###########################################################################################

Introduction to Social Engineering

By: Tal0n of NixSec 05-16-04

###########################################################################################

1. Introduction
2. What is social engineering?
3. Internet Social Engineering
4. Telephone Social Engineering
5. In-person Social Engineering
6. Conclusion

###########################################################################################

1. I am writing this paper to try to shine a light on an art that has been used for years
but has nowadays taken a new form: the art of deception, social engineering. Social
engineering, if used correctly, can go from a few simple favors to international espionage.
It can also be the most effective kind of "hacking" you can do, and the only things required
are knowledge and understanding of the human mind, people skills, and a bit of cleverness to
accomplish almost any job or task.

###########################################################################################

2. What is social engineering? Social engineering is basically making people do what you
need or want them to do, or making them give you certain information that you need or want.
Say you want the password to your friend's computer. Would it be easier to keylog it or get
it some other such way, or to talk it out of him? Probably the second option. Consider this
situation:

Dan: Hi Matt.
Matt: What's up Dan?
Dan: Not much, just trying to play this game.
Matt: What game?
Dan: Hutt 3D.
Matt: Ah, I heard that game rocks.
Dan: I could sign you up for it.
Matt: Really? That'd be awesome.
Dan: Ya, no problem. I have to go soon though.
Dan: I'll try to set some of it up before I go. What do you want your password to be?
Matt: Hmm.. try teehee, I use it for everything else anyways.
Dan: Sounds great, I'll send you the rest of the information later, see ya!
Matt: Thanks Dan, bye.

In a quick conversation, because of the pressure of picking a quick and easy password, Matt
has given Dan access to probably all his other accounts, including email, just by not
thinking to pick a good password instead of one he uses for almost everything else. The
social engineering was good on Dan's part: he gave Matt a feeling of pressure because he had
to "go soon" and therefore *didn't* have time to talk with Matt completely about the game or
the setup information. Matt decided to make it easy so he could play his new game as soon as
possible, and gave Dan a vital key to Matt's everyday internet accounts. When people feel
rushed, or feel that they will miss out on a good opportunity if they don't hurry and
provide information, they don't think as much as they should.

Now that situation was made possible because there was a certain kind of 'trust' between Dan
and Matt. If the situation were a little different, and Matt was talking to someone he
didn't know very well, the situation might still be possible, but it would take either some
smoother talking from the attacker or some stupidity on the victim's part. Trust is a big
factor in social engineering. If someone doesn't feel that they trust you, they probably
wouldn't be as likely to comfortably go along with whatever you are planning. If they do
trust you, then depending on how much trust is involved and the mentality of the victim,
it's possible to pull off almost anything.

###########################################################################################

3. Internet social engineering is pretty common nowadays, and lots of people, companies, and
sometimes even ISPs fall under the control of a social engineer. Here's an example situation
of an attacker trying to get access to the victim's website.

attacker: hi, how are you?
victim: pretty good, you?
attacker: fine
attacker: i seen you take care of somesite.com?
victim: ya, thats my site
attacker: wow, i love the graphics
attacker: content is nice as well
victim: why thank you :)
attacker: you wouldn't happen to have some extra webspace would you?
attacker: you see, me and a couple friends need somewhere to upload some pictures and mp3's
attacker: think you could help us out?
victim: hm.. i dont really know how
attacker: oh, well its pretty easy
attacker: if you want me to, ill set it up, i just need the login info please
victim: ok, just make yourself some space somewhere and please don't mess with any of mine
attacker: of course not ;)
victim: username is somesite, password is whitesoxs
attacker: thanks, we really appreciate it :)
victim: no problem

Now let's analyze that situation... First, the attacker comes off as really nice and polite,
complimenting the owner of the site on its graphics and content. Then he gently asks for
some webspace on the account that hosts the victim's website. The victim seems not to know a
lot about computers or authentication, and has a good feeling that nothing bad will happen
because of the attacker's good attitude and niceness. After that, the victim easily hands
over the login information, the username and password, giving the attacker full access to
the victim's website. "Why?" you ask. Social engineering.

Now there are other situations, like gaining trust over a period of time: days, weeks, or
yes, even months. Even social engineers can be social engineered; it mainly just takes time
and research. We humans have a want pattern. If we think someone will give us something, has
the ability to make us 'famous', or will get us somewhere, we tend to ease up and be 'too
friendly'. For example, who would you trust more with your car, your best friend or an
acquaintance? Your best friend of course, unless you know he cannot drive or is very
reckless. Trust, as I said before, is a key factor in social engineering. If someone doesn't
trust you, they probably won't let you take advantage of them.

###########################################################################################

4. Telephone social engineering is a danger as well. Caller ID, as shown in "The Art of
Deception", cannot be used as a foolproof way of identifying a caller, since it can be
spoofed without much trouble. Check this situation out.

victim: Hello, welcome to CompNet Technical Support. Tom Hoff speaking, how may I help you?
attacker: Hi, this is Jeff Bridge from Accounting.
victim: Hi Jeff, how are you doing today?
attacker: Well, not too good. I lost my password yesterday and I haven't been able to access the server. My boss has been on my case since last night and I'm not sure if I can get the pay checks out by Friday.
victim: Oh.. that doesn't sound too good.
attacker: Could you do me a favor and reset my password for me so I can get back to work?
victim: Sure, what's your ID number?

At this point the attacker looks on the company's website for a listing of the employees.
He lucks up and finds a text file with their names and ID numbers.

attacker: 332 I think
victim: Ya, that's it, 332
victim: Hold on just a second and I'll reset the password
attacker: Ok
victim: New password: changeme
victim: You need to change it to whatever you want as soon as you access the server.
attacker: The username is still jbridge, right?
victim: Yep, that's what it says here.
attacker: Thank you! By the way, I have a friend down here from Development that needs to know what the new server is for his team.
victim: New server? As far as I know it's always been dev.compnet.com.
attacker: Hmm.. maybe it was just down last night, we'll try it again later.
victim: Oh ok
attacker: Well, I have to go, thanks so much for your help again.
victim: It was no problem
attacker: bye
victim: bye

Now.. what just happened here? The attacker, impersonating "Jeff Bridge" from Accounting,
has just successfully done the following:

- Got the information to access the server that has access to the payroll.
- Got access to a machine that is probably not secure, where the attacker may escalate his
  privileges to root.
- Got the name of the server that the company's development team uses, so the attacker can
  plan future attacks on the company and may gain access to steal source code or other
  information about the company's new or old product lines, or other confidential
  information.
- And the most important thing: has gained some trust from the victim that can be used in
  other attacks planned for getting information or getting something done.

He was also able to obtain a vital piece of information needed to get the password: "Jeff
Bridge"'s company ID number, which was publicly available on the company's website, which
isn't too smart.

###########################################################################################

5. In-person social engineering, although to some people it doesn't appear too smart, can be
very effective on the victim, and sometimes even more effective than the other ways, because
the victim can actually see the person they are talking to, making the trust factor grow and
sometimes making them easier to manipulate. Take this situation into consideration.

A man in a nice suit, tie, and fancy hair walks elegantly up to the ISP technical support
center. He says he's in a hurry and needs to get his username and password, which he lost
while he was at a business meeting. He needs them ASAP because he's working on a project on
his laptop and it can't wait. The lady at the counter says she doesn't think she's allowed
to do that. The attacker politely compliments her loyalty and asks her to join him for lunch
at a fancy restaurant the next day. He says he thinks she's got real talent and offers her a
job at his 'firm'. She feels flattered and thinks she must help the guy out since he has
been so nice to her.
She carefully looks up the username and password for the account name he gives her and hands
them to him on a piece of paper, whispering not to tell anyone because she might get in
trouble. The attacker just successfully got the username and password of any account on the
ISP, just by using some smooth words and dressing like a professional. You see how easy it
can be? It happens every day; 90% of the time people don't even realize it.

###########################################################################################

6. My conclusion in writing this paper is to explain how to successfully get anything you
want from a person by 'just asking for it'. Now that you have read it, hopefully you will be
more educated in the field and will know how to protect yourself, or maybe even your
company, from most social engineering attacks, if not almost all. Online, on the phone, on
the street: all are places where the possible social engineer preys. Will you be his next
victim? Hopefully not.

-Tal0n
cyber_talon@hotmail.com
#nixsec @ efnet