Social Engineering

1. What is social engineering?

Social engineering is, quite simply, hacking people. Just as computer hackers strive to learn all they can about computers (and how to make them do what the hacker wishes), social engineers strive to learn all they can about people. They attempt to predict and influence the actions of others.

2. What does social engineering have to do with computer security?

Quite often, people are the weakest link in a corporate security chain. It is imperative that employees learn and adhere to a strict security policy regarding information. In a high-technology world, the old adage is true: loose lips sink ships.

3. Oh come now, what's the worst that could happen?

Have a look at the following:

// The engineer walks up to the front desk of Random J. Company after finding that a
// sysadmin job opening has been filled.

Secretary: May I help you?
Engineer : Yessir, I was just talking to a gentleman on the phone about securing my network? (to himself) What was his name?
Sec: Mr. Thompson?
Eng: Yeah, that's it, I think. New guy?
Sec: Oh! I think you mean Mr. Jones.
Eng: Right, could you leave him a message to call Larry, please?
Sec: Yessir.
Eng: Thanks.

// Armed with the name of a new sysadmin, the engineer performs a Google search on Jones +
// Company. Aside from corporate nonsense, he retrieves a number of Usenet posts:

Subject: Ipchains help
Newsgroup: comp.os.linux.security

Hello, I'm having a few problems with the following rules:

[Ipchains rules]

My network is set up like this:

{internet}----firewall-+-firewall----+
                       |D           L|-Workstation 1
                       |M           A|-Workstation 2
                       |Z           N|-Workstation 3
                    Servers

I'm having some trouble on the firewall between the DMZ and the LAN. I'm using the above rules, but they don't seem to be blocking traffic. Additionally, I can't find how to close port 111 on the firewall before the DMZ.

Thanks!
--
Achmed M. Jones
Assistant SysAdmin : Random J. Company
(830)-363-8720 ex 112 : Achmed@company.com

// From the above, the engineer knows Mr. Jones' full name, business phone number, network
// topology, and potential vulnerabilities.

// That night, after Mr. Jones goes home, the engineer calls the company on the telephone,
// spoofing his caller ID with one of many programs:

Secretary: BigCorp, may I help you?
Engineer : Yeah, hey, this is Achmed, I run the networks and need to get finished up from home today, but there's a little problem. Couldja help me out?
Sec: (Checking caller ID) Who?
Eng: Achmed Jones, I'm the Assistant Systems Administrator.
Sec: Oh, Mr. Jones, what do you need?
Eng: Well, I just started and I've already forgotten how to log in to check my email...
Sec: Oh, well, just [details how to check email] ... and when it asks for the password, put in the employee password.
Eng: Yeah... well, I've forgotten that too...
Sec: It's YellowDog, one word.
Eng: Oh, great! Thanks!

// The engineer now logs in and composes an email to all employees, using Achmed's address.
// He tells them that they're switching from Oracle to SQL databases, and to reply with
// their password. Some fall for it.

4. How can I keep from being engineered?

To put it bluntly, you can't. Social engineering is nothing more than manipulation. Every day, you're manipulated by others. When you go out to eat, the waiters pretend to care what you have to say so that you'll tip well. When the person who cuts your hair proclaims that it's "so soft, would you like some special shampoo," they aren't doing it because of your fine follicles. They want to make a sale. When you tell someone that you "have to go" or call in "sick" because you just don't feel like going to work, that's social engineering. The only way to immunize oneself from social engineering is to become a complete cynic.

Luckily, it's fairly easy to tell everyone who works for you not to, under any circumstances, make known *any* company information to any party, whether or not they work for you. Passwords, addresses, phone numbers, and LAN setups should all be closely guarded.

-- drumstik