Ethics and Law in New Media/Social Engineering in Social Networks
The term has a number of different meanings in different circles - for sociologists, it is a rather positive term denoting intervention in social processes (akin to a doctor curing an ailment). Political scientists understand it as the art of influencing large groups of people - most of all through media, but also via legislation, taxation and other means. While the latter is also quite relevant in new media, social engineering as understood by security specialists is one of the prime threats in the field. Kevin Mitnick, a notorious computer systems intruder (NB! Not "hacker" in its real sense) of the 90s, has defined social engineering as follows:
Social Engineering uses influence and persuasion to deceive people by convincing them that the social engineer is someone he is not, or by manipulation. As a result, the social engineer is able to take advantage of people to obtain information with or without the use of technology.
Note the last sentence - "with or without the use of technology". In fact, most of Mitnick's notable achievements occurred when he either did not use technology at all or used such a mundane apparatus as an ordinary phone. His first "hack", in his own words from his book, was as follows:
"I realized one day while riding the bus that the security of the bus transfer I had purchased relied on the unusual pattern of the paper punch that the drivers used to mark day, time, and route on the transfer slips. A friendly driver, answering my carefully planted question, told me where to buy that special type of punch.
The transfers are meant to let you change buses and continue a journey to your destination, but I worked out how to use them to travel anywhere I wanted to go for free. Obtaining blank transfers was a walk in the park.
The trash bins at the bus terminals were always filled with only-partly used books of transfers that the drivers tossed away at the end of the shifts. With a pad of blanks and the punch, I could mark my own transfers and travel anywhere that L.A. buses went. Before long, I had all but memorized the bus schedules of the entire system. (This was an early example of my surprising memory for certain types of information; I can still, today, remember phone numbers, passwords, and other seemingly trivial details as far back as my childhood.)" (Kevin Mitnick, "The Art of Deception")
From there, he moved to phone phreaking and in his high school days cracked his first public computer (his school's). Yet his infamy came from deeds that actually did not need a computer.
In his book, Mitnick also describes the scheme of Stanley Mark Rifkin, who stole 10.2 million USD from a US bank using just a phone and a snooped wire transfer code. He made a transfer to a Swiss bank, flew to Geneva, used 8.1 million to purchase diamonds from a Russian company, and smuggled the stones back to the US. He only got caught when attempting to sell the diamonds. Somehow his stunt has gone on record as "the biggest computer theft", although computers were not used at all.
Web 2.0 vs Snoop 2.0
The rise of Web 2.0 - social networking portals, wikis, blogs etc - at the turn of the century brought along a lot of new, interesting and useful ways to interact with people one would never be able to meet otherwise. Unfortunately, it has opened whole new avenues to social engineers, too.
Social engineering has some overlap with phishing and spam. While spam in its classic form is mostly a very obnoxious kind of advertisement, it can also be used for social engineering schemes (the best known of which are probably the Nigerian letters). Phishing - tricking people with faked information (e.g. redirecting web traffic to a similar-looking malicious page) - can also serve both purposes.
While viruses and other malware are not directly considered a part of social engineering, many Trojan horses do use similar mechanisms. A recent example: a trojan exploits MSN Messenger, sending the victim's contacts a link which begins with the name of the victim (fished out from the user data). The linked site asks for the MSN username and password before letting the visitor in. As the name of the fake site is familiar (as well as the sender), the recipient is likely to fall for it. The harvested information may be used for a direct attack, or the stolen identity may be used for further activities.
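A defender-side illustration of the MSN trojan pattern just described: a small scanner that flags chat messages whose link is not served by the messaging service's own hosts yet begins with the sender's name. This is an added example, not code from the original article; the allowlist, the "sender: text" log format and the sample messages are all constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist of hosts the real service uses for logins; an assumption
# for this example, not taken from the article.
TRUSTED_HOSTS = {"login.live.com", "messenger.msn.com"}
URL_RE = re.compile(r"https?://\S+")


def host_is_trusted(host: str) -> bool:
    """True when host is one of the trusted hosts or a subdomain of one."""
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def is_name_baited_link(url: str, sender_name: str) -> bool:
    """Flag a URL whose first host label or first path segment starts with the
    sender's own name, unless it points at a trusted host. This mirrors the
    'link begins with the victim's name' bait described in the text."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host_is_trusted(host):
        return False
    name = sender_name.lower()
    first_label = host.split(".")[0]
    path_head = parsed.path.strip("/").split("/")[0].lower()
    return first_label.startswith(name) or path_head.startswith(name)


def scan_chat_log(lines):
    """Return (sender, url) pairs for messages carrying a name-baited link.
    Each line has the constructed form 'sender: message text'."""
    hits = []
    for line in lines:
        sender, sep, text = line.partition(": ")
        if not sep:
            continue
        for raw in URL_RE.findall(text):
            url = raw.rstrip(".,)")  # strip trailing punctuation from the match
            if is_name_baited_link(url, sender):
                hits.append((sender, url))
    return hits


# Constructed sample messages, not real traffic.
SAMPLE_LOG = [
    "alice: check my new photos http://alice.pics-host.example/album",
    "bob: lunch at 12? http://messenger.msn.com/status",
    "carol: haha look http://free-gifts.example/carol/login",
    "dave: meeting moved to 3",
]
```

Running `scan_chat_log(SAMPLE_LOG)` flags alice's and carol's messages and leaves bob's trusted-host link alone.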
Combining the above with the "networks of trust" evident in many Web 2.0 applications results in a pretty explosive mix. Nearly all social engineering schemes begin with building up trust between the attacker and the victim. While Mitnick in his phone-based attacks had to build that trust anew in many cases, such relations are ready to be exploited in the current social networks.
The problem with consolidation
While sometimes it is possible for a talented "engineer" to achieve his/her goals with a single well-placed phone call, it is usually not that simple. The essence of social engineering is to collect small pieces of information - which usually are not so revealing when looked at in isolation - and to "put the puzzle together". Mitnick's book contains a lot of very telling stories about that.
In the case of social engineering via telephone, the pieces must be connected "by hand". Yet in the case of today's web-based social networks, it has become even easier, as many different services are consolidated under a single owner (e.g. Google, Yahoo, Microsoft). The more complex these services become, the more likely are undisclosed security vulnerabilities (for example, some are mentioned here). Exploiting one at e.g. YouTube may give the offender the "master password" for all Google sites (including the GMail mailbox and the Orkut social network). This in turn places all the victim's contacts in a danger zone, as the offender can pose as the victim, making use of the trust that he/she has among friends.
"An engineer" may also use Orkut or some other similar site (MySpace, Facebook etc) to create a network of potential victims, then attempt to lure them into revealing personal information to be further used in impersonation. Therefore, it is important to critically assess all personal information revealed via these sites.
Perhaps the most telling case was Gazzag.com (nowadays redirecting to Octopop.com), which was launched in 2006 and marketed online as a new cool social networking site. On registration, it offered to import all the user's contacts from Orkut, asking for the Orkut password. Again, this was the general Google password, for GMail, Orkut, YouTube and others. To top it off, registration used the imported contacts and sent everyone an invitation to join, signed by the user.
What to do?
In the last part of his book, Kevin Mitnick gives a lot of good advice against social engineering attacks. One of the slogans worth remembering is "Security through technology, training and procedures". Let's look at all three components.
- Technology - while no firewall or other technological solution can help alone, the first line of defense should be in place. This may mean keeping unauthorised persons out, limiting network traffic etc. Sometimes, potential shortcomings in training and/or procedures can also be compensated by technological measures - e.g. while people can be untrained in choosing a good password, the system can be configured to reject too short or letters-only passwords.
- Training - all personnel must be aware of the risks associated with social engineering. People must face the fact that there will be attempts. Knowing something about possible manipulations will definitely help. Another part of the training should focus on procedures (see below).
- Procedures - established security policies and rules. While there are situations where rules must be bent or broken, well-planned security guidelines are very valuable.
While these are written with corporate security in mind, they apply to an ordinary citizen as well:
- Technology - use an adequate level of protection for your computer (antivirus, firewall, anti-malware etc). Another way to limit attack vectors is to use alternative software platforms.
- Training - educate yourself about potential attacks and scam schemes
- Procedures - establish a routine to inspect the computer for signs of trouble, as well as be prepared for a possible incident (where to get help etc)
The SANS Institute white paper "A Multi-Level Defense Against Social Engineering" provides a list of measures not unlike Mitnick's:
- Foundational level: security policy that targets social engineering
- Parameter level: security awareness training for all users
- Fortress level: resistance training for key personnel
- Persistence level: ongoing reminders
- Gotcha! level: social engineering land mines
- Offensive level: incident response
Note: the "land mines" are people, practices and solutions set up in the way of potential attackers to raise an alarm. It may be a curious person sanctioned by the company to know all the people on the floor, a central security log, or a set of specific questions to answer.
Coming to the Web 2.0 and social networking applications, these guidelines can be applied as well:
- use the security measures provided by the application itself
- override consolidation where possible (i.e. use separate login data, not a unified password)
- do not recycle passwords (even a good password loses a lot of its strength when used in several places at the same time)
- learn about the vulnerabilities in software as well as popular exploits and attacks
- develop a personal policy of disclosing private information
To sum it up
What makes social engineering so dangerous? Probably the best answer is given again by Mitnick: "There is no patch for stupidity." One can fix systems, patch the security holes in them, update them to be secure. None of this can be done with humans. After all, even Albert Einstein had to admit: "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former."... But more often than not, people do not even need to be stupid. Mere unawareness will do.
- MITNICK, Kevin D., SIMON, William L. The Art of Deception: Controlling the Human Element of Security. John Wiley & Sons, 2002. (Partially readable on Google Books)
- GOLBECK, Jennifer. Gazzag.com is my new enemy. O'Reilly.com, November 4, 2006.
- GRAGG, David. A Multi-Level Defense Against Social Engineering. SANS Institute, December 2002.
Food for Thought
- Stanley Rifkin did not use a computer for his scam at all. What could be the reason that his scheme is often referred to as the largest computer fraud?
- Does the Internet have some innate characteristics that seem to favour social engineering?
- Blog about a good case of social engineering
- Formulate some measures which can reduce the effectiveness of social engineering attempts