The Art of Social Engineering

---

Being a security freak, I simply cannot discuss IT security stuff without going over the culprit that created it all: Social Engineering, more known as ‘The art of Social Engineering’ the fanciness reminds me of Prince, or better: ‘The artist formerly known as Prince’. But anyway, as I started getting familiar to the topic, I often asked: Why call it Art in the first place?

Let’s go over the dictionary definition of the word. dictionary.com states:

“A term used among crackers and samurai for cracking techniques that rely on weaknesses in wetware rather than software; the aim is to trick people into revealing passwords or other information that compromises a target system’s security.”

Art? No doubt about that. The social engineers … or artists go into such detail in their acts that is almost becomes a play with a script and a website.

The human element is more often called ‘the weakest link’ for various reasons. First off, you cannot ‘negotiate’ with a computer to give you access to specific data. You’re either granted access or denied. As ignorant as IT systems may be, computer systems were built by control freaks to be impenetrable in these situations (as long as they are patched correctly that is… but that’s another story). As difficult as it may seem there is a way to break the shield using other people’s trust.

In fact, one of the easiest methods that a social engineer can use to get personal information about you or your computer is to pretend, or act like, they are someone you should trust. As humans tend to be trusting in nature this leads to an interesting situation where if a hacker disguises himself as a trusted source, it would be more likely that we give our personal information to this person compared to what we would disclose to a total stranger. Makes sense right?

Classic scenarios include phoning up a victim who has the required information whilst the social engineer is posing as an on-site tech or a fellow employee with an urgent access problem.

Lets compare two similar but different situations:

Imagine a person calling you on your home phone telling you he was from your telephone company and that there was a problem with your line that needed to be fixed. The conversation would continue like this:

“OK, so I would need to confirm your billing information, address, and your availabilities for an appointment …”

That would be pretty convincing wouldn’t it? I feel that the majority of people would think it would be ‘OK’ to disclose this information to the person because we assume they are a person who is in a position that we trust.

Now, lets go over the ’similar but different situation’. What if a stranger on the street walks up to you and asks for the same information. You would instantly go away from the chap and probably think they are nuts. That is because that person is a stranger and we were always thought to be wary of strangers.

As you can see when a person disguises themselves as someone we trust, as in the first scenario, we tend to be more open in what we disclose. This is called social engineering and is a leading method to get personal information such as passwords, phone numbers, addresses, or social security numbers from people.

Social engineering has also started to be used in automated ways using rootkits and worms. For example, as part of the Gromozon rootkit, there is a file called http://www.google.com/ that you will be prompted to download and run. Google? That’s a trusted name in almost every household these days and thus most people would allow the program to run thinking they were downloading the file from Google itself. Little did they know that by running this program they have now been infected by an adware, Trojan, and one of the most ruthless rootkits found in some time.

Another example is a new worm evaluated today by Sophos called W32/IRCBot-RJ. This malware is worm that spreads through computers with weak passwords on network shares or by exploiting common Windows exploits such as the ASN.1 Vulnerability (MS04-007). What makes this worm interesting is that it uses the filename Googlesetup.exe and adds itself to the Windows Registry, so that it starts when Windows does, with the name Google Service. Now when a person sees this program running on their computer they may think it’s a legitimate program by Google and allow it to run.

Last but not least, we come to phishing, one of the leading methods of identify theft. Phishing is when a criminal attempting to do identity theft send out an email that appears to be from a trusted source, but actually is from a carefully designed web site that is under the criminal’s control. These phishing attacks usually contain links back to the criminal’s web site which appears to be a legitimate bank or other institution. They then request that you enter personal information, which you think is on the bank’s web site, but is actually on the criminals. Now you have given the criminal your personal information.

So what can you, the end-user, do to protect yourself from attacks such as this? Here are some suggestions:

• Never ever ever give out information to a stranger, whether that be a random person on the street or someone who calls you directly. Instead hang up and call the company directly and ask if the call was legitimate.
• Never ever ever ever give out your password! There is no legitimate reason that you will ever need to give out your password. Even computer engineers for your company should not ask for your password. If they insist, ask them to reset it to a password of their choice so you do not have to disclose the one you use.
• Never ever ever ever ever provide your ATM PIN (personal identification number). There is no legitimate reason that this will ever be asked to someone and if you are asked then you know the person/email/site is not to be trusted.
• Never ever ever ever ever ever click on links in emails that you receive supposedly from banks or other financial institutions. I know you have heard this a 1,000 times but it’s obvious no one ever listens considering the amount of phishing spam we all receive. Banks will not send you emails saying that you need to reset your accounts or provide your passwords or other personal identification online. I repeat, Banks will not send you emails saying that you need to reset your accounts or provide your passwords or other personal identification online. I emphasize this because phishing attacks have become one of the leading social engineering methods for performing identity theft.

So be careful with your personal information and disclose it wisely. I am not saying to not trust anyone, just be sure you can trust who you think you can trust. I also encourage you to send this article to everyone you know including your great-grandparents, grandparents, parents, kids, loved ones, life partners, teachers, friends, enemies, and pets.

The more who know about social engineering the safer we will all be with our personal information.