Introduction to Social Engineering

1. ###########################################################################################
2.  
3. Introduction to Social Engineering
4.  
5. By: Tal0n of NixSec 05-16-04
6.  
7. ###########################################################################################
8.  
9. 1. Introduction
10. 2. What is social engineering?
11. 3. Internet Social Engineering
12. 4. Telephone Social Engineering
13. 5. In-person Social Engineering
14. 6. Conclusion
15.  
16. ###########################################################################################
17.  
18. 1. I am writing this paper to try and shine a light on a art that has been used for years,
19. but now days, has taken new form, the art of deception, social engineering. Social
20. engineering, if used correctly, can go from a few simple favors to international
21. espionage. It can also be the most effective kind of "hacking" you can do, and the only
22. thing required is the knowledge and understanding of the human mind, people skills, and
23. abit of cleverness to achieve almost any job at task.
24.  
25. ###########################################################################################
26.  
27. 2. What is social engineering? Social engineering is basically making people do what you
28. need or want them to do or making them give you certain information that you need or want.
29.  
30. Say you want a password to your friends computer. Would it be easier to keylog it or get
31. it some other way as such, or to talk it out of him? Probley the second option.
32.  
33. Consider this situation:
34.  
35. Dan: Hi Matt.
36. Matt: Whats up Dan?
37. Dan: Not much, just tring to play this game.
38. Matt: What game?
39. Dan: Hutt 3D.
40. Matt: Ah, I heard that game rocks.
41. Dan: I could sign you up for it.
42. Matt: Really? That'd be awesome.
43. Dan: Ya, no problem. I have to go soon thou.
44. Dan: I'll try to set some of it up before I go. What do you want your password to be?
45. Matt: Hmm.. try teehee, I use it for everything else anyways.
46. Dan: Sounds great, ill send you the rest of the information later, see ya!
47. Matt: Thanks Dan, bye.
48.  
49. In a quick conversation, because of the pressure of picking a quick and easy password,
50. Matt has successfully gave Dan access to probley all his other accounts, including email,
51. just by not thinking of picking a good password instead of one he uses for most all else.
52.  
53. The social engineering part was good on Dan's part, hence he gave Matt the pressure
54. feeling because he had to "go soon" and therefore *didn't* have time to talk with Matt
55. completely about the game or the setup information. Matt decided to make it easy so he
56. could play his new game as soon as possible and give Dan a vitial key to Matt's everyday
57. internet accounts.
58.  
59. When people feel a sign of a rush or feel that they will miss out on a good opportunity if
60. they don't hurry and provide information, causing them not to think as much as they
61. should.
62.  
63. Now that situation was made possible because there was a certain kind of 'trust' between
64. Dan and Matt. If the situation was alittle different, and Matt was talking to someone he
65. didn't know very well, the situation might still be possible, but it would either take
66. some smoother talking from the attacker, or some stupidy on the victim.
67.  
68. Trust is a big factor in social engineering. If someone doesn't feel that they trust you,
69. they probley would be as likey to comfortably go along with whatever you are planning. If
70. they do trust you, according to how much trust is involved and the mentality of the
71. victim, its possible to pull off almost anything.
72.  
73. ###########################################################################################
74.  
75. 3. Internet social engineering is pretty common now days, and lots of people, companies,
76. and even sometimes ISP's fall under the control of a social engineer.
77.  
78. Heres an example situation of an attacker trying to get access to the victim's website.
79.  
80. attacker: hi, how are you?
81. victim: pretty good, you?
82. attacker: fine
83. attacker: i seen you take care of somesite.com?
84. victim: ya, thats my site
85. attacker: wow, i love the graphics
86. attacker: content is nice as well
87. victim: why thank you :)
88. attacker: you wouldn't happen to have some extra webspace would you?
89. attacker: you see, me and a couple friends need somewhere to upload some pictures and
90. mp3's
91. attacker: think you could help us out?
92. victim: hm.. i dont really know how
93. attacker: oh, well its pretty easy
94. attacker: if you want me to, ill set it up, i just need the login info please
95. victim: ok, just make yourself some space somewhere and please don't mess with any of mine
96. attacker: of course not ;)
97. victim: username is somesite, password is whitesoxs
98. attacker: thanks, we really appreicate it :)
99. victim: no problem
100.  
101. Now lets analyse that situation...
102.  
103. First, the attacker comes off being really nice and polite, complementing the owner of the
104. site for its graphics and content.
105.  
106. Then, he gently asks for some webspace on the account that hosts the victims website.
107.  
108. The victim seems not to know alot about computers or authencation, and has a good feeling
109. that nothing bad would happen, hence the attacker's good attitude and niceness.
110.  
111. After that, the victim easily hands over the login information, the username and password,
112. giving the attacker full access to the victims website.
113.  
114. "Why?" you ask. Social Engineering.
115.  
116. Now there are other situations like gaining trust of a period of time, days, weeks, or
117. yes, even months. Even social engineers can be social engineered, it just mainly takes
118. time and research.
119.  
120. Us Humans have a want pattern. If we think someone will give us something, has the ability
121. to make us 'famous', or will get us somewhere, we tend to ease up and be 'too friendly'.
122.  
123. For example, who would you trust more with your car, your best friend, or an acquaintance?
124. Your best friend of course, unless you know he cannot drive or is very wreckless.
125.  
126. Trust, as I said before, is a key factor in social engineering. If someone doesn't trust
127. you, they probley won't let you take advantage of them.
128.  
129. ###########################################################################################
130.  
131. 4. Telephone social engineering is also a danger as well. Caller ID, as proved in "The Art
132. of Deception" cannot be used as a fool-proof way of identifing a caller, since it can be
133. spoofed without much trouble.
134.  
135. Check out this situation out.
136.  
137. victim: Hello, welcome to CompNet Technical Support. Tom Hoff speaking, how may I help you?
138. attacker: Hi, is this Jeff Bridge from Accouting.
139. victim: Hi Jeff, how are you doing today?
140. attacker: Well, not too good. I lost my password yesterday and I haven't been able to
141. access the
142. server. My boss has been on my case since last night and i'm not sure if I can get the pay
143. checks
144. out by Friday.
145. victim: Oh.. that doesn't sounds too good.
146. attacker: Could you do me a favor and reset my password for me so I can get back to work?
147. victim: Sure, whats you ID number?
148.  
149. At this point the attacker looks on the company's website for a listing of a the
150. employees. He lucks up and finds a text file with their names and ID numbers.
151.  
152. attacker: 332 i think
153. victim: Ya, thats it, 332
154. victim: Hold on just a second and i'll reset the password
155. attacker: Ok
156. victim: New password: changeme
157. victim: You need to change it to whatever you want as soon as you access the server.
158. attacker: The username is still jbridge, right?
159. victim: Yep, thats what it says here.
160. attacker: Thank you! By the way, I have a friend down here from Development that needs to know
161. what the new server is for his team.
162. victim: New server? As far as I know its always been dev.compnet.com.
163. attacker: Hmm.. maybe it was just down last night, we'll try it again later.
164. victim: Oh ok
165. attacker: Well, I have to go, thanks so much for your help again.
166. victim: It was no problem
167. attacker: bye
168. victim: bye
169.  
170. Now.. what just happened here?
171.  
172. attacker, impersonating "Jeff Bridge" from accounting, has just successfully done the
173. following:
174.  
175. Got information to access the server that has access to the payroll.
176.  
177. Got access to a machine and is probley not secure and attacker may move his privledges to
178. root.
179.  
180. Got the name of the server that the company development team uses so attacker can plan
181. future attacks on the company and may gain access such as to steal source code or other
182. information for the company's new or old product line, or other confidental information.
183.  
184. And the most important thing: Has gained some trust from the victim, that can be used in
185. other attacks planned for getting information or getting something done.
186.  
187. He also was able to gain a vitial piece of information to get the password he needed,
188. "Jeff Bridge"'s company ID number, which was publically on the company's website, which
189. isn't too smart.
190.  
191. ###########################################################################################
192.  
193. 5. In-person social engineering, although to some people not appearing too smart, will
194. have great effectiveness on the victim, and sometimes even more effectiveness then the
195. other ways, because the victim can actually see the person they are talking to, making the
196. trust factor grow and sometimes making them eaiser to manipulate.
197.  
198. Take this situation into consideration.
199.  
200. A man in a nice suit, tie, fancy hair, walking elgantly up to the ISP technical support
201. center.
202.  
203. He says he's in a hurry, and needs to get his username and password he lost while he was
204. at a business meeting. He needs them asap because he's working on a project on his laptop
205. and it can't wait.
206.  
207. The lady at the counter says she don't think she's allowed to do that.
208.  
209. The attacker politly complements your loyality and askes her to join him for lunch at a
210. fancy resturant the next day. He says he thinks shes got real talent and offers her a job
211. at his 'firm'.
212.  
213. She feels flattered and thinks she must help the guy out since he was been so nice to her.
214. She carefully looks up the username and password for the account name he gives her and
215. hands it to him on a piece of paper, whispering not to tell anyone because she might get in
216. trouble.
217.  
218. The attacker just successfully got the username and password of any account on the ISP,
219. just by using some smoothe words and dressing like a professional.
220.  
221. You see how easy it can be? It happens everyday, 90% of the time people don't even realize
222. it.
223.  
224. ###########################################################################################
225.  
226. 6. My conclusion in writing this paper is to explain how do successfully get anything you
227. want from a person by 'just asking for it'. Now that you have read it, hopefully you will
228. be more educated in the field and will know howto protect yourself or maybe even your
229. company from most social engineering attacks, if not most all. Online, on the phone, on the
230. street, all places where the possible social engineer preys. Will you be his next victim?
231. Hopefully not.
232.  
233. -Tal0n cyber_talon@hotmail.com
234.  
235. #nixsec @ efnet