SOCIAL ENGINEERING
last updated 2012 March 286 June 17
see also  www.witiger.com/ecommerce/hackersvideo.htm
 
This page is used in the following courses taught by Prof. Richardson:
BIT 801
BCS 555
FSM 620
MGM 723
MGD 415
MGD 426
 
http://www.youtube.com/watch?v=Ia5LN0rBgrI YES, THIS PAGE IS USEFUL

Nov 2011 - former UTSC student (MGTD06 in 2008) Hasan Shahzad stopped by to talk about his work in Mutual Funds at Royal Bank and mentioned that he frequently references material from this page to educate clients about some of the risk and threat situations they should be careful about regarding identity theft and hacking.

Thanks Hasan for mentioning this.
WTGR
 

http://www.youtube.com/watch?v=-GpO5UFG6us University of Toronto (UTM) students Marc N. and Zain (camera guy) in MGD 415 in March 2012 created a kewl video in which they describe going through a McDonald's drive-through and using Social Engineering tricks to scam a free latte (all done for "educational purposes", no doubt).

Am sure the execs at McDonald's head office know about this but they probably calculate that lost sales that may occur from "challenging" such situations outweigh the cost of complying with such requests ... so they just smile and give you the beverage.

http://youtube.com/watch?v=9qKfrnXjqjc University of Toronto (UTM) students Wyann L. and Sol L. in MGD 415 in March 2008 created a kewl video in which they describe several components of how Social Engineering tricks can lead to an Identity Theft situation. If you watch the video carefully, you can pick up on several tricky (but convincing) lies that are told. And what makes it even trickier is that the tricky lines come from a friend, which makes it less likely the "victim" will be suspicious.

While it is sensational to talk about Identity Theft happening by strangers hacking you, it is far more common for it to be committed by someone you actually know.
http://www.youtube.com/watch?v=DiKOaDRsNDo University of Toronto (UTM) students Kiel D., Teh Yu H. and Ting Po H. (+ help from Gordon L.) in MGD 415 in April 2009 created a kewl video in which they describe several components of how Social Engineering tricks can lead to compromising an RFID access control checkpoint. If you watch the video carefully, you can pick up on several tricky technical things done with a bit of "fakery".

WTGR says "Thanks , I can see it took a bit of time to create the "script" and plan the shoot, I appreciate your efforts"


 
Making better passwords

Protecting your passwords

Social Engineering is often used to uncover people's passwords in order to carry out some form of identity theft. Here is some "practical-tactical" information on how to make passwords longer and easier to remember.
http://www.thestar.com/living/technology/article/1261464--think-your-passwords-are-secure-think-again One of the obvious aspects of curtailing or even preventing Identity Theft is to stop people from figuring out your password, given the many online circumstances in which we all regularly have to log on during our day-to-day activities.

Oct 2012 - Richardson was interviewed at length in the Toronto Star for an article focused on making better passwords.

Richardson provided some specific tips on how to make longer passwords that are more challenging to hack, and at the same time some techniques, based on mnemonics, for creating passwords which are easier to remember.

http://www.youtube.com/watch?v=3rkY5M6Wzdw Following the article in the Star on Oct 9th, Richardson compiled a YouTube video explaining in more precise terms some of the techniques for writing longer AND easier-to-remember passwords.
 
http://www.course.com/catalog/product.cfm?category=Security&subcategory=Security&isbn=0-619-06318-1 Whitman explains in Principles of Information Security, Chapter 2, p. 69:

"... the process of using social skills to convince people to reveal access credentials"

TR adds: usually done under stress and with the threat of an implied time limitation

"... I need this in 7 minutes before our V.P. logs in before the board meeting.... he'd be very appreciative of your co-operation... how do you spell your name again...."

Kevin Mitnick
http://www.mitnicksecurity.com
On Kevin's site he has a link to a video clip of his interview with 60 Minutes in which he specifically talks about his social engineering skills.
 
Black Hats Tricks - Social Engineering
In the video http://www.witiger.com/ecommerce/hackersvideo.htm
it is mentioned how a person is hired to break in to the company's system. This person then makes phone calls to company employees [pretending to be from the IT dept.] and, through trickery, solicits them to reveal confidential information.

Many hackers use "social engineering", instead of technical methods, to determine the user IDs and passwords with which they can then penetrate a network. Social Engineering is an expression used simply to mean tricking people, through lies, into giving you secret information under false pretenses.

"Social engineering is hacker jargon for getting needed information (for example, a password) from a person rather than breaking into a system. Psychological subversion is Thunder's term for using social engineering over an extended period of time to maintain a continuing stream of information and help from unsuspecting users."
from http://packetstorm.decepticons.org/docs/social-engineering/soc_eng2.html
 
Social Engineering, as a term, has broadened to also include the process where an attacking entity promises to give out free things [porn site passwords, anti-virus software, etc.] and in the process of obtaining the free password, you are tricked into loading a virus on your computer, or a dialer program that will log you into a long distance phone call, etc.

CERT has been making people aware that social engineering is now used to compromise IRC

"The enticements of pornography, free software and security -- otherwise known as "social engineering" -- that have been common among e-mail-borne computer viruses now have spread to instant messaging (IM) and Internet Relay Chat (IRC), according to CERT, a federally funded security center based at the Software Engineering Institute of Carnegie Mellon University. CERT said it has received reports that "tens of thousands of systems have recently been compromised" using "social engineering attacks" via IRC or instant messaging.

The attacks attempt to trick Internet chat users into downloading what purports to be antivirus protection, improved music downloads or pornography but is actually malicious code, the center reported. While use of social engineering among virus writers and hackers is nothing new, the IRC and IM tricks have allowed thousands of computers to be taken over and used in distributed denial-of-service (DDoS) attacks or infected with Trojan horse or backdoor programs, according to CERT."

"... another trend in social engineering with IRC networks involves picking out individuals, spamming them with unsolicited messages, then offering a bogus spam solution that is actually malicious code."
 
Social Engineering - an example

An example of a "social engineering" attempt on one of your fellow students.
In the 4th week of January 2006, I received the following email from one of my UTM students in MGD415.
She said
"On Friday, I received a phone call from an employment company that I know of. The representative on the phone kept asking me questions like where you live, what is your occupation, and asked me for my SIN #. I gave her my number, but didn't know the exact order of the numbers. I responded, "I don't know the numbers" and she was like "well go check please." Then, I thought, why is she asking me all this, when I have a file with them! I hung up.

This company probably didn't exist, but just used a popular name. Such things like this are scary because you think you're talking to the right person, but then things get a bit fishy later. Information needs to be confidential and secured. Isn't this an example of information intelligence? - trying to steal people's information!"

Yes, it is a good example, you should always be circumspect and suspicious when people ask you to clarify information they are already supposed to have on file.

Social Engineering - an example of obtaining passwords

An example of "social engineering" done with corporate employees

In the 1st week of February 2007, I received the following email from one of my UTM students in MGD415, Anielyn B. (who later became the TA for CCT322 in 2009).
Anielyn emailed to say
Hello Professor,
After last week's class, I became curious about the idea of social engineering. I ended up talking about it with one of my friends, and he mentioned an excellent example where office workers gave away their passwords for pens. I looked it up on Google and found the article - I was both surprised and amused. Basically, a survey was distributed by the organizers of Infosecurity Europe 2003. They wanted to find out the security conscious levels of workers with regards to computer-stored company information. So, office workers were asked a series of questions, such as what their password was. 75% of them immediately gave it! Even the CEO, after a bit of convincing, gave his password as well. It just goes to show how far a little sweet-talking and cheap pens will go. The full article can be [was] found here: http://www.theregister.co.uk/2003/04/18/office_workers_give_away_passwords/
Hope that helps,

WTGR replies
Yes, it is an interesting example of how sometimes you can obtain things simply by asking !! I read the article and it suggests that one of the ways you could get passwords is to ask colleagues.

The article explains
"Of the 152 office workers surveyed many explained the origin of their passwords.
The most common password was "password" (12 per cent) and the most popular category was their own name (16 per cent) followed by their football team (11 per cent) and date of birth (8 per cent). Two thirds of workers have given their password to a colleague and three quarters knew their co-workers' passwords. In addition to using their password to gain access to their company information two thirds of workers use the same password for everything, including their personal banking, website access, etc."
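A defender-side check built from the survey categories quoted above, added here as an example (it is not code from the Register article or from this page): it flags passwords that are the literal word "password", contain the user's own name, date of birth or football team, and estimates brute-force bits so a short password can be compared against a longer mnemonic phrase of the kind the password section above recommends. The user name, birth date, team and the 12-character minimum are constructed inputs and policy values, not figures from the page.

```python
import math
import re
from datetime import date

# Constructed wordlist: the survey names only "password" itself; the other
# entries are placeholders a real deployment would replace with a breach list.
COMMON_WORDS = {"password", "letmein", "qwerty"}


def estimated_bits(password: str) -> float:
    """Brute-force estimate: length * log2(size of the character pool used).
    It ignores dictionary structure, so it is an upper bound, not a guarantee."""
    pool = 0
    if re.search(r"[a-z]", password):
        pool += 26
    if re.search(r"[A-Z]", password):
        pool += 26
    if re.search(r"[0-9]", password):
        pool += 10
    if re.search(r"[^A-Za-z0-9]", password):
        pool += 33  # printable ASCII punctuation plus space
    return len(password) * math.log2(pool) if pool else 0.0


def weak_password_findings(password: str, full_name: str, birth_iso: str,
                           team: str = None, min_len: int = 12) -> list:
    """Return the reasons a password fails a policy built from the survey's
    findings. birth_iso is YYYY-MM-DD; min_len=12 is a constructed threshold."""
    findings = []
    low = password.lower()
    if low in COMMON_WORDS:
        findings.append("dictionary word")
    # Own name: any name part of 3+ letters appearing anywhere in the password.
    name_parts = [p for p in full_name.lower().split() if len(p) >= 3]
    if any(p in low for p in name_parts):
        findings.append("contains own name")
    # Date of birth in the common numeric layouts (year, ddmm, mmdd, full date).
    dob = date.fromisoformat(birth_iso)
    dob_forms = {dob.strftime(f) for f in ("%Y", "%d%m%Y", "%Y%m%d", "%d%m", "%m%d")}
    if any(form in password for form in dob_forms):
        findings.append("contains date of birth")
    if team and team.lower().replace(" ", "") in low.replace(" ", ""):
        findings.append("contains football team")
    if len(password) < min_len:
        findings.append(f"shorter than {min_len} characters")
    return findings


if __name__ == "__main__":
    # Constructed sample user, not a real person.
    for pw in ("password", "AnnLee1985", "My dog Rex ate 3 pizzas on Friday!"):
        print(f"{pw!r}: {estimated_bits(pw):.1f} bits,",
              weak_password_findings(pw, "Ann Lee", "1985-03-07", team="Arsenal"))
```

The mnemonic sentence passes every check and scores far more brute-force bits than the eight-letter word, which is the point the password section above makes about length and memorability.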

Social Engineering - an example of exploiting curiosity

An example of "social engineering" done to exploit curiosity

In the 2nd week of February 2008, I received the following email from one of my UTM students in MGD415, Sean C.
Sean emailed to say
Hello Professor,

I read an article on Social Engineering and found it very interesting because it talked about social engineering and the use of USB keys.
The article talks about a study that was conducted inside a bank. They wanted to exploit the bank's security with a focus on social engineering. The security company placed USB drives around the parking lots and smoking areas for people to pick up at their leisure.
The drives were embedded with a virus to take all of the user's information from their computer once it was plugged in. The study found that people are always going to be curious and want to pick up those USB drives and see what is on them. The article proves that "All the technology and filtering and scanning in the world won't address human nature. But it remains the single biggest open door to any company's secrets". I found this article interesting and it showed how social engineering is a very powerful tool for breaking through security.

WTGR replies
Yes, it is an interesting example of how sometimes you can trick people simply by placing something in their path and relying on human curiosity. The principle of this technique you describe is similar to how Trojan Horse viruses get launched.

Social Engineering - an example of exploiting people's trust of "men in uniform"

An example of "social engineering" done to obtain cash deposits

In the 4th week of March 2008, I received the following email from one of my UTM students in MGD415, Betty Wantzu C.
Betty emailed to say
"Dear Professor Richardson,

A British documentary TV show called "The Real Hustle" demonstrates social engineering techniques like confidence tricks and distraction scams performed on the general public. I remembered that during the class for this topic, you mentioned a character in a movie who easily gets through security doors by wearing the security uniform. An episode I found from the show demonstrates how a woman intends to go to a Manhattan bank's night deposit drop box and ends up giving money to the two phony security guards."

Social Engineering to obtain a credit card

In the 2nd week of March 2011, I received the following email from one of my UTM students in MGD415, M.K.
M emailed to say
"I've been meaning to tell you about a little incident I had recently where I might have been a victim of social engineering. I wanted to make reservations at a restaurant for Valentine's Day so I called this restaurant I found online called "Spunti.....". It looks quite nice on the website and I liked the food on the menu. When I called the restaurant they asked me for my credit card number. I asked why? They said it's because they'll charge $85 per person if I don't show up. I had until two days before the reservation to cancel, free of charge. The man on the phone said that this ensures people will show up to dinner because the last thing they want is an empty restaurant. I honestly haven't made many restaurant reservations in my life before this and this particular restaurant was in Yorkville so I thought maybe things work a little differently there. So I was like all right, I really want to go to this place. So I gave him my credit card number. Then he asked for the expiry date and even the verification number on the back. I gave him everything. Then I hung up, texted my boyfriend that we better show up on Monday evening or I'll get charged $170 if we don't. My boyfriend replied absolutely freaking out at me for what I had just done. He couldn't call me because he was in class but he sent text after text telling me that they could be using my credit card number for all kinds of things... even online gambling. Then he told me to cancel the reservation immediately and to cancel my credit card immediately. When I called BMO to cancel my credit card, the lady on the phone said restaurants don't ask for credit card numbers and it was a good thing I cancelled my card."

M concludes by saying
"Maybe this wasn't a scam or maybe it was. It was better to be safe than sorry. Maybe the reason why the man on the phone asked me for my information was because when he said "What is your credit card number" I was surprised and asked "Why do you need it?" but then after his explanation, I said, "Well I wouldn't really know how making dinner reservations works". He saw right there that I was inexperienced and that he could possibly take advantage of this by not only asking for my credit card number but the expiry date and verification number. Whatever the case may be, it is still ridiculous to charge $85 per person if you don't show up to your dinner reservation."

WTGR replies,
it is unfair to generalize, but certain types of "casual low skilled labour", if ya get my meaning, attract people who use those positions to obtain fraudulent info like the situation you describe - always be overly cautious when asked for your credit card.

http://www.trutv.com/shows/real_hustle/index.html?pid=HhThzrgEy_ZJHAD5_LiKszdjBn8lhGFh This is a screen capture from the video that Betty found, showing the "fake" bank guards standing outside the "out of order" night deposit box, with their own cash box below.

As "victims" come to make deposits, the security guys tell them to put the envelope in the strong box on the pavement.

Betty explains
"The video is found at: www.trutv.com/shows/real_hustle/index.html?pid=HhThzrgEy_ZJHAD5_LiKszdjBn8lhGFh

The trick was first done (1960s) by social engineering icon Frank Abagnale. In an interview, he suggests that especially with today's technology and with some companies' lack of training, it is not that much harder to get past security compared to 40 years ago.

He said, "Today banks don't want to pay benefits, so they don't hire full time employees, they hire part time help, and there's very little training. So if a bank teller can't tell me the difference between a good bill and a bad bill, then what can they tell me in the hotel lobby, or in the retail store? And because of lack of training and the ability to make the document look so good, it's very simple to do today."

Abagnale also comments "when does it become a matter of you're giving away way too much information." People are giving too much information to banks including social security number, and in the near future, your fingerprint.

For e-commerce, Abagnale suggests that it is just another form of payment, and it's as dangerous as cash, credit card or over the phone because every system is not foolproof. He used a quote from Sherlock Holmes, 'What one invents, one will discover.' "

Social Engineering - an example of trickery

An example of "social engineering" done to trick people into providing free services

In the 3rd week of March 2010 I received the following email from one of my UTM students in MGD415, Atim U.
(pic supplied by Atim U.)
Atim emailed to say
Hello Prof Richardson,
After Tuesday's class I started researching examples of social engineering and I came across this video
http://www.youtube.com/watch?v=cQtQg--PB0k&feature=fvw
which shows how some young boys deceived McDonald's and collected free burgers and fries. [they lie about their order not being completed] It made me realize that social engineering is a subtle but severe crime. The best way to handle it would be to protect information, never make any exceptions for verification of information, because in the video if they had not made an exception they would not have gotten away with it. They should have asked the father to bring the receipt.

WTGR replies
thanks for finding the video, as it is on YouTube, ppl can make comments - some of the comments say "This is not social engineering. This is just lying to get free food.", but other people say this is indeed the type of trickery that is fundamental to convincing people to do something they would not ordinarily do, and is the basics of social engineering.
