Social Engineering

1. What is social engineering?

        Social engineering is, quite simply, hacking people.  Just as
computer hackers strive to learn all they can about computers (and how to
make them do what the hacker wishes), social engineers strive to learn all
they can about people.  They attempt to predict and influence the actions
of others.

2. What does social engineering have to do with computer security?

        Quite often, people are the weakest link in a corporate security
chain.  It is imperative that employees learn and adhere to a strict
security policy regarding information.  In a high-technology world, the
old adage is true: loose lips sink ships.

3. Oh come now, what's the worst that could happen?

        Have a look at the following:

//Engineer walks to the front desk of Random J. Company after finding
//that a sysadmin job opening had been filled

Secretary: May I help you?
Engineer : Yessir, I was just talking to a gentleman on the phone about
securing my network?  (to himself) What was his name?
Sec: Mr. Thompson?
Eng: Yeah, that's it, I think.  New guy?
Sec: Oh!  I think you mean Mr. Jones.
Eng: Right, could you leave him a message to call Larry, please?
Sec: Yessir.
Eng: Thanks

//Armed with the name of a new sysadmin, the engineer performs a Google
//search on Jones + Company.  Aside from corporate nonsense, he retrieves
//a number of Usenet posts:

Subject: Ipchains help
Newsgroup: comp.os.linux.security

Hello, I'm having a few problems with the following rules:

[Ipchains rules]

My network is set up like this:

{internet}----firewall-+-firewall----+
                       |D           L|-Workstation 1
                       |M           A|-Workstation 2
                       |Z           N|-Workstation 3
                   Servers

I'm having some trouble on the firewall between the DMZ and the LAN.
I'm using the above rules, but they don't seem to be blocking traffic.
Additionally, I can't find how to close port 111 on the firewall before
the DMZ.

Thanks!
--
Achmed M. Jones
Assistant SysAdmin      :       Random J. Company
(830)-363-8720 ex 112   :       Achmed@company.com

//From the above, the engineer knows Mr. Jones' full name, business phone
//number, network topology, and potential vulnerabilities.

//That night, after Mr. Jones goes home, the engineer calls the company
//on the telephone, spoofing his caller ID with one of many programs:

Secretary: BigCorp, may I help you?
Engineer : Yeah, hey, this is Achmed, I run the networks and need to get
finished up from home today, but there's a little problem.  Couldja help
me out?
Sec: (Checking caller ID) Who?
Eng: Achmed Jones, I'm the Assistant Systems Administrator
Sec: Oh, Mr. Jones, what do you need?
Eng: Well, I just started and I've already forgotten how to log in to
check my mail...
Sec: Oh, well, just [details how to check email] ... and when it asks for
the password, put in the employee password.
Eng: Yeah...well, I've forgotten that too...
Sec: It's YellowDog, one word.
Eng: Oh, great!  Thanks!

//The engineer now logs in and composes an email to all employees, using
//Achmed's address.  He tells them that they're switching from Oracle to
//SQL databases, and to reply with their password.  Some fall for it.


4. How can I keep from being engineered?

        To put it bluntly, you can't.  Social engineering is nothing more
than manipulation.  Every day, you're manipulated by others.  When you go
out to eat, the waiters pretend to care what you have to say so that
you'll tip well.  When the person who cuts your hair proclaims that it's
"so soft, would you like some special shampoo," they aren't doing it
because of your fine follicles.  They want to make a sale.  When you tell
someone that you "have to go" or call in "sick" because you just don't
feel like going to work, that's social engineering.  The only way to
immunize oneself against social engineering is to become a complete cynic.
        Luckily, it's fairly easy to tell everyone who works for you not
to, under any circumstances, make known *any* company information to any
party, whether or not they work for you.  Passwords, addresses, phone
numbers, and LAN setups should all be closely guarded.


-- 
drumstik

