Social Engineering Can Thwart the Best Laid Security Plans

Brien Posey - December 22, 2001

Printer Friendly

E-Mail Article
- To: (e-mail address)
  
  From: (e-mail address)
  
  Subject:
  
  Message:

Articles RSS

Rate this article

Average Reader Rating 0.00

Other articles written by Brien Posey:

Product Review: GFI's LANguard Network Security Scanner

Legacy Single Sign-On: Novell, Evidian, IBM, PassGo, or Computer Associates?

InsideOut Makes Firewall Reporting Useful

Read Comments

Introduction

It's been my experience that a lot of IT professionals don't like to talk about social engineering. Perhaps they don't view it as a credible threat, or maybe they have a hard time accepting the idea that all of their hard work and countless hours spent securing the network could be so easily undone by the act of an end user answering an "innocent" question. What ever the reason, social engineering is a very real threat that needs to be addressed.

There are a lot of different social engineering techniques, but they all have the same basic idea. The trick behind social engineering is to get the user to give up valuable information without them suspecting anything.

Getting Inside Information

Usually, hackers use the telephone for social engineering purposes since E-mail would tend to be suspicious and can easily be traced. To pull off social engineering successfully, the hacker usually needs a little inside information. This could come in the form of a buddy who works for the company providing them with a corporate phone directory or the name of a particularly nave user. Although such information is helpful, it isn't necessary.

If a hacker can't get their hands on the name of a particularly vulnerable user or a corporate directory, they will often look up the company's phone number on the Internet or in the phone book. Since many companies have voice mail that gives an employee directory, all that the hacker has to do is to listen for someone with an upper management title. Upper management staff tend to have relatively few rights on the network, but also tend to be extremely unknowledgeable of computers (unless it's an IT company). I've seen countless examples of this over the years. The president of a major insurance company that I used to work for only knew how to use his computer for E-mail and golf. The president of a transmission parts company doesn't even know how to turn his computer on. My point is that a hacker can be reasonably sure that if they select a high level executive from the company's phone directory, that although the person may have some computer knowledge, it probably won't be enough for the person to catch on to what's going on.

Falling For The Act

Once the hacker has an unsuspecting employee on the phone, it's time for the act to begin. The hacker will usually pose as an employee. If it's a big company with a lot of offices, they might pose as support personnel from another office. If it's a smaller company, they may pretend to be a new helpdesk employee, a consultant, or a representative from the phone company. What ever the role, a social engineer's first job is to convince the employee of their bogus identity.

Once the employee has fallen for the act, it's time to begin gathering information. The hacker will usually mix several innocent questions with some serious questions. This is done to get the user to let their guard down. For example, a social engineer's conversation might start out something like this:

Hello I'm John Doe, with XYZ corporation. Bob Smith (the network manager's name) has hired me as a consultant to help him with the next phase of the network upgrade. Before we start the upgrade though, we're trying to find out if any of the users have been having any problems, so that we can make sure to address those problems with the new software.

More times than not, the user will think of some sort of problem to tell the hacker about. The hacker's job is to listen to the problem, and then begin the "troubleshooting process". For example, the hacker might ask the user to look up several pieces of information for him. Some of this information will be harmless (to throw the user off), while some will be valuable. For instance, during the phone call, the hacker may ask for the following:

How much memory the system has
How much free hard disk space
The system's IP address
The phone number of a modem that's connected to the machine
Any remote access software that may be running

During the call, a good social engineer will walk the employee through the steps of looking this information up. The steps can be easily disguised as a part of the troubleshooting process, and having the user read the information directly off of the screen insures that the hacker gets accurate information.

Coaxing The User For Information

What happens next really depends on how the conversation goes. If the user tells the hacker that they use PC Anywhere for remote support, the hacker may immediately tell the user to let them dial in and "fix" the problem. The hacker may actually fix the user's problem so that the user won't be suspicious, but more than anything, this technique provides the hacker with the remote access password and an opportunity to test it.

If the user isn't having a problem or doesn't have any remote access software, the hacker will have to get their hands on a password, whether the local password or the domain password (these are often one in the same). Getting the user's password is tricky, because most of the time, the user's have been warned not to give out their passwords. Therefore, most good hackers won't simply ask for a password unless they find the user especially friendly. Instead, they must trick the user into giving the password up.

One of the most effective techniques for this is for the hacker to tell the user that they are uploading a new security patch right this moment, but something must have gone wrong because it isn't letting them complete the operation. The hacker would then tell the user something like "I must be spelling your user name wrong, spell it for me" The user will usually then provide the hacker with the exact spelling of their user name (one of the two "keys to the kingdom"). The hacker will then wait a few minutes, and possibly bang on a keyboard just to make it all sound real, before telling the user that it still isn't working. Next the hacker will ask the user to confirm the spelling of their password. Hopefully, by now, the hacker has gotten the user to relax and let their guard down enough that the user will spell the password without even thinking about security.

If the user refuses to give up the password, the hacker may briefly try to coax it out of the user, but will quickly move on to someone else, so as not to be discovered. They will usually conclude the phone call by saying something like, "That's OK, I'll just use the master password" or "I wish that everyone was as security conscious as you." This will help to put the user at ease again so that they don't report the incident.

The Final Objective

Now, suppose that the hacker did trick the user into giving up the password. The hacker must still maintain an image of legitimacy so that the user doesn't get suspicious. This is usually done by not rushing to get off the phone. The hacker may walk the user through the steps to fix some minor problem, or might probe the user for more information. What ever technique is used, the hacker must always appear to be very pleasant and helpful.

Once a hacker has gathered all of the information that they need, their final objective is to get off the phone, and be sure that the conversation goes unreported. Naturally, the hacker can't just say, "Don't tell anyone about this call." Instead, they will usually say something like "I'll call you in a few days to follow up on your problem" or "you can reach me at ." The call back method is preferred though, because the hacker can rest assured that the user won't call some bogus number and be alerted to their phony identity. Remember that a hacker's job is to not be discovered. This doesn't just apply to the short term, a hacker wants to remain undetected forever. Therefore, a hacker will usually tell the user that they will call them back in a few days. This not only puts the user at ease, but it also gives the hacker a few days to see how good the information that they were given actually is before they call the user back. The callback gives the hacker a chance to get more information if it's needed.

Many times a user will ask the hacker for a phone number, but a skilled hacker knows to use the bogus phone number trick as a last resort. It's better for the hacker to leave their doors open by making up a bogus story about being on vacation for the next few days or something, and promising to call the user immediately upon returning to the office. Of course if the hacker has everything that they need, they won't ever call back, but one of the biggest signs of a social engineering scam is a reluctance to provide a phone number, and a promise to call back.

About The Author

Brien Posey is the Vice President of Research of Relevant Technologies. Brien is an MCSE and a renown technology journalist. He was recently voted the most popular server author on CNET's TechProGuild portal.

Brien can be reached at bposey@relevanttechnologies.com.

comments powered by Disqus

Secure Mobile ERP—Is It Possible? | SAP HANA—One Technology to Watch in 2012 (and Beyond) | Demystifying SAP Solution Manager | Cloud Assets: A Guide for SMBs—Part 3 | I Want My Private Cloud | The Sum of All Malware Fears: Siemens on Stuxnet | Managing the Overflow of E-mails | Security Risk Assessment and Management in Web Application Security | Are You Adequately Protecting Your IT Infrastructure Components Inside the Firewall? | Enterprise Resource Planning Giants Eye the Shop Floor | The Pain and Gain of Integrated EDI Part One: The Pain of Integrated EDI | The Next Phase of Supplier Performance Management in the Retail Industry | Who Else is Using Your Wireless Network? | Information Security Firewalls Market Report Part Two: Current Market Trends and User Recommendations | Information Security Firewalls Market Report Part One: Market Overview and Technology Background |

The Instant Supply Chain Challenge | Inovis Delves into PIM by Snatching QRS Part Five: Challenges and User Recommendations | Inovis Delves into PIM by Snatching QRS Part Four: Market Impact | Inovis Delves into PIM by Snatching QRS Part Three: QRS Background | Inovis Delves into PIM by Snatching QRS Part Two: QRS Marketing | Automated Enterprise: Many High-ROI Opportunities | Secure Transfers of Large Files Over the Internet Using YouSendIt | Fed Warms Up to ERP Spending, but Will Contractors and Their ERP Vendors Comply? Part Two: Challenges and User Recommendations | Feds Warms Up to ERP Spending, but Will Contractors and Their ERP Vendors Comply? Part One: Event Summary and Market Impact | International Trade Logistics Challenge Automated Global E-Trading | Product Review: GFI's LANguard Network Security Scanner | The Best ACT! Is Still to Come | HIPAA-Watch for Security Speeds Up Compliance Part Two: Phase III and IV, and Product and User Recommendations | HIPAA-Watch for Security Speeds Up Compliance Part One: Vendor and Product Information | EAM Versus CMMS: What's Right for Your Company? Part One | GXS Acquires HAHT Commerce or More Synchronized Retail B2B Data Part Four: Challenges and User Recommendations. | GXS Acquires HAHT Commerce for More Synchronized Retail B2B Data Part Three: Market Impact | GXS Acquires HAHT Commerce for More Synchronized Retail B2B Data Part Two: HAHT Commerce | Using PKI to Protect Your Business Information | Sales and Operations Planning Part One: Identifying and Forecasting Demand | The CyberAngel: Laptop Recovery and File Encryption All-in-One | Evaluating Enterprise Software-Business Process or Feature/Function-Based Approach? All the above, Perhaps? Part Three: Knowledge Bases and User Recommendations | InsideOut Firewall Reporter Unravels the Mysteries of Your Firewall Logs | SCE Leaders Partner To See Beyond Their Portfolio Part Three: Challenges and User Recommendations | When the Bigger Fish Eats the Smaller to Become a Bigger Fish | The Future of Secure Remote Password (SRP) Part Two: Overcoming Obstacles to Success | The Future of Secure Remote Password (SRP) | Integrated Security: A New Network Approach Part Two: The Shift Toward Integration | Integrated Security: A New Network Approach | Vendor Analysis: Kaspersky Anti-Virus Products Examined | Increasing the Value of Your Enterprise Through Improved Supply Chain Decisions Part 3: Conclusion | 6 Immediate Business Improvements Offered by an Online SRM System: Part 3: Other Points to Consider | Hosting Horrors! | Legacy Single Sign-On: Novell, Evidian, IBM, PassGo, or Computer Associates? | Fourth Shift's evolution Within SoftBrands' DemandStream | The Intranet Has Come a Long Way: Where is it Going Next? | The 'Joy' Of Enterprise Systems Implementations Part 4: User Recommendations | The 'Joy' Of Enterprise Systems Implementations Part 3: Causes of Failures | The 'Joy' Of Enterprise Systems Implementations Part 2: Implementation Key Success Factors | The 'Joy' Of Enterprise Systems Implementations Part 1: Inexorable Statistics | OKENA Brews Up a StormSystem that Secures All Applications | Appointment Scheduling - Achieving the Positive Ripple Effect Part 2: A Solution | Siebel Rallies Its Integration Alliance Troops Part 2: Market Impact | Siebel Rallies Its Integration Alliance Troops Part 1: Recent Announcements | Incident Handling and Response Capability: An IT Security Safeguard Part 2: Establishing the Capability | Incident Handling and Response Capability: An IT Security Safeguard Part 1: Are You Ready to Support an Incident Response Capability? | Outsourcing Security Part 3: Selecting a Managed Security Services Provider | Outsourcing Security Part 2: Measuring the Cost | Outsourcing Security Part 1: Noting the Benefits | Vendor Review: SecureWave Protects Microsoft Operating System Platforms | Thanks to a Smart Little Company called Lexias, CIOs Can Now Empower their Users to Assist in eBusiness Security | Feds Buckle Down on Customer Information Security | Identix Leads Biometric Authentication | Bootcamp for the Pros; Why Ernst & Young Will Lead Security Auditing Standards | Vendor Analysis: Interliant's Security Vulnerability Assessment | OKENA Pioneers Next-Generation Intrusion Prevention | PipeChain Adds Pragmatism Onto Simplicity | Application Single-Sign On: Netegrity, Securant, or Evidian? | Lost Your Laptop? The CyberAngel® Brings It Back | InsideOut Makes Firewall Reporting Useful | Optimizing The Supply Chain Network And Reducing Distribution Costs - Part 2 An Andersen Point Of View | The Retail Industry: Improving Supply Chain Efficiency Through Vendor Compliance - An Andersen Point Of View | Optimizing The Supply Chain Network And Reducing Distribution Costs - An Andersen Point Of View | PRISM Users Get A Dedicated, Independent Web Community | ERP Trivia - Every Why Should Have Its Wherefore Part 2: ERP Key Success Factors | ERP Trivia - Every Why Should Have Its Wherefore Part 1: ERP Trends | The SOAP Opera Progresses - Helping XML to Rule the World | Nortel and Clarify: Was There Ever Synergy Enough to Support this Marriage? | New Era of Networks Gets Blinded By the NEON | SCT Corporation Means (e)Business For Process Manufacturing | EAI Market Consolidation Continues With Peregrine Acquisition of Extricity | A New Era Dawns for Sybase | Performance Management Simplified by MSPs | Tibco Takes a Pragmatic Approach to Multicasting | Talarian and NextSet Team for B2B Solutions | Manugistics Lays Groundwork For Talus Integration | QueryObject Partners With Cognos | Quantum Snaps Off Its NAS Group | Tempest Creates a Secure Teapot | E*Trade Ignores Private Security Warning, But Public Hullaballoo Gets Response | Navision Executes At a Slower Pace | eMachines to Ship Appliance | Sun Buys Cobalt | My Network Engineers are Talking about Implementing Split DNS. What Does that Mean? | VA Linux Releases NAS Server | eConnections Expands Web With IPNet | New Internet Appliances Coming from Compaq | Lipstream Speaks to Kana | Human-Machine Interaction Company Ramps Up Firewall Product Line | Security Information Market Heading for Growth | Alibris Charged with Intercepting Email | Remedy Welcomes You To Your New Office. Now Get To Work! | Peregrine Welcomes Loran to Its Nest In Network Management Matrimony | i2 Paints Broad Strokes at eDay | Cart32 in Need of Duct Tape | More Marketplace Success For Manugistics? | Deutsche Telekom to Acquire VoiceStream Wireless | Study Shows: FBI Alienates Industry Security Experts | Firewall Cowboyz Set the Stage to Free Innocent Convict | Lasership.com Looks To Descartes For Same-Day Delivery Help | Symantec Swallows AXENT; Takes on Network Associates | Novatel Wireless and Diversinet Team Up to Provide Security for Wireless Modems | Concur Gives Up The Boast | Red Hat Releases Clustering Software | Windows 2000 Bug Fixes Posted | Baltimore Technologies Doubles Revenues, Offers World-Class PKI Hosting | The Whys and Hows of a Security Vulnerability Assessment | Earthlink Leads the Way in DSL Security | PKI and Biometrics Ready for Take-Off | AT&T Has a Thing for Media | Secure Transport of EDI and XML for Trading Exchanges | Compaq and IBM Alliance for Storage | Can You Trust Entrust? | Marketing and Intelligence, Together at Last | Standard & Poor's Announces Security Certification | Evaluating the Total Cost of Network Ownership | Check Point Leads Firewall Market | Dell Snags Motorola’s Grzelakowski to Lead Wireless Business Unit | Fighting Cybercrime on the Internet | NetWare for Small Business – NetWhy? | Let Your Hard Drives Tell You Where they Are! | New Storage Array from Sun | E&Y Spins-Off eSecurity Online and Unveils Security Vulnerability Assessment Services | Technology Project Selection and Management in Community Banks | ASP Infrastructure: The Party Has Started | With Record Revenues, AXENT Puts Down a Solid Fist | NAI Will Pay Trend $12.5 Million Resulting from Law Suit | Sub7 Tells Chat Rooms All Your Stuff; F-Secure Leads the Battle | Cobalt Releases Linux "Clustering" Software | E-Cash Rollout Replaces Amex | More Infrastructure Support for CyberCarriers | Intranets: A World of Possibilities | GSA Schedule Partnership Gets Network-1 in the Door | Los Alamos Loses Top-Secret Information, Again! | Standard & Poor's Exposes Customers' Security | The AS/400 Takes You Securely Where You Want to Go | Multi-mode ADSL Heads for the Mountain | Applix Still Shows a Presence in the OLAP Market | Cisco’s Complete Network in a Box | Trend Micro Steps into PDA/Wireless AntiVirus Information Market | Manugistics To Help Amazon.com In Global Expansion | Gateway & AOL Follow Crusoe’s Footprints | Microsoft Tech Ed 2000 Win2K Attendee Network Fails Miserably | CryptoSwift Takes Rainbow Revenues Up 620% | Layer 3 or Bust | Ariba Gains Legs Courtesy of Descartes | Eppraisals.com Gives Lante High Marks | Secure in a Foundry | Smart Shoppers Go Abroad for Affordable Information Security Programs | Anti-Virus Advisories: Rating Them | The Arrow Now Points To Cisco | Network Appliance to Ship Sub-$10K Caching Hardware | The 7 Habits of Highly Effective Security | Compaq Reorganizes Again | 1 Little GB, 2 Little GB, ..., 10 Little Gigabit | Fischer’s Prio! SecureSync ~ A Solution to Enterprise Directory Chaos | Just One Hop Away From San Jose | Will Solomon Finally Satisfy Great Plains’ Insatiable Appetite? | Abandon All Insecurity, Ye Who Enter Here | Extreme Networks BlackDiamond Product of the Year | Top 10 Excuses For Not Securing Your Website or Network | AMD Server Plans De-Railed | Ernst & Young Leads Big 5 in Security | 6 Days After Advisory Posted, AboveNet Gets Hit | Cisco to Become a Player in the DWDM | Napster Cooks up Soup-to-Gnutella Network Management Challenges | Voice-Over-Broadband Standards on the Horizon | A Firewall is Cheaper Than a Lawyer | Gigabit Transceivers ~ the Next Generation | USinternetworking and AT&T are Working the System | NeoModal Launches Corporate Ship On Promising Journey | Analysis of TeleCommunication Systems, Inc. Release of Menu Driven Wireless Web Capability For SMS | Navision Software a/s: Mid-market iNvasion | MCI WorldCom: “It’s not an age, it’s an attitude” | Fixing Security Backdoors:
Red Hat 1, Microsoft 0 | WAP Forum Specifies RSA’s RC5 Encryption For Wireless | Netpliance Responds Quickly to Hardware Hack | SynQuest, Ford Deliver a Novel Application for Inbound Logistics | Strategic Partners or Merger on the Horizon? | SynQuest Teams With InterWorld for Internet Sales and Fulfillment | USi to Offer Managed Messaging for U.S. Feds | Security Stocks Burn Rubber | Mirapoint ~ ISP Messaging Solution in a Box? | Navision Becoming More Visible | A Forum for Wireless Standards…About time isn’t it? | DSL Provider Scoops up Netscreen Firewall Goldmine | Cyclone Untangles Digital Partnerships | Security Begins on Your Desktop | Network Associates Hopes to Rekindle the Flame | Novell Uses XML, LDAP, NDS to Manage AD, IOS, etc. | Hacker Publication Gets Top Defense Attorney | HP Reorganizes Storage Group, Addresses NAS-cent Market | Concur eWorkplace Projects Vision Onto Desktop | How 3Com, Became 1Com | Saudi Arabian Network Security Provokes Local Considerations | Cisco: IPv6 is Coming, Eventually | Gosh, There’s a Bug in Windows 98 | Robust Systems are Built from the Bottom Up | IBM is Not Enough; Ariba Announces Strong Partnership with Amex | USinternetworking: One Suite ASP | DOJ Keeps Low Profile on Curador; Protect Your IIS Server Today! | Information/Internet Appliances | Agilera.com – A new era for the web? | Security Breach: Now What? | PeopleSoft's CEO Steps Down | Descartes Evolution Yields Revenue Growth But No Profits | PeopleSoft, Lawson To Resell Integration Tools | MAPICS, Inc. to Acquire Pivotpoint, Expanding e-business Offerings for Mid-Sized Manufacturing Establishments | Microstrategy Moves Up with e-Business | Seagate Technology Refocuses its Software Business | The New Manugistics Debuts eBusiness Products | Concur's Customers Can Network Now | AT&T's Ecosystem | E-commerce Grass Getting Greener | Commerce One Meets GM: Web Now Has A Really Big Parts Department | Dynamic Ariba Trades Up | AMERICAN EXPRESS Selects TRADEX To Build New Business to Business Commerce Network | So Does your e-Business Provider have Internationally Recognized Tools in its Digital Business Consulting Toolkit? | 3Com Will Route Customers to In-house Web Design Firm | Total Uptime Guarantees? It Must Be A New Millennium! | Adsmart Blazes Vertical B2B Trail | Expedia Relaxes Registration Requirement | Be There or Be Square? David and Goliath Team on bCentral Auction Site | Ariba to Leave Integration to Specialists | Bank is First Mover in Canadian E-Commerce | Concur Scores A Bingo | Commerce One: Connectivity Improved | GE Comes to Lunch. Want to Guess Who the Appetizer Will Be? | News Analysis: Dot.Coms Getting Bred By Scient: Will Scient Spawn Into a Giant or Will Andersen Have the Edge? | Why Not Take Candy From Strangers? More Privacy Problems May Make Ad Agencies Nutty | Sendmail, Inc. and Disappearing, Inc. Team Up to Add Enhanced Security | Dell to Acquire ConvergeNet International | Palm Tries to Take the Desktop in Hand | Cisco Tries to Cache In By Buying Software Start-Up Tasmania Networks | Is Your Financial Transaction Secure? | Compaq, HP, IBM, Intel and Microsoft Create New PC Security Alliance | Expect Boom in Electronic Signatures | Secure Your Search Engine | President Proposes Security of Medical Records | Sendmail Takes Security to the Next Level with Version 3.0 for NT | CheckPoint & Nokia Team Up to Unleash a Rockin' Security Appliance | Trend Micro Anti-Virus Server for Microsoft Exchange ~ A Secure Choice For Enterprise Wide Anti Virus Protection. | Security Snafu at NetBank | Freeware Vendor's Web Tracking Draws Curses | The "S" in SAP Doesn't Stand for Security (that goes for PeopleSoft too) | Content Technologies releases MIMEsweeper PolicyPlus | Hackers Will Be Out in Full Force On New Year's Eve | Analysis of Virgin Net's Hacker Scare | Network Associates RePositions Itself as a Security E-Village | Lexiguard™: The Coming "Adobe Acrobat" of Encryption | CyberPeepers from Korean Sites Peek at U.S. Networks | Would You Hire a Hacker? What Would Your Mother Say? | @Home Scans Own Customers | CIOs Need to Be Held Accountable for Security | New Market for Security Insurance | At Least Your Boss Can't Read Your Home E-mail, Right? Wrong! | PrettyPark Virus Litters Cyberspace | Compaq and Samsung in Deal to Save Alpha | Packard Bell / NEC Leads Secure Etoken Deployment | Congress Acknowledges Outdated Banking Laws | SSA: Evolving into systems integrator to survive | JBA: Will it remain "@ctive Enterprise"? | Advanced Planning and Scheduling: A Critical Part of Customer Fulfillment | WorldCom SPRINTs, Nokia/Visa Pays Bill, & Service Providers Gear for Wireless Tsunami | How Secure is Your E-Mail? | Trend Virus Control System - A Centralized Approach to Protection | An Analysis of Trend Micro Systems - Who They Are and Where They're Going | Network Engines, Inc. - Double the CPUs for Web Serving | Server Appliances - "Caching" In on Internet's Growth | VPNs Are Hot, but What Are They? | ATM Machines Hacked in Moscow | How To Mitigate Holiday Cybercrime | Surf's Up at Akamai |

Disadvantages Of Outsourcing To India	Outsourcing Web Development	Data Protection Registration	Solidworks Office Professional Price	Autocad Light 2007 Purchase	Business Accounting Software Systems	Misery Signals Migrate Lyrics
Cross Cultural Training Articles	Ymii Outsource India	Autocad Car Drawings	Free Solidworks Parts Download	2008 Autocad Online Tutorial	Pharmacy Inventory Control Jobs	Acecad Digital Notepad Software
Edge Business Process Outsourcing Services	Sbc Internet Services	Fdot Autocad Standards	Process Industry Plm	Lean Manufacturing Definition Improvement	Open Source Computer Inventory Software

Analyst Reports

Interactive Case Studies

Downloadable Reports and Templates

Custom Reports

Selection Services Overview

Complete Selection Projects

Software Selection Reports

Supplementary Services

Case Studies and Brochures

Consultants

TEC Advisor

ERGO

RFI / RFP Templates

Software Evaluation Reports

Company Overview

Careers

Press Room

Analysts / Selection Services

Social Engineering Can Thwart the Best Laid Security Plans