Security and Privacy in a Networked World/Social networks and social engineering
More No Tech Hacking: two cases
Note: these ones are fictional, but things like this happen in real life.
The bookkeeper of a department of a large company, Mrs Smith, receives a phone call from "Martin Marston from the internal audit". The caller asks a long sequence of questions, such as
- how many employees the department has
- how many of them have a university degree
- how frequently does the company offer professional training
- what is the staff costs account number
- how many employees have left during the last year
- what does the general work atmosphere in the department feel like
What was wrong here? Probably the account number should not be given away like this...
How to plant something nasty, using an old mobile phone with a prepaid phone card.
- Call Mr Bolton at the bookkeeping, introduce yourself as the new IT support guy and ask whether everything is OK (and "to be sure", leave your phone number). Somewhere during the conversation, ask for the number of the network socket at Mr Bolton's desk (it is, say, 12).
- After a couple of hours, call the IT department of the company. Again, be the "support guy", but now speaking from "Mr Bolton's office". Complain about the new malware outbreak (using some techspeak, of course) and ask for socket number 12 to be disconnected "to allow you to sort out this mess here".
- Wait for Mr Bolton to panic and call "the support guy" (you did leave your number, right?). Assure him that the matter will be handled.
- After an hour, call the IT department, report that you have managed to clean up the Sockpuppet.B.W64 virus infection from the computer and ask for socket 12 to be reconnected.
- Call Mr Bolton, report the problem solved - and ask him to download "a new patch for the firewall" (you may warn him that it does not do anything visible). Instruct him to delete the downloaded file "to conserve disk space".
- Get rid of the phone - of course, clean it up in every way (memory, battery, fingerprints etc) if you plan to dump it intact.
In these cases, some measures that might have helped are:
- shared logging - all requests (e.g. the phone call in Case 1) are registered and can be responded to by several people
- callback policy - no requests are taken by phone, all contacts have to be initiated "from inside"
- putting on hold - playing on the nerves of the social engineer usually works (are they contacting security? Or the police?)
- security questions - including fake ones (e.g. "I can only tell the number to people from department 12. Do you work there?" - "yes" would be a wrong answer as the department does not in fact exist).
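The sketch below shows how three of these measures (shared logging, callback policy and a fake security question) could be combined in a help desk intake check. It is an added example, not part of the original course material; the directory entries, extensions, department list and class names are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample data (assumptions, not from the page): directory of
# registered internal extensions and the list of departments that really exist.
DIRECTORY = {"Mr Bolton": "2041", "IT support": "2100"}
REAL_DEPARTMENTS = {"bookkeeping", "it", "internal audit"}

@dataclass
class Request:
    claimed_name: str
    callback_number: str     # number the caller asks to be reached at
    claimed_department: str  # answer to the security question
    action: str

@dataclass
class SharedLog:
    """Every request is recorded so that several people can review it."""
    entries: list = field(default_factory=list)

    def triage(self, req: Request):
        reasons = []
        registered = DIRECTORY.get(req.claimed_name)
        if registered is None:
            reasons.append("caller not in directory")
        elif registered != req.callback_number:
            reasons.append("callback number differs from directory")
        # Fake security question: agreeing to a non-existent department
        if req.claimed_department.lower() not in REAL_DEPARTMENTS:
            reasons.append("claimed a department that does not exist")
        # Callback policy: nothing is done on the inbound call itself
        decision = "escalate" if reasons else "call back via directory"
        self.entries.append((req, decision, reasons))
        return decision, reasons

    def flagged(self):
        return [e for e in self.entries if e[1] == "escalate"]

def demo():
    log = SharedLog()
    log.triage(Request("Mr Bolton", "2041", "bookkeeping", "password reset"))
    log.triage(Request("IT support", "555-0100", "department 12",
                       "disconnect socket 12"))
    log.triage(Request("Martin Marston", "2300", "internal audit",
                       "staff costs account number"))
    return log

if __name__ == "__main__":
    for req, decision, reasons in demo().entries:
        print(req.claimed_name, "->", decision, reasons)
```

Even a request that raises no flag is answered only by calling back the number held in the directory, never the number the caller supplies.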
The term "social engineering" has different meanings in different disciplines:
- in sociology, it means active involvement in social processes (thus it is a neutral or even positive term)
- in politology, it means the art of influencing large groups of people (mostly by media, but also by legislation, taxation etc)
- in data security, it mostly means identity manipulations, convincing others that the manipulator is in fact someone else.
A definition by Mitnick:
"Social Engineering uses influence and persuasion to deceive people by convincing them that the social engineer is someone he is not, or by manipulation. As a result, the social engineer is able to take advantage of people to obtain information with or without the use of technology." - The Art of Deception
Another story also by Mitnick:
“I realized one day while riding the bus that the security of the bus transfer I had purchased relied on the unusual pattern of the paper-punch, that the drivers used to mark day, time, and route on the transfer slips. A friendly driver, answering my carefully planted question, told me where to buy that special type of punch. The transfers are meant to let you change buses and continue a journey to your destination, but I worked out how to use them to travel anywhere I wanted to go for free.
Obtaining blank transfers was a walk in the park. The trash bins at the bus terminals were always filled with only-partly used books of transfers that the drivers tossed away at the end of the shifts. With a pad of blanks and the punch, I could mark my own transfers and travel anywhere that L.A. buses went. Before long, I had all but memorized the bus schedules of the entire system.
(This was an early example of my surprising memory for certain types of information; I can still, today, remember phone numbers, passwords, and other seemingly trivial details as far back as my childhood.)” - The Art of Deception
Some more examples
Stanley Mark Rifkin
While this has sometimes been labelled the "biggest computer heist", it did not use computers much - only the perpetrator worked in this field. In October 1978, he learned the transfer code of the day and used it to impersonate a top official and transfer 10.2 million USD to Switzerland. After that, he flew there by himself and bought 8.3 million worth of diamonds from Rosalmaz, the Soviet diamond agency. He flew back, smuggled the diamonds through customs and attempted to sell them, but a former associate turned him in to the FBI.
READ MORE at http://www.edwardjayepstein.com/diamond/chap20.htm
From the standpoint of social engineering, the case shows several characteristics. The heist was well-planned: Rifkin was thoroughly familiar with all the procedures and had enough background information to carry out the actual social engineering attack (the phone call ordering the transfer). The follow-up was well-planned too - except for the last step, which also proved fatal.
A controversial online 'sport' that involves replying to Nigerian scam letters, playing the Stupid White Guy (extra style points given for inventing as crazy a name as possible, e.g. Gerald Womo Milton Glockenspiel) and attempting to make the original 'entrepreneur' do various creative things. Examples include actually receiving money from the scammer or bringing the latter 'to a meeting' to some faraway city - one of the best examples is this one.
Web 2.0 and Social Networks
The tendencies collectively known as "Web 2.0", "social software" etc, which appeared roughly at the turn of the century, have generally been very welcome. Probably the most important factor coming with them is the rediscovery of community and the capability to harness combined human resources to achieve significant results - well-known examples include Wikipedia, Linux and lots of others. It has enabled the "because we can" creation and production (i.e. pure hobbyist activities - be it in software, art, music or literature) on a much larger scale than before. It has given public voice to many groups previously unnoticed or silenced (various minorities, small ethnic or religious groups etc). Finally, it has allowed everyone to maintain and develop their network of contacts by various online social networks. Unfortunately, the last aspect does bring along some dangers as well.
Some simple examples:
- In chat: omg is this you lol? [URL]
- Facebook: You look just awesome in this new movie! [video]
Note: those who use their environments in languages other than English are a little more forewarned - why has my friend suddenly switched to English (a large majority of similar attempts happen in English, although Google translation is becoming more common too)? Yet, surprisingly many users (especially those fluent in English) do not register the change of language.
The main problem
The first and very important step in any social engineering attempt is achieving trust - whether posing as someone the victim already trusts, or generating it for the persona the attacker uses (the Nigerian "dead general's nephew" letters are an example of the latter).
Online social networks are essentially networks of trust. In general, people are "programmed" by society "to be nice" and not assume bad things from others - thus, most people will try to reciprocate if approached in a friendly manner. In online settings, this usually means accepting "friend requests" - even if the person is actually a stranger or a very casual acquaintance. This may be OK as long as people treat their friend list adequately - if anyone is accepted, it should be treated as a contact list, nothing more. If the list is to be trusted, only actual friends should be admitted.
In addition, online social networks add another possible layer of problems - an attack can come from someone who has "engineered" his/her way into our network, but it can also come from a legitimate contact whose computer has been compromised. Thus, even if the "real friends only" policy is used for the friend list, all contacts with them should be screened with the "is it real?" mindset.
The problem is given a new magnitude by some unscrupulous service providers - probably the best example was the case of "a new cool social network" called gazzag.com. Their announcement offered to bring over one's Orkut account (Orkut was a leading social network back then that had just received official recognition from Google; it started as a pet project of a Google employee) - one just had to give them one's Orkut password. Incidentally, it was the Google password as well, giving Gazzag access to the target's Gmail mailbox and other services. Once the account was "brought over", it was also used to send out invitations without the person's consent.
- Kevin D. Mitnick, William L. Simon. The Art of Deception: Controlling the Human Element of Security. John Wiley & Sons, 2002.
- Kevin D. Mitnick, William L. Simon. The Art of Intrusion. John Wiley & Sons, 2005.
Study & Blog
- Find and blog about a good case of social engineering.
- FOR YOURSELF ONLY (no need to blog or report): check your profile in a social network (e.g. Facebook or LinkedIn). How easy would it be for someone having access to this information to impersonate you a) face to face, b) on the phone, c) over e-mail?