108

I've recently finished the book The Art of Deception: Controlling the Human Element of Security by Kevin Mitnick.

The book was released on 4 December 2002. Not talking only about the techniques described in this book, but are the ways used by social engineers still a threat today?

I think that now, as we have moved at least 10 years on from the book and the issues described in it, we should be immune to such attacks, as we can quickly verify any information presented to us and have the option of using ciphering, high-speed mobile network connections, privilege control systems, biometric identification, etc.

Do I live in a false sense of safety, or is it fear speaking from me?


And now you can think about whether it was social engineering to ask such a question and get all your valuable knowledge, or not. :-)

Marek Sebera
    *"Amateurs hack systems, professionals hack people"* - Bruce Schneier – BlueRaja - Danny Pflughoeft Feb 19 '12 at 22:26
  • Without being a specialist, I'd say it can go both ways. It is easier to obtain information now than it was 10 years ago. – James P. Feb 20 '12 at 03:26
  • Wow. Just wow. I can think of no more effective threat to security than social engineering. – tylerl Feb 20 '12 at 04:44
  • This is only partially relevant (and thus doesn't warrant an answer), but **social engineering is made much easier today with everyone's personal info out there in public view** on all those facebooks, twitters and what-have-yous. If you e.g. know that the CEO went to Someplace High School together with the CTO, what his dog's name is, what he had for dinner yesterday and that he's not in the office today, it gives you that much more leverage (see the scenarios described in the answers; I'm pretty sure each and every one of these bits of data would fit in nicely someplace or another). – Piskvor left the building Feb 20 '12 at 23:15
  • Are you sure you read the book? – Peter Feb 21 '12 at 01:17
  • I'd also like to recommend Ghost in the Wires, by Kevin Mitnick. Awesome book demonstrating some social engineering techniques as well (http://www.amazon.com/Ghost-Wires-Adventures-Worlds-ebook/dp/B0047Y0F0K) – Chris Dale Feb 21 '12 at 22:11
  • Relevant: http://www.smbc-comics.com/index.php?db=comics&id=2526#comic – Chris Dale Feb 29 '12 at 13:23
  • No, it's not a threat at all. By the way, StackExchange is having database problems, could you all send me your passwords so I can update things? ;) – Polynomial Nov 22 '12 at 15:52

7 Answers

172

You most definitely live in a sense of false security! Social engineering is very prevalent still today, and I doubt that is about to change in decades if ever.

Here are some brief explanations on why social engineering works. It's tough to cover everything because social engineering is a really broad field.

Some reasons why social engineering works (from the book cited at the bottom):

  • Most people have the desire to be polite, especially to strangers
  • Professionals want to appear well-informed and intelligent
  • If you are praised, you will often talk more and divulge more
  • Most people would not lie for the sake of lying
  • Most people respond kindly to people who appear concerned about them

Being helpful

Usually humans want to be helpful to each other. We like doing nice things!

  • I run into the reception at a big corporate office with my papers soaked in coffee. I talk to the receptionist and explain that I have a job interview meeting in 5 minutes, but I just spilled coffee over all my papers. I then ask if the receptionist could be so sweet and print them out again for me with this USB memory stick that I have.

    This might lead to an actual infection of the receptionist's PC and may gain me a foothold within the network.

Using fear

The fear of failing or not doing as ordered:

  • The company director's (John Smith) Facebook page (or whatever other source of information) reveals that he has just left on a cruise for 3 weeks. I call the secretary and with a commanding voice I say "Hi, it's Chris calling. I just got off the phone with John Smith, he's having a very good time on his cruise with his wife Carla and kids. However, we are in the midst of integrating a very important business system and he told me to give you a call so you can help us. He couldn't call himself because they are going on a safari, but this is really urgent. All you need to do is take the USB stick that is addressed to him in the mail and plug it in, start the computer and we are all done. The project survives!

    Thank you very much! You have been a great help! I am sure John Smith will recognize you for this act of helpfulness."

Playing on reciprocation

  • The tailgate. I hold the entry door for you, and I quickly walk behind you. When you open the next door, which is security enabled, I head in the same direction and most people will try and repay the helpful action by holding the door for you again, thus allowing you into a place where you should not be. Worried about getting caught? Nah... You just say you're sorry and that you went the wrong way.

    The target would almost feel obliged to hold the door for you!

Exploiting the curiosity

  • Try dropping 10 USB sticks in various locations in your organization. You don't have to place them in too obvious places. The USB should have an auto-run phone home program so you can see when someone connects the USB stick and should theoretically be exploited.

    Another version of this is to drop USB sticks with a single PDF document that is called e.g. "John Smith - Norway.pdf". The PDF document contains an Adobe Acrobat Reader exploit (there are tons of them), and once the user clicks the document he will be owned. Of course, you have made sure that the exploit is tailored to the target organization's specific version of Adobe. It will feel natural for most people to open the document so that they can try to return the USB stick to its owner.

    • Another example of curiosity (maybe another term explains this better) is all these spam mails or bad Internet ads saying that you have won something or that a Nigerian prince is offering you a whole lot of money if you can help him. I am sure you are familiar with these already, but these are also social engineering attacks, and the reason they haven't stopped is that they still work!

That's just a few examples. Of course there are tons more!

We can also take a look at historic social engineering events:

HBGary

The full story can be read here (page 3 contains the social engineering part)

  • Last year HBGary was hacked. This attack involved many different steps but also a social engineering aspect as well. Long story short, the hacker compromised the email account of a VIP in the company and sent an email to an administrator of the target system saying something like this: "Hi John, I am currently in Europe and I'm bouncing between airports. Can you open up SSH on a high numbered port for me coming from any IP? I need to get some work done". When the administrator gets this email he feels it is natural to comply with this, seeing as the email is coming from a trusted source.

    But that is not it! The attacker had the password for the account, but the login was not working! So he emails back to the administrator "Hey again, it does not seem to be working. The password is still right? What was the user-name again?". Now he has also provided the actual password for the system (the attacker had it from the earlier compromise of another system in the same hack), giving the attacker a whole lot more trust from the administrator. So of course the administrator complies and tells the attacker his user-name.

The list at the top comes from the book "Social Engineering: The Art of Human Hacking" and I can very highly recommend it!

Chris Dale
    Favoriting the question (mainly) for this answer. – whitequark Feb 20 '12 at 01:28
  • @MarekSebera, you are very welcome. I hope you recommend the community to your friends and colleagues! – Chris Dale Feb 20 '12 at 09:04
  • In addition to all mentioned in this answer, think of regular life situations where you've felt like a patsy or been genuinely convinced you needed to buy something or give out information. Sales and marketing efforts, political campaigns, etc. all employ the same psychological techniques to achieve certain goals. The techniques might be old but the human being has not changed much and in this age of higher connectivity, there's a tonne of your data in public already. – Epoch Win Feb 20 '12 at 20:32
  • Another recent example: Mat Honan http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/ –  Apr 12 '13 at 08:51
29

Yes, any system is just as weak as the weakest member, and that is the human being, and it always will be.

You may be 'immune' to some of these most obvious techniques now, but does that equally apply to the stressed secretary who gets a phone call from the 'IT department' to quickly look up some important information on her boss's computer which cannot wait until after the upcoming weekend, oh and that strange window that might pop up and ask some unimportant question, she shall just click Accept. Of course she will do it ... everyone will do it in the wrong situation ...

ordag
  • yes, but in most particular cases similar to this one, we should be able to eliminate the possibility of breaching the system like this, simply by applying security conventions. Which means we don't allow the secretary to do anything on her boss's computer, because it would be a security violation... – Marek Sebera Feb 20 '12 at 02:00
  • @MarekSebera: that only really helps if the boss himself is not susceptible to social engineering attacks. And that would be a very optimistic assumption. – Joachim Sauer Feb 20 '12 at 09:50
  • totally disagree, human beings are not **always** the weakest member. If some server only accepts ftp connections for file transfers, all you have to do to gain access is sniff some packets to read the username and password, where is the social engineering in that? Was the human being the weakest element? As for the "will always be" part, I don't know where you're getting your information from. – João Portela Feb 20 '12 at 14:08
  • @JoãoPortela You can sniff such ftp packets and gain the same access rights as the observed user. Or you can trick the server admin to create a root account for you. **Of course not everything else is secure because human behavior is not.** Humans tend to look over the edge, they are not strict machines which just verify: "Username. Ok. Password. Ok." but instead (unconsciously) analyze the context: "Can I trust that person even if there are some inconsistencies?". And I hope we will always be the weakest element, because that weakness is trust, and I wouldn't want to give that up. – ordag Feb 20 '12 at 16:31
  • @ordag The point I was trying to make with my example was that the **weakest** element was not the human element but rather the technical element (I was in no way implying that social engineering attacks were impossible). – João Portela Feb 20 '12 at 17:18
  • @JoãoPortela obviously what he means by "humans will always be the weakest element" is that the human element is the one which cannot be easily or completely hardened against attack - and this is unlikely to ever change. – so12311 Feb 20 '12 at 19:23
  • Also, honestly I'd say that an FTP server open to an insecure network WAS a human problem--as is finding passwords in email. It's like buying a bathroom door lock that you can unlock with your fingernail and using it to secure your front door--The systems are fine, you are implementing them wrong! – Bill K Feb 20 '12 at 23:10
  • @zephyr if he meant that he should have written it. Apart from that I agree that it cannot be easily hardened against. – João Portela Feb 21 '12 at 22:05
  • @BillK if we go down that route everything is a human problem since software is written by humans, servers are configured by humans, etc.. That's why I said "where is the social engineering in that?", _trying_ to avoid going down that same route. – João Portela Feb 21 '12 at 22:09
17

Social engineering (SE) is not only about exploiting information which the attacker has, but also about exploiting patterns of (human) behavior.

To explain this, let's do a little exercise - say out loud the color, not the word.

[image: the color-word exercise (color names printed in a mismatching ink color)]

Can you see the "exploit" here? The use of this "exploit" in a real-life situation is very questionable, but it very clearly shows us how our brain can be manipulated even if we have the valid information (we all learnt colors when we were babies).

The real-life example could be something like this - let's say you want the secretary to put your USB into her machine. Going to her and politely asking her to do so might be rejected, especially if there are policies which forbid this. But you could suit up, spill coffee on your shirt / trousers and on your papers and then come to her, holding those papers and saying - "I'm so late for the meeting and while I was driving here, a cat ran out in front of my car and I started braking really hard. The cat did survive, but my papers didn't. I know this is a strange request, but please, could you print it for me? I'm really late and your boss might be really angry at me!"

This is called a pretext and basically, it's a role played by the SEr. What are we doing in this pretext? We are exploiting emotions. If this is played well, and your microexpressions are genuine, most likely she'll do what you want. Why? Because we, humans, are coded like this. Yes, she might know that putting an unknown device in her PC might be harmful; yes, she might be educated about it, but let's be serious, you tried not to hit the cat, you didn't drink your coffee, you ruined your suit, you're late for the meeting, the boss will be angry with you, and now some policy asks her to be rude to you. Come on... However, the key part here is to set her in the right mood - to feel sorry for you. To do so, your microexpressions must be interpreted as true (genuine) by her. If you played your cards right, you have the same effects as with the colors. She knows it's something she shouldn't do (color of words), but emotions are telling her otherwise (meaning of words).

Another trick which an SEr can pull on a target is the so-called Pavlov's dog experiment. So, what does the drooling dog have to do with ITSec? Let's say I want to know about physical security at your workplace. You know you shouldn't share that information with me. I also know that after work, you always come to the local pub for a drink. One day I introduce myself and we start small talk. At first it was just about your cool car. Then we started to talk about women in the bar, then about our exes, about last year's vacations and so on... All in all, something that is not unusual to talk about, but it's from private life. When we met, you noticed that every time I ask a question I hit the table with the cigarette. At first it might even be an annoying habit, but then you just ignored it. After a few days / weeks, when you started to feel comfortable around me, I started to ask about your work and work environment. And bit by bit, you told me what I wanted to know about physical security in your company.

So what did I do here? By casually talking to you, I trained your brain to give me answers every time I hit the table with the cigarette. While this is not brain-washing, and by just doing so you wouldn't tell me your darkest secrets, imagine this as peeling one layer of an onion. The second layer was the trust I gained with time spent with you in the bar. And so on and on... I did manipulate you, and this simple trick helped me not to raise any red flags when I asked you sensitive questions. Again, it wasn't about the information you have (do not tell that to strangers), but about your behavior and reaction to the outside world.

What I'm trying to say here is - no matter what you know, if you are placed in right situation, you'll do what is asked from you. Why? Because it's in our genetics.


Just to give one or two "out-of-IT-sector" examples of how the information / knowledge which the target has can be meaningless if he/she is attacked by a skillful SEr. In court, evidence is pure cold facts, yet a good lawyer can, no matter how bad a position his client is in, turn those facts in his favor using SE.

Before buying a car, you'll go and inform yourself which is the best for you. When you arrive at the shop to buy one, the seller can convince you that you should buy a more expensive car, again, using SE.

Also, check this video. How did he do it? By just acting normal. Nothing more.

StupidOne
10

It is one of the most used forms of targeted attack when the goal is internal information - in working with social engineering attack teams for many years we have had access to server rooms and secure areas, received confidential paperwork, been given accounts on sensitive systems etc.

People, as a generality, are helpful and ignorant. This sounds harsh, but on the whole, people will try and help out someone in distress, especially if that person looks or sounds unthreatening. And when faced with someone who knows more about a system or a procedure, many will do what they are asked to do.

A relatively cheap way to improve security in your organisation - awareness training every year. In terms of bang for buck this can be more effective than spend on IT security.

Rory Alsop
    it doesn't sound so harsh if you know it's the painful truth. **People really are helpful and ignorant, when considered as a group**, and it's not in the IT dpt.'s capabilities to change this. As for *awareness trainings every year*, do you have any recommendations? I think we all would appreciate it ;-) – Marek Sebera Feb 20 '12 at 02:07
6

Social engineering is still very often the weakest link. People are generally trusting, and sometimes the people resolving low-level tech support issues like password resets are cheap, poorly-trained labor that isn't particularly security conscious.

Additionally, information security is not necessarily as high a priority as say customer satisfaction when the systems/policies are being designed, lending to social engineering weaknesses.

dr jimbob
    Good point with customer satisfaction. I see this all the time. PayTV as an example where the whole idea of that system is broken, but used anyway. – ordag Feb 19 '12 at 21:34
5

Social Engineer = Confidence Trickster. Con men have been fully successful at breaching any and every method of securing (X) out there, where X equals data, weapons, patents, trade secrets, passwords, etc.

Conning people is as old as time and is as flexible as the minds of people are at learning new technology and others' weak spots at interacting with it.

This should be a joke (Managing CVE-0), but the best way to target your attack is to know your company and find a less tech savvy company vice president who opens the door to the company jewels.

Fiasco Labs
1

Look at all the your-account-has-been-suspended phishing spam that's out there. They wouldn't be sending it if it didn't sometimes work. That's a social engineering attack.

And since I wrote my original reply I've come across another case: a forged e-mail from the boss to an underling directing them to pay a 6-figure sum to a certain bank account in payment for a painting they purchased. Whoever tried this spearphish didn't know his target well enough; such a purchase would have been way out of character for him.

Loren Pechtel
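Two of the answers above describe the same kind of attack arriving by e-mail: the HBGary request to "open up SSH on a high numbered port" sent from a compromised VIP account, and the forged "pay for the painting" message from the boss. As an added example (not code from any answer on this page), the Python below screens raw messages for the red flags those two stories share: a known name arriving from an outside domain, a Reply-To that points somewhere else, urgency language, and a request touching credentials, remote access or money. The internal domain example.com, the protected-name list and the three sample messages are all constructed for this example.

```python
"""Screen inbound e-mail for the red flags of the two e-mail pretexts discussed on this page.

Added example, not code from any of the answers. The domain, the name list and
the sample messages are constructed assumptions.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"    # assumption: the organisation's own mail domain
PROTECTED_NAMES = {"john smith"}   # constructed: display names an impersonator would borrow

# Language that pushes the recipient to act before checking.
URGENCY = re.compile(r"\b(urgent(ly)?|asap|immediately|right away|today|can'?t wait)\b", re.I)
# Requests that touch credentials, remote access or money.
SENSITIVE = re.compile(
    r"\b(password|user-?name|open (up )?ssh|port|any ip|wire|bank account|transfer|pay(ment)?)\b",
    re.I,
)


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _body_text(msg: Message) -> str:
    """Collect the text/plain parts of a message (single-part or multipart)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    texts = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            texts.append(payload.decode(part.get_content_charset() or "utf-8", errors="replace"))
    return "\n".join(texts)


def score_message(raw: str) -> tuple[int, list[str]]:
    """Return (number of red flags, human-readable reasons) for one raw RFC 822 message."""
    msg = message_from_string(raw)
    reasons: list[str] = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)
    # A protected name arriving from an outside domain: the forged-boss setup.
    if name.strip().lower() in PROTECTED_NAMES and from_domain != INTERNAL_DOMAIN:
        reasons.append(f"display name {name!r} used from external domain {from_domain}")
    # Replies silently routed to a different domain than the one shown in From.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_domain:
        reasons.append(f"Reply-To domain {_domain(reply_addr)} differs from From domain {from_domain}")
    text = msg.get("Subject", "") + "\n" + _body_text(msg)
    if URGENCY.search(text):
        reasons.append("urgency language")
    hits = sorted({m.group(0).lower() for m in SENSITIVE.finditer(text)})
    if hits:
        reasons.append("request touching credentials, access or money: " + ", ".join(hits))
    return len(reasons), reasons


def needs_out_of_band_check(raw: str, threshold: int = 2) -> bool:
    """True when the request should be confirmed by phone to a known number before acting."""
    return score_message(raw)[0] >= threshold


# Constructed sample 1, the HBGary pattern: the mail comes from the genuine (but
# compromised) internal account, so every header check passes and only the
# content of the request gives it away.
SAMPLE_COMPROMISED_ACCOUNT = """\
From: John Smith <john.smith@example.com>
To: sysadmin@example.com
Subject: quick favour

Hi, I'm bouncing between airports in Europe. Can you open up SSH on a high
numbered port for me, coming from any IP? It's urgent, I need to get some work done.
"""

# Constructed sample 2, the forged-boss payment request.
SAMPLE_FORGED_BOSS = """\
From: John Smith <john.smith@example-mail.net>
Reply-To: js.office@another-host.net
To: accounts@example.com
Subject: Payment for the painting

Please transfer 150,000 USD today to the bank account below for the painting I
purchased. I am in meetings all day, so just get it done.
"""

# Constructed sample 3, ordinary internal mail.
SAMPLE_BENIGN = """\
From: Alice Jones <alice.jones@example.com>
To: all@example.com
Subject: Friday lunch

The menu for Friday is attached. No need to reply.
"""

if __name__ == "__main__":
    for label, raw in [("compromised account", SAMPLE_COMPROMISED_ACCOUNT),
                       ("forged boss", SAMPLE_FORGED_BOSS), ("benign", SAMPLE_BENIGN)]:
        score, reasons = score_message(raw)
        print(f"{label}: {score} flag(s), verify out of band: {needs_out_of_band_check(raw)}")
        for reason in reasons:
            print("   -", reason)
```

The compromised-account sample is the instructive one: it comes from the real internal address with no forged headers, so it scores only on content, which is exactly why the HBGary administrator had no technical reason to doubt it. The score is therefore a triage aid, not a verdict; anything that crosses the threshold is a request to confirm through a channel the sender did not choose (a phone number already on file, never one given in the mail), which is the procedural counterpart of the awareness training recommended in the answers above.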