What is Social Engineering?

Networking/Security Forums -> Physical Security and Social Engineering

Author: ShaolinTiger | Location: Kuala Lumpur, Malaysia | Posted: Mon May 27, 2002 2:27 am | Post subject: What is Social Engineering?
    ----
Social Engineering is 80% of hacking in the majority of situations.

To quote from ESR's Jargon Lexicon:

The Jargon Dictionary wrote:

social engineering n.

Term used among crackers and samurai for cracking techniques that rely on weaknesses in wetware rather than software; the aim is to trick people into revealing passwords or other information that compromises a target system's security. Classic scams include phoning up a mark who has the required information and posing as a field service tech or a fellow employee with an urgent access problem. See also the tiger team story in the patch entry.


This sums it up pretty well really. The most common form of social engineering is to phone up late at night when only the security guard is there, or at another time when there are not-so-technical people around, bombard them with meaningless technical jargon, and then ask for a passcode or login/password for a certain system.

There is a more in-depth guide on social engineering by Rick Nelson here:

http://www.isr.umd.edu/gemstone/infosec/ver2/papers/socialeng.html

Author: flw | Location: U.S.A. | Posted: Mon May 27, 2002 6:28 am | Post subject: What is Social Engineering?
    ----
Six basic persuasion and influence techniques, by Jonathan J. Rusch, Dept. of Justice, 1999

A substantial body of literature in social psychology demonstrates that there are at least six factors relying on peripheral routes to persuasion that are highly likely to persuade or influence others:

· Authority. People are highly likely, in the right situation, to be highly responsive to assertions of authority, even when the person who purports to be in a position of authority is not physically present. A study of three Midwestern hospitals showed how responsive people can be to such assertions. In the study, 22 separate nurses' stations were contacted by a researcher who identified himself (falsely) as a hospital physician, and told the answering nurse to give 20 milligrams of a specified prescription drug to a particular patient on the ward. Four factors should have indicated that the nurses might have questioned the order: (1) It came from a "doctor" with whom the nurse had never before met or spoken; (2) the "doctor" was transmitting a prescription by telephone, in violation of hospital policy; (3) the drug in question was not authorized for use on the wards; and (4) the dosage that the "doctor" had specified was clearly dangerous, twice the maximum daily dosage. Yet in 95 percent of the cases, the nurse proceeded to obtain the necessary dosage from the ward medicine cabinet and was on her way to administer it to the patient before observers intercepted her and told her of the experiment.

· Scarcity. People are also highly responsive to indications that a particular item they may want is in short supply or available for only a limited period. Indeed, research by Dr. Jack Brehm of Stanford University indicates that people come to desire that item even more when they perceive that their freedom to obtain it is or may be limited in some way. The belief that others may be competing for the short supply of the desired item may enhance the person's desire even more.

· Liking and similarity. It is a truly human tendency to like people who are like us. Our identification of a person as having characteristics identical or similar to our own -- places of birth, or tastes in sports, music, art, or other personal interests, to name a few -- provides a strong incentive for us to adopt a mental shortcut, in dealing with that person, to regard him or her more favorably merely because of that similarity.

· Reciprocation. A well-recognized rule of social interaction requires that if someone gives us (or promises to give us) something, we feel a strong inclination to reciprocate by providing something in return. Even if the favor that someone offers was not requested by the other person, the person offered the favor may feel a strong obligation to respect the rule of reciprocation by agreeing to the favor that the original criminal asks in return -- even if that favor is significantly costlier than the original favor.

· Commitment and consistency. Society also places great store by consistency in a person's behavior. If we promise to do something, and fail to carry out that promise, we are virtually certain to be considered untrustworthy or undesirable. We therefore are more likely to take considerable pains to act in ways that are consistent with actions that we have taken before, even if, in the fullness of time, we later look back and recognize that some consistencies are indeed foolish.
One way in which social custom and practice makes us susceptible to appeals to consistency is the use of writing. A leading social psychologist, Professor Robert B. Cialdini, has observed that unless there is strong evidence to the contrary, "People have a natural tendency to think that a statement reflects the true attitude of the person who made it." Moreover, once the person who receives such a statement responds by preparing a written statement of his own -- whether a letter, an affidavit, or an e-mail -- it tends to make the writer believe in what he has written as well, adding to the impression that both parties have displayed their true attitudes and beliefs.

· Social proof. In many social situations, one of the mental shortcuts on which we rely, in determining what course of action is most appropriate, is to look to see what other people in the vicinity are doing or saying. This phenomenon, known as social proof, can prompt us to take actions that may be against our self-interest without taking the time to consider them more deeply. Cults from the Jonestown Temple to Heaven's Gate, for example, provide cogent evidence of how strong the effects of that phenomenon can be in the right circumstances.

fastlanwan

Author: Chozen1 | Location: NW, UK | Posted: Tue Jul 09, 2002 4:16 pm
    ----
I had a m8 do some Social Engineering.

He walked into an office in York, used an internal phone and rang one of the managers, told them he was security, they had a hacker in the system and he needed his usernames and passwords. Then walked out!

Cool EH!


Author: ShaolinTiger | Location: Kuala Lumpur, Malaysia | Posted: Tue Jul 23, 2002 8:56 pm
    ----
It does happen an awful lot; companies are blissfully unaware of the consequences of a fairly simple piece of social engineering.

Whatever security policies you have in place, they are all fairly worthless if someone just walks in and gets the password.

Author: f2kyzz | Posted: Wed May 05, 2004 6:19 am | Post subject: Re: What is Social Engineering?
    ----
ShaolinTiger wrote:
Social Engineering is 80% of hacking in the majority of situations.


My experience is that Social Engineering is only 50%, because if you're damn good at what you're doing it only takes a few minutes. What is the BS with calling at night, dude? My experience is calling in the early morning (knowing the time zone difference), and when you're damn good, you're damn good.

Doesitmatter

Author: edrhesj45set | Posted: Wed May 05, 2004 11:02 am
    ----
Chozen1 wrote:
I had a m8 do some Social Engineering.

He walked into an office in York, used an internal phone and rang one of the managers, told them he was security, they had a hacker in the system and he needed his usernames and passwords. Then walked out!

Cool EH!


I've read that exact quote somewhere before...

Author: MattA | Location: Eastbourne + London | Posted: Wed May 05, 2004 2:03 pm
    ----
Social engineering is useful for many different occasions, not just obtaining usernames and passwords (in fact it's rather crude using it for that).
Why not use it on your boss to get a pay rise, or convince a client to give a contract directly to you rather than hire the company as a middle man?
Influence and persuasion are phenomenal tools when abused correctly, especially if you understand a person's psyche and can manipulate them into making a decision they later regret. Then hit them with FUD (fear, uncertainty, doubt) if they start wavering.

Here's a short primer:
http://www.as.wvu.edu/%7Esbb/comm221/primer.htm

The Dead Protocol Society also used to dominate many hacking events by hacking the sysadmin, not the server.

Author: Fool | Location: SC, USA | Posted: Sat Aug 28, 2004 12:04 am
    ----
But social engineering for Hotmail pwds is soooo fun1!1!

Most email servers have the "Forgot my password" option, where, upon registration, the registrar will have to fill in a "secret question" and password. If you can get to know this person a bit, find out a little bit and get the answer to his question, voilà!

Takes a bit of patience is all...

Author: Mongrel | Posted: Sat Aug 28, 2004 3:12 am
    ----
I'll weigh in on this topic. Basically I define social engineering (SE) to be: any tool or method that convinces someone to do or say what they should not or would not normally do, and using that method to gain something of value to the engineer, without that person knowing they are giving you anything.

With that definition, the never-ending pron popups are proven to be an SE technique. They breed frustration in the user who attempts to close them as fast as they come up. The value provided is that they will, in all likelihood, inadvertently click on one of your ads. You have gained that valuable clickthrough fee.

Today I witnessed a great SE tactic with my son. He wanted an MSN screen name for chatting in Trillian. We walked through the miserable process of getting your .NET Passport and signed up for Hotmail. It was a terribly frustrating process where the passport kept getting denied and we had to try over and over. Eventually we got in and were ready to sign in to Hotmail. Great!!

Up comes this screen where, by all appearances, you must click OK for some service or other. I caught my son before he clicked OK and made him close that window, then log in to Hotmail again. Voilà - right to the Hotmail with no bothers.

Evidence the tricks played, too, by RealNetworks. You install RealPlayer and say "no" to everything you can see as far as advertising and additional "services". If I'm not mistaken there are over 15 visible in the installation process alone. Several of them are lists with scrollbars. By default those visible on the list are unchecked. Unless you are patient enough to go down every single list, you miss the other 15 or 20 items to uncheck.

Then once the program is installed and you think you got one over on the big bad RealNetworks, you go into Preferences and find another ten or so items that were not included in the install.

Then you go to the Message Center and find yet another 15 or 20 items to turn off.

No doubt I have not found them all, and God forbid I ever do an automatic update, as these things will all be set to "default" again.

So this is SE at its finest: getting something of value from me without my knowing it, or against my desires, by trickery, impatience/frustration and obscurity.

Author: liquidz | Location: /dev/null/ | Posted: Sat Aug 28, 2004 5:06 am
    ----
I have a description of social engineering on my site aimed at the average person.

However, I would have to say that social engineering is what hacking will be. It's going to get to a point where actually trying to break the software is just going to take too long, hence you break the user.

I think Kevin Mitnick said it, but humans are the weakest link in the security chain.

Author: tree_twobears | Location: Cascadia, North America | Posted: Sat Aug 28, 2004 6:57 am
    ----
liquidz wrote:
I think Kevin Mitnick said it, but humans are the weakest link in the security chain.

No arguments there. No matter how up-to-date my virus defs are and which attachments I block, my users always find a way to infect their machines.

See Mitnick's The Art of Deception: Controlling the Human Element of Security or for how the big boys do it, John Nolan's elicitation primer Confidential: Uncover your Competitors' Top Business Secrets Legally and Quickly--and Protect Your Own.

Author: WeeBit | Posted: Sun Dec 12, 2004 6:56 am | Post subject: Social Engineering
    ----
To me, using Social Engineering to gather sensitive information from a business or even a home user is nothing more than a "con artist" at work hurting businesses or home users. I don't understand why, when you discuss Social Engineering, you don't call it a con artist at work to do harm.

Author: dogsitterz | Posted: Sun Dec 12, 2004 7:32 am | Post subject: Re: Social Engineering
    ----
WeeBit wrote:
To me, using Social Engineering to gather sensitive information from a business or even a home user is nothing more than a "con artist" at work hurting businesses or home users. I don't understand why, when you discuss Social Engineering, you don't call it a con artist at work to do harm.


Simplifying Social Engineering as just "con artist" is an oversimplification of a very deep area of professional study. It uses any and all tools discovered in psychology, sociology and technology, and is ever evolving in each area of study, all of which lead to tools and techniques.

Moderator note: edited to fix quote (enabled BBCode) - capi

Author: remade | Location: Alaska | Posted: Sat Mar 12, 2005 7:58 am
    ----
Of course only the truly oblivious people fall for this.... Anyone in depth in security usually resets all questions and secret answers or passwords at least once or twice in a month or two...

Author: The_Real_Gandalf | Location: Athens, Greece | Posted: Fri Mar 25, 2005 12:04 am
    ----
Actually Social Engineering is the oldest technique in the world, used in many areas and things,
from politics to simple conversations between a client and a salesman...

The concept is to manage the other person to drop his/her defenses or dilemmas and push them to act in your interest... no matter if it is about a bunch of passwords, or even signing a treaty for a nation.

Take a glance at the politicians while they are talking on TV... they tend to "push" someone over the edge in order to manipulate temper, words, behavior, in their interest.

Social engineering is always based on human psychology and "warfare"...
Tactical moves, opposition and fake "attacks" are a very big part of the game, and their success is always based on the way the other person will react... If it is possible to predict his/her reaction, or manipulate his behavior by "pushing buttons" of their personality, the game is won.

Certain books that would help you a lot, besides the advertised ones,
are:

Machiavelli's "War"
Sun Tzu, "Art of War"
Gustave Le Bon, "Psychology of the Crowd"

And of course any kind of psychology book you can get your hands on.

Remember that although people tend to behave similarly in situations, their small differences in how they are going to do it are the ones that give the advantage to the person who applies those techniques.

A significant part also is body language, although it would take me a whole page to analyse it here...


Gandalf

Author: remade | Location: Alaska | Posted: Fri Mar 25, 2005 9:43 pm
    ----
Quote:
A significant part also is body language, although it would take me a whole page to analyse it here...


Yes, never underestimate how far a smile and agreement can get you..

Author: SorCerer | Posted: Sat Mar 26, 2005 9:03 pm
    ----
Quote:
Of course only the truly oblivious people fall for this

I wouldn't bet on that. I've seen a lot of security geeks being SEd, and I am sure that anyone can be manipulated more or less, given some time, effort and resources.

If you can't touch your mark, or he/she doesn't respond to your actions, then consider moving on to their closest friends and see what you can do from there. Oh, and even the most paranoid security geeks out there tend to lower their guard in front of a nice-looking girl.

-SorCerer

Author: The_Real_Gandalf | Location: Athens, Greece | Posted: Sat May 07, 2005 7:25 pm
    ----
Let's give an expanded text on Social Engineering, shall we?

Social Engineering is focusing on the weakest chain of IT security: humans and their psychology. A way of exploiting all weaknesses of a person's character, from simple lies to applying psychological, brutal violence upon the "subject".

This new IT branch has a history of thousands of years, and can be located in our history under the terms "diplomacy" or "warfare". Both terms indicate situations and circumstances where "cunning minds" were capable of turning historical events around to their benefit. Evaluating situations and opponents is crucial in those two cases, as it is in Social Engineering.

I will proceed now to more details regarding Social Engineering, starting with the "specifications of a Social Engineer", as they are rarely stated compared to other details of this area.

A Social Engineer is not a simple fraud-man. He should be more than that. Patience and intelligence are among the most important tools of his, which need to be developed constantly, as they are associated, in a way, with a "live" branch of technology, which is computers. In order to "trick" someone and gain his trust, he really needs to be up to date, so as to ask the right questions and not fall into the "trap" of giving himself up. For example, if this "Engineer" tries to find a password and then asks where the "login field" is, then he is "out of the game". Intelligence is developed through experience and of course education, made out of any kind of scripts or books he can find regarding psychology and human behavior. "Stepping" on an opponent's weaknesses or mistaken reactions is the key to accomplishing his goal. Patience, however, needs to be gained in a much harder way, as he needs to enforce his will over himself. Something that very few are able to do.

Using that "equipment" now can give him the first step, in order to begin his quest of exploring human behaviors and reactions. No matter if the other person is a simple user or a master technician, only one thing can make the difference. It is the "know-how" of the right timing for applying questions and psychological techniques. The ability to know when and how to put down his "pressure points" to gain the right reaction from the "talking opponent" at the other side of the phone, or from the man right in front of him.

How can I do that, someone might say? It needs a plan, is the answer, as all things in real life. An engineer needs to evaluate the targeted person first and explore his weak and strong points. Make his "victim" feel secure, in order to bring down his defenses, so as to manage the "entry point" to his behavior and psychological personality. Most people are quite easy to handle if you are able to access their "ego" through vanity. For example, a question like "I never had any problems with your account, since it seems you are a good user and all, so I really need you to ...blah...blah" is pointing to his "ego" and making him feel "superior". It is easier for him to make mistakes like this, as his vanity takes over and "clouds" his reason. It is the same way most of us guys try to compliment women, in order to bring down their defenses, in order to approach them more.

So "ego" is the magical word for a social engineer. Manipulating that area of the mind is able to give him the right reaction and trigger a sequence of questions and actions to his benefit. Applying psychological force, now, is the opposite of boosting the target's ego. Setting a question of such a nature could "put in the corner" your targeted person, with a fake threat of a "management report" or of possibly "letting you go, for this mistake or unauthorized access". Putting the "subject" in that hard position provides results most of the time, although it could backfire, especially if the engineer is talking to a "bad-tempered" person. Leading things into a fight is never good for the guy who wants to manipulate situations. "Anger is the worst mind general" is stated in "Art of War" by Sun Tzu, and that is more than true. Reason and arguments with "deep meanings" are always useless in tough situations, so fights or quarrels always lead to the failure of an engineer's effort to gain data.

How now can I understand if my actions with the person I am talking to can lead to a successful attempt and avoid a possible exposure of my intentions, someone might say? Experience and intelligence is the answer. People are always different, and it is very rare to run into a type of personality that you have "tricked" before with the same method. I do not have to mention here that repeating methods is always a dangerous thing, as you never know who the other person is, or if he is a friend of a previous target.

Over the phone, it is true that it is hard to understand who the other person really is on the other end of the line, and how he will react to your questions or psychological tricks. There are though some tricks that could guide you, if you really know how to use your voice's volume and tone. For example, if you are sure that you are talking to a lower-level employee, a tone with authority would provide you with an advantage over the other person, and give you the ability to "demand" more straight and direct answers. (Tip: do not apply that on managers' secretaries, as they are trained to avoid "not-wanted" people.)

Impersonating an IT assistant admin (the description of the imaginary title also plays a role here, as the more complicated it sounds, the more influence it has on their minds) and demanding in a strict voice his assistance in solving a problem could give you unexpected gains.

If now you are talking to a manager (not an IT manager), then you should really try to exploit their wish to show themselves as "grand employees" to their bosses, by implying that their help to solve that problem will be mentioned, or that you will provide some "benefits" to him/her after their provided assistance.

Depending on their reaction, you can now proceed to a more sophisticated way of removing data from them, in a way that will leave them satisfied for doing their part of the job.

Speaking now of the technical area of social engineering, you have to think of the greater picture. Social Engineering is only a branch that is associated with the so-called Security Area in IT fields. Footprinting and forensics are just a few of the other security techniques that can provide you with proper data, in order to arrange your plan. All of them should run or be executed simultaneously in order to provide the wished results for the engineer.

Movies show social engineers trying to steal data by trash-diving, speaking over the phone, sending phony messages or even stealing paper bills from the victim's mailbox at home. But what happens when personal confrontation is in order? Is there any method to extract data as "painlessly" and as fast as possible? The answer is negative here, but there are ways to "smooth" this job a bit. Those ways are reflected and based mostly upon how the human body moves and reacts to external stimulations caused by words or just by another person's appearance. We all tend to react in some sort of way when we do not want to participate in something that repulses us, whether that is a conversation or just a glance at someone's face. This is the weak spot which an experienced social engineer should take advantage of.

Every person is totally different when it comes to speaking of his own personality. In fact, no one is similar to the person next to him, but we all tend to react by using some actions (defined and classified by our society's behavior), which could be described in some stereotypes.

For instance, a person who is "closed" to others tends to stand or sit with his hands placed near his body or even crossed in front of his chest, something that shows defenses are up towards anyone who will try to get close or even tries to talk to him. His chin is usually close to his chest and pointing to the ground, similar to the way a fighter is protecting it during a boxing round. He then really needs to feel that the other person is somehow "harmless" to him. This could be achieved with a joke or even a fake impersonation of being sympathetic to a problem of his. His sense of lacking security will then be reduced, and it is up to the engineer to handle further discussion. Defensive persons are always easy to break down, especially if the "cracker" is equipped with social skills, like nice smiles and of course the ability to "break the ice" in a company full of strangers.

Quite the opposite is happening when the opposing person is an "aggressive" type. They are easy to spot, as they tend to brag and have neurotic and sudden, sharp moves of their bodies. Hands and legs are noticed to always be occupied with something, or just moving in a rhythmical movement (like knees going up and down while sitting on a chair). This is usually a sign of stress or anxiety about something, which most of the time has nothing to do with the engineer. They like to hear themselves talking all the time and really try to be the centre of the world's attention. Maybe not in such obvious ways as described here, but they really feel this need, and if they feel somehow satisfied by the presence of the other person, it is quite easy to gain data from them.

Aggressive types do have though a small "handicap" when trying to break their defense. They could be unpredictable if they are handled the wrong way and feel "threatened", and I really suggest that possible failure should trigger the immediate stop of any activity towards a "social engineering" attack. Unless, of course, the "cracker" is very sure of himself.

The most dangerous type, I think, is the one that seems to sit at the other chair doing absolutely nothing and having limited expressions while listening to the "cracker". It shows that this person is either equipped with a lot of experience in this kind of talk, or he is just not interested in listening. In both cases, any attempt to proceed with that attack will lead to certain failure and of course to the exposure of the attacker.

The above-mentioned types are nothing more than a simple explanation of a person's visual appearance, and certainly not a step-by-step guide to follow. In real life, social engineering attacks usually end up in failure, as there are no real experts in human psychology running around in the IT area trying to hack-crack-search sites or data storages. Professional pen-testers or IT marketing consultants who are trained to evaluate and apply psychology techniques are paid great amounts of money to provide services. They certainly would not do it for a laugh or out of fun. Keep in mind though that even they could be driven to mistakes.

Talking about mistakes and learning from them, I think that the best school about social engineering exists only in very few places, called... Parliaments. The "houses" of diplomacy, where the "science" of speech and arguments is exercised in full. Watching some of their sessions could give magnificent examples of how to drive a person to the expected result, by manipulating senses, words and phrases and by using his weaknesses as your own weapons. The "art" of locating the right word or essence, in order to confront his words and use your own intelligence so as to gain. A really "hard-ball" game, where losses are a great defeat and not just a failed attempt. So, it is definitely a great school for those who want to use their speech as the ultimate weapon in gaining data and control over others.

Fortunately or unfortunately, the "art" of speech is something that would not be gained over a month or a year. It takes a lot of practice, along with studying every kind of script or document regarding politics, diplomacy, psychology, and in general whatever relates to sophisticated expressions of the human mind. So I suggest that all ambitious future social engineers take under serious consideration how to talk and how to use the "art of speech".

In conclusion, Social Engineering is something more than a simple fraud or other scam technique in order to deceive someone. It is a mix of intelligence and the ways of using logical arguments, so as to gain the wished result or the advantage to get one step closer to your target. Based upon the most ancient science, or better described as skill, of human nature: the "Art of speech".

Gandalf

Author: njan | Location: Scotland, UK | Posted: Sun May 08, 2005 12:07 am
    ----
Quote:
Workers were asked a series of questions which included: What is your password? Three in four (75 per cent) of people immediately gave their password.

If they initially refused they were asked which category their password fell into and then asked a further question to find out the password.

Another 15 per cent were then prepared to give over their passwords, after the most rudimentary of social engineering tricks were applied.

One interviewee said, "I am the CEO, I will not give you my password - it could compromise my company's information".

A good start, but then the company boss blew it. He later said that his password was his daughter's name.

What is your daughters name, the interviewer cheekily asked.

He replied without thinking: "Tasmin".


http://www.theregister.co.uk/2003/04/18/office_workers_give_away_passwords/

This is from a survey done in 2003 by/at InfoSecurity Europe. There was a similar survey done earlier this (or late last) year which El Reg reported on, which actually targeted information security professionals: a group of unidentified survey-takers approached InfoSec professionals at an event and asked them for a variety of pieces of information, purporting to be doing a survey and telling people that by participating they could win a prize. The information collected included information about maiden names, pets, and family, which no legitimate survey would have any use for, and shockingly, the vast majority of the target audience gave enough information away to enable identity fraud. One participant even commented on this, saying that she worked at a bank, and that the information they were asking her for would let them open a bank account in her name. She gave them the information.

Thank you for your post, Gandalf.. you've made many extremely interesting points! One which I don't quite agree with you on (or which, if we do agree, deserves clarification), however, is the following:

Quote:
Social Engineering is focusing on the weakest chain of the IT security. Humans and their psychology. A way of exploiting all weakness of a person's character, based upon simple lies to applying psychological, brutal violence upon the "subject".


This is true - Social Engineering generally is the weakest portion of an organisation's security; however, I would argue that the job of IT Security professionals is to reduce the risk of this 'weakest chain'. Biometric authentication and minimum privilege are two examples of this: although you can never prevent an attacker from gaining information through a staff member or user which that staff member or user has access to, by enforcing secure authentication and giving staff/users access strictly to the data they need, you can create a system which makes Social Engineering difficult and restricts the results solely to information that the employee themselves has access to, hopefully making it more likely that a would-be intruder will have to resort to SE'ing more employees, or breaking in in other ways, in order to fully break into a company's systems, increasing the risk of detection.

Unfortunately, most organisations don't even get steps such as these right, and few back it up with the training required to provide extra protection against this form of intrusion.

Author: The_Real_GandalfLocation: Athens,Greece PostPosted: Sun May 08, 2005 11:51 am    Post subject:
    ----
Actually, biometrics and limited privileges increase the level of security, but they also increase the level of "user unfriendly" procedures for an employee of yours, who will need to go through certain "channels" and time to do his/her job.
An IT pro will find plenty of company managers who disagree with that, as this will cost companies more time and of course more money. It will be easier to educate them on how to confront any Social Engineering attempts with certain sentences, like "Please wait a minute to confirm this with my supervisor" or "I will get back to you, leave me your phone number". They are quite effective in a typical "speech social attack". Of course this is only a sample of what you could achieve with such an education. There are many more things to learn, like how to erase and protect sensitive data (shredding, password wallets and so on). Education-training is the ultimate weapon against this kind of attack, which also provides security to those people in their everyday life. We all hear of people who are giving away their PINs in a simple mail request, used in phishing techniques...

Today, an announcement was made in the EU, stating that biometric passports are going to be published on 1/1/2006 for all E.U. members. This chip is going to contain all personal data and it would be scanned from a 10cm distance, if I remember right.
The question is the following...
How many people are familiar with that passport and the data it will contain? There will be some serious attempts to steal or misuse it, by malicious persons with several social engineering techniques. Like impersonating an airport employee and scanning it with a mobile reader.

Training is of A-Z importance, as our technology is improving. If we won't follow this advancement, then we will find ourselves in a whole lot of problems. And that includes companies.

Gandalf

Author: MattALocation: Eastbourne + London PostPosted: Sun May 08, 2005 12:27 pm    Post subject:
    ----
The_Real_Gandalf wrote:
It will be easier to educate them on how to confront any Social Engineering attempts with certain sentences, like "Please wait a minute to confirm this with my supervisor" or "I will get back to you, leave me your phone number". They are quite effective in a typical "speech social attack".


Some good phrases to introduce would be "Give me your name and phone number and I'll get back to you."
This is a good one as you can confirm that someone is from the organisation they claim to be.
Also, things such as password resets should only be carried out if it can be confirmed by speaking to the person's manager that they are who they say they are, and you phone them back.
Password resets are a big risk and need to be controlled.

Author: ThePsykoLocation: California PostPosted: Mon May 09, 2005 6:11 pm    Post subject:
    ----
"according to a new survey. Two out of three people (180 of 272) approached in a downtown San Francisco street by researchers were happy to provide their password in exchange for a coffee gift card. Of those respondents that declined offering their actual password, 51 provided a clue about their password in exchange for a $3 Starbucks gift voucher."


http://www.theregister.co.uk/2005/05/06/verisign_password_survey/

Author: replicator PostPosted: Fri Jul 08, 2005 11:46 am    Post subject:
    ----
"In computer security, social engineering is a term that describes a non-technical kind of intrusion that relies heavily on human interaction and often involves tricking other people to break normal security procedures. A social engineer runs what used to be called a "con game". For example, a person using social engineering to break into a computer network would try to gain the confidence of someone who is authorized to access the network in order to get them to reveal information that compromises the network's security. They might call the authorized employee with some kind of urgent problem; social engineers often rely on the natural helpfulness of people as well as on their weaknesses. Appeal to vanity, appeal to authority, and old-fashioned eavesdropping are typical social engineering techniques.

Another aspect of social engineering relies on people's inability to keep up with a culture that relies heavily on information technology. Social engineers rely on the fact that people are not aware of the value of the information they possess and are careless about protecting it. Frequently, social engineers will search dumpsters for valuable information, memorize access codes by looking over someone's shoulder (shoulder surfing), or take advantage of people's natural inclination to choose passwords that are meaningful to them but can be easily guessed. Security experts propose that as our culture becomes more dependent on information, social engineering will remain the greatest threat to any security system. Prevention includes educating people about the value of information, training them to protect it, and increasing people's awareness."

Author: karkrazy PostPosted: Mon Oct 17, 2005 6:00 am    Post subject: Social Engineering X-plained
    ----
Hi guys,

Social engineering is a form of security attack in which the attacker tries to acquire information about the computer systems, network, passwords, etc. by talking to the employees of an organization. Thus, a social engineering attack may occur over the phone, via chat rooms, message boards, talking, etc. The main purpose is to get access-related information which can later be used to gain access to confidential and critical organizational information systems.

Hope this helps.

Regards

Karkrazy

http://www.big4guy.com

Author: comrade PostPosted: Mon Oct 17, 2005 9:09 am    Post subject:
    ----
Perhaps one of the more ingenious examples of social engineering is the following:
Quote:
I love you, let's make love.

Author: Jiffycornbreadman PostPosted: Sun Jul 16, 2006 8:33 am    Post subject:
    ----
Social engineering is the way to manipulate weaker minds. Many people seem to think social engineering is only to do with computers. Social engineering is like the human version of a computer trojan...

Author: SkaldGrimnirLocation: Arlington, TX PostPosted: Mon Jul 17, 2006 8:44 pm    Post subject: Re: Social Engineering
    ----
dogsitterz wrote:
WeeBit wrote:
To me using Social Engineering to gather sensitive information from a business or even a home user is nothing more than a "con artist" at work hurting businesses or home users. I don't understand why when you discuss Social Engineering why you don't call it a con artist at work to do harm?


Simplifying Social Engineering as just "con artist" is an oversimplification of a very deep area of professional study. It uses any and all tools discovered in psychology, sociology and technology, and is ever evolving in each area of study, all of which lead to tools and techniques.

Moderator note: edited to fix quote (enabled BBCode) - capi


I disagree completely.

The root of Con Artist is Confidence Artist. It is the art of getting someone to display confidence in you, to believe you, and to do what you say to do.

Social Engineering is pretty much an updated phrase to represent Con Artist. The problem is, most people think of Confidence Men as petty crooks, or guys who swindle old Floridians out of retirement funds.

Confidence Men were often well educated, or if not, learned how people reacted to a great degree, and learned quickly. They also thought quickly on their feet. And a Con Man today is likely to know as much or more about computers as the next guy.

Author: stingray6w9 PostPosted: Sat Nov 04, 2006 7:43 pm    Post subject: Social Engineering
    ----
I would tend to agree with liquidz. As security gets better, only the best of hackers will be able to get into systems the old-fashioned way. However, there will always be people willing to give information away if they feel it is needed for an important purpose. No matter how many times you tell people never to give out personal information over the phone, if you can convince them you need the information for a legitimate purpose they won't be the wiser, until they get burned. It takes at least some in-depth knowledge to hack into a system; just about anyone can use social engineering to get into a system.

Author: polaris PostPosted: Wed Sep 09, 2009 12:32 pm    Post subject:
    ----
Just read the book 'The Art of Deception', you'll automatically know what social engineering is!

Author: AdamVLocation: Leeds, UK PostPosted: Wed Sep 09, 2009 8:58 pm    Post subject:
    ----
You will also understand the terms "egomaniac" and "self-aggrandisement" as well.
Some good bits of information in the book but it is a little bit too "look at me, I'm really clever, and I'm going to explain this very slowly and carefully for you because I know you are a bit dumber than me". Sorry, but the style of the book just grates on me.



All times are GMT + 2 Hours