Social Engineering
Part of a continuing series on Internet Safety.
The topics and techniques discussed here are for the purposes of defending yourself against them. At no time should you ever try some of these, as accessing a person's online account without consent is illegal in just about every jurisdiction.
Social Engineering - it sounds like some fake new-school jargon that only upper management uses, right? Wrong - it's a very real thing, and it targets the weakest part of any network and infrastructure: people.
The scariest part? It not only affects large enterprises, it can happen to you without you even realizing it. Read on to find out more on this, and how you can recognize these patterns, to enable you to defend against them.
What is Social Engineering?
In the plainest terms, "Social Engineering" is the art of gaining access to buildings, systems or data by using psychological tactics, rather than technical hacking techniques. For example, instead of trying to find a software vulnerability, a social engineer trying to gain entry to a building might pose as a co-worker, smoking with the crew outside, and then piggyback inside through a less secure door when his "co-workers" are done smoking. Or, one might pose as a Microsoft tech, calling someone inside to try to get their password.
To say that this is an "up-and-coming" concept in the Information Security world would be incorrect; it's actually a field that has been covered and even formalized in detail by authors and experts such as Chris Hadnagy, and the famed (or infamous, depending on your view) hacker Kevin Mitnick.
Catch Me If You Can!
If you've seen the movie "Catch Me If You Can" with Leonardo DiCaprio and Tom Hanks (great movie, by the way), Frank Abagnale Jr. schmoozes his way to being a multimillionaire before he's even old enough to drink. Most of Abagnale's techniques were rooted in social engineering - he'd build a rapport with someone so that he could get something that would otherwise be against the rules or illegal; he visited 26 countries on PanAm's dime before the age of 19 while posing as a pilot - he told them he was a pilot (with a forged ID) who lost his uniform. You get the picture
A real-life example would be this one from AOL:
AOL experienced a social engineering attack that compromised their system and revealed confidential information of more than 200 accounts. In that case the caller contacted AOL’s tech support and spoke with an employee for an hour. During the conversation the caller mentioned that his car was for sale at a great price. The employee was interested, so the caller sent an e-mail attachment with a picture of the car. Instead of a car photo, the mail executed a backdoor exploit that opened a connection out from AOL through the firewall. Through this combination of social engineering and technical exploitation, the caller gained access to the internal network.
It was easy for that attacker - he built a rapport with the tech, chatted about something that most people would be into (cars), and it went from there.
That's the beauty of social engineering - you're getting someone else to do the dirty work for you, and your "victim" actually becomes an unwitting accomplice.
How Would This Affect Me?
What happens when you forget a password? Well, you can click the "forgot your password?" link on most decent websites these days, and you'll get a password reset link to your mailbox. What if you lose your username? Usually you'll have security questions like, "When is your birthday?" "What's your favorite pet's name?" "What was your first car?"
"Well, only people who know me can find information like that."
Think so, huh? That's adorable.
Let's say I'm trying to get your bank password. Because I've been profiling you, either by chatting you up randomly or by someone who has given me information on you, I know I can start with two things:
- Your name
- Where you work
1) A quick google search would bring up a ton of stuff that I need to weed through and filter out, but right away I can get some juicy information - I can find your LinkedIn profile, your Facebook (and your photo), and the best ones - old work-related items that have your name and company on it, and even better, an old resume that might be floating around somewhere.
The crown jewel of my discovery mission though is a blog of yours that I found. Blogs (like this one) are ubiquitous on the Internet, and that's born out of our society's love for social networking and telling everyone exactly what we think about, well, everything. This blog is a treasure trove of information, and you'll see how I can use it later on.
From that old resume, and your blog, I now have an e-mail address for you, along with some other goodies that might come in handy, like your work history.
2) So now I want to get into your e-mail. I click on the Reset Password link, and now it asks me some security questions, like "What is your birthday?" You might think you're in the clear, I mean, how would I ever guess your birthday?
A quick search of your blog reveals mentions of the word "birthday" around July 13th. It never says the year, but in one post dated July 13th, 2011, you mention "I'm beginning the last year of my 20's!" So I now have a reasonable guess that your birthday is on July 13th, 1982. Uh oh!
3) Other information like "What's your dad's first name?" I can also easily find on your blog. I answer a few questions, and voila! I've weaseled my way into your e-mail, without even asking you a single question about your password.
Now I have access to all sorts of fun stuff - and the best part, is that most of your password reset links are going to be sent to that particular e-mail, assuming you've signed up for services with that address -- of course, the best way to find out is to run a search!
Worse yet, if I'm actually sitting at your computer, I can look through your browser history to find out where you bank. Usernames for online banking are somewhat predictable, and again, I can use the "forgot my username" link if there is one... chances are, there's a way to get in, and I'm now armed with the means to do so.
Okay, I admit it, I got owned. What can I do to prevent this?
- NEVER, EVER, EVER! give out your password to anyone you don't know. If someone calls you, or e-mails you asking for your password, it is 10000% malicious. Nobody should ever ask you for that, not even your IT guys.
- Be increasingly mindful of what information is available about you on the Internet. Remember what I said a few articles ago? The Internet is basically a worldwide public bulletin board. Stuff isn't as private as you think it is. Blogs, social networking sites, photo sharing sites, local sites - be smart, be aware of what you're sharing, and who you're sharing it with.
- Never be afraid to ask for ID. This goes for both work and home. Service organizations are glad to show you credentials - if you ever encounter resistance, ask for a supervisor.
Bottom line: Social Engineering is frightening, and it can have disastrous effects on your business, your credit, and your life in general. You might never realize you're helping your adversary until it's too late. Remember the old adage: Loose Lips Sink Ships - be mindful of what you share, and who you share it with, because someone might be watching and listening.
Stay safe out there, folks.
HAVE A QUESTION YOU'D LIKE ME TO ANSWER? Sent it on over to "info at forestdaleinfosystems dot com" - I'll post your question here and answer it to the best of my ability!
Phe
9:54 am on Friday, July 13, 2012
I just did a similar article series for an Information Program at work. Outstanding points, MIchael. And well written too. :)
Mike G.
10:42 am on Friday, July 13, 2012
Thanks!!
Jennifer
10:39 am on Friday, July 13, 2012
Scary how much people put out on the internet and how easy it is to have your information stolen. I have a set standard of lies and misspellings I've conjured up in my mind that stick in my memory. I put those on my security questions so that even if someone KNOWS me they don't KNOW my answers.
Mike G.
10:44 am on Friday, July 13, 2012
Yes, and that's a great point that I forgot to mention (Thanks for bringing it up!)
If you're prompted to create a security challenge, you should put in answers that are nonsensical or otherwise can't be traced back to you, and it's wise to store something like that in a password vault like Password Safe or KeePass or something like that where you can store the question/answer securely.
Thanks for the reminder!
ForestDale
6:51 pm on Saturday, July 14, 2012
Hey Michael, if you are looking for new topics for your blog, I'd love to see an article about HTPCs especially in light of new technologies like Apple's AirPlay, DLNA, Microsoft Glass, the new Google thingy, Roku, etc.
It's something I've wanted to invest in for a while but it always seems like the next big thing is always right around the corner.
Thanks.
Mike G.
12:34 pm on Sunday, July 15, 2012
Hi ForestDale,
Thanks for the tip - I'll do some research on the topic, but I'd like aknow what your thoughts are on HTPCs? What are you looking for in an HT system?
ForestDale
2:41 pm on Sunday, July 15, 2012
Honestly, what I would love is basically a true 7.1 channel AV receiver with a built-in PC. A true all-in-one solution.
Right now the best option seems to be an HTPC plugged into a separate amp/receiver which would require the use of either two different remotes or a 'universal' remote that may or may not be a able to handle all the function of each piece of equipment.
So basically I'm looking for something with a unified interface that can control all A/V elements (DVD, Blu-ray, streaming, CD's, Radio, Cable, etc) and put out 7.1 surround. As far as I can tell, such an option doesn't really exist, though the technology to do so has been around for a while now.
Mike G.
11:40 pm on Sunday, July 15, 2012
I'll do some research on this (I don't have much of a home theater system at home, admittedly), and I'll get something written up with my thoughts. Thanks for the tip!
Mike G.
12:31 am on Wednesday, July 25, 2012
Hi ForestDale -
Sorry it's taken me so long to get back to you. Both jobs have been pretty crazy.
I don't think I have quite enough knowledge on this to write an entire article, but I might not have to...
Check out this article from Gizmodo: http://bit.ly/OzhtpJ
It looks like it was written at the end of last year, but still looks pretty killer.
I think the important thing is that the video card has an HDMI output which *should* give you the Dolby TrueHD sound that you're looking for.
If you're going the route of building your own, some things to keep in mind:
- Ivy Bridge is coming out in the fall. This adds a ton of great features that might be relevant to HTPCs, like multiple 4K video playback and Intel Quick Sync Video - Windows gets the edge here, it's the only OS with support for it.
- Don't skimp on the RAM.
- That sucker's gonna get pretty toasty. Think about how you're going to cool the system.
I might consider taking a look at these resources also:
http://bit.ly/TomsHTPC - Even though this is from 2009, still a great read.
http://hd.engadget.com/tag/HTPC/ - This will give you every enGadget HTPC article that's been tagged as such on their site.
A Google Docs spreadsheet with the various features of HTPC OSes and software: http://bit.ly/NJ2soe
Good luck! Hope this helped.
david mokal
4:17 pm on Wednesday, July 18, 2012
Facebook is unbelievable for people giving out info. Their full name, where they live and then they tell their freinds they are leaving for Maine at 3:00 pm Friday. So just invite yourself to that person's house. LOL I see this so many times. Way too much info.
Mike G.
12:11 am on Thursday, July 19, 2012
You're absolutely right.
I won't give out the site names (I'm sure one can find them) but there are sites out there dedicated to crawling places like Twitter, Foursquare, Facebook, and other social media, to see if they have any public check-ins at places that are not their own home... So for instance David, say you leave your house and check in on Facebook at your local Dunkin's; I can look that info up on this site and say "Oh, David's not home, looks like his house is easy pickins for getting robbed."
It sounds crazy, but it's true. It's out there -- so be careful about what's public!
Mike Noneya
12:51 am on Thursday, July 19, 2012
No need for facebook, all my friends already have my number.
david mokal
6:46 am on Wednesday, July 25, 2012
Good For You Mike same here. Whats funny is Certain People wanted nothin to do with you in the 5th grade now Im 66 yrs old and they want to talk to me now? Even my Old Girlfreinds in high school after they went through 4 or more husbands want to meet me. LOL NO WAY! Like that one liner Mike.
Mike Noneya
9:15 pm on Wednesday, July 25, 2012
Thanks David, and your contribution sewed it up nicely.