Social Engineering

A social engineering (SE) is a wide range of techniques used to influence person to take action that may or may not be in their best interest. Very often social engineering is referred to as an art of human hacking; Yet, a lot of techniques used by attackers is reinforced by a science and human psychology. Attackers use these techniques because it’s much easier to persuade a person to plug in an infected USB thumb drive into victim’s system, rather than try to hack their way in by targeting hardware and software vulnerabilities.

Over the millennia there have many con artists and hackers that used social engineering to scam people into doing things that they normally would never do. For instance one of the early and interesting examples of social engineering can be found in the bible, when the Devil himself tricked Eve into eating the forbidden fruit.

Image result for eve apple painting

Yep that’s right, SE is Satan’s greatest wicked non technological weapon, and Eve did not stand a chance. At least not till the modern age when we have access to tools such as Internet and world wide web which are great resources for educating our selfs.

Another example, and little closer to earth is an infamous Kevin Mitnick, who in the 90’s became one of the first FBI’s most wanted hacker. Many times he has deluded agents, doing practical pranks such as leaving donuts for the agents  in the fridge but eventually due his arrogance and help of much respected computer security expert Tsutomu Shimomura got caught.

According to the records Kevin has been sentenced to five years of prison for braking into the government systems, networks of Pacific Bell, Nokia, IBM, Motorola, and few other companies. What is the moral of the story is that Mitnicks did not refer to what he was doing as hacking; instead, he liked to call it “social engineering.”

Later on, after getting out of the prison and cleaning up his act, he has been asked by US government to look into improving FBI’s information security practices; which later lead him to launch his own security consulting firm. As of today Kevin is still in the business doing information security consulting and once again claims to have a hundred percent success rates when deploying a “social engineering trade craft”. After all Humans, not computers, are usually the weakest links.

An Information Security is based entirely on establishing trust, and if an attacker using social engineering framework can elevate that trust and eventually lead to further exploitation that is when we can get in real trouble. Fort that reason best approach is to understand at least the basic techniques that social engineers use and establish clear guidelines and procedures so everyone can follow.

For instance, let’s imagine one day a good looking person wearing workers uniform knocked at your door, and kindly pointed at your name on their binder that there is a problem with your account and ask to see your most recent bill to straight it out. Would you comply? Right now your answer is probably no, but why wouldn’t you? Nobody likes to have problems, and if a nice person can fix that for you, than why not?  What if the nice person would tell you that the problem is that you are using wrong supplier and by making the correction you would be saving a lot of money?  If eventually you would say sure why not, who does not like to save money, than you would have become a victim of social engineering, and your account would have been compromised.

Another real life example was when two workers from Internet Service Provider walked in to the front door of a business and asked to get access to telecommunication closed because there are some issues that they need to take care of, and the answer from the front desk was “what took you guys so long?

Thankfully the two guys where part of information security team, performing an information security audit. Can you imagine what would have happened if those two where in fact bad guys?  

 Last but not least let’s imagine a person come to your company for an interview. But instead of a resume, he\she is holding a piece of paper that looks like it has been true some rough life. With a desperate look on the persons face, he\she explains that the resume slipped through and fell straight to puddle. Thankfully they have a copy on a thumb drive, and you would have become a life saver if you could reprint him/her a copy. Again, it’s just using our imagination to create a very generic scenario but in real life a professional social engineer would have carefully crafted the conversation and the situation you to are at, and if you would have plugged that thumb drive into your PC or even a printer, that exact second you would have bypassed all information security controls that might have been in place.