Monday, October 09, 2006

Social Engineering, Part 1

What is Social Engineering

In our day-to-day lives, we talk to people, whether face to face, on the phone, or through some other form of communication. We talk to people we know and to strangers. In all these interactions, we give out information to third parties, whether intentionally or not.
As human beings, we have a natural tendency to be helpful, to sympathize with the unfortunate, and to try to be team players.

Social engineering plays on these attributes to break through human defenses. Social engineers take advantage of these human traits to get people to comply with them.

Social engineering is 'the art and science of getting people to comply with your wishes'. It makes use of human intelligence to manipulate people into giving out their secret information. It is a psychological trick. The attacker's goal is to obtain information that will allow him or her to gain unauthorized access to a valued system and the information that resides on that system. The target could be a computer information system or someone else's private information.

In the course of a social engineering attack, the attacker may use few or no technological aids to accomplish his goal. Social engineering methods depend on people skills rather than technical skills, since they exploit human nature rather than software or hardware vulnerabilities.

Common ploys include pretending to be an organization executive or member of the IT staff, a fellow worker, or a member of an outside organization, such as a company vendor, supplier or consultant.

Why Social Engineering

As security technologies evolve and become more sophisticated, making it increasingly difficult to exploit technical vulnerabilities, attackers will turn to exploiting the human element. Cracking the human firewall is often easier and involves lower risk if done carefully. For example, today's password encryption algorithms are sophisticated enough that it is almost infeasible in practice to crack a password using a brute-force attack. Even with the fastest computer we can get today, it might take hundreds of years or more to break a password. It is much simpler for the attacker to pose as a helpdesk or IT employee and ask for it.

Social engineers rely on the fact that people are not aware of the value of the information they possess and are careless about protecting it. How many times have we given out personal information such as a credit card number, account number or billing information to a party who claims to be from the credit card company, the phone company, our insurance agent and so on? How many times, when giving out this information, have you spent even a second thinking about whether the caller is really who they claim to be, what the value of the information you are giving out is, and why those people need that information? Do you ever bother to verify their identity?

The human factor is always security's weakest link. This is due to our lack of education, our ignorance and our misconceptions about security. We have never been taught in school how to protect ourselves from information theft, how we should value information, or how to protect our privacy.

We could install the most sophisticated door lock in our house. But if we do not know how to use the lock properly, if we do not know how to deal with a stranger who knocks on our door, if we do not make sure our surroundings are safe when we open the door, we are still vulnerable to letting the stranger into our house. The human factor is often the most overlooked element in the security chain. Social engineers understand this gap in the security chain. They have always taken advantage of our desire to be helpful and friendly, our sympathy and our ignorance to accomplish their goal. Thus, social engineering is the most difficult form of attack to defend against.

Social engineering is not limited to computer crime. It is a general technique used by people who want to gain access to information that they normally cannot access, or that most people think is impossible to obtain.

For example, a private investigator may use social engineering techniques to obtain private information, such as the financial status of the target he is investigating. He could pretend to be the target, call the bank, tell the bank he needs a bank statement to apply for a credit card, and ask the bank to fax the statement over.

Another example is a commercial spy who wants to steal confidential product information from a competitor. The spy could pretend to be a consultant, or someone in a partner company who helps with the development of the product, and convince employees in the target company to reveal important information about the competing product under development. By doing so, the commercial spy would gain a step on his competition and be well prepared to counter it.

How Social Engineering Works

It is often no surprise that even after a victim has been lulled into giving out sensitive information to the attacker, he still has no idea that he has fallen for a social engineering attack. A successful social engineering attack will always leave its victim unsurprised and unaware of what happened.

A social engineering attack is well organized, planned and thought through. A professional social engineer will always plan his attack well before he launches it. He always knows his material well.

Here is the general cycle of a typical social engineering attack:

1. Setting the Stage
The attacker will identify what he wants to accomplish and how he wants to accomplish it.

2. Research
The attacker will start by doing his homework to find out key information such as:

  • Names of key persons whom he can use and pretend to be. It is even more useful if he can find out the name of a person who has high authority in the organization.

  • Jargon or technical terms used in the specific industry or the company he plans to attack. The ability to use context-specific terms in conversation will make people believe that the attacker comes from the same background or is one of them.

  • Company background and product information, policies and business processes. Understanding the company's operations and policies will help the attacker identify the target's weaknesses and how to exploit them. This knowledge is also useful in helping the attacker convince the victim that he is part of that environment.

  • Victim background and habits. Understanding the victim's background will give the attacker an effective way to engage the victim in a seemingly comfortable and enjoyable conversation, paving the way to develop and gain trust.

Knowing all this information is important at a later stage for developing a trust relationship with the victim. We implicitly trust someone who can mention specific terms that we use in our job, who knows about our background, or who mentions names that we know.

3. Developing Trust
After gathering useful information, the attacker will approach the victim. The attacker will start a conversation and, using the information he has gathered, attempt to develop a trust relationship with his target. The attacker could get right to the point and ask for the information he needs. However, doing so would be too suspicious and could set off alarm bells for the victim. Instead, the attacker will start the conversation in a casual manner, pretend to be friendly and progress gradually. Over the course of the conversation, the attacker will pick up on different signs, such as the victim's hesitation in responding, or whether the victim appears cooperative, helpful or courteous.

It is human nature to implicitly trust someone who claims to be from a position of authority, or someone who seems to know a lot about us, our environment and what we are doing, and perhaps shares the same interests. We also tend to trust someone who sounds helpful, friendly and courteous. The social engineer knows this well, and his research in the previous stage is very important to his success. At this stage, his goal is to gain trust, convince his victim and make the victim feel comfortable with him.

4. Exploiting Trust
Once trust is established, the attacker will ask questions that gain him valuable information, or he could ask the victim to perform an action on his behalf. Using a more advanced technique, the attacker could even set up a situation where the victim asks him for help. This technique is called reverse social engineering.

When the attacker feels that the victim is comfortable with him and is ready to reveal information, he will proceed to ask for the information he is interested in. A good social engineer knows that if he moves in too fast, he might arouse suspicion. He knows he needs a lot of patience. He continues the conversation with seemingly innocent subjects and, in between, asks a question that will gain him the information he needs. He then gauges the response of the victim. If the victim still sounds cooperative, he will continue with the other questions on his list. If the victim shows hesitation, the attacker might divert the conversation to other topics before coming back with his next question, or he might gracefully end the conversation and move on to his next victim.

A good social engineer understands that, in gaining the information he needs, patience and timing are very important. If he asks his question too early in the conversation, before the victim is ready, the victim will hesitate to answer and his action could look suspicious. If he ends the conversation right after he obtains the information, the victim will remember what he asked for, which might also raise suspicion. A smart social engineer is always sensitive to his victim and knows when to slot his question into the conversation. Once he has all the information he needs, he will follow up with a couple more casual topics and questions before he ends the conversation. This step is important because, most of the time, people only remember what happened at the start and at the end. They might not remember well what happened in between. With this technique, the victim might not remember well what the attacker asked him for.

The process of developing trust, exploiting trust and obtaining the information could be as simple as a few minutes of conversation with a single victim. Or it could be a situation where the attacker has to establish contact with several victims to extract bits and pieces of information from each of them individually. The situation largely depends on what actually happens during the contact and how cooperative the victim is. It also depends on the type of information to be obtained.

5. Utilize Information
Once the information is obtained, the attacker will use it to accomplish his final goal. If the information obtained only gets him one step closer to the final goal, the attacker will return to the earlier cycle until he reaches his final goal.

In this first part of the article, we have introduced what social engineering is, why hackers choose such an attack approach, and what the typical life cycle of a social engineering attack looks like.

In the next article, we will look into why social engineering attacks work at all, what other means of social engineering attack exist, and how to identify and combat them.


