kSocial Engineering Fundamentals, Part I: Hacker Tactics by Sarah Granger last updated December 18, 2001 A True Story One morning a few years back, a group of strangers walked into a large shipping firm and walked out with access to the firm’s entire corporate network. How did they do it? By obtaining small amounts of access, bit by bit, from a number of different employees in that firm. First, they did research about the company for two days before even attempting to set foot on the premises. For example, they learned key employees’ names by calling HR. Next, they pretended to lose their key to the front door, and a man let them in. Then they "lost" their identity badges when entering the third floor secured area, smiled, and a friendly employee opened the door for them. The strangers knew the CFO was out of town, so they were able to enter his office and obtain financial data off his unlocked computer. They dug through the corporate trash, finding all kinds of useful documents. They asked a janitor for a garbage pail in which to place their contents and carried all of this data out of the building in their hands. The strangers had studied the CFO's voice, so they were able to phone, pretending to be the CFO, in a rush, desperately in need of his network password. From there, they used regular technical hacking tools to gain super-user access into the system. In this case, the strangers were network consultants performing a security audit for the CFO without any other employees' knowledge. They were never given any privileged information from the CFO but were able to obtain all the access they wanted through social engineering. (This story was recounted by Kapil Raina, currently a security expert at Verisign and co-author of mCommerce Security: A Beginner's Guide, based on an actual workplace experience with a previous employer.) Definitions Most articles I’ve read on the topic of social engineering begin with some sort of definition like “the art and science of getting people to comply to your wishes” (Bernz 2), “an outside hacker’s use of psychological tricks on legitimate users of a computer system, in order to obtain information he needs to gain access to the system” (Palumbo), or “getting needed information (for example, a password) from a person rather than breaking into a system” (Berg). In reality, social engineering can be any and all of these things, depending upon where you sit. The one thing that everyone seems to agree upon is that social engineering is generally a hacker’s clever manipulation of the natural human tendency to trust. The hacker’s goal is to obtain information that will allow him/her to gain unauthorized access to a valued system and the information that resides on that system. Security is all about trust. Trust in protection and authenticity. Generally agreed upon as the weakest link in the security chain, the natural human willingness to accept someone at his or her word leaves many of us vulnerable to attack. Many experienced security experts emphasize this fact. No matter how many articles are published about network holes, patches, and firewalls, we can only reduce the threat so much... and then it’s up to Maggie in accounting or her friend, Will, dialing in from a remote site, to keep the corporate network secured. Target and Attack The basic goals of social engineering are the same as hacking in general: to gain unauthorized access to systems or information in order to commit fraud, network intrusion, industrial espionage, identity theft, or simply to disrupt the system or network. Typical targets include telephone companies and answering services, big-name corporations and financial institutions, military and government agencies, and hospitals. The Internet boom had its share of industrial engineering attacks in start-ups as well, but attacks generally focus on larger entities. Finding good, real-life examples of social engineering attacks is difficult. Target organizations either do not want to admit that they have been victimized (after all, to admit a fundamental security breach is not only embarrassing, it may damaging to the organization’s reputation) and/or the attack was not well documented so that nobody is really sure whether there was a social engineering attack or not. As for why organizations are targeted through social engineering – well, it’s often an easier way to gain illicit access than are many forms of technical hacking. Even for technical people, it’s often much simpler to just pick up the phone and ask someone for his password. And most often, that’s just what a hacker will do. Social engineering attacks take place on two levels: the physical and the psychological. First, we'll focus on the physical setting for these attacks: the workplace, the phone, your trash, and even on-line. In the workplace, the hacker can simply walk in the door, like in the movies, and pretend to be a maintenance worker or consultant who has access to the organization. Then the intruder struts through the office until he or she finds a few passwords lying around and emerges from the building with ample information to exploit the network from home later that night. Another technique to gain authentication information is to just stand there and watch an oblivious employee type in his password. Social Engineering by Phone The most prevalent type of social engineering attack is conducted by phone. A hacker will call up and imitate someone in a position of authority or relevance and gradually pull information out of the user. Help desks are particularly prone to this type of attack. Hackers are able to pretend they are calling from inside the corporation by playing tricks on the PBX or the company operator, so caller-ID is not always the best defense. Here’s a classic PBX trick, care of the Computer Security Institute: “’Hi, I’m your AT&T rep, I’m stuck on a pole. I need you to punch a bunch of buttons for me.’” And here’s an even better one: “They’ll call you in the middle of the night: ‘Have you been calling Egypt for the last six hours?’ ‘No.’ And they’ll say, ‘well, we have a call that’s actually active right now, it’s on your calling card and it’s to Egypt and as a matter of fact, you’ve got about $2,000 worth of charges from somebody using your card. You’re responsible for the $2,000, you have to pay that...’ They’ll say, ‘I’m putting my job on the line by getting rid of this $2,000 charge for you. But you need to read off that AT&T card number and PIN and then I’ll get rid of the charge for you.’ People fall for it.” (Computer Security Institute). Help desks are particularly vulnerable because they are in place specifically to help, a fact that may be exploited by people who are trying to gain illicit information. Help desk employees are trained to be friendly and give out information, so this is a gold mine for social engineering. Most help desk employees are minimally educated in the area of security and get paid peanuts, so they tend to just answer questions and go on to the next phone call. This can create a huge security hole. The facilitator of a live Computer Security Institute demonstration, neatly illustrated the vulnerability of help desks when he “dialed up a phone company, got transferred around, and reached the help desk. ‘Who’s the supervisor on duty tonight?’ ‘Oh, it’s Betty.’ ‘Let me talk to Betty.’ [He’s transferred.] ‘Hi Betty, having a bad day?’ ‘No, why?...Your systems are down.’ She said, ‘my systems aren’t down, we’re running fine.’ He said, ‘you better sign off.’ She signed off. He said, ‘now sign on again.’ She signed on again. He said, ‘we didn’t even show a blip, we show no change.’ He said, ‘sign off again.’ She did. ‘Betty, I’m going to have to sign on as you here to figure out what’s happening with your ID. Let me have your user ID and password.’ So this senior supervisor at the Help Desk tells him her user ID and password.” Brilliant. A variation on the phone theme is the pay phone or ATM. Hackers really do shoulder surf and obtain credit card numbers and PINs this way. (It happened to a friend of mine in a large US airport.) People always stand around phone booths at airports, so this is a place to be extra cautious. Dumpster Diving Dumpster diving, also known as trashing, is another popular method of social engineering. A huge amount of information can be collected through company dumpsters. The LAN Times listed the following items as potential security leaks in our trash: “company phone books, organizational charts, memos, company policy manuals, calendars of meetings, events and vacations, system manuals, printouts of sensitive data or login names and passwords, printouts of source code, disks and tapes, company letterhead and memo forms, and outdated hardware.” These sources can provide a rich vein of information for the hacker. Phone books can give the hackers names and numbers of people to target and impersonate. Organizational charts contain information about people who are in positions of authority within the organization. Memos provide small tidbits of useful information for creating authenticity. Policy manuals show hackers how secure (or insecure) the company really is. Calendars are great – they may tell attackers which employees are out of town at a particular time. System manuals, sensitive data, and other sources of technical information may give hackers the exact keys they need to unlock the network. Finally, outdated hardware, particularly hard drives, can be restored to provide all sorts of useful information. (We’ll discuss how to dispose of all of this in the second installment in this series; suffice it to say, the shredder is a good place to start.) On-Line Social Engineering The Internet is fertile ground for social engineers looking to harvest passwords. The primary weakness is that many users often repeat the use of one simple password on every account: Yahoo, Travelocity, Gap.com, whatever. So once the hacker has one password, he or she can probably get into multiple accounts. One way in which hackers have been known to obtain this kind of password is through an on-line form: they can send out some sort of sweepstakes information and ask the user to put in a name (including e-mail address – that way, she might even get that person’s corporate account password as well) and password. These forms can be sent by e-mail or through US Mail. US Mail provides a better appearance that the sweepstakes might be a legitimate enterprise. Another way hackers may obtain information on-line is by pretending to be the network administrator, sending e-mail through the network and asking for a user’s password. This type of social engineering attack doesn’t generally work, because users are generally more aware of hackers when online, but it is something of which to take note. Furthermore, pop-up windows can be installed by hackers to look like part of the network and request that the user reenter his username and password to fix some sort of problem. At this point in time, most users should know not to send passwords in clear text (if at all), but it never hurts to have an occasional reminder of this simple security measure from the System Administrator. Even better, sys admins might want to warn their users against disclosing their passwords in any fashion other than a faceto-face conversation with a staff member who is known to be authorized and trusted. E-mail can also be used for more direct means of gaining access to a system. For instance, mail attachments sent from someone of authenticity can carry viruses, worms and Trojan horses. A good example of this was an AOL hack, documented by VIGILANTe: “In that case, the hacker called AOL’s tech support and spoke with the support person for an hour. During the conversation, the hacker mentioned that his car was for sale cheaply. The tech supporter was interested, so the hacker sent an e-mail attachment ‘with a picture of the car’. Instead of a car photo, the mail executed a backdoor exploit that opened a connection out from AOL through the firewall.” Persuasion The hackers themselves teach social engineering from a psychological point-of-view, emphasizing how to create the perfect psychological environment for the attack. Basic methods of persuasion include: impersonation, ingratiation, conformity, diffusion of responsibility, and plain old friendliness. Regardless of the method used, the main objective is to convince the person disclosing the information that the social engineer is in fact a person that they can trust with that sensitive information. The other important key is to never ask for too much information at a time, but to ask for a little from each person in order to maintain the appearance of a comfortable relationship. Impersonation generally means creating some sort of character and playing out the role. The simpler the role, the better. Sometimes this could mean just calling up, saying: “Hi, I’m Joe in MIS and I need your password,” but that doesn’t always work. Other times, the hacker will study a real individual in an organization and wait until that person is out of town to impersonate him over the phone. According to Bernz, a hacker who has written extensively on the subject, they use little boxes to disguise their voices and study speech patterns and org charts. I’d say it’s the least likely type of impersonation attack because it takes the most preparation, but it does happen. Some common roles that may be played in impersonation attacks include: a repairman, IT support, a manager, a trusted third party (for example, the President’s executive assistant who is calling to say that the President okayed her requesting certain information), or a fellow employee. In a huge company, this is not that hard to do. There is no way to know everyone - IDs can be faked. Most of these roles fall under the category of someone with authority, which leads us to ingratiation. Most employees want to impress the boss, so they will bend over backwards to provide required information to anyone in power. Conformity is a group-based behavior, but can be used occasionally in the individual setting by convincing the user that everyone else has been giving the hacker the same information now requested, such as if the hacker is impersonating an IT manager. When hackers attack in such a way as to diffuse the responsibility of the employee giving the password away, that alleviates the stress on the employee. When in doubt, the best way to obtain information in a social engineering attack is just to be friendly. The idea here is that the average user wants to believe the colleague on the phone and wants to help, so the hacker really only needs to be basically believable. Beyond that, most employees respond in kind, especially to women. Slight flattery or flirtation might even help soften up the target employee to co-operate further, but the smart hacker knows when to stop pulling out information, just before the employee suspects anything odd. A smile, if in person, or a simple “thank you” clenches the deal. And if that’s not enough, the new user routine often works too: “I’m confused, (batting eyelashes) can you help me?” Reverse Social Engineering A final, more advanced method of gaining illicit information is known as “reverse social engineering”. This is when the hacker creates a persona that appears to be in a position of authority so that employees will ask him for information, rather than the other way around. If researched, planned and executed well, reverse social engineering attacks may offer the hacker an even better chance of obtaining valuable data from the employees; however, this requires a great deal of preparation, research, and pre-hacking to pull off. According to Methods of Hacking: Social Engineering, a paper by Rick Nelson, the three parts of reverse social engineering attacks are sabotage, advertising, and assisting. The hacker sabotages a network, causing a problem arise. That hacker then advertises that he is the appropriate contact to fix the problem, and then, when he comes to fix the network problem, he requests certain bits of information from the employees and gets what he really came for. They never know it was a hacker, because their network problem goes away and everyone is happy. Conclusion Of course, no social engineering article is complete without mention of Kevin Mitnick, so I’ll conclude with a quote from him from an article in Security Focus: “You could spend a fortune purchasing technology and services...and your network infrastructure could still remain vulnerable to old-fashioned manipulation.” Stay tuned for Part II: Combat Strategies, which will look at ways of combatting attacks by identifying attacks, and by using preventative technology, training, and policies. To read Social Engineering, Part Two: Combat Strategies, click here. Social Engineering Fundamentals, Part II: Combat Strategies Sarah Granger 2002-01-09 Social Engineering Fundamentals, Part II: Combat Strategies by Sarah Granger last updated January 9, 2002 All Access This is the second part of a two-part series devoted to social engineering. In Part One, we defined social engineering as a hacker’s clever manipulation of the natural human tendency to trust, with the goal of obtaining information that will allow him/her to gain unauthorized access to a valued system and the information that resides on that system. To review: the basic goals of social engineering are the same as hacking in general: to gain unauthorized access to systems or information in order to commit fraud, network intrusion, industrial espionage, identity theft, or simply to disrupt the system or network. My first attempt at social engineering came before I even knew what the term meant. In my junior and senior years of high school, I was the student representative on my school district’s pilot technology committee. The district wanted to test having a district-wide computer network at my school my senior year, before implementing the network across the district the following year. They requested bids and selected the hardware and software for the pilot network, and my job senior year was to help test the network. One day, I noticed that the new machines and peripherals were not locked down, so I grabbed a monitor and mouse and started strolling down the hall to see if anyone noticed. No one did. Then I decided to take them outside. I made it to the back of the parking lot and turned around, then decided that was a good enough test and returned the items. The fact that no one noticed or stopped me disturbed my sense of what network security ought to mean, so I reported the test to the principal. The following year, all of the new computers and peripherals in the district were physically locked. My experience shows how simple, straightforward and effective social engineering attacks can be. To this day, I wonder how many computers school districts have lost due to nonexistent prevention of social engineering attacks. This article will examine some ways that individuals and organizations can protect themselves against potentially costly social engineering attacks. I refer to these practices as combat strategies. Where to Begin? Security Policies Social engineering attacks can have two different aspects: the physical aspect or the location of the attack, such as in the workplace, over the phone, dumpster diving, on-line, and the psychological aspect, which refers to the manner in which the attack is carried out, such as persuasion, impersonation, ingratiation, conformity, and friendliness. Combat strategies, therefore, require action on both the physical and psychological levels. Employee training is essential. The mistake many corporations make is to only plan for attack on the physical side. That leaves them wide open from the social-psychological angle. So to begin, management must understand the importance of developing and implementing well-rounded security policies and procedures. Management must understand that all of the money they spend on software patches, security hardware, and audits will be a waste without adequate prevention of social engineering and reverse social engineering attacks (Nelson). One of the advantages of policies is that they remove the responsibility of employees to make judgement calls regarding a hacker's requests. If the requested action is prohibited by policy, the employee has no choice but to deny the hacker's request. Strong policies can be general or specific, but I recommend somewhere in between. This gives the policy enforcers some flexibility in how procedures will develop in the future, but limits staff from becoming too relaxed in their daily practices. (See Security Focus’s Introduction to Security Policies series.) The security policy should address information access controls, setting up accounts, access approval, and password changes. Modems should never be permitted on the company intranet. Locks, IDs, and shredding should be required. Violations should be posted and enforced. Preventing Physical Attacks In theory, good physical security seems like a no-brainer, but in order to truly keep trade secrets from escaping the building, extra caution is required. Anyone who enters the building should have his/her ID checked and verified. No exceptions. Some documents will need to be physically locked in file drawers or other safe storage sites (and their keys not left out in obvious places). Other documents may require shredding – especially if they ever go near the dumpster. Also, all magnetic media should be bulk erased as “data can be retrieved from formatted disks and hard drives.” (Berg). Lock the dumpsters in secure areas that are monitored by security. Back inside the building, it should go without saying that all machines on the network (including remote systems) need to be well protected by properly implemented passwords. (For some helpful hints, please see SecurityFocus’s article Password Crackers, - Ensuring the Security of Your Password.) Screen saver passwords are also recommended. PGP and other encryption programs can be used to encrypt files on hard drives for further security. Phone & PBX One common scam is to illicitly place toll calls through an organization’s PBX, or private branch exchange, a private telephone network used within an organization. Hackers can call in and do their impersonation routine, ask to be transferred to an outside line, and then make multiple calls around the world, charging them to that corporation. This can be prevented by instituting policies that disallow transfers, controlling overseas and long-distance calls, and by tracing suspicious calls. And if anyone calls saying that they are a phone technician who needs a password to gain access, he/she is lying. According to Verizon Communications, phone technicians can conduct tests without customer assistance, therefore requests for passwords or other authentication should be treated with suspicion (Verizon). All employees should be made aware of this so that they are not susceptible to this tactic. As was stated in the first article in this series, the Help Desk is a major target for social engineering attacks, primarily because their job is to disclose information that will be helpful to users. The best way to protect the Help Desk against social engineering attacks is through training. The Help Desk should absolutely refuse to give out passwords without authorization. (In fact, it should be organizational policy that passwords should never be disclosed over the phone or by e-mail; rather, they should only be disclosed in person to trusted, authorized personnel.) Callbacks, PINs, and passwords are a few recommended ways to increase security. When in doubt, Help Desk workers are encouraged to “withhold support when a call does not feel right” (Berg). In other words, just say no. Training, Training, Retraining The importance of training employees extends beyond the Help Desk across the entire organization. According to Naomi Fine, expert in corporate confidentiality and President and CEO of Pro-Tec Data, employees must be trained on “how to identify information which should be considered confidential, and have a clear understanding of their responsibilities to protect it” (Pro-Tec Data). In order to be successful, organizations must make computer security part of all jobs, regardless of whether the employees use computers (Harl). Everyone in the organization needs to understand exactly why it is so crucial for the confidential information to be designated as such, therefore it benefits organizations to give them a sense of responsibility for the security of the network. (Stevens) All employees should be trained on how to keep confidential data safe. Get them involved in the security policy (Harl). Require all new employees to go through a security orientation. Annual classes provide refreshers and updated information for employees. Another way to increase involvement, recommended by Ms. Fine, is through a monthly newsletter. Pro-Tec Data, for example, provides newsletters with real world examples of security incidents and how those incidents could have been prevented. This keeps employees aware of the risks involved in relaxing security. According to SANS, organizations use “some combination of the following: videos, newsletters, brochures, booklets, signs, posters, coffee mugs, pens and pencils, printed computer mouse pads, screensavers, logon banners, notepads, desktop artifacts, T-shirts and stickers” (Arthurs). Wow, I can just picture Dilbert in his cubicle with all of that stuff. The important point made, however, is that these things be changed regularly, or the employees will lose sight of their meaning. Spotting a Social Engineering Attack Obviously, in order to foil an attack, it helps to be able to recognize one. The Computer Security Institute notes several signs of social engineering attacks to recognize: refusal to give contact information, rushing, name-dropping, intimidation, small mistakes (misspellings, misnomers, odd questions), and requesting forbidden information. “Look for things that don’t quite add up.” Try thinking like a hacker. Bernz recommends that people familiarize themselves with works such as the Sherlock Holmes stories, How to Make Friends and Influence People, psychology books, and even Seinfeld (he and George Costanza do have a knack for making-up stories) (Bernz). To understand the enemy, one must think like him. Companies can help to ensure security by conducting ongoing security awareness programs. Organizational intranets can be a valuable resource for this approach, particularly if on-line newsletters, e-mail reminders, training games, and strict password changing requirements are included. The biggest risk is that employees may become complacent and forget about security. Continued awareness throughout the organization is the key to ongoing protection - some organizations even create security awareness programs, such as the distribution of trinkets mentioned above. Responding to Social Engineering Attacks In the event that an employee detects something fishy, he or she will need procedures in place for reporting the incident. It is important for one person to be responsible for tracking these incidents – preferably a member of the Incident Response Team (IRT), if the organization has one. Also, that employee should notify others who serve in similar positions as they may be threatened as well. From there, the IRT or individual in charge of tracking (a member of the security team and/or system administrator) can coordinate an adequate response. Kevin Mitnick made an interesting point in his article entitled "My First RSA Conference". Mitnick stated that the decision by conference organizers to not hold any social engineering sessions was a mistake, saying: “You could spend a fortune purchasing technology and services from every exhibitor, speaker and sponsor at the RSA Conference, and your network infrastructure could still remain vulnerable to old-fashioned manipulation.” This is important. To increase awareness, more security organizations should make social engineering a priority for their programs and conferences. Also, organizations should routinely conduct security audits so that security doesn’t become stale. The following table lists some common intrusion tactics and strategies for prevention: Area of Risk Hacker Tactic Combat Strategy Phone (Help Desk) Impersonation and persuasion Train employees/help desk to never give out passwords or other confidential info by phone Building entrance Unauthorized physical access Tight badge security, employee training, and security officers present Office Shoulder surfing Don’t type in passwords with anyone else present (or if you must, do it quickly!) Phone (Help Desk) Impersonation on help desk calls All employees should be assigned a PIN specific to help desk support Office Wandering through halls looking for open offices Require all guests to be escorted Mail room Insertion of forged memos Lock & monitor mail room Machine room/Phone closet Attempting to gain access, remove equipment, and/or attach a protocol analyzer to grab confidential data Keep phone closets, server rooms, etc. locked at all times and keep updated inventory on equipment Phone & PBX Stealing phone toll access Control overseas & long-distance calls, trace calls, refuse transfers Dumpsters Dumpster diving Keep all trash in secured, monitored areas, shred important data, erase magnetic media IntranetInternet Creation & insertion of mock software on intranet or internet to snarf passwords Continual awareness of system and network changes, training on password use Office Stealing sensitive documents Mark documents as confidential & require those documents to be locked GeneralPsychological Impersonation & persuasion Keep employees on their toes through continued awareness and training programs Realistic Prevention Yes, real prevention is a daunting task. Let’s be realistic, most companies don’t have the financial or human resources to do all of what’s listed above. However, some of the money spent on plugging network holes can be redirected. The threat is as real, if not more real than most network holes; however, we don’t want to create militant help desk staff. Just be smart and reasonable. It is possible to keep morale high and have a fun company culture without sacrificing security. By slightly changing the rules of the game, the intruders no longer take the wheel.