Wednesday, June 17, 2009

Social Engineering

Social engineering is the act of manipulating people into performing actions or divulging
confidential information. While similar to a confidence trick or simple fraud, the term typically
applies to trickery or deception for the purpose of information gathering, fraud, or computer
system access; in most cases the attacker never comes face-to-face with the victim.
The basic goals of social engineering are the same as hacking in general: to gain unauthorized
access to systems or information in order to commit fraud, network intrusion, industrial
espionage, identity theft, or simply to disrupt the system or network. Typical targets include
telephone companies and answering services, big-name corporations and financial institutions,
military and government agencies, and hospitals. The Internet boom had its share of industrial
engineering attacks in start-ups as well, but attacks generally focus on larger entities. As for why organizations are targeted through social engineering – well, it’s often an easier way
to gain illicit access than are many forms of technical hacking. Even for technical people, it’s
often much simpler to just pick up the phone and ask someone for his password. And most
often, that’s just what a hacker will do.
Social engineering attacks take place on two levels: the physical and the psychological. First,
we'll focus on the physical setting for these attacks: the workplace, the phone, your trash, and
even on-line. In the workplace, the hacker can simply walk in the door, like in the movies, and
pretend to be a maintenance worker or consultant who has access to the organization. Then
the intruder struts through the office until he or she finds a few passwords lying around and
emerges from the building with ample information to exploit the network from home later that
night. Another technique to gain authentication information is to just stand there and watch an
oblivious employee type in his password.
The most prevalent type of social engineering attack is conducted by phone. A hacker will call
up and imitate someone in a position of authority or relevance and gradually pull information
out of the user. Help desks are particularly prone to this type of attack.Help desks are particularly vulnerable because they are in place specifically to help, a fact
that may be exploited by people who are trying to gain illicit information. Help desk employees
are trained to be friendly and give out information, so this is a gold mine for social engineering.
Most help desk employees are minimally educated in the area of security and get paid
peanuts, so they tend to just answer questions and go on to the next phone call. This can
create a huge security hole.
A variation on the phone theme is the pay phone or ATM. Hackers really do shoulder surf and
obtain credit card numbers and PINs this way. People always stand around phone booths at
airports, so this is a place to be extra cautious. Dumpster diving, also known as trashing, is another popular method of social engineering. A
huge amount of information can be collected through company dumpsters.The Internet is fertile ground for social engineers looking to harvest passwords. The primary
weakness is that many users often repeat the use of one simple password on every account.
So once the hacker has one password, he or she can
probably get into multiple accounts. One way in which hackers have been known to obtain this
kind of password is through an on-line form: they can send out some sort of sweepstakes
information and ask the user to put in a name and password. These forms can
be sent by e-mail .
Another way hackers may obtain information on-line is by pretending to be the network
administrator, sending e-mail through the network and asking for a user’s password. This type
of social engineering attack doesn’t generally work, because users are generally more aware
of hackers when online, but it is something of which to take note. Furthermore, pop-up windows
can be installed by hackers to look like part of the network and request that the user reenter
his username and password to fix some sort of problem. At this point in time, most users
should know not to send passwords in clear text , but it never hurts to have an
occasional reminder of this simple security measure from the System Administrator. Even
better, system administrators might want to warn their users against disclosing their passwords in any fashion other than a face-to-face conversation with a staff member who is known to be
authorized and trusted.
E-mail can also be used for more direct means of gaining access to a system. For instance,
mail attachments sent from someone of authenticity can carry viruses, worms and Trojan
horses.
A final, more advanced method of gaining illicit information is known as “reverse social
engineering”. This is when the hacker creates a persona that appears to be in a position of
authority so that employees will ask him for information, rather than the other way around. If
researched, planned and executed well, reverse social engineering attacks may offer the
hacker an even better chance of obtaining valuable data from the employees; however, this
requires a great deal of preparation, research, and pre-hacking to pull off.

Always remember , prevention is better tan cure. Once your personal information has gone then remember there is no cure!


No comments: