Social engineering is hacking applied to real people rather than to machines: the art of getting people to disclose things they normally wouldn't, using nothing more than words and your appearance.
Most people think computer break-ins are purely technical, the result of flaws in computer systems that intruders are able to exploit. In truth, social engineering often plays a big part in helping an attacker slip past the initial security barriers. A lack of security awareness, or plain gullibility on the part of computer users, frequently provides an easy stepping stone into a protected system even when the attacker has no authorised access to it at all.
The first thing that comes to mind when you hear "social engineering" is probably something to do with Facebook or Twitter application development, but that is far from the truth. Social engineering existed long before Facebook or any other social networking site came into being.
[box type=”gray”]To attack your organization, social engineering hackers exploit the credulity, laziness, good manners, or even enthusiasm of your staff. Therefore it is difficult to defend against a socially engineered attack, because the targets may not realize that they have been duped, or may prefer not to admit it to other people. The goals of a social engineering hacker—someone who tries to gain unauthorized access to your computer systems—are similar to those of any other hacker: they want your company’s money, information, or IT resources. A social engineering hacker attempts to persuade your staff to provide information that will enable him or her to use your systems or system resources. Traditionally, this approach is known as a confidence trick. Many midsize and small companies believe that hacker attacks are a problem for large corporations or organizations that offer large financial rewards. Although this may have been the case in the past, the increase in cyber-crime means that hackers now target all sectors of the community, from corporations to individuals. Criminals may steal directly from a company, diverting funds or resources, but they may also use the company as a staging point through which they can perpetrate crimes against others. This approach makes it more difficult for authorities to trace these criminals. – Microsoft[/box]
Take the example of an attacker trying to get hold of someone's password:
The most important thing is a believable story. If you walk up to someone and say "Facebook.com has asked me to collect your password for an account check", they will most likely tell you to piss off.
One of the most common pretexts I use is a survey. Make up a fake survey, attach it to a clipboard, and simply walk up to the person and start asking questions.
"Hi, my name is Dhawal Damania, I am from XYZ Company, and I am doing a survey on how strong people's passwords are. You would be surprised how insecure most people's passwords are, and you may find it quite worrying how insecure your own password may be. If you don't mind, could I ask you a few questions?"
The person hears "insecure" and "personal information", and nine times out of ten will agree to talk to you.
Ask them questions such as "does your password contain letters, numbers and symbols?" and "how long is your password?" (while they are counting, watch their lips to see if they mouth the characters or digits). None of these answers is the password itself, which is exactly why people give them away, but each one cuts down the number of passwords an attacker would have to try.
You may also try the line "I also have a good way of calculating how strong your password is. This isn't necessary, but if you give me a password you use most frequently I can calculate how strong it is", but that sometimes pushes things a little too far.
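To see why the "harmless" survey answers matter, here is a small calculator I have added for this post (it is not part of the original walkthrough). It measures how much the search space shrinks once an attacker knows the length of a password and which character classes it uses, compared with an attacker who knows nothing. The constants are assumptions, not facts from the post: a US keyboard with the 95 printable ASCII characters split into four classes, a baseline attacker who only knows the password is at most 16 characters, and a guess rate of ten billion attempts per second for the timing estimate.

```python
"""Keyspace reduction caused by 'harmless' password-survey answers.

Added illustration for the survey pretext; not part of the original post.
Assumptions: 95 printable ASCII characters in four classes, a baseline
attacker who knows only a maximum length, and an offline guess rate of
1e10/s (fast unsalted hash). Adjust the constants to your own threat model.
"""
import math
from itertools import combinations

# Printable ASCII: 26 lower, 26 upper, 10 digits, 33 symbols (incl. space) = 95.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}
ALPHABET = sum(CLASS_SIZES.values())  # 95
GUESSES_PER_SECOND = 1e10  # assumption: a fast offline cracking rig


def keyspace_with_classes(length: int, classes) -> int:
    """Count the strings of exactly `length` over the union of `classes`
    in which every named class occurs at least once.

    Inclusion-exclusion: start from all strings over the union alphabet,
    then alternately subtract and add back the strings that avoid each
    subset of the required classes.
    """
    if length < 1:
        raise ValueError("length must be at least 1")
    classes = list(dict.fromkeys(classes))  # de-duplicate, keep order
    n = sum(CLASS_SIZES[c] for c in classes)
    total = 0
    for k in range(len(classes) + 1):
        for excluded in combinations(classes, k):
            remaining = n - sum(CLASS_SIZES[c] for c in excluded)
            total += (-1) ** k * remaining ** length
    return total


def keyspace_unknown(max_length: int = 16) -> int:
    """Baseline: the attacker knows neither length nor composition, so every
    printable-ASCII string of length 1..max_length is a candidate."""
    return sum(ALPHABET ** n for n in range(1, max_length + 1))


def bits(keyspace: int) -> float:
    """Size of a keyspace in bits (log2)."""
    return math.log2(keyspace)


def survey_leakage(length: int, classes, max_length: int = 16) -> dict:
    """How much the two survey answers ('how long?' and 'which character
    classes?') shrink the search space compared with knowing nothing."""
    before = keyspace_unknown(max_length)
    after = keyspace_with_classes(length, classes)
    return {
        "before_bits": bits(before),
        "after_bits": bits(after),
        "leaked_bits": bits(before) - bits(after),
        "crack_seconds": after / GUESSES_PER_SECOND,
    }


if __name__ == "__main__":
    # Constructed survey answers: an eight-character password of lowercase
    # letters and digits, versus a twelve-character one using all four classes.
    for length, classes in [(8, ["lower", "digit"]),
                            (12, ["lower", "upper", "digit", "symbol"])]:
        r = survey_leakage(length, classes)
        print(f"len={length:2d} classes={'+'.join(classes):<26} "
              f"search space {r['after_bits']:6.1f} bits "
              f"(attacker gained {r['leaked_bits']:5.1f} bits), "
              f"exhaustive search ~{r['crack_seconds']:.3g} s")
```

Run it as a script to see the two constructed cases side by side. The point is the "leaked bits" column: two casual answers about an eight-character lowercase-and-digits password hand the attacker over 60 bits of information, turning a hopeless search into a few minutes of work at the assumed guess rate. Real attackers also skip the brute force entirely by trying wordlists first, so the numbers here are an upper bound on the effort, not an estimate of it.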
- A confused and befuddled person will call a clerk and meekly request a password change.
- Seemingly powerful and hurried people, identifying themselves as executives, will telephone a new system administrator and demand access to their account IMMEDIATELY!
- At an airport, somebody will look over a shoulder ("shoulder surfing") as telephone calling-card numbers or ATM PINs are keyed in, sometimes from a distance with binoculars or a camcorder.
- A visitor, incognito, will watch as you enter a login-ID and password at your keyboard.
- Somebody will call and confidently instruct a computer operator to type in a few lines of instruction at the console.
- An attacker will sift through your paper trash (also known as “dumpster diving”), looking for clues to unlock your IT treasures or financial life.
Preventing social engineering attacks
I can't give a complete list, because social engineers are constantly changing the ways in which they gain trust.
The best defence against social engineering is user awareness that these attacks really do happen. First some good business practices, then a few things to look out for.
Good business practices:
- Train employees never to give out passwords or confidential information over the phone.
- Update your security policy to address social engineering attacks.
- Update your incident-handling procedures to include social engineering attacks.
- Don’t type in passwords with anyone else looking.
- Require all guests to be escorted. (Once they’re inside, they have full access!)
- Keep all trash in secured, monitored areas.
- Shred important and sensitive data.
- Conduct periodic security awareness training programs.
- Something that is too good to be true
If it's too good to be true, it probably is. Always make sure the person is trusted or well known. Don't rely on that alone, though: the person may have fooled everyone else too, so it is always worth asking yourself "if this is such a good offer, how can he or she be making it?"
- Someone who you never usually talk to has started being really interested in you
They might genuinely have become interested in you, but what for? If they start asking really strange or personal questions, I recommend the "playing it hard" game. Ask them the same question back as your answer, and refuse to tell them until they tell you. Then say "I don't believe you". It doesn't matter whether that is true or not; what you have just done is shown them that they aren't as trusted as they believed they were, even if only psychologically. Then make up an excuse so you need to leave. There are plenty of ways to get out of a conversation, but I prefer beating them at their own game. It is so much more entertaining =)
- Someone you don’t know asks you for your details
Obviously you don’t give them out, you would have to be stupid to do that.
As a rule of thumb, just make sure the person isn't trying anything. A really good social engineer is hard to spot, but remember that there are always less skilled people out there trying it too.
I suspect that as hardware and software security controls improve, attackers will increasingly resort to social engineering to compromise systems or steal information.
Many companies still provide no security awareness training for their employees. They spend a lot of money on the latest and greatest security hardware but forget that some of the most sensitive information is stored in their employees' heads, and human weaknesses are the easiest ones to exploit.
[box type=”note”]This post was written with beginners in mind; I could go into far more depth, but most people would lose interest. If you want more detailed information you can contact me at [email protected][/box]
Please share this post and take preventive measures against social engineering.