SOCIAL ENGINEERING

Today, I am going to be writing about social engineering, and a couple of the main social engineering strategies that are used everyday. One of the top strategies of social engineering would be one that is used everyday more often than you may think, shoulder surfing, it is easy and a quick method to use to find out passwords and/or  files. Another very effective way of social engineering is called, Dumpster diving is when someone uses files or worksheets on how to do something within the network. Again, another technique of social engineering is called, Tailgating, Tailgating is when someone walks into a restricted entryway behind someone so that they do not need to use a key card or another means of way to get into that area. Impersonation is also another great way to use social engineering to your advantage, Impersonation is exactly what it sounds like, pretending to be someone else so you can obtain access to items that you in other ways cannot. Hoaxes are when someone tricks you into believing they are someone important or someone that needs information and uses the information that they obtain to gain access to certain files or passwords. Whaling is another form of social engineering attacks, it is when someone tries attacking let’s say the CEO of a company rather than someone way lower in the chain of executives. This essay should give you a brief knowledge of Social Engineering attacks and how effective they actually are.

 

   

“Securing the hardware, software and firmware is relatively easy; it is the “wetware” that causes us the biggest headache. According to the Jargon Dictionary “wetware” is the human being attached to a computer system. People are usually the weakest link in the security chain. In the 1970s, we were told that if we installed access control packages then we would have security. In the 1980s we were encouraged to install effective anti-virus software to ensure that our systems and networks were secure. In the 1990s we were told that firewalls would lead us to security. Now in the twenty-first century, it is intrusion detection systems or public key infrastructure that will lead us to information security. In each iteration, security has eluded us because the silicon based products have to interface with carbon-based units. It is the human factor that will continue to appear in our discussion on social engineering.

A skilled social engineer will often try to exploit this weakness before spending time and effort on other methods to crack passwords or gain access to systems. Why go to all of the trouble of installing a sniffer on a network, when a simple phone call to an employee may gain the needed userid and password. A while back a client asked us to see if we could obtain employee access accounts and passwords. They have an aggressive awareness campaign to remind employees of the need to keep the passwords from being compromised. The client wanted to know if we were going to install a sniffer, we told them that we had a better method, we would call his employees. We called twelve employees and had nine people answer our call. We told them we were from network administration and that we needed them to logon so we could troubleshoot a problem. We told them we needed their account identification and password so that our scope could see when they entered the network. Of the nine who answered, eight gave us the information we wanted. The ninth couldn’t find the Post-it note that had his password.”

 

    Firstly, I want to explain real quick that it is not the computers and our networks that remain the most vulnerable to attacks, its us. It is the Human that needs more work than the computer and until we get better security training then we will always be vulnerability to Social Engineering attacks. Now, the first one i want to talk about is Shoulder Surfing, it is probably the easiest and quickest way to gain the access to passwords and files than any other form of social engineering. It is simply just when you stand behind someone when they are typing or writing down a password so you can physically see with your naked eyes the passwords being used to enter into a computer or even worse, a server or network.

 

   

Second we have Dumpster Diving, now dumpster diving is a more, dirty way, literally, of finding a way into a network or steal personal or company or government files. Say if someone throws away a computer or a bunch of files off of their desk, some of those files or hard drives could easily be found and used to gain access into a building or into a company’s server which from there that one person could cause some serious damage to files. The safest way to rid of old files or paperwork is to shred the documents and dispose of them properly. Now hard drives from computers are harder to dispose of than you may think. You can’t simply throw away a hard drive and think that you are completely safe from someone not stealing your files. The best way to get rid and dispose a hard drive is to put them in an authorized shredding machine. Now you may have to do some digging of your own to find a place where you can do this but i am sure it cannot be that hard to do. And that in itself is the best way to stay safe from those nasty Dumpster Divers.

 

Third and definitely not last, there is tailgating, now tailgating may be hard to stop because you do not really realize that you are doing it. If you work in a government building or any building that has passwords on doors or locks, you obviously have to get past them and if you are not alone it is hard to close the door in someones face. Although it is kind of you to hold the door open for someone it may be in your best favor to close the door behind you and make sure it is completely shut before walking away from it. Another way to be able to stop this form of social engineering would be to only allow one person entry through a door at a time, it may be time consuming but in the end it is another step to keeping your files and your network safe from attackers. In security, piggybacking refers to when a person tags along with another person who is authorized to gain entry into a restricted area, or pass a certain checkpoint.The act may be legal or illegal, authorized or unauthorized, depending on the circumstances. However, the term more often has the connotation of being an illegal or unauthorized act.To describe the act of an unauthorized person who follows someone to a restricted area without the consent of the authorized person, the term tailgating is also used. “Tailgating” implies without consent (similar to a car tailgating another vehicle on the freeway), while “piggybacking” usually implies consent of the authorized person. Piggybacking came to the public’s attention particularly in 1999, when a series of weaknesses were exposed in airport security. While a study showed that the majority of undercover agents attempting to pass through checkpoints, bring banned items on planes, or board planes without tickets were successful, piggybacking was revealed as one of the methods that was used in order to enter off-limits areas.

 

    Impersonation is simple and is exactly what it sounds like, impersonation for anything is completely illegal but that surely does not stop some hardened criminals from using it everyday to get what they want. Impersonation can be used for a multitude of things but one big one that i want to point out is it being used to infiltrate a corporation or the government for that reason. In the military there are millions of things that would benefit others on the outside, be it money or to pay off a debt to some very bad people. Impersonation is used on a daily basis and people are getting arrested for it all the time. Impersonation could be used as an email say from your co worker asking for your password for a server so they can do daily maintenance or used to steal money from a bank in the form as malware in an email. Email is not very secure and being that it is not very secure it is easy for someone to accidentally open an email not knowing that it is encoded with malicious intent and your computer could so easily be hacked and files and passwords be stolen at any moment in time.

 

    Hoaxes are basically lies, or tricks on someone. Now we all have probably done a hoax on someone as a joke to get a good laugh but it could be used on a much bigger scale. A hoax could be used to make people believe you are someone you are not much like impersonation or could be used to make others believe that you have something they need maybe like an object they ordered and is supposed to come in the mail. That person could use that information to gain access to the location of a specific place to be able to get inside and to obtain a signature of possibly someone of high rank so they could forge the signature later on. That in a nutshell is what a social engineering hoax is.

 

    Whaling is one of my favorite forms of social engineering. Whaling is used to attack a specific person such as a high level executive, politicians, and celebrities. As with any phishing endeavor, the goal of whaling is to trick someone into disclosing personal or corporate information through social engineering, email spoofing and content spoofing efforts. The attacker may send his target an email that appears as if it’s from a trusted source or lure the target to a website that has been created especially for the attack. Whaling emails and websites are highly customized and personalized, often incorporating the target’s name, job title or other relevant information gleaned from a variety of sources. Whaling could be used to get information from a high ranking military person to find information about upcoming events to target a specific person or to be able to gain access to a top secret area of a building to be able to steal information on a project the military is working on.

 

    So as you may see Social Engineering is very effective and makes you realize that everyone is gullible in certain ways. We as people need to take a bigger interest this type of attack and we need to learn how to prevent further and more damaging ones from happening. This could be done by more online training on how to more properly secure your work environment and to protect yourself from getting attacked and possibly losing your identity. The threat is very real and very powerful. We need to take this seriously and learn from our past mistakes and figure out how to patch up ways to keep us safer. Remember OPSEC and do some studying and training of your own and maybe you can make a difference on how to keep yourself safe and your co workers!

 

Resources:

 

http://www.infosectoday.com/Norwich/GI532/Social_Engineering.htm#.VY_H08scTIU

 

https://en.wikipedia.org/wiki/Piggybacking_(security)
http://searchsecurity.techtarget.com/definition/whaling