same time millions of people all over the world spend their entire lives learning the art of theft. Among the most skilled thieves are the experts of breaking and entering. Why break in if you can walk in? Furthermore, why walk in when you can have someone come outside and simply give you what you want? Could it really be possible to get what you want by simply asking for it? The surprising answer is yes. This technique of getting what you want is called Social Engineering (Mitnick 3). It is used mainly by criminals: thieves, hackers, con-artists, terrorists, embezzlers, private investigators, and kids just looking to get kicks out of tricking people.
One might ask how this works so well. Gullibility, lack of caution, unwariness, innocence, and vulnerability are all characteristics of the human being, the weakest link in security (Mitnick 3). Social Engineering exists because of 3 psychological weaknesses that the human being possesses: the willingness and desire to trust others, the willingness and desire to believe information presented because of lack of knowledge, and the willingness and desire to help others. Social Engineers learn social engineering from a psychological point-of-view, “emphasizing how to create the perfect psychological environment for the attack” (Social Engineering Fundamentals: Part 1, par 23). Once created, the most important aspect and the key to successful social engineering is trust. Once you have the victim’s trust they will believe anything you tell them as long as it is within the limits of believability. Giving the victim, also known as a “mark” (bernz 1), a callback phone number, password or code, and talking in their lingo. It’s human nature to trust our fellow men, especially when the request meets the test of being reasonable (Mitnick 32). Another factor social engineers use is the willingness and desire for humans to want to help each other. Everyone has bad days and can understand what it’s like to struggle; humans tend to want to help each other. It is also a human tendency to be attracted to people who are alike (Rusch 20), that is to say share similar religious beliefs, taste in music, or even the same birth place. Social Engineers take this weakness and use it to their advantage by getting the victim on their side.
“The Social Engineers main objective is to convince the persons disclosing the information that the social engineer is in fact a person they can trust with sensitive information” (Granger par 20). The 3 psychological weaknesses of social engineering (the willingness and desire to trust others, the willingness and desire to believe information presented because of lack of knowledge, and the willingness and desire to help others) make social engineering stealthy, providing the ability to prevent detection by the human. With social engineering being in existence, protection is very limited. Detection of social engineering is usually done when beginning social engineers make common beginner mistakes, such as not being calm and/or professional (Bernz's Social Engineering Tips). But the experienced social engineer is undetectable, even to a trained observer, because social engineering techniques are applied to real world situations (RSnake 3). The attack to the victim doesn’t seem like an attack, but more like questions being asked from a reliable source inside the circle in hopes of furthering the good of the group, making social engineering stealthy.
A great example of Social Engineering is an article written by Maniac_Dan inside the magazine 2600, Vol 19: Fall 2002, titled “Outsmarting Blockbuster”. Let’s say you have a $25 late fee at your local Blockbuster video rental store and you wanted to get the late fee cleared from your account. Sounds easy, huh? The first sequence of events to come to mind would most likely be, “All I got to do is break inside the building after hours and hack the computers. Wait, he just told me I could get them to do what I wanted”. With 2 months of waiting around and a simple phone call you can have your account cleared. It is very simple in fact; all customer accounts are stored locally, which means the store that you signed your account with is the only store that has your account information. We are going to refer to this store as store #1. Store #2, which can be any store you want that is not local, is going to be the store you’re pretending to call from. The main object is to make store #1 believe that you are from store #2 and to get store #1 to remove the fees from your account by believing that you are paying for them at store #2. Local stores tend to know each other so the social engineer has to pretend to be calling for a store far away. To get the store number either buy something and look on the receipt or call store #2 and say “I’m filling out a job application. What’s your store number?” Your account number is the last 5 numbers on the back of the card. Once you have gathered this information call store #1 and tell them you are from store #2 and that the customer’s (your) account is frozen (after 2 months the account will freeze). They will ask for the account number and the customer’s name. They will tell you that the account for [your name] has a late fee of $25. You ask your wall if they would like to pay the $25 here and then you tell store #1 that the customer would like to pay the fee here.
They will ask for your store number; once you give it to them they will say goodbye. If they ask you to do anything all you have to do is tell them that you’re new and that you’ll have the manager call them back when she gets out of the bathroom (2600 23).
Social Engineering can be best seen in 2002 DreamWorks' CATCH ME IF YOU CAN. “Directed by Academy Award®-winning director Steven Spielberg, Oscar® nominee Leonardo DiCaprio and two-time Academy Award® winner Tom Hanks engage in an intriguing game of cat-and-mouse based on the autobiography of a brilliant young master of deception, Frank W. Abagnale, Jr.” (Spielbergfilms.com: Catch Me If You Can DVD Press Release). Frank W. Abagnale Jr. is known as one of the world's most respected authorities on the subjects of forgery, embezzlement and secure documents (Abagnale & Associates). The film is a biography on Frank W. Abagnale Jr., which shows the process and the techniques which social engineers use to get what they want.