Security, now that’s an important thing when dealing with coding, but also with everything else that has contact with the surrounding world. There are a lot of different techniques and ways a systems can be breached by, the majority of them requires you to know a lot about the system you want to access, in addition to that you will have to be good at creating exploits and applying them.
But there is one way that pretty much eliminates all those needs, if successful of course, and is in my opinion one of the most effective ways to get where you want. Unfortunately this technique isn’t that well known by the regular individual and it’s often them who are targeted in such an attack, so here’s my attempt to educate you about the topic social engineering. I’ll be presenting different approaches you can go with, this is purely for education purposes only, I do not recommend any of you to try these techniques for malicious purposes, remember it’s illegal!
I believe that to be able to protect yourself from attacks you need to know how they work; when you know how one thing works you can start taking steps to preventing attacks from happening. If you don’t know how it’s performed, then tell me how can you be able to prevent them? And that’s why I’ll be presenting the techniques here, how you use the knowledge later on is entirely up to yourself.
What is Social engineering?
Social engineering is a term used to describe techniques used to trick and manipulate people to perform tasks the attacker wants. The difference between social engineering and regular fraud is slim, but the term is mostly used when the fraud is done to get information about or get access to a computer or network systems.
The techniques used are based on flaws in the human logic, a chain is only as strong as its weakest link, and in some cases that weak link is you or one of the workers or administrators. If you don’t know about these techniques then you will most likely not see through them before it’s too late.
Some techniques
I have to make one thing clear; there is no list with all the techniques being used, the ones I know about I either have read about or is way I used myself. The goal with these methods is one of two situations, to get the victim to do what you want or tell you what you want. How you get there can be done in many ways, how effective you are is basically determined by your creativity.
Mostly these methods are used as a part of a bigger attack, but sometime it might be the attack itself.
When I hear of social engineering I think of all the cases when people phoned in pretending to be someone to get information or get the individual on the other side of the phone to perform something they want.
Let say a system administrator gets a phone call, the person calling present himself as the IT head administrator from the main office in New York, he tells them about a problem they are having and want to check with the system administrator on a couple of things, whether it is to shut down some systems or login into a machine, could be anything. Now an unsuspicious administrator might follow along not knowing that by performing this he just gave away valuable information or did something that will make it a lot easier job for the attackers to penetrate into the system.
You should always be on the lookout for anything suspicious, if you find something not right ask them to wait and phone back to the head office and confirm. Also if these things happen your boss is most likely to be informed and brief you about it before you get contacted.
But there have been a lot more creative ways in getting information. Imagine this: You work in an office and in the elevator or hall you find a CD and some papers with the headline “this month’s income reports” or something else. So you assume somebody must have dropped it there and you pick it up.
Now what do you do with it? You might take a look what the CD holds, unknowingly getting infected with a Trojan horse or releasing a worm into the network. You might not be tempted with looking at what this is so you hand it over to one of the guys in the economy department or to your boss and someone of them might check the content of the CD. Now how many of you would suspect that as an attack attempt?
Remember that this doesn’t have to be a CD, it could be a memory stick, floppy or something else.
As I said before these attacks can be very creative and hard to see through, especially for anyone who isn’t aware of this. Just phone workers at a company telling them you are calling from the tech-support. Eventually you’ll find someone who reported a problem, so you’ll help that person solving the issue, but in the process you’ll get the victim to type in some commands of which result they are not aware of to help you gain access to their system.
This is a problem; normal non technical persons are the ones that most likely will be targeted with these types of attack. They do not know what the commands do and most of the times they do not suspect anything being not right.
This reminds me of my days when I was nicking hotmail accounts from people, (yes I used to do that, way back though), not knowing what this technique was called back then I was dealing with social engineering to gaining access to people’s accounts.
The attacks were made possible by one thing that I consider being a big security mistake, and that is having a “secret question” option, if you answer it correctly you are in.
So what did I do, I simply added people on msn messenger talked to them for a day or two, just so they trusted me a little, then smoothly popped in a question that was the same as their secret question into the conversation, and most of them answered it without thinking twice about it, and they sure as hell should have thought about answering the question with it being a ticket in into their accounts.
You wouldn’t believe how many people gave away their secret question answers this way!
Personally I think that this is an issue that too little people see; the best option would be to abandon this method all together as it is so unsafe and easily exploitable.
As long as there will be secret questions present on various services people will be hacked not knowing how it happened.
And as a finish to this article, a little video clip of social engineering in practice!
Leave a Reply