Social Engineering (Security)

Social engineering is a technique that uses manipulation and deception to obtain information from individuals rather than using technical hacking methods. It typically involves tricking victims into willingly revealing confidential information or performing actions. Social engineering exploits human cognitive biases and can be used to gather information, commit fraud, or gain access to computer systems. Notable social engineers include Kevin Mitnick, who popularized the term, and the Badir Brothers.

Social engineering (security)

From Wikipedia, the free encyclopedia

Social engineering is the act of manipulating people into performing actions or divulging confidential information, rather than by breaking in or using technical hacking techniques; essentially a fancier, more technical way of lying.[1] While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victim.

"Social engineering" as an act of psychological manipulation was popularized by hacker-turned-consultant Kevin Mitnick (discussed below). The term had previously been associated with the social sciences, but its usage has caught on among computer professionals and is now a recognized term of art.

Contents

1 Social engineering techniques and terms
  1.1 Pretexting
  1.2 Diversion theft
  1.3 Phishing
    1.3.1 IVR or phone phishing
    1.3.2 Baiting
  1.4 Quid pro quo
  1.5 Other types
2 Notable social engineers
  2.1 Kevin Mitnick
  2.2 The Badir Brothers
3 United States law
  3.1 Pretexting of telephone records
  3.2 Federal legislation
  3.3 1st Source Information Specialists
  3.4 Hewlett Packard
4 In popular culture
5 See also
6 References
  6.1 Notes
  6.2 Further reading
7 External links

Social engineering techniques and terms

All social engineering techniques are based on specific attributes of human decision-making known as cognitive biases.[2] These biases, sometimes called "bugs in the human hardware," are exploited in various combinations to create attack techniques, some of which are listed here:

Pretexting

Pretexting is the act of creating and using an invented scenario (the pretext) to engage a
targeted victim in a manner that increases the chance the victim will divulge
information or perform actions that would be unlikely in ordinary circumstances. It is
more than a simple lie, as it most often involves some prior research or setup and the
use of a priori information for impersonation (e.g., date of birth, Social Security
Number, last bill amount) to establish legitimacy in the mind of the target.[3]

This technique can be used to trick a business into disclosing customer information as
well as by private investigators to obtain telephone records, utility records, banking
records and other information directly from junior company service representatives. The
information can then be used to establish even greater legitimacy under tougher
questioning with a manager, e.g., to make account changes, get specific balances, etc.
Pretexting has even been an observed law enforcement technique, under the auspices of which a law officer may leverage the threat of an alleged infraction to detain a suspect for questioning and close inspection of a vehicle or premises.

Pretexting can also be used to impersonate co-workers, police, bank, tax authorities, or
insurance investigators — or any other individual who could have perceived authority
or right-to-know in the mind of the targeted victim. The pretexter must simply prepare
answers to questions that might be asked by the victim. In some cases all that is needed
is a voice that sounds authoritative, an earnest tone, and an ability to think on one's feet.

Diversion theft

Diversion theft, also known as the "Corner Game"[4] or "Round the Corner Game",
originated in the East End of London.

In summary, diversion theft is a "con" exercised by professional thieves, normally against a transport or courier company. The objective is to persuade the persons responsible for a legitimate delivery that the consignment is requested elsewhere — hence, "round the corner".

With a load/consignment redirected, the thieves persuade the driver to unload the
consignment near to, or away from, the consignee's address, in the pretense that it is
"going straight out" or "urgently required somewhere else".

The "con" or deception has many different facets, which include social engineering
techniques to persuade legitimate administrative or traffic personnel of a transport or
courier company to issue instructions to the driver to redirect the consignment or load.

The social engineering skills of these thieves are well rehearsed, and are extremely effective. Most companies do not prepare their staff for this type of deception.

Phishing

Main article: Phishing

Phishing is a technique of fraudulently obtaining private information. Typically, the phisher sends an e-mail that appears to come from a legitimate business — a bank, or credit card company — requesting "verification" of information and warning of some dire consequence if it is not provided. The e-mail usually contains a link to a fraudulent web page that seems legitimate — with company logos and content — and has a form requesting everything from a home address to an ATM card's PIN.

For example, 2003 saw the proliferation of a phishing scam in which users received e-mails supposedly from eBay claiming that the user's account was about to be suspended unless a link provided was clicked to update a credit card (information that the genuine eBay already had). Because it is relatively simple to make a Web site resemble a legitimate organization's site by mimicking the HTML code, the scam counted on people being tricked into thinking they were being contacted by eBay and subsequently, were going to eBay's site to update their account information. By spamming large groups of people, the "phisher" counted on the e-mail being read by a percentage of people who already had listed credit card numbers with eBay legitimately, who might respond.
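The eBay scam described above depends on a link whose visible text and real destination differ. As an added example (not part of the Wikipedia article), the following check, of the kind a mail filter or security awareness tool could run, parses the anchors in an HTML message and flags any whose destination lies outside the domain the message claims to come from, or whose displayed URL names a different host than the actual link. The sample message and its hostnames are constructed for this example.

```python
import html.parser
from urllib.parse import urlparse

# Constructed sample of a phishing e-mail body in the style of the 2003 eBay
# scam; the hostnames are made up for this example.
SAMPLE_EMAIL_HTML = """
<p>Dear eBay member, your account will be suspended unless you update
your credit card within 24 hours.</p>
<p><a href="http://signin.ebay.com.account-verify.example.net/update">
http://signin.ebay.com/update</a></p>
<p>Questions? Visit <a href="https://www.ebay.com/help">our help page</a>.</p>
"""

class _LinkCollector(html.parser.HTMLParser):
    """Collects (href, visible text) pairs from every <a> tag in the message."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _registered_domain(host):
    # Crude: keep the last two labels (enough for ebay.com-style names).
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def suspicious_links(email_html, claimed_domain):
    """Return [(href, [reasons])] for links that point outside claimed_domain
    or whose visible URL text names a different host than the real target."""
    parser = _LinkCollector()
    parser.feed(email_html)
    findings = []
    for href, text in parser.links:
        dest_host = urlparse(href).hostname or ""
        reasons = []
        if _registered_domain(dest_host) != claimed_domain.lower():
            reasons.append("destination %s is outside %s" % (dest_host, claimed_domain))
        if text.startswith(("http://", "https://")):
            shown_host = urlparse(text).hostname or ""
            if shown_host != dest_host:
                reasons.append("shown host %s != actual host %s" % (shown_host, dest_host))
        if reasons:
            findings.append((href, reasons))
    return findings
```

Running `suspicious_links(SAMPLE_EMAIL_HTML, "ebay.com")` flags the first link for both reasons and leaves the genuine help link alone.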

IVR or phone phishing

This technique uses a rogue Interactive voice response (IVR) system to recreate a
legitimate-sounding copy of a bank or other institution's IVR system. The victim is
prompted (typically via a phishing e-mail) to call in to the "bank" via a (ideally toll free)
number provided in order to "verify" information. A typical system will reject log-ins
continually, ensuring the victim enters PINs or passwords multiple times, often
disclosing several different passwords. More advanced systems transfer the victim to the
attacker posing as a customer service agent for further questioning.

One could even record the typical commands ("Press one to change your password,
press two to speak to customer service" ...) and play back the direction manually in real
time, giving the appearance of being an IVR without the expense.

The technical name for phone phishing is vishing.

Baiting

Baiting is like the real-world Trojan Horse that uses physical media and relies on the
curiosity or greed of the victim.[5]

In this attack, the attacker leaves a malware infected floppy disk, CD ROM, or USB
flash drive in a location sure to be found (bathroom, elevator, sidewalk, parking lot),
gives it a legitimate looking and curiosity-piquing label, and simply waits for the victim
to use the device.

For example, an attacker might create a disk featuring a corporate logo, readily
available from the target's web site, and write "Executive Salary Summary Q2 2010" on
the front. The attacker would then leave the disk on the floor of an elevator or
somewhere in the lobby of the targeted company. An unknowing employee might find it
and subsequently insert the disk into a computer to satisfy their curiosity, or a good
samaritan might find it and turn it in to the company.

In either case as a consequence of merely inserting the disk into a computer to see the
contents, the user would unknowingly install malware on it, likely giving an attacker
unfettered access to the victim's PC and perhaps, the targeted company's internal
computer network.

Unless computer controls block the infection, PCs set to "auto-run" inserted media may
be compromised as soon as a rogue disk is inserted.

Quid pro quo

Quid pro quo means something for something:

- An attacker calls random numbers at a company claiming to be calling back from technical support. Eventually they will hit someone with a legitimate problem, grateful that someone is calling back to help them. The attacker will "help" solve the problem and in the process have the user type commands that give the attacker access or launch malware.

- In a 2003 information security survey, 90% of office workers gave researchers what they claimed was their password in answer to a survey question in exchange for a cheap pen.[6] Similar surveys in later years obtained similar results using chocolates and other cheap lures, although they made no attempt to validate the passwords.[7]

Other types

Common confidence tricksters or fraudsters also could be considered "social engineers" in the wider sense, in that they deliberately deceive and manipulate people, exploiting human weaknesses to obtain personal benefit. They may, for example, use social engineering techniques as part of an IT fraud.

A more recent type of social engineering technique involves spoofing or hijacking the accounts of people who use popular e-mail services such as Yahoo!, GMail, Hotmail, etc. Among the many motivations for deception are:

- Phishing credit-card account numbers and their passwords.
- Hacking private e-mails and chat histories, and manipulating them by using common editing techniques before using them to extort money and creating distrust among individuals.
- Hacking websites of companies or organizations and destroying their reputation.
- Computer virus hoaxes

Notable social engineers

Kevin Mitnick

Reformed computer criminal and later security consultant Kevin Mitnick popularized
the term "social engineering", pointing out that it is much easier to trick someone into
giving a password for a system than to spend the effort to hack into the system.[8] He
claims it was the single most effective method in his arsenal.

The Badir Brothers

Brothers Ramy, Muzher, and Shadde Badir—all of whom were blind from birth—
managed to set up an extensive phone and computer fraud scheme in the village of Kafr
Kassem outside Tel Aviv, Israel in the 1990s using social engineering, voice
impersonation, and Braille-display computers.[9]

United States law

Pretexting of telephone records

In December 2006, the United States Congress approved a Senate-sponsored bill making the pretexting of telephone records a federal felony with fines of up to $250,000 and ten years in prison for individuals (or fines of up to $500,000 for companies). It was signed by President George W. Bush on January 12, 2007.[11]

Federal legislation

The 1999 "GLBA" is a U.S. Federal law that specifically addresses pretexting of
banking records as an illegal act punishable under federal statutes. When a business
entity such as a private investigator, SIU insurance investigator, or an adjuster conducts
any type of deception, it falls under the authority of the Federal Trade Commission
(FTC). This federal agency has the obligation and authority to ensure that consumers are
not subjected to any unfair or deceptive business practices. US Federal Trade
Commission Act, Section 5 of the FTCA states, in part: "Whenever the Commission
shall have reason to believe that any such person, partnership, or corporation has been
or is using any unfair method of competition or unfair or deceptive act or practice in or
affecting commerce, and if it shall appear to the Commission that a proceeding by it in
respect thereof would be to the interest of the public, it shall issue and serve upon such
person, partnership, or corporation a complaint stating its charges in that respect."

The statute states that when someone obtains any personal, non-public information from
a financial institution or the consumer, their action is subject to the statute. It relates to
the consumer's relationship with the financial institution. For example, a pretexter using
false pretenses either to get a consumer's address from the consumer's bank, or to get a
consumer to disclose the name of his or her bank, would be covered. The determining
principle is that pretexting only occurs when information is obtained through false
pretenses.

While the sale of cell telephone records has gained significant media attention, and
telecommunications records are the focus of the two bills currently before the United
States Senate, many other types of private records are being bought and sold in the
public market. Alongside many advertisements for cell phone records, wireline records
and the records associated with calling cards are advertised. As individuals shift to VoIP
telephones, it is safe to assume that those records will be offered for sale as well.
Currently, it is legal to sell telephone records, but illegal to obtain them.[12]

1st Source Information Specialists

U.S. Rep. Fred Upton (R-Kalamazoo, Michigan), chairman of the Energy and
Commerce Subcommittee on Telecommunications and the Internet, expressed concern
over the easy access to personal mobile phone records on the Internet during
Wednesday's E&C Committee hearing on "Phone Records For Sale: Why Aren't Phone
Records Safe From Pretexting?" Illinois became the first state to sue an online records
broker when Attorney General Lisa Madigan sued 1st Source Information Specialists,
Inc., on 20 January, a spokeswoman for Madigan's office said. The Florida-based
company operates several Web sites that sell mobile telephone records, according to a
copy of the suit. The attorneys general of Florida and Missouri quickly followed
Madigan's lead, filing suit on 24 January and 30 January, respectively, against 1st
Source Information Specialists and, in Missouri's case, one other records broker - First
Data Solutions, Inc.

Several wireless providers, including T-Mobile, Verizon, and Cingular filed earlier
lawsuits against records brokers, with Cingular winning an injunction against First Data
Solutions and 1st Source Information Specialists on January 13. U.S. Senator Charles
Schumer (D-New York) introduced legislation in February 2006 aimed at curbing the
practice. The Consumer Telephone Records Protection Act of 2006 would create felony
criminal penalties for stealing and selling the records of mobile phone, landline, and
Voice over Internet Protocol (VoIP) subscribers.

Hewlett Packard

Patricia Dunn, former chairman of Hewlett Packard, reported that the HP board hired a
private investigation company to delve into who was responsible for leaks within the
board. Dunn acknowledged that the company used the practice of pretexting to solicit
the telephone records of board members and journalists. Chairman Dunn later
apologized for this act and offered to step down from the board if it was desired by
board members.[13] Unlike Federal law, California law specifically forbids such pretexting. The four felony charges brought against Dunn were dismissed.[14]

In popular culture

- In the film Hackers, the protagonist used a form of social engineering, where the main character accessed a TV network's control system by telephoning the security guard for the telephone number to the station's modem, posing as an important executive. Although the film is not highly accurate, the particular method demonstrates the power of social engineering when applied to criminal behavior.
- In Jeffrey Deaver's book The Blue Nowhere, social engineering to obtain confidential information is one of the methods used by the killer, Phate, to get close to his victims.
- In the movie Live Free or Die Hard, Justin Long is seen pretexting that his father is dying from a heart attack to have a BMW Assist representative start what will become a stolen car.
- In the movie Sneakers, one of the characters poses as a low level security guard's superior in order to convince him that a security breach is just a false alarm.
- In the movie The Thomas Crown Affair, one of the characters poses over the telephone as a museum guard's superior in order to move the guard away from his post.
- In the James Bond movie Diamonds Are Forever, Bond is seen gaining entry to the Whyte laboratory with a then-state-of-the-art card-access lock system by "tailgating". He merely waits for an employee to come to open the door, then posing himself as a rookie at the lab, fakes inserting a non-existent card while the door is unlocked for him by the employee.

See also

- Phishing
- Confidence trick
- Certified Social Engineering Prevention Specialist (CSEPS)
- Media pranks, which often use similar tactics (though usually not for criminal purposes)
- Physical information security
- Vishing
- SMiShing
