Social Engineering

[valhallen]

There is alot of talk about how to properly secure your computer or network but no matter how well locked down you are if those people accessing your system with valid usernames/passwords are not well enough trained on how to handle the information needed to enter your system then you could find yourself breached.

One of the biggest problems for a network admin is that of social engineering. A social engineer really does not need very much computer knowledge instead they rely upon you or your staff's stupdity to allow them to gain access.

This kind of attack has been called by some as people hacking - rivking someone else into revealing their username/password or even in some cases financial details. You may think "I would never do such a thing as give out any details" but you'd be surrprised by how many people do.....

There are several different types of social engineering the first one I will focus on will be over the telephone.

The telephone has a major advantage for the social engineer - the person he or she is speaking to can not actually see them or any identification. They can call posing as anyone and with a good enough line can usually sucker people into giving them the info they need. this first example is taken from Security Focus

::

The facilitator of a live Computer Security Institute demonstration, neatly illustrated the vulnerability of help desks when he “dialed up a phone company, got transferred around, and reached the help desk. ‘Who’s the supervisor on duty tonight?’ ‘Oh, it’s Betty.’ ‘Let me talk to Betty.’ [He’s transferred.] ‘Hi Betty, having a bad day?’ ‘No, why?...Your systems are down.’ She said, ‘my systems aren’t down, we’re running fine.’ He said, ‘you better sign off.’ She signed off. He said, ‘now sign on again.’ She signed on again. He said, ‘we didn’t even show a blip, we show no change.’ He said, ‘sign off again.’ She did. ‘Betty, I’m going to have to sign on as you here to figure out what’s happening with your ID. Let me have your user ID and password.’ So this senior supervisor at the Help Desk tells him her user ID and password.” Brilliant.

here you can see that the person betty was easily taken in as the caller provided a simple yet effective way of convincing her that they needed and had a right to her information.

- Social Engineering over the telephone does not only exsist in the workplace. People may also dupe householders into revealing sensitive information.
Imagine the situation John Smith has an aol account - J.Smith@aol.com - he talks to someone in one of the chatrooms - have a conversation about usual things where he's from, does he have kids etc etc
this is all valuable information that can then be used to trick him into revealing more....

while talking to J.Smith posing as just someone in a chatroom the social engineer learns that his real name is John, he lives in Wilmington and has 2 sons and a daughter.

The Social Engineer can then use that information plus a simple phone directory to get J.Smith's phone # & address
Now obviously there are going to be quite a few John Smiths in Wilmington but I used that name as an example - the more unique the name the less people there are going to be in an area with it obviously

So armed with his new information he calls Mr Smith posing as an AOL accounts employee - he knows Mr Smiths login name, billing adress, and home telephone number. He can also see that there is 3 other people registered under his account (his 2 sons and the daughter)

Due to the amount of information this person has Mr Smith does not query them and when told that in a recent server upgrade his billing details were lost he happily hands over his Credit Card number to the caller.

This is whats known as a central route to persuasion.
This means that by asking the correct questions and providing the correct infoprmation the person being engineered reaches the decision that the Social Engineer hopes they will - in the above case to hand over their CC details.

That is just an example i came up with off the top of my head but am sure that similar schemes have been put in to use across the world.

SO what about online? well there are many different ways that a Social Engineer may attempt to gleam information from you.

Via email :: They will often register accounts with email providers such as hotmail that sound offical. Then sen emails to different people informing them of some kind of problem with the service for which they need the persons username/password to be returned to them for verification.

another old scheme that was used for stealing hotmail passwords was by using a mixture of social engineering and an exploit in the way hotmail displayed emails with html/java script
the email when opened would redirect the user to another page which a perfect match for the hotmail login page - assuming they had timed out the user would enter their username/password - but instead of the user/pass being sent to hotmail it would be sent to the email addy of the social engineer.

the bug with displaying java has now been fixed so this no longer works but similar scemes are still in opeation - so be sure of where you are entering your password and that it is def the legitamite site.

Many schemes use fake webpages - a recent one was a clone of the paypal site - users recieved faked emails which seemed to cme from paypal requesting they visit the site as there had been a problem with the card supplied or that details had been lost - the site which looked identical to the actual paypal site would then ask them to re-enter the details which would then be sent to the Social Engineer.

Ok so you've heard a couple of examples but with the ever changing basis of Social Engineering how can you protect yourself or your company???

heres a short list of things to do ::

1. Make sure all staff is properly trained in security procedures and have a well thought out and established mathod for dealing with calls where sensitive information is asked for
2. When sen an email requesting details do not reply to the email - instead go to the company site and find another email address such as support@hotmail.com and email them a copy of the email you recieved and ask them to verify its authenticity before giving over any details.
3. When called by someone asking for details over the phone ask them for a contact number you can call in order to give over the details - then check a secondary source (phonebook, company website) to ensure phone number is correct and call them and explain the situation.
4. When sent an email requesting you visit a site to enter details do not click on the link - instead enter the company's address into your browser yourself eg: if the link was http://www.aol.com@63.146.109.212/ the link will actually take you to antionline! so instead type out www.aol.com - and look for a link to the relevant page from there - if none is found again email an address you should be able to get form the aol site with a copy of the email and request them to verify it.

these simple steps should be enough to prevent yourself from falling victim to a Social Engineer

v_Ln

[PM8228]

Well written. Although there have been tons of papers written on SE, it is always fun to read another. I need something to practice it on over the phone :-/

-Cheers-

[whizkid2300]

Hmm….

Social Engineering any hackers greatest tool. You can Patch every hole in your system. Read your logs 25 tims a day. Update everything everyday. And you are still Vulnerable to this one thing.

It is really rather amazing.

One of the Aspects of Security I have taken a particular interest in.

I will put it like this, people that deal with all sorts of Info that you find important are way to easy to give it up.

All you need is a little bit of inside info, and you are in. I mean, with just easy talking to a person, acting like a regular customer you can get info that is really needed. To make a big attack.

I could go on for hours about, different ways and things I have done and seen. I will say this much. If companies made it easier for you to tell them there weaknesses. I would have a LONG list of people that are not up to par.

But this is just another reason why, I have a problem with companies getting pissy when, someone tells them that there system is bad. Or there is something wrong with the way they do stuff. I am not saying that, they should invite people to mess with there stuff.
But if someone tells you, don’t sue the poor person. They are just trying to help you out.

This is definitely one of those Topics I read, a lot about, and Do a lot of hands on Activity. I will say this, I would recommend you people trying to engineer your job to see, what Info they will be willing to just give up. Mine really had me pissed off, about the info they gave out.

[\/IP3R]

nothing personnal to valhallen, but lets talk about real hacking, shall we? basic this, basic that, bull crap* aren't you guys tired already. Or nobody knows how to compromise a server with open services running?

[Noia]

best way to get what you want; be kind and 'cute'. Force gets you no where.

[whizkid2300]

\/iper I thought, V_Ln was trying to go over the security aspect of it. I might have been wrong though.

Now, as for Real hacking who’s definition, I will tell you for a fact. I have gotten people to tell me more then, there system does, at times.

\/iper so what, about compromising a server with weak security I could write a tutorial on how to do it, about 3 secs.

Computer Scan, Find open port. Running Services. Google Exploit.

Wow your real ****ing 31337.

[D0pp139an93r]

I can't remember who said it, and quite frankly I'm too lazy to search, but here goes. "Your network is only as secure as the person who keeps their password on a post-it note on their monitor." Social engineering is "real hacking". "Betty" can give me much safer access to a sytem/network than some obscure service exploit.

Security is an all encompassing field. It is not limited to the computer side. Lets face it, user error is the primary cause of most computer problems. That and Windows, lol.

\/iper, you stick to sendmail bugs, V_Ln you just keep calling Betty.
LOL

[\/IP3R]

Noia, may be some members misunderstood me here. Nevermind. All I am asking is forums are full with basic crap, and I think it is time to step up a little. look at thehorse13, even though he didn't covered a lot in his nmap tuts but still it is enough for noobs to digest. I agreed that I posted waste posts time to time but really think about it, look in the tutorial forums you will not find anything interesting going on. just basic networking, basic proramming but nothing indepth. No one ever wrote an article how would you setup an small network with 20-30 computers connected together with security policies imposed on them. I don't know whats goes in addict forum because I don't have access to it, but don't you think this place should be little more than just basic teen talk. Neblus, you got some sense of humor going on there. But thats not I am talking about.

[valhallen]

No one ever wrote an article how would you setup an small network with 20-30 computers connected together with security policies imposed on them

so \/iper when can we expect your tut on setting up a small network (20-30) computers and the security policies imposed upon them then??

v_Ln

[\/IP3R]

I will write it for those who will pm me. For you, I have three rules that you can remember, if you don't want to get lost in computer industry. Keep it in mind.

1) What it is?
2) What it does?
3) Do I need it?

Probably never heard them, have you?