Hacking

Social Engineering - We Start Playing

Adrian Stolarski
July 2, 2012 by
Adrian Stolarski

If hacking is known as entering a computer system through a breach of security, social engineering can be referred to as an intrusion into the mind. That really is the basic meaning of social engineering (to influence and manipulate people) and cracking (breaking into computer systems). Many people may not realize that the combination of these two mechanisms can create a powerful tool.

Admission

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

It's not so much stupidity that plays a key role in social engineering, so much as ignorance. It is simple: most people are simply not aware of the ways that social engineering can affect their individual lives and conversations. And it is this latent power of social engineering that makes it so dangerous. Attacks carried out by the social engineers are very difficult to detect because (unlike with a standard attack) the victims of social engineering may not realize right away that an attacker has manipulated them. I would like to relate some facts with you.

Historical

No one knows who really invented of the concept of social engineering. For thousands of years, and in numerous cultures, priests from all religions have engaged in the practice. First, people were threatened with dark eclipses of the sun and moon to enforce obedience. Even now threats of demonic interaction or the apocalypse still crop up in modern culture.

Credit for inventing social media is often incorrectly attributed to Kevin Mitnick, who only popularized the concept through his two books. In fact, social engineering has existed for as long as humanity. It is used in thousands of professions such as psychology, law enforcement, etc.

Fundamentals of Social Engineering

In a socially engineered attack, we can find traces of the basic rules of social engineering:

• Rules of value and profit: Everyone wants to fight for the things they value, such as material assets or reputation. Social engineering threatens these aspects of life, in which we will gladly stand in defense.

• The rule of reciprocity: Each instance we receive a positive thing from another person produces an immediate desire to reciprocate.

• The rule of social equity: A million customers cannot be wrong. According to this rule, it is easier to convince us to do something if someone can prove to us that others will think and behave like us.

• Rule of sympathy: If we like someone, we are much more likely to acquiesce to his or her request. This is the underlying principle in all personal interactions between individuals.

• The rule of unavailability: The value of any item increases if it is temporarily or semi-permanently unavailable, while the value an item that is readily available will go down.

• The rule of engagement and consistency: If you engage in something constantly, you will eventually strive to end that activity.

• The rule of authority: It is hard to resist the boss, even if his or her decisions in your opinion are incorrect.

In fact, we use these principles every day in our professional and personal lives. However, most people really don't analyze or even display any consciousness of the principles of social engineering as they act out in facets of everyday life. The use of socially engineered manipulations can be like playing chess. But remember, we are working to build relationships based on truth, and socially engineered manipulations are often based on lies.

Weaving the Web

The biggest threat to companies, as well as the biggest advantage of social engineering, is that attackers have an unlimited amount of time to prepare a hack on a targeted organization. Socially engineered attacks are not produced by beginners who have merely read a book—rather; attacks of this level are performed by skilled individuals who view this method as a game which contains hundreds of scenarios and thousands of combinations. In other words, social engineering can be likened to a game of GO.

Attacks like this can resembles a spider's web which traps insects of every size from small to large. Below are examples of a typical attack:

First: The attacker obtains the name of an employee from the company. Theoretically there is no problem with that.

Second: The attacker enters the company's website and looks for the department in which the person is employed.

Third: The attacker acquires the company address (and private address of the employee), which does not even require knowledge of the department. This information is published on the website of the company and the account on a social network.

Fourth: Next a hacker will call the employee posing as a colleague or friend and continue to force the employee to disclose company information, or to persuade the employee to install suspicious software.

Fifth: Now an attacker will spend time stealing the identity of the employee. From here on out, he or she will not have problems obtaining corporate data.

With a first name, last name, department, e-mail address, identification number, and often the username and password, we have all the tools for identity theft. With this information, a skillful social engineer can safely impersonate an employee and continue a long-term attack.

Please note that this is not an actual action plan, but rather an example of the types of concepts which drive socially engineered attacks. In this case, the social engineer calls the targeted person and pretends to be someone else (an administrator, an employee of the company, the customer). The attacker will present a reliable, though entirely fictitious, story and a clever way to ask for simple information.

Key to the attacker's success is the idea that each of the targeted employees agrees to something without much resistance. Victims should assume that he or she has not confessed any trade secrets or intellectual property.

An Attempt to Estimate the Extent of an Attack

What exactly are the real consequences of this phenomenon? Well, it is impossible to determine for every individual instance. Every socially engineered attack is very subtle. The first problem is that companies are not readily able to find out if they've been attacked. The second problem is that even when a company recognizes that security has been breached, said companies are not likely to share this information because so much private data has already been leaked. Thus, any study of socially engineered attacks should be treated seriously.

In fact, most companies seriously underestimate this threat. Why? I live in a fairly large urban area and write articles that deal with penetration testing for InfoSec Institute. In 2011 only one organization ordered a full penetration test, including a technological attack, an attack on the physical security of the organization, and a social engineering attack.

Yet socially engineered attacks seek to target the weakest link of any organization: people. Social engineering and social engineering attacks target the subconscious level of the human mind, a realm of the existence of which we seldom focus on. Social engineering targets our reflexes and automatic mechanisms. Nothing can prevent such an attack, not firewalls, or antivirus programs, or even millions of dollars spent on security infrastructure. All we have now are socio-technical courses designed to inform and safeguard workers. We must remember that the danger actually lurks everywhere—in every organization, in every city, and in every moment.

Why are Socially Engineered Attacks Used?

The use of social engineering is simply cost-effective. It has a long history and homegrown heritage. In modern times, we still use social engineering to deal with problems in our way. Each of us knows a hundred ways to use social manipulations from movements of the face, to twists of the body, and even to display sexual provocations. Thus, we use social engineering in both our personal and professional lives.

Additionally, social engineers are employed by competitors to steal trade secrets and to lead companies into bankruptcy. Socially engineered attacks are subtle attacks that leave no tangible evidence (for example, the destruction or removal of the company's important files from your computer). So the chance of detection, even after several weeks, is minimal.

Even if an attack is discovered, the company usually does not admit to this fact because the loss of any further information could cause additional damage to the company. Admitting to a successful attack is a sign of weakness and can cost the company a lot, in particular its good image and customer confidence. Therefore, any statistics on socially engineered attacks must be evaluated seriously. In addition, there is no reliable data on the scale of this phenomenon.

Those who read this article to learn about these attacks may be intrigued by the idea of using social engineering for their own purposes. Individual readers will have to assess their personal morals and business ethics when using the information provided. You just have to remember that social engineering, like any other form of manipulating people against their will , is punishable in most countries.

The most popular and easiest tool for an attacker to use is the lie. If you have the slightest doubt as to the identity of a person you are interacting with, you should dispel that individual immediately. Additionally, every conversation in the company regarding strategic assets, such as money, information, and security should be based recorded and reviewed.

If John Smith calls me and says that he is a network administrator, I hang up the phone and call John Smith directly, as his name should have appeared under number I know, not an unknown number indicated. With social engineer, the biggest threats cannot be solved by money, but rather by awareness. It's hard to tell the average American to shut the door of a house or a car, let alone convince him or her to no longer trust people. We all tend to operate under the assumption that no one is out to hurt us.

What are the costs of implementing solutions? Practically nil. After all, we all know how to use VoIP inside a corporate telephone network. However, as already mentioned, the problem is that people in leadership positions really believe that such far-reaching security measures are not needed. And this is a very dangerous position to have when considering the problem of socially engineered attacks.

You have to remember that any information that leaks from a company could be harmful. Even if you specify the name of friend or colleague, with whom you work, this information could help a social engineer. An attacker could use the name of a colleague to present a more authentic history and identity when targeting another employee.

I cannot emphasize this idea enough: Any information that leaves the company, even the simplest and most basic spreadsheet, could harm the company. Now we come to a simple conclusion: A company cannot completely defend itself against social engineering. Employees publish an incredible amount of information both on business and social networks, and thus, there will never be a full-proof way to plan against socially engineered attacks.. We can only try to overcome or minimize the risk of a socially engineered attack.

Summary

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

This is the end of the general introduction to social engineering and attacks based on social manipulations. In the next article we will be covering situations that may be staged through social engineering. I invite you to read the next installment.

Adrian Stolarski
Adrian Stolarski

Adrian Stolarski is a freelance security tech blogger, specializing in Java, PHP, and JQuery. In his own words, he does the hard work of training the unemployed. Currently, he handles Evaluation Visualization for real-time systems with XWT and Eclipse RAP. If he sees that something works, he asks how it works and why it works, then sets out to make it work better. A researcher for InfoSec Institute, he currently lives in Poland, but plans to move to London.