December 4th, 2003, 06:21 PM
#1
Social Engineering
There is a lot of talk about how to properly secure your computer or network, but no matter how well locked down you are, if the people accessing your system with valid usernames/passwords are not well enough trained in how to handle the information needed to enter your system, then you could find yourself breached.
One of the biggest problems for a network admin is that of social engineering. A social engineer really does not need very much computer knowledge; instead they rely upon your or your staff's stupidity to allow them to gain access.
This kind of attack has been called by some "people hacking": tricking someone else into revealing their username/password or even, in some cases, financial details. You may think "I would never do such a thing as give out any details", but you'd be surprised by how many people do.....
There are several different types of social engineering; the first one I will focus on will be over the telephone.
The telephone has a major advantage for the social engineer: the person he or she is speaking to cannot actually see them or any identification. They can call posing as anyone and, with a good enough line, can usually sucker people into giving them the info they need. This first example is taken from Security Focus
::
The facilitator of a live Computer Security Institute demonstration, neatly illustrated the vulnerability of help desks when he “dialed up a phone company, got transferred around, and reached the help desk. ‘Who’s the supervisor on duty tonight?’ ‘Oh, it’s Betty.’ ‘Let me talk to Betty.’ [He’s transferred.] ‘Hi Betty, having a bad day?’ ‘No, why?...Your systems are down.’ She said, ‘my systems aren’t down, we’re running fine.’ He said, ‘you better sign off.’ She signed off. He said, ‘now sign on again.’ She signed on again. He said, ‘we didn’t even show a blip, we show no change.’ He said, ‘sign off again.’ She did. ‘Betty, I’m going to have to sign on as you here to figure out what’s happening with your ID. Let me have your user ID and password.’ So this senior supervisor at the Help Desk tells him her user ID and password.” Brilliant.
Here you can see that Betty was easily taken in, as the caller provided a simple yet effective way of convincing her that they needed, and had a right to, her information.
- Social engineering over the telephone does not only exist in the workplace. People may also dupe householders into revealing sensitive information.
Imagine the situation: John Smith has an AOL account - [email protected] - and he talks to someone in one of the chatrooms. They have a conversation about the usual things: where he's from, does he have kids, etc.
This is all valuable information that can then be used to trick him into revealing more....
While talking to J. Smith, posing as just someone in a chatroom, the social engineer learns that his real name is John, he lives in Wilmington and he has 2 sons and a daughter.
The social engineer can then use that information plus a simple phone directory to get J. Smith's phone # and address.
Now obviously there are going to be quite a few John Smiths in Wilmington, but I used that name as an example; the more unique the name, the fewer people there are going to be in an area with it, obviously.
So, armed with his new information, he calls Mr Smith posing as an AOL accounts employee: he knows Mr Smith's login name, billing address and home telephone number. He can also see that there are 3 other people registered under his account (his 2 sons and the daughter).
Due to the amount of information this person has, Mr Smith does not query them, and when told that in a recent server upgrade his billing details were lost, he happily hands over his credit card number to the caller.
This is what's known as a central route to persuasion.
This means that by asking the correct questions and providing the correct information, the person being engineered reaches the decision that the social engineer hopes they will; in the above case, to hand over their CC details.
That is just an example I came up with off the top of my head, but I am sure that similar schemes have been put into use across the world.
So what about online? Well, there are many different ways that a social engineer may attempt to glean information from you.
Via email :: They will often register accounts with email providers such as Hotmail that sound official, then send emails to different people informing them of some kind of problem with the service, for which they need the person's username/password to be returned to them for verification.
Another old scheme that was used for stealing Hotmail passwords was a mixture of social engineering and an exploit in the way Hotmail displayed emails with HTML/JavaScript.
The email, when opened, would redirect the user to another page which was a perfect match for the Hotmail login page. Assuming they had timed out, the user would enter their username/password, but instead of the user/pass being sent to Hotmail it would be sent to the email addy of the social engineer.
The bug with displaying JavaScript has now been fixed, so this no longer works, but similar schemes are still in operation, so be sure of where you are entering your password and that it is definitely the legitimate site.
Many schemes use fake webpages. A recent one was a clone of the PayPal site: users received faked emails which seemed to come from PayPal requesting they visit the site, as there had been a problem with the card supplied or details had been lost. The site, which looked identical to the actual PayPal site, would then ask them to re-enter the details, which would then be sent to the social engineer.
OK, so you've heard a couple of examples, but with the ever-changing basis of social engineering, how can you protect yourself or your company?
Here's a short list of things to do ::
- Make sure all staff are properly trained in security procedures and have a well thought out and established method for dealing with calls where sensitive information is asked for.
- When sent an email requesting details, do not reply to the email. Instead, go to the company site and find another email address such as [email protected], email them a copy of the email you received and ask them to verify its authenticity before giving over any details.
- When called by someone asking for details over the phone, ask them for a contact number you can call in order to give over the details, then check a secondary source (phonebook, company website) to ensure the phone number is correct, and call them and explain the situation.
- When sent an email requesting you visit a site to enter details, do not click on the link. Instead, enter the company's address into your browser yourself. E.g. if the link was http://[email protected]/ the link will actually take you to AntiOnline! So instead type out www.aol.com and look for a link to the relevant page from there. If none is found, again email an address you should be able to get from the AOL site with a copy of the email and request them to verify it.
These simple steps should be enough to prevent you from falling victim to a social engineer.
v_Ln
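An added example, not part of v_Ln's post above, showing the "@" link trick from the last tip in working code. The sample links are constructed for the demonstration (the aol.com and antionline.com hosts are assumed, standing in for the elided link in the post). The point the code makes is that a browser connects to whatever follows the last "@" in the authority part of a URL; everything before it is userinfo, so a link can be dressed up to start with the domain you expect while actually going somewhere else. The check compares the host the browser would really use against the domain you expect, and also catches look-alike hosts that merely begin with that domain.

```python
from urllib.parse import urlsplit

# Constructed sample links for the demonstration (assumed, not from the post).
SAMPLE_LINKS = {
    "legit":     "http://www.aol.com/account/billing",
    "userinfo":  "http://www.aol.com@www.antionline.com/",       # the "@" trick
    "userinfo2": "http://www.aol.com:login@www.antionline.com/", # "@" trick with a fake "port"
    "lookalike": "http://www.aol.com.example.net/",              # expected domain as a prefix only
    "with_port": "http://www.aol.com:80/",
}


def effective_host(url):
    """Host a browser actually connects to: the authority part after the
    last '@', minus any port. Text before '@' is userinfo, not the host,
    which is exactly what the trick relies on."""
    host = urlsplit(url).hostname
    return host.lower().rstrip(".") if host else None


def userinfo(url):
    """The decoy text placed before '@' (empty if there is none)."""
    netloc = urlsplit(url).netloc
    return netloc.rpartition("@")[0] if "@" in netloc else ""


def link_goes_to(url, expected_domain):
    """True only if the effective host is expected_domain or a subdomain of it.
    A plain prefix match would accept 'www.aol.com.example.net', so the
    comparison is anchored at a dot boundary instead."""
    host = effective_host(url)
    if host is None:
        return False
    expected = expected_domain.lower()
    return host == expected or host.endswith("." + expected)


def audit(links, expected_domain):
    """Map each label to (effective host, decoy userinfo, goes to expected domain?)."""
    return {
        label: (effective_host(u), userinfo(u), link_goes_to(u, expected_domain))
        for label, u in links.items()
    }


if __name__ == "__main__":
    for label, (host, decoy, ok) in audit(SAMPLE_LINKS, "aol.com").items():
        verdict = "ok" if ok else "NOT aol.com"
        decoy_note = f" (decoy userinfo: {decoy!r})" if decoy else ""
        print(f"{label:10} -> connects to {host}{decoy_note}: {verdict}")
```

Run it as a script to see the verdict for each sample link; the same logic can be dropped into a mail filter or a pre-click check, since it only needs the link text, not a network connection.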