Sunday, December 2, 2012

The Art of Social Engineering

Social Engineering is simply getting people to give up information. It can be something as simple as smiling at someone, or creating a false event to get people to voluntarily give up whatever the perpetrator is seeking. I'll start off by talking about who uses social engineering in the technology world. The best part, or worst part of social engineering, depending on the side that you are on, is that most people think hackers are the only ones who use this technique. Sure, hackers use it, but there are also people who do it purely for financial gain. Let's say I am approached by someone who works for a technology company seeking information on a competitor's next "big thing". I tell them that I will help them by posing as a painter and offering my services to paint the competitor's employee lounge. People are usually relaxed while on break or lunch, so I'm sure they'll talk about all kinds of things. Before I start my job, I do my homework, just so I can find something in common to talk about. As I'm painting, I begin to listen to some conversations and find out that a new project is being developed and should begin the test phase in a few weeks. I add my two cents to the conversation to find out more. At the end of the day I report to the people who hired me, give them the information they wanted, take my money, and leave. It can happen that easily. So who can become a victim of a social engineering attack? Almost anyone, especially if the person works in a position where being friendly is a requirement.

Take another example: the receptionist. Let's say a guy is trying to gain access to a company's network and is having a hard time getting inside. He poses as a delivery person and delivers a package to the company he seeks information from. As he stands at the receptionist's desk, he notices that she is having a rough day and decides to smile and tell her how pretty she looks today. Now what woman wouldn't like that? Now that he's broken the ice, he decides to start asking questions about the computer she is using, such as "What operating system are you using?" or "Who is your technical support guy?" The answers to those questions can help the "delivery person" gain access to the company network.

Another common form of social engineering is shoulder surfing. Shoulder surfing is when someone walks past a computer and glances at the screen to see what is on it. It's a common way to obtain passwords, PINs, and other information. This form of social engineering is very effective in crowded places, mainly because nobody is paying attention to what you are doing. Watching someone dial a phone number at a public phone, punch a keypad for a rented locker in an airport, or do any other activity in public are all opportunities to obtain information. Even looking at license plate numbers can be considered social engineering. I'm not saying you need to be paranoid and always looking over your shoulder. I'm simply saying that the opportunity for someone to get information from you is always there.

Most social engineers are pretty slick with their charms and language. If they have good looks, they will use that too. If they feel that a person may be willing to give up some information, they will continue with the conversation. If not, they will end it quickly and try another day.

A list of some common ways social engineering is used is below. It is not a complete list of course, just some common ways.

Telephone
Phishing Scams
Tail Gating
Social Networking Sites
Roleplay
Shoulder Surfing

The rule of thumb is pretty simple, but not as easy to follow. Never give out information that someone doesn't need. Why would a delivery person need to know what kind of operating system you are using? The answer is simple: they don't! When someone starts asking questions about personnel or company information, politely tell them you are not allowed to provide the information. You would not be rude by doing this. You would just be following company policy.
