December 17th, 2003, 04:47 PM
Secured: Fact or Fiction?
Here’s a paper I wrote. Any feedback will help me out very much to better my paper. It’s due today at 4pm, so any information that can be given ASAP will help me in finalizing it.
Secured: Fact or Fiction?
You’re not safe, I’m not safe, nobody is safe. Companies spend millions of dollars each year guarding their buildings with surveillance cameras, alarm systems, and security guards. They even go as far as placing password protection and network security programs in their computers. The driving force behind all this spending is the fact that companies feel much safer when equipped with such precautions. At the same time, however, millions of people all over the world spend their entire lives learning the art of theft.
Among the most skilled thieves are the experts of so-called “breaking and entering.” Why break in, so the argument goes, if you can walk in? Furthermore, why walk in when you can have someone on the “inside” -- an accomplice -- come out and simply give you what you want? Is it really possible to get precisely what you want, simply by asking for it?
The answer, surprisingly, is yes. Furthermore, the art of getting what you want through simple request has become so refined that it has attained an official name: Social Engineering (Mitnick 3). Social engineering is used mainly by criminals: thieves, hackers, con-artists, terrorists, embezzlers, private investigators, and other such groups, including typical adolescents who possess time, ingenuity, and the desire to commit misdeeds.
One might ask how the technique of social engineering works so well among those who practice it. Gullibility, lack of caution, unwariness, innocence, and vulnerability combine to create the typical human psyche, and thus average human beings are their own weakest link in personal security (Mitnick 3). The social engineer’s main objective is to convince the persons disclosing the information that the social engineer is in fact a person they can trust with sensitive information (Granger par. 20).
The problem with trying to prevent social engineering is that it’s undetectable because of three basic psychological weaknesses that the human being possesses: first, the willingness and desire to trust others; second, the willingness and desire to believe information presented, if for no other reason than that the listener has never heard contradictory information; and third, the altruistic willingness and desire to help others. These make social engineering stealthy, allowing it to evade detection by the human. With social engineering in existence, protection is very limited. Detection of social engineering is usually only done when beginners who are still learning social engineering make common beginner mistakes, such as not being calm and/or professional (Bernz's Social Engineering Tips). But the experienced social engineer is undetectable, even to a trained observer, because social engineering techniques are applied to real-world situations (RSnake 3). The attack on the victim does not seem like an attack, but more like questions being asked by a reliable source inside the circle in hopes of furthering the good of the group, making social engineering stealthy. “The truth is that even those companies that do make an effort to protect confidential information may be at serious risk” (Mitnick 64). This risk affects all of society; all of our personal information that we once thought was secure really is not, because anyone who knows the art of social engineering can obtain it. This lack of detection is very harmful and scary, because there’s no telling what the social engineer will do with the information.
Social engineers learn their craft from a psychological point of view, “emphasizing how to create the perfect psychological environment for the attack” (Social Engineering Fundamentals: Part 1, par. 23). Once created, the key to successful social engineering is trust. Once the aspiring social engineer has a victim’s trust, said victim will believe anything they are told so long as it is within the realm of believability. Giving the victim, also known as a “mark” (bernz 1), a spurious callback phone number, a fake password or code, or “talking in their lingo” are all techniques which assist the social engineer in achieving his or her aims. It is human nature to trust one’s fellow men, especially when the request meets the test of being reasonable (knowing the lingo) (Mitnick 32).
Every person knows how important their social security number is. It is the identity of a person in a nutshell. Every person also knows never to give out their social security number to anyone. So we never give people our number, right? But wait, some applications require a social security number to do background checks, such as banking, jobs, credit cards, and cell phones. Is it possible for someone to call my phone, act as if they were from one of these companies, and get me to give out my social security number? The answer is yes. Here’s an example.
Ring, Ring, Ring.
Social Eng: Hello, this is Mark Thompson calling from ATT Wireless. May I please speak with John Doe?
Person who answered: Hold on one moment please while I get him.
John Doe: This is John Doe.
Social Eng: Hello Mr. Doe, this is Mark Thompson calling from ATT Wireless. Your account has reached its monthly limit of $1000.00 in phone calls. If you look at your service agreement, it states that the plan you chose has a limit of $1000.00 each month. Once you reach the limit, you have the choice of either paying for it then; otherwise your account will be locked until paid.
John Doe: What the hell? I never made $1000.00 in calls! I only use my phone when my kids go out, and there’s no way they could have made $1000.00 in calls.
Social Eng: Let me take a look at your account. Sir, I’m going to need to verify that you’re the owner of the phones before I can access your account.
John Doe: Sure.
Social Eng: Can you please verify your billing address?
John Doe: 1234 Street. Beverly Hills, CA 90210.
Social Eng: Can you provide the last 4 digits of the social security number used to sign up for the account?
At this point the social engineer has gotten the information needed to call ATT and sign up another cell phone for themselves. From here the social engineer would act as if there had been a call made to Africa for 45 minutes, or a story like that. They could say something like, “There’s a chance that they could have called that number with the cell phone in the child’s pocket without them knowing. I can waive the fees this one time as a complimentary waiver, but next time you will have to pay the fees.” Next they would explain how to prevent accidental calls, and then assure them that the account was now in good standing.
What John Doe just did was very scary and harmful. He just gave this anonymous person all the information they would need to access his account. The reason it happened was human error, which makes social engineering stealthy.
A few years ago in Texas there was an experiment performed with a well-dressed man in a suit. He was waiting at a stoplight and began to cross before the light turned green, and people followed him. The setup was repeated at the same light, same times, etc., except this time it was done with a guy in a t-shirt, and not as many people followed him. It seems that people tend to trust positions of authority/expertise. This also applies to social engineering, especially when dealing with people who lack knowledge of the information that’s being spoken about.
Success in social engineering involves strong people skills: being charming, polite, and easy to like, all traits needed to establish rapid rapport and trust (Mitnick 8). Just imagine two men. The first man is very nice, funny, charming, polite, down to earth, and easy to like. Then imagine another man who lacks some of these traits. Who are you going to trust more? Very few wouldn’t trust a nice, charming, polite man. The key to gaining trust is confidence. If the image you set looks professional and you sound as if you know what you are talking about, not only will people trust you, but they will believe you.
At some point in everyone’s life, they find themselves lost on a car ride to a destination they have never been to. Not knowing their way around town, the average person will do one of three things. One, try to find their own way, even though they are lost, something men tend to do a lot because of their egos. Two, ask for directions. Three, give up and go back to where they came from. Sometimes one will work and sometimes it won’t. Let’s say you got wrong directions and finding the destination is just impossible. Why do people ask for directions? This is because every human has the willingness and desire to believe information presented, due to their lack of knowledge. If it weren’t for our willingness to trust others, then no one would ask for directions. They would think that everyone might give them false information and would not believe anyone. If this were the case, then the world would be running around lost and afraid to ask for directions.
Another great example of how humans have the willingness and desire to believe information presented because of lack of knowledge is #49 of an anonymous article titled “68 Things to Do at Walmart”: “Go to an empty checkout stand and try to check people out.” The sound of “I can help the next person in line” will grab the attention of anyone waiting in a long line.
Another factor in the human belief system is that people are ashamed to admit what they do not know. A great example is children in school whose friends talk about topics that they have no knowledge of, such as sex. The reasoning behind all of this is not wanting to look stupid or to feel ashamed of not knowing.
Believing others based on lack of knowledge opens a door for all information, true and false, to enter the mind, allowing humans to believe false information. This is dangerous because humans are unaware of what’s untruthful, allowing the social engineer to be whoever they desire in the human’s mind.
Social engineering doesn’t just stop there. It takes the best of people, their great hearts, and uses that side of the human against themselves. The way it works is that people tend to want to help each other out. All of our lives we are taught teamwork; working as a team and helping each other. This human error makes it hard to think doubtfully when a person believes they have just received a phone call at work from a fellow employee who needs their help. People tend to favor others who have similar traits to them, such as other people who don’t know how computers work. They might give little tips and secrets if they feel that it might better the person. Also, people from the same hometown tend to favor others from their hometown. This favoring leads to extra help.
Being a woman in the field of social engineering is the biggest advantage. The reason is that men love women. Men always want to help a woman over a man. Being a woman and having a sexy voice is also a plus. Imagine a beautiful person of the opposite sex asking you a quick question. Chances are you’re going to try to spend as much time as you can communicating with them, and of course you would help them. You do want to make yourself look good.
Two great examples of how fellow employees had the willingness and desire to help others are excerpts from Kevin Mitnick’s The Art of Deception. The first one involves a woman named Didi who calls the Real Estate department pretending to have reached the wrong number. The call starts out with “Sorry to bother you”; she explains that she’s a fellow employee who has lost her company directory. She then asks where she is supposed to call to get a new copy. He implies that he can helpfully look up the number for her. He does, and she has the number. It’s more than likely that the reason he gave her the number was to keep her on the phone. Her style of talking included her sweet, sexy voice. Another example: a social engineer dials the private phone company number for the MLAC, the Mechanized Line Assignment Center. When the woman answers the call he tells her, “Hey, this is Paul Anthony. I’m a cable splicer. Listen, a terminal box out here got fried in a fire. Cops think some creep tried to burn his own house down for the insurance. They got me out here alone trying to rewire this entire two hundred-pair terminal. I could really use some help right now. What facilities should be working at 6723 South Main?” The reason she helped him is that she felt sorry for him; she too has had a few bad days of her own on the job. So she decides to help her fellow employee with the problem.
Some people just have a good heart. Others do not, but when receiving a phone call from a higher authority, people tend to bow down, and many like to kiss ass. A social engineer calling and acting like some big shot with higher authority over the person they called can get all the help they could ever want. Most people are afraid of losing their jobs by doing their duties wrong or by upsetting their bosses. That’s the reason behind gaining extra and, in some cases, instant help just by saying you’re a CEO.
Giving out help to someone is very dangerous and harmful because the victim, in a sense, is loading the gun for the social engineer with bullets.
To sum it up, you could say that social engineering is very similar to one of those “help the homeless/battered” people standing outside of a supermarket asking if you can donate any change to help the homeless/battered. People usually trust them and believe them. People who don’t donate are mostly people who do not want to give up their change and people who do not have any money. The reason people do contribute to the jar is that they have the willingness and desire to help others. There is no way to verify that they are legit except to call their affiliation. Even then, you don’t know if the people answering the phone number that was given to you by the person ringing the bell are going to be completely honest. They could be part of the scheme, if there was one.
With social engineering, the person being attacked has no real way to identify whether the person they are speaking to is really who they say they are, unless they in fact know the person and can recognize by their voice that the person they are speaking to is not who they say they are.
That is why social engineering succeeds and why it is impossible to detect: human error. With it in effect, no one is safe; not you, not me, nobody. This is very dangerous because everyone’s sensitive information is up for grabs for the social engineer. Not knowing what the social engineer will use this information for is harmful. There is no such thing as security. It’s only an illusion designed to keep thieves away, but in reality it creates a false feeling of safety. A safety net that will never be safe because of human error.