Part of a continuing series on Internet Safety.
The topics and techniques discussed here are for the purposes of defending yourself against them. At no time should you try any of these on someone else, as accessing a person's online account without consent is illegal in just about every jurisdiction.
Social Engineering - it sounds like some fake new-school jargon that only upper management uses, right? Wrong - it's a very real thing, and it targets the weakest part of any network and infrastructure: people.
The scariest part? It not only affects large enterprises, it can happen to you without you even realizing it. Read on to find out more about this, and how you can recognize these patterns so you can defend against them.
What is Social Engineering?
In the plainest terms, "Social Engineering" is the art of gaining access to buildings, systems or data by using psychological tactics, rather than technical hacking techniques. For example, instead of trying to find a software vulnerability, a social engineer trying to gain entry to a building might pose as a co-worker, smoking with the crew outside, and then piggyback inside through a less secure door when his "co-workers" are done smoking. Or, one might pose as a Microsoft tech, calling someone inside to try to get their password.
To say that this is an "up-and-coming" concept in the Information Security world would be incorrect; it's actually a field that has been covered and even formalized in detail by authors and experts such as Chris Hadnagy, and the famed (or infamous, depending on your view) hacker Kevin Mitnick.
Catch Me If You Can!
If you've seen the movie "Catch Me If You Can" with Leonardo DiCaprio and Tom Hanks (great movie, by the way), Frank Abagnale Jr. schmoozes his way to being a multimillionaire before he's even old enough to drink. Most of Abagnale's techniques were rooted in social engineering - he'd build a rapport with someone so that he could get something that would otherwise be against the rules or illegal. He visited 26 countries on PanAm's dime before the age of 19 while posing as a pilot - he told them he was a pilot (with a forged ID) who had lost his uniform. You get the picture.
A real-life example would be this one from AOL:
AOL experienced a social engineering attack that compromised their system and revealed confidential information of more than 200 accounts. In that case the caller contacted AOL’s tech support and spoke with an employee for an hour. During the conversation the caller mentioned that his car was for sale at a great price. The employee was interested, so the caller sent an e-mail attachment with a picture of the car. Instead of a car photo, the mail executed a backdoor exploit that opened a connection out from AOL through the firewall. Through this combination of social engineering and technical exploitation, the caller gained access to the internal network.
It was easy for that attacker - he built a rapport with the tech, chatted about something that most people would be into (cars), and it went from there.
That's the beauty of social engineering - you're getting someone else to do the dirty work for you, and your "victim" actually becomes an unwitting accomplice.
How Would This Affect Me?
What happens when you forget a password? Well, you can click the "forgot your password?" link on most decent websites these days, and you'll get a password reset link to your mailbox. What if you lose your username? Usually you'll have security questions like, "When is your birthday?" "What's your favorite pet's name?" "What was your first car?"
"Well, only people who know me can find information like that."
Think so, huh? That's adorable.
Let's say I'm trying to get your bank password. Because I've been profiling you, either by chatting you up randomly or by someone who has given me information on you, I know I can start with two things:
- Your name
- Where you work
1) A quick Google search would bring up a ton of stuff that I need to weed through and filter out, but right away I can get some juicy information - I can find your LinkedIn profile, your Facebook (and your photo), and the best ones: old work-related items that have your name and company on them, and even better, an old resume that might be floating around somewhere.
The crown jewel of my discovery mission though is a blog of yours that I found. Blogs (like this one) are ubiquitous on the Internet, and that's born out of our society's love for social networking and telling everyone exactly what we think about, well, everything. This blog is a treasure trove of information, and you'll see how I can use it later on.
From that old resume, and your blog, I now have an e-mail address for you, along with some other goodies that might come in handy, like your work history.
2) So now I want to get into your e-mail. I click on the Reset Password link, and now it asks me some security questions, like "What is your birthday?" You might think you're in the clear, I mean, how would I ever guess your birthday?
A quick search of your blog reveals mentions of the word "birthday" around July 13th. It never says the year, but in one post dated July 13th, 2011, you mention "I'm beginning the last year of my 20's!" So I now have a reasonable guess that your birthday is on July 13th, 1982. Uh oh!
3) Other information, like "What's your dad's first name?", I can also easily find on your blog. I answer a few questions, and voila! I've weaseled my way into your e-mail, without even asking you a single question about your password.
Now I have access to all sorts of fun stuff - and the best part is that most of your password reset links are going to be sent to that particular e-mail, assuming you've signed up for services with that address - of course, the best way to find out is to run a search!
Worse yet, if I'm actually sitting at your computer, I can look through your browser history to find out where you bank. Usernames for online banking are somewhat predictable, and again, I can use the "forgot my username" link if there is one... chances are, there's a way to get in, and I'm now armed with the means to do so.
Okay, I admit it, I got owned. What can I do to prevent this?
- NEVER, EVER, EVER! give out your password to anyone you don't know. If someone calls you, or e-mails you asking for your password, it is 10000% malicious. Nobody should ever ask you for that, not even your IT guys.
- Be increasingly mindful of what information is available about you on the Internet. Remember what I said a few articles ago? The Internet is basically a worldwide public bulletin board. Stuff isn't as private as you think it is. Blogs, social networking sites, photo sharing sites, local sites - be smart, be aware of what you're sharing, and who you're sharing it with.
- Never be afraid to ask for ID. This goes for both work and home. Service organizations are glad to show you credentials - if you ever encounter resistance, ask for a supervisor.
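The walkthrough above works because security questions are answered with facts you have probably already published, and the second tip above says to be mindful of what is out there. The script below is an added example, not code from the original post: it audits a copy of your own posts (the sample posts are constructed for this example) for the kinds of details that reset questions rely on, and it generates a random answer you would store in a password manager instead of the true one. The keyword groups and the pattern names are assumptions of this example.

```python
import math
import re
import secrets
import string

# Phrases that commonly give away the answer to a password-reset question.
# These keyword groups are an assumption of this example, not from the post.
SENSITIVE_TERMS = {
    "birthday": [r"\bbirthday\b", r"\bturned \d{1,2}\b", r"last year of my \d0'?s"],
    "pet": [r"\bmy (?:dog|cat|pet)\b"],
    "first car": [r"\bfirst car\b"],
    "father's name": [r"\bmy (?:dad|father)\b"],
}


def find_exposed_answers(posts):
    """Scan your own posts for details a reset question might ask about.

    posts: list of (post_date, text) tuples.
    Returns a list of (category, post_date, snippet) findings to review.
    """
    findings = []
    for post_date, text in posts:
        for category, patterns in SENSITIVE_TERMS.items():
            for pattern in patterns:
                for match in re.finditer(pattern, text, flags=re.IGNORECASE):
                    # Keep a little context so the finding is easy to check by hand.
                    start = max(0, match.start() - 30)
                    end = min(len(text), match.end() + 30)
                    findings.append((category, post_date, text[start:end].strip()))
    return findings


def random_answer(length=20):
    """A high-entropy 'security answer' to store in a password manager.

    Treating the answer as a second password removes the link between the
    question and anything you have ever written publicly.
    """
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def answer_entropy_bits(possibilities):
    """Bits of guessing work for an answer drawn from `possibilities` values."""
    return math.log2(possibilities)


# Constructed sample posts, modelled on the blog in the walkthrough above.
SAMPLE_POSTS = [
    ("2011-07-13", "Today is my birthday, and I'm beginning the last year of my 20's!"),
    ("2011-08-02", "Took my dog Biscuit to the vet today; my dad drove us in his truck."),
    ("2011-09-10", "Nothing personal here, just a recipe for chili."),
]

if __name__ == "__main__":
    for category, post_date, snippet in find_exposed_answers(SAMPLE_POSTS):
        print(f"[{category}] {post_date}: ...{snippet}...")
    # A birthday within a 100-year window is one of ~36,500 values; a random
    # 20-character answer is one of 62**20.
    print(f"birthday guess space: {answer_entropy_bits(365 * 100):.1f} bits")
    print(f"random answer space: {answer_entropy_bits(62 ** 20):.1f} bits")
    print("example random answer:", random_answer())
```

Run it against an export of your own blog or social posts before choosing reset questions; anything it flags is an answer an attacker could find the same way the walkthrough describes, and is a candidate for a random answer kept in your password manager.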
Bottom line: Social Engineering is frightening, and it can have disastrous effects on your business, your credit, and your life in general. You might never realize you're helping your adversary until it's too late. Remember the old adage: Loose Lips Sink Ships - be mindful of what you share, and who you share it with, because someone might be watching and listening.
Stay safe out there, folks.
HAVE A QUESTION YOU'D LIKE ME TO ANSWER? Send it on over to "info at forestdaleinfosystems dot com" - I'll post your question here and answer it to the best of my ability!