Basic Social Engineering Defense 101 by Isreal

17 Nov 2004

Social Engineering (SE) is a form of hacking that focuses on gaining information from 'people' rather than gaining it by hacking into a computer. The following article explains a few of the means by which that happens.

No matter how secure your computers are, your personal and business information is still accessible by other means, one of them being social engineering (SE). Social engineering is best described by Kevin Mitnick as: "...using persuasion and influence and deception to gain information from people...". There are various ways a social engineer can gain access to your information, and I will cover a few of them in this article. These means include but are not limited to: information scavenging, phone call deception, and intrusion.

Information Scavenging

This is also referred to as 'dumpster diving', and that term eloquently defines exactly what is happening. An individual will choose an opportune time (the time when anyone is least likely to be around to catch them) to pilfer through your garbage for any type of information that could possibly be useful to them. Too many times, a person will write valuable information on scrap paper and then toss it in the garbage when they no longer have a use for it. This information can include passwords, phone numbers, addresses, etc., and will usually be found on post-it notes, company letterhead, and various internal hardcopies of memos, emails, etc. These are the main things a scavenger will look for when rifling through your refuse. Not disposing of these items in a more secure fashion could result in a social engineer or 'hacker' gaining access to more of your information than you would want them to have. Document shredders are one of the more effective (not foolproof) ways to secure information before disposing of it.

Phone call deception

The telephone is one of the main tools of a social engineer.
The following is an example of phone call deception that I did to the personnel manager of a major retail company.

Mary: "Personnel, this is Mary. How can I help you?" (She sounded as though she could be an older woman.)
Isreal: "Hi Mary, this is Mark in home office. How are you today?"
Mary: "Hi Mark, I'm doing great. We have a warm sunny day for a change so it's pretty nice. What's it like down your way?"
Isreal: "Well, the weather's pretty good today, but things here in the office are not in good shape at all. I'm gonna need your help for a few minutes."
Mary: "What's wrong?"
Isreal: "The guys that take care of the computers are saying that we got one of those viruses that tears up your computer."
Mary: (sounding worried) "OH NO"
Isreal: "I don't really know much about computer viruses, but I do know that some of the words coming out of that office would make a sailor blush." (I laughed and she joined in.)
Mary: "That sounds awful. I don't know anything about viruses either, but I hear about them on the news all the time. They sound terrible. So how can I help with it?"
Isreal: "Well from what the computer guys are telling me, the virus got in our personnel computers and erased some of the information we had on company employees. They gave me a list of names, and I have to call all these stores and get the information back in our computers. So I'm gonna need you to pull up a Jackie McGeath's information and get ready to answer a few questions. OK?"
Mary: "Sure Mark, anything I can do to help. Is her information still gonna be in my computer or will I need to get out her file?"
Isreal: "I don't have any idea, but just to be safe, you'd better go ahead and get her file to save some time. I still have to call 146 other stores today so my time is a bit limited."
Mary: "OK, I'll put you on hold and hurry up and get the file. I'll be right back."

As you can tell, a talented social engineer can access your information from any location as long as they have a telephone.
Even information that you thought was safe (i.e. personnel records) is available to someone using phone call deception techniques. It is vital to teach your employees the importance of verifying who they are speaking with on the telephone if that person is requesting any type of personal information regarding themselves or any other employee. Setting up some sort of 'keyword' or 'pass-phrase' could be an effective (not foolproof) way of verification.

Intrusion

This version of social engineering is somewhat self-explanatory. In basic terms, intrusion is when a social engineer works a face-to-face con job on his/her intended target. Gaining information by means of intrusion is something that most companies/businesses do not expect and are usually not prepared for. The following example is an intrusion 'job' that I worked on the manager of a fast food restaurant.

Prep work has given me the name and description of the store manager. His name is 'Jeff' and he will be the only one there this morning wearing a button-up blue (manager) shirt. I go in full of confidence and walk straight behind the counter and around to a back office that I could see from the registers. I don't slow down until I reach the office, but I do greet crew members along my path by their names (supplied by name badges). Once I get to the office I look inside and then turn around to greet Jeff, who is closing in fast with a puzzled look on his face. I point at Jeff and say his name. Not as a question but as a statement of fact.

Jeff: (stops) "Yes... (still looking puzzled and eyeing me up and down) how can I help you?"
Isreal: (pulling a business card from my shirt pocket and handing it to him) "I'm Aaron Roper. I just took over for Mark Fisher (that name only took 2 phone calls to get) as Regional Personnel Manager and I'm out to do a bit of a meet and greet with managers in my area this week. (I look over his shoulder to the busy store behind him) It looks like you're pretty busy this morning, and I've got 4 more stores to visit today, so I won't tell too many war stories, OK?" (smiling at my own humor as I point and nod in the direction of the hard-working crew behind him)
Jeff: (glances at the business card and then laughs a bit) "OK, you want to sit in here?" (he points to the small office)
Isreal: "I'll tell you what, (putting my arm on his shoulders to turn him around, I move back to the front of the store) you grab us a quick bite to eat and I'll make the coffee. How do you take yours?"

This was going so smoothly I had to go for a free breakfast. I was now in the zone. I was in full control of the game.

Jeff: "Three packs of sugar. Do you want me to key this into your corporate account?"

*insert doctor's voice* We're losing him... Get a crash cart in here STAT!!! Brain juices fire as the shock hits me. I try to recover with the only option I can think of.

Isreal: (turning and reaching for my wallet, I try to keep my voice clear) "No... when they keyed in my transfer, everything got messed up. They terminated me instead of transferring me. They are working on making me an employee again even as we speak." (I laugh a little too loudly)
Jeff: (seeing the humor in the situation) "That has to be the mistake of the century. Firing the guy who does the hiring. (he laughs right along with me; my laughter is causing me pain as he glances at my wallet) Don't worry about it, (he waves off my money) you can buy next time."

My heart pumps much-needed blood to my head for the first time in an agonizing minute and a half. I get the coffee and try to remember how he takes it as I look around for an empty booth. Three packs of sugar later I give myself some positive reinforcement. "You can't kill a legend," I mutter as I go to the booth. (Ego stroking helps me tremendously.)

Jeff sits down with breakfast and I open my briefcase in the seat beside me, taking care to keep it turned so he can't see inside. I keep the conversation casual as we begin to eat. "Are you married?" "Children?" "How old?" People love to talk about their kids, and I am still recovering from partial brain damage. While Jeff is talking about 'Susie' I reach into my briefcase and grab a form that was printed on a sheet with an official-looking "company letterhead". I slide it over to Jeff while he is mid-bite and explain to him that this form is for my personal records.

Isreal: "I key all the information into my laptop at home, and it saves me the trouble of driving all the way back to the office every time I need it."

The document has lines for: Name, Birthdate, Employee ID Number (I tell him that his social will do if he doesn't know his ID), address, contact phone numbers, etc. I hand him the pen out of my pocket. Jeff gladly fills out his VITAL INFORMATION and slides paper and pen back over to me.

A quick reference-checking phone call from the manager to his local district office would have stopped this intrusion job dead in its tracks. Knowing who works for you and who you work for is something that should be at the top of the security priority list. Verifying whether or not a person is who they say they are is a fairly simple task, especially if the social engineer is claiming to be someone you work for or with. Setting up simple security measures with your employees isn't a time-consuming process and will help to protect your personal information. If you have any questions regarding information security/social engineering, please feel free to contact me.