Social Engineering

Term used among crackers and samurai for cracking
techniques that rely on weaknesses in wetware rather than
software; the aim is to trick people into revealing passwords
or other information that compromises a target system's
security. Classic scams include phoning up a mark who has the
required information and posing as a field service tech or a
fellow employee with an urgent access problem. See also the
tiger team story in the patch entry.
Taken for

So you get someone sending you an AIM saying they are AOL and they need your password.
Come on, an AIM? This guy is obviously not too bright. Why would a major company send you an AIM to get your password? Think about it. This is when you take out that chainsaw you have been hiding since Halloween. Ask them for their address (yes, there are people that are stupid enough to send you their address, trust me) and go pay them a visit. Mwahaha.
Oh, ok, sorry, got carried away.

So what do you do?

Well, in this situation I would recommend that you do a couple of things.
1. Call AOL or email them and let them know that you got this message. If there is any validity in the message at all, they will let you know. (The chances of it being real are really slim.) Use the number or address you already have for them, not one the message gives you.

2. You could have a little fun with the person by asking them really stupid questions, i.e. "I forgot my password, can you send it to me?" Sorry, the thing is, I once had someone send me their password from that one.

3. Tell them to **** off. This and the first one are the ones that I recommend you do; they are both safer.

So I think I will give you an example of social engineering and just how it could happen to an unsuspecting person.
It's 10:00 in the morning, Tina is at work.

Ring, Ring, Ring
"Hi, this is Tom, I work in the IT department. The boss called me and told me that I need to update the security and passwords for everyone in the company. I was told to start with the day shift. I am going to copy down your old password, and I need you to tell me the new one also, so that I know you didn't make it the same thing. Now what I need you to do is give me your present password. Ok, now go to Control Panel, User Accounts, and Create New Password. I need you to tell me what that new password is going to be."
Now Tina has no idea that she just gave both her old and her new password to "Tom". That is a simple example of something that could happen very easily. Notice what made it work: a claim of authority (the boss, the IT department), a plausible reason (a password update), and a bit of time pressure (start with the day shift). The system admins control the complete running of the entire network, so why would they be calling for your password? An admin who really needs to reset your password can do that without ever knowing it. If they insist that they need it for password updates or for any other reason, ask them to formally request, in writing to your manager, that you disclose your password.
I personally would not be mad if one of my guys made sure that they were really being asked for their password by the system admin; I would have no aversion to being involved.

Another form of social engineering, and a lot of people's favorite, is dumpster diving. Oh, you don't know what that is? Very simple. All you need is a pair of gloves, a gas mask and probably no ****ing common sense, but since it is a very big part of social engineering I have to talk about it. In the example, what is done is:
Tom was just fired from his job as IT department supervisor and he wants to get even. But everyone knows he lost his job and he no longer has any access, so what does he do? Get out the gloves, the gas mask, and START DIVING, BABY, DIVE. (There are a lot of people that don't realize that when you throw something in the garbage it is susceptible to people going through it. No one guards the trash at your job. There is a lot of information about the company and about your customers that passes through the workers, so where does it end up? Bingo, in the trash.) So now that Tom has decided that he is going to get even, and he is already smelly, he searches around for a while, and what does he see? The password for the new system admin. That can be useful. He keeps searching, and what else does he find? The Social Security Numbers of all the employees at the company. That can definitely be useful.
Now with the recently acquired info Tom just walks in like he's picking up his stuff, logs into the sys admin's account, and voila, everything that you need.
Now with the Social Security Numbers he just signs everyone that annoyed him up for another credit card, and there you go.
Now as a reference on what to do about dumpster diving: you don't have to shred every single piece of paper that you have, but at the same time, here is a guide. Shred it:

If it has Social Security Numbers on it.
If it has any vital information about the company, i.e. stock holdings, budget, and account numbers.
If it has passwords or account names on it (the one piece of paper Tom needed most).
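To show what that guide looks like when you actually apply it to a pile of paper, here is an added example (not from the original post) of a small Python checker that decides whether a document must be shredded. It flags Social Security Numbers, with the SSA rules for numbers that are never issued so that a ticket id in the same shape does not count, and the company terms the guide lists. The sample documents are constructed for the example.

```python
import re

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")

# Company data the guide above says must not go in the trash in clear text.
SENSITIVE_TERMS = ("stock holdings", "budget", "account number", "password")


def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    """Filter out numbers the SSA never issues (area 000, 666 or 900-999,
    group 00, serial 0000) so ticket ids in SSN shape do not force a shred."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def find_ssns(text: str) -> list:
    """Return the plausible SSNs found in the text."""
    return [m.group(0) for m in SSN_RE.finditer(text)
            if is_valid_ssn(*m.groups())]


def find_sensitive_terms(text: str) -> list:
    """Return the sensitive company terms present, in guide order."""
    low = text.lower()
    return [term for term in SENSITIVE_TERMS if term in low]


def shred_decision(text: str) -> tuple:
    """Return (must_shred, reasons) for one document."""
    reasons = []
    ssns = find_ssns(text)
    if ssns:
        reasons.append(f"{len(ssns)} SSN(s)")
    terms = find_sensitive_terms(text)
    if terms:
        reasons.append("company data: " + ", ".join(terms))
    return (bool(reasons), reasons)


# Constructed sample documents standing in for papers headed for the bin.
SAMPLE_DOCS = {
    "lunch_menu": "Friday lunch: pizza at noon in the break room.",
    "hr_roster": "Employee roster\nJane Doe  SSN 123-45-6789\nJohn Roe  SSN 412-78-3390",
    "finance_memo": "Q3 Budget review: marketing spend up 12%. "
                    "Wire proceeds to account number 4471-9920-11.",
    "sticky_note": "new sysadmin password: hunter2 (don't lose this!)",
    "ticket_id": "Reference code 000-12-3456 is a ticket id, not a person.",
}

if __name__ == "__main__":
    for name, doc in SAMPLE_DOCS.items():
        shred, why = shred_decision(doc)
        print(f"{name}: {'SHRED' if shred else 'recycle'} {why}")
```

The term list is deliberately short; the point is that the decision is made by rule before the paper leaves your desk, not by whoever happens to be standing at the dumpster later.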

Now, are those the only instances of social engineering we are going to come face to face with? No.

Another instance is that you get an email saying that your bank account information is needed. Now this is a little more tricky. You might have a legitimate request here, although a company that really needs that information usually calls you for it. So count option 2 out on this one, just in case it is real, but you can and should still call the company yourself, on the number from your statement or card, not on one from the email.
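The AIM from "AOL", Tom's phone call and this bank email all share the same warning signs: a request for a credential or account details, a claim to be someone in authority, and pressure to act now. As an added example (not part of the original post) here is a small Python screener that looks for those signs in a message and returns the action this page recommends: refuse outright if it asks for your password, verify on a channel you already trust if it only asks for account details or claims authority, otherwise nothing. The message shape and the sample messages are constructed for the example.

```python
import re
from dataclasses import dataclass


@dataclass
class Message:
    channel: str   # "im", "email" or "phone" (a phone call as written-up notes)
    sender: str    # whatever name or address the message claims to come from
    body: str


# Patterns for the warning signs discussed on this page.
CREDENTIAL_RE = re.compile(r"\b(password|passwd|pass ?code|pin)\b", re.I)
ACCOUNT_INFO_RE = re.compile(
    r"\b(account (information|info|number|details)|social security)\b", re.I)
AUTHORITY_RE = re.compile(
    r"\b(IT department|system admin\w*|sysadmin|AOL|your bank|tech support|"
    r"field service|the boss|your manager)\b", re.I)
URGENCY_RE = re.compile(
    r"\b(urgent\w*|immediately|right now|asap|today|suspended|locked|start\w* with)\b",
    re.I)


def screen(msg: Message) -> dict:
    """Return the warning signs found and the action this page recommends."""
    text = f"{msg.sender} {msg.body}"
    reasons = []
    if CREDENTIAL_RE.search(text):
        reasons.append("asks for your password")
    if ACCOUNT_INFO_RE.search(text):
        reasons.append("asks for account information")
    if AUTHORITY_RE.search(text):
        reasons.append("claims to be the company, IT or your bank")
    if URGENCY_RE.search(text):
        reasons.append("pressures you to act right away")

    if "asks for your password" in reasons:
        # Nobody who runs the system needs your password to reset it.
        action = "refuse, then report it to the real company or your manager"
    elif reasons:
        # Possibly real, possibly not: check on a channel you already trust.
        action = "verify by calling back on a number you already have"
    else:
        action = "no action"
    return {"reasons": reasons, "action": action}


# Constructed sample messages mirroring the situations described above.
SAMPLES = {
    "aim_aol": Message("im", "AOLSupport99",
                       "This is AOL. We need your password to verify your account today."),
    "tom_phone": Message("phone", "Tom from the IT department",
                         "The boss told me to update passwords, starting with the day "
                         "shift. Give me your present password, then tell me the new one."),
    "bank_email": Message("email", "service@examplebank.example",
                          "Your bank account information is needed. Reply with your "
                          "account number or your access will be suspended."),
    "lunch": Message("im", "coworker_jane", "Lunch at noon? Pizza in the break room."),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        result = screen(msg)
        signs = "; ".join(result["reasons"]) or "no warning signs"
        print(f"{name}: {result['action']} ({signs})")
```

The ordering matters: a password request is refused no matter how official the sender looks, because the claim of authority is exactly the part the attacker controls. Everything else falls through to verification on a number or address you already had before the message arrived.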

Last, how to avoid giving out information to a person that is asking for something they should not be asking for, i.e. how to hack their girlfriend's account. Yeah, there are people that actually have permission to do that, but guess what, they need to learn somewhere else.

So what do you do? Do you flame, neg, or what?

I personally recommend that you let them know that they are not going to get the answer to that question.

The next thing is to remember that there are actual people out there that need help, and to ignore their outrageous request for information is wrong, so what do you do? You get them to do something stupid, like deleting their autoexec.bat or rm'ing something.

Now the problem with social engineering is that there are actual people that will do it and not know that they are doing it, so for them I recommend that you just let them know that what they are doing is wrong and carry on.

The final line of defense against social engineering falls with you. You have got to remember that there are people out there that want your information to do malicious things, and it is your job to keep them away.

The last two things to remember are: if in doubt, verify. Ask the person you are talking to questions; if they are real, they will have no aversion to you making sure that they are actually entitled to what they want. Verify through a channel you already trust, such as calling back on the number in the company directory or walking over to the IT department, rather than using a number or link the requester gave you.

Last but not least, if in doubt, just don't give them that information.
Better safe than sorry.

Hope this helps someone out.

Any questions, let me know and I will answer them.

I am going to say Thank You to Valhallen for helping me with this.

Thanks Val.

There is also a little thing that you need to watch out for: programs that look like bots asking you for your password. It is not that hard to program a bot, and it could be easily done. The same rule applies: no legitimate service needs you to type your password into a chat window.

Mr. Jizz