Possible Duplicate:
Is social-engineering an actual threat
What is social engineering? Can you give me some examples?
Can social engineering have a big impact on business?
Possible Duplicate:
Is social-engineering an actual threat
What is social engineering? Can you give me some examples?
Can social engineering have a big impact on business?
When trying to break into a system, one can have multiple approaches. One of the options, that is often overseen, is rather to play the human rather than the machine. One can manipulate a victim into giving him crucial information for the attack or just handing over the information that was the initial target.
It can also mean manipulating someone into not reporting an anomaly or make him use hardware/software (Installing software with a virus/rootkit, inserting a USB drive with a virus on).
Some examples of cases where social engineering had a big impact on a business, some of these I heard through the Belgian Federal Computer Crime Unit, some others through articles.
Case 1: Large package handler looses 3 days worth of package tracking/orders , resulting in a few hundred thousands of euros of damage.
An administrator was fired, the disgruntled man came into the office a few days after he was let go. He made sure it was the less busiest moment possible. He then went on into the system and deleted (including backups) orders of 3 days. When the man came into the building, an ex-coworker noticed him coming in. Now this man knew the man was fired. The policy of the company also clearly dictated that when an employee sees someone in the building who is not an employee himself and is not accompanied by another employee, the employee needs to alert security. The co-worker confronted the administrator and asked him what he was doing there. The administrator made a story up saying he was clearing out his office. At this point we see the social engineering event. The administrator makes the ex-coworker think he's there legitemately, whilst he's not. Now the ex-coworker made the mistake of ingoring the company policy. (Of course other mistakes were made, such as not revoking the rights and access cards to the building immediately)
Case 2: Hackers throw prendrives onto the parking lot of chemical concern DSM This is a form of social engineering, in the sense of relying on the greedyness or goodness of people. Hackers threw pendrives all over the parkinglot of DSM. The pendrives themselves are infected with a Trojan that installs the rootkit. After analysis it was determined the software was looking for information, possibly company secrets. The hackers hoped employees would either use the pendrives themselves or put them in their computer to find out what documents are on it to try and see who they belong too. Fortunately the first employee to find a drive brought it to the IT department who did an anlysis of the stick and saw what was on it. They then immediately sent out messages to all the other employees to NOT insert any pendrives they find into their computer. This time there was no information stolen because an employee followed protocol.
Case 3: Hackers pretend to be of the Belgian FCCU, infect the computer with a trojan that auto redirects
In this case hackers pretented to be of the Belgian FCCU and installed malware on a victims PC that auto redirected the victim to a page looking like an official page of the police, stating that he's been disconnected because of downloading pirated software and needs to pay a fine before he can be reconnected again. Hackers use social engineering by posing as officials and threatening the target.
Case 4: Hacker calls victim and bypasses a two-factor authentication This case happened with a victim that was infected by a trojan. The victim wanted to login into his bank account which used a two factor authentication mechanism. The user has to insert his card into a reader and press the numbers that come onto the screen, provide his pincode and then insert the response into the password field. The attacker saw that the victim was about to log into his bank account and called him up. He then said to the victim that his bankaccount might have been hacked. He tells him they need to verify his identity, so he asks him to press a button a few times and tell him what number is on there (it's the serial number). The victim now believes the attacker is a bank representative. He then continued to let the victim enter the numbers he received on his pc to be able to bypass the two factor authentication mechanism. It worked and the victim's bank account was cleared out. This attack is relatively bolt to do, but not impossible. Again the victim was manipulated into thinking the representative was real.
As you can see these can all have grave impacts in day-to-day business proceedings and may cost a company a lot of money. The key is to have special seminars or other means of educating employees and users. Giving them examples of what might happen may result in them making the right decission one day when they are faced a similar situation as the ones above.
As always the risk of this happening has to be weighed to the cost of what might be lost. But in almost every case the risk is higher than the cost to train employees.
"Amateurs hack systems, professionals hack people" - Bruce Schneier
Basicly social engineering is the art of "human hacking". Instead of exploiting systems you try to exploit for example users trust, reciprocation, fear or everyone's desire to be helpfull. My answer at Is social-engineering an actual threat contains some detailed use-cases where social-engineering can be used to weaken the security of an organization.
Social Engineering is as old as humanity and has existed since one monkey figured out that if he grunted and looked elsewhere, he could probably get his branch mate to fail to pay attention so he could snatch the desirable fruit and make off with it. It is known as Conning, is practiced by Con Men and is known by its longer name as Confidence Tricking. Basically, find your mark, look for their vulnerability, gain their confidence or work their insecurity and take what you want off them while they're so distracted.
The one major vulnerability of people is their wish to be helpful, it is the foot in the door to representing yourself as any number of service people who might have access to their business to ask them and have them simply tell you some of the most confidential and vital information. If that doesn't work, there are other human foibles to play on that will get you there, a well targeted email can get you the keys to the kingdom.