People Hacking: The Psychology of Social Engineering

advertisement
People Hacking:
The Psychology of Social Engineering
Text of Harl's Talk at Access All Areas III
05/07/97
What is Social Engineering ?
Basically, social engineering is the art and science of getting people to comply to your
wishes. It is not a way of mind control, it will not allow you to get people to perform
tasks wildly outside of their normal behaviour and it is far from foolproof.
It also involves far more than simply quick thinking and a variety of amusing accents.
Social engineering can involve a lot of 'groundwork', information gathering and idle chit
chat before an attempt at gaining information is ever made. Like hacking, most of the
work is in the preparation, rather than the attempt itself.
You may think this talk may seem to be a weak excuse to demonstrate how these
techniques can be used for hacking. OK, fair enough. However, the only way to defend
against this sort of security attack is to know what methods may be used. With this
knowledge it is possible to pick-up on these techniques being used against either you or
your company and prevent security breaches before anyone gets near your data. A CERT
style security alert with few details is pointless in this case. It would simply boil down to
"Some people may try to get access to your system by pretending some things are true.
Don't let them." As usual, no help what-so-ever.
So What ?
Social engineering concentrates on the weakest link of the computer security chain. It is
often said that the only secure computer is an unplugged one. The fact that you could
persuade someone to plug it in and switch it on means that even powered down
computers are vulnerable.
Also, the human part of the a security set-up is the most essential. There is not a
computer system on earth that doesn't rely on humans. This means that this security
weakness is universal, independent of platform, software, network or age of equipment.
Anyone with access to any part of the system, physically or electronically is a potential
security risk. Any information that can be gained may be used for social engineering
further information. This means even people not considered as part of a security policy
can be used to cause a security breach.
A big problem ?
Security professionals are constantly being told that security through obscurity is very
weak security. In the case of social engineering it is no security at all. It is impossible to
obscure the fact that humans use the system or that they can influence it, because as I
stated before, there isn't a computer system on earth that does not have humans as a part
of it.
Almost every human being has the tools to attempt a social engineering 'attack', the only
difference is the amount of skill used when making use of these tools.
Methods
Attempting to steer an individual towards completing your task can use several methods.
The first and most obvious is simply a direct request, where an individual is asked to
complete your task directly. Although least likely to succeed, this is the easiest method
and the most straightforward. The individual knows exactly what you want them to do.
The second is by creating a contrived situation which the individual is simply a part of.
With more factors than just your request to consider the individual concerned is far more
likely to be persuaded, because you can create reasons for compliance other than simply
personal ones. This involves far more work for the person making the attempt at
persuasion, and almost certainly involves gaining extensive knowledge of the 'target'.
This does not mean that situations do not have to be based in fact. The less untruths the
better.
One of the essential tools used for social engineering is a good memory for gathered
facts. This is something that hackers and sysadmins tend to excel in, especially when it
comes to facts relating to their field. To illustrate this I am going to perform a small
demonstration....
[Demonstration here. This basically showed that with social pressure an individual will
conform to a group decision, even if it is obviously the wrong choice.]
Conformity
Even in cases where a person is sure they are right it is possible to cause them to act in a
different manner. If I had simply asked the last person on their own what the middle word
was they would have given me the correct answer and no matter how much I tried to
persuade them they probably wouldn't have changed their mind.
However, this group setting was a vastly different situation. This situation had what
psychologists called 'demand characteristics', that is this situation had strong social
constraints on how the participants should act. Not wishing to offend the other people,
not wanting to look dozy in front of a large audience and not undermining the views of
the other well respected participants all lead to a decision to 'go with the flow'. Using
situations with these characteristics is an effective way of guiding people's behaviour.
Situations
However, most social engineering is conducted by lone individuals and so the social
pressure and other influencing factors have to be constructed by creating a believable
situation which the target feels emmersed in.
If the situation, real or imaginary has certain characteristics then the target individual is
more likely to comply with your requests. These characteristics include:
• Diffusion of responsibility away from the target individual. This is when the individual
believes that they are not solely responsible for their actions.
• A chance for ingratiation. Compliance is more likely if the individual believes that by
complying they are ingratiating themselves with someone who may give them future
benefits. This is basically getting in with the boss.
• Moral duty. This is where an individual complies because they feel it is their moral duty
to. Part of this is guilt. People prefer to avoid guilt feelings and so if there is a chance that
they will feel guilty they will if possible avoid this outcome.
Personal persuasion
On a personal level there are methods that are used to make a person more likely to cooperate with you. The aim of personal persuasion is not to force people to complete your
tasks, but enhance their voluntary compliance with your request.
There is a subtle difference. Basically, the target is simply being guided down the
intended path. The target believes that they have control of the situation, and that they are
exercising their power to help you out.
The fact that the benefits that the person will gain from helping you out have been
invented is irrelevant. They target believes they are making a reasoned decision to
exchange these benefits for a small loss of their time and energy.
Co-operation
There are several factors, which if present will increase the chances of a target cooperating with a social engineer.
The less conflict with the target the better. Co-operation will be more readily gained
when the softly-softly approach is used. Pulling rank (or invented rank), annoyance or
orders rarely work for effective coercion.
The 'foot in the door' factor is where the focus of a persuasion attempt already knows a
you or has had experience of dealing with you. This is a particularly effective and was
known by con men as the 'confidence trick'. Psychological research showed that people
are more likely to comply with a large request if they have had previously complied to a
far smaller one. If this 'foot in the door' includes a positive history of co-operation, where
things have gone well in the past, then the chances of co-operation are greatly increased.
The more sensory information a target can gain from a social engineer the better. This is
especially true of sight and sound, you are more likely to be believed if the target can see
and hear you than if they can just hear your voice over the fone. Unsurprisingly ASCII
text communications are do not lend themselves to persuasion. It is very easy to refuse
someone via a IRC style chat.
Involvement
However, success does depend a lot on how involved a person is in the request you are
making. We can say system administrators, computer security officers, technicians and
people who rely on the system for essential work tools or communication are highly
involved in most social engineering attacks by hackers.
Highly involved people are persuaded better by strong arguments. In fact the more strong
arguments you give them the better. Suprisingly its not the same for weak arguments.
Someone highly involved in the attempt at persuasion is less likely to be persuaded if you
give them weak arguments. When someone is likely to be directly affected by a social
engineering attempt, weak arguments tend to generate counter arguments in the targets
head. So for highly involved people, the rule is more strong arguments, less weak
arguments.
People are classed as low involvement if they have very little interest in what you are
asking them to do. Relevant examples might be security guards, cleaners, or receptionists
at a computer system site. Because low involvement people are not likely to be directly
affected by a request, they tend not to bother analysing the pros and cons of persuasive
banter. Instead it is common for a decision to agree with your request or not to be made
based on other information. Such information could be the sheer number of reasons the
social engineer gives, the apparent urgency of the request or the status of the person
trying to do the persuading. The rule of thumb here is simply the more arguments or
reasons the better. Basically, people who aren't involved in what a social engineer is
trying to achieve will be more persuaded by the number of arguments or requests rather
than how relevant they are.
One important point to note is that less competent people are more likely to follow more
competent models. In the case of computer systems this is likely to be low involvement
people. The moral of these points is, don’t try and social engineer the sysadmin, unless of
course the sysadmin is less competent than you are, which as we all know is very
unlikely.
Securing against human attacks
With all this information how would someone go about making their computer system
more secure ? A good first step would be to make computer security part of everyone's
job whether they use computer or not. This will not only boost their self perceived status
with no extra cost to you but will make staff more vigilant. If you make someone
involved in keeping your computer system secure they are more likely to pay closer
attention to unauthorised individuals trying to gain access to a system.
However, the best defence against this, as with most things, is education. Explaining to
employees the importance of computer security and that there are people who are
prepared to try and manipulate them to gain access is an effective and wise first step.
Simply forewarning people of possible attacks is often enough to make them alert enough
to spot them. Remember, to give both sides of the story when educating people about
computer security. This isn't just my personal bias. When individuals know both sides of
an argument they are less likely to be disuaded from their chosen position. And if they
are involved in computer security, their chosen position is likely to be on the side of
securing your data.
There are attributes which people less likely to comply with persuasion tend to have. Less
compliant people tend to be pretty bright, highly original, able to cope with stress and
reasonably self confident. Stress management and self confidence can be taught or at
least enhanced. Self assertion courses are often used for management employees, this
training is excellent in reducing the chances of an individual being socially engineered, as
well as having many other employment benefits.
What this comes down to is making people aware and involved in your security policy.
This takes little effort and gives great rewards in terms of the amount of risk reduction.
Conclusion
Contrary to popular belief, it is often easier to hack people than sendmail. But it takes far
less effort to have employees who can prevent and detect attempts at social engineering
than it is to secure any unix system.
Sysadmins, don't let the human link in your security chain let your hard work go to waste.
And hackers, don't let sysadmins get away with weak links, when it is their chains that
are holding your data.
###
(c) Harl 1997. All rights reserved.
Download