SOCIAL ENGINEERING
last updated 2008 March 27
see also  www.witiger.com/ecommerce/hackersvideo.htm
 
This page is used in the following courses taught by Prof. Richardson:
BIT 801
BCS 555
MGD 415
FSM 620
 
http://youtube.com/watch?v=9qKfrnXjqjc University of Toronto (UTM) students Wyann L. and Sol L. in MGD 415 in March 2008 created a kewl video in which they describe several components of how Social Engineering tricks can lead to an Identity Theft situation. If you watch the video carefully, you can pick up on several tricky (but convincing) lies that are told. And what makes it even trickier is that the tricky lines come from a friend, which makes it less likely the "victim" will be suspicious.
While it is sensational to talk about Identity theft happening by strangers hacking you, it is far more common for it to be committed by someone you actually know.

 
http://www.course.com/catalog/product.cfm?category=Security&subcategory=Security&isbn=0-619-06318-1 Whitman explains in Principles of Information Security, Chapter 2, p. 69:

"... the process of using social skills to convince people to reveal access credentials"

TR adds: it is usually done under stress and with the threat of an implied time limitation, for example

"... I need this in 7 minutes before our V.P. logs in before the board meeting.... he'd be very appreciative of your co-operation... how do you spell your name again...."

Kevin Mitnick
http://www.mitnicksecurity.com
On Kevin's site he has a link to a video clip of his interview with 60 Minutes, in which he specifically talks about his social engineering skills.
 
Black Hats Tricks: Social Engineering
In the video http://www.witiger.com/ecommerce/hackersvideo.htm
it is mentioned how a person is hired to break into the company's system. This person then makes phone calls to company employees [pretending to be from the IT dept.] and, through trickery, solicits them to reveal confidential information.

Many hackers use "social engineering", instead of technical methods, to obtain the userids and passwords with which they can then penetrate a network. Social Engineering is an expression used to simply mean tricking people, through lies, into giving you secret information under false pretenses.

"Social engineering is hacker jargon for getting needed information (for example, a password) from a person rather than breaking into a system. Psychological subversion is Thunder's term for using social engineering over an extended period of time to maintain a continuing stream of information and help from unsuspecting users."
This link below explains at length the variations on social engineering techniques
http://packetstorm.decepticons.org/docs/social-engineering/soc_eng2.html
Social Engineering, as a term, has broadened to also include the process where an attacking entity promises to give out free things [porn site passwords, anti-virus software, etc.] and, in the process of obtaining the free item, you are tricked into loading a virus on your computer, or a dialer program that will connect you through a long-distance phone call, etc.

CERT has been making people aware that social engineering is now used to compromise systems via IRC.

"The enticements of pornography, free software and security -- otherwise known as "social engineering" -- that have been common among e-mail-borne computer viruses now have spread to instant messaging (IM) and Internet Relay Chat (IRC), according to CERT, a federally funded security center based at the Software Engineering Institute of Carnegie Mellon University. CERT said it has received reports that "tens of thousands of systems have recently been compromised" using "social engineering attacks" via IRC or instant messaging.

The attacks attempt to trick Internet chat users into downloading what purports to be antivirus protection, improved music downloads or pornography but is actually malicious code, the center reported. While use of social engineering among virus writers and hackers is nothing new, the IRC and IM tricks have allowed thousands of computers to be taken over and used in distributed denial-of-service (DDoS) attacks or infected with Trojan horse or backdoor programs, according to CERT."

"... another trend in social engineering with IRC networks involves picking out individuals, spamming them with unsolicited messages, then offering a bogus spam solution that is actually malicious code."
http://www.newsfactor.com/perl/printer/16870/

Social Engineering: an example

An example of a "social engineering" attempt on one of your fellow students.
In the 4th week of January 2006, I received the following email from one of my UTM students in MGD415.
She said
"On Friday, I received a phone call from an employment company that I know of. The representative on the phone kept asking me questions like where you live, what is your occupation and asked me for my SIN #.  I gave her my number, but didn’t know the exact order of the numbers. I responded, “I don’t know the numbers” and she was like “well go check please.” Then, I thought, why is she asking me all this, when I have a file with them! I hung up.

This company probably didn’t exist, but just used a popular name. Such things like this are scary because you think you’re talking to the right person, but then things get a bit fishy later. Information needs to be confidential and secured. Isn’t this an example of information intelligence? – trying to steal people's information!"

Yes, it is a good example; you should always be circumspect and suspicious when people ask you to clarify information they are already supposed to have on file.

Social Engineering: an example of obtaining passwords

An example of "social engineering" done with corporate employees

 
 
 
 

In the 1st week of February 2007, I received the following email from one of my UTM students in MGD415, Anielyn B.

Anielyn emailed to say
Hello Professor,
After last week's last, I became curious about the idea of social engineering. I ended up talking about it with one of my friends, and he mentioned an excellent example where office workers gave away their passwords for pens. I looked it up on Google and found the article - I was both surprised and amused. Basically, a survey was distributed by the organizers of Infosecurity Europe 2003. They wanted to find out the security conscious levels of workers with regards to computer-stored company information. So, office workers were asked a series of questions, such as what their password was. 75% of them immediately gave it! Even the CEO, after a bit of convincing, gave his password as well. It just goes to show how far a little sweet-talking and cheap pens will go. The full article can be [was] found here: http://www.theregister.co.uk/2003/04/18/office_workers_give_away_passwords/
Hope that helps,

WTGR replies
Yes, it is an interesting example of how sometimes you can obtain things simply by asking! I read the article and it suggests that one of the ways you could get passwords is to ask colleagues.

The article explains
"Of the 152 office workers surveyed many explained the origin of their passwords. 
The most common password was "password" (12 per cent) and the most popular category was their own name (16 per cent) followed by their football team (11 per cent) and date of birth (8 per cent). Two thirds of workers have given their password to a colleague and three quarters knew their co-workers' passwords. In addition to using their password to gain access to their company information two thirds of workers use the same password for everything, including their personal banking, website access, etc."
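
As an added illustration (not from this page or the survey article), here is a small Python check that flags a password falling into the categories the survey found most common: the literal word "password", the user's own name, their football team, and their date of birth. The names, team and date used as the profile are constructed sample values.

```python
import re
from datetime import date

# Added example, not from the page or the survey article. It flags passwords
# that fall into the weak categories the Infosecurity Europe 2003 survey found
# most common: the word "password", the user's own name, their football team,
# and their date of birth. All profile values below are constructed.

def dob_digit_forms(dob_iso: str) -> set[str]:
    """All-digit spellings of a date of birth: ddmmyyyy, mmddyyyy, yyyymmdd, two-digit-year forms, year."""
    dob = date.fromisoformat(dob_iso)
    d, m, y = dob.day, dob.month, dob.year
    return {
        f"{d:02d}{m:02d}{y}", f"{m:02d}{d:02d}{y}", f"{y}{m:02d}{d:02d}",
        f"{d:02d}{m:02d}{y % 100:02d}", f"{m:02d}{d:02d}{y % 100:02d}", str(y),
    }

def weak_reasons(password: str, full_name: str, dob_iso: str, team: str) -> list[str]:
    """Return the survey categories the password falls into; an empty list means none matched."""
    pw = password.lower()
    pw_core = re.sub(r"[^a-z0-9]", "", pw)   # so "Pass-word!" still matches "password"
    reasons = []
    if "password" in pw_core:
        reasons.append("literal 'password'")
    # any word of 3+ letters from the name or team appearing inside the password
    if any(len(w) >= 3 and w in pw for w in full_name.lower().split()):
        reasons.append("own name")
    if any(len(w) >= 3 and w in pw for w in team.lower().split()):
        reasons.append("football team")
    digits = re.sub(r"\D", "", password)     # digits in order, separators ignored
    if any(form in digits for form in dob_digit_forms(dob_iso)):
        reasons.append("date of birth")
    return reasons

if __name__ == "__main__":
    # constructed sample profile and candidate passwords
    name, dob, team = "Alice Smith", "1985-03-07", "Leeds United"
    for candidate in ["password1", "Smith2020", "leeds!!", "x07-03-1985", "Tr0ub4dor&3"]:
        print(f"{candidate!r}: {weak_reasons(candidate, name, dob, team) or 'no survey category matched'}")
```

The check only covers the four categories the survey names; it says nothing about length or reuse, which the same article also flags.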

Social Engineering: an example of exploiting curiosity

An example of "social engineering" done to exploit curiosity

 
 
 
 

In the 2nd week of February 2008, I received the following email from one of my UTM students in MGD415, Sean C.

Sean emailed to say
Hello Professor,

I read an article on Social Engineering and found it very interesting because it talked about social engineering and the use of USB keys.
The article talks about a study that was conducted inside a bank. They wanted to exploit the bank's security with a focus on social engineering. The security company placed usb drives around the parking lots and smoking areas for people to pick up at their leisure.
The drives were embedded with a virus to take all of the user's information from their computer once it was plugged in. The study found that people are always going to be curious and want to pick up those usb drives and see what is on them. The article proves that "All the technology and filtering and scanning in the world won't address human nature. But it remains the single biggest open door to any company's secrets". I found this article interesting and it showed how social engineering is a very powerful tool for breaking through security.

WTGR replies
Yes, it is an interesting example of how sometimes you can trick people simply by placing something in their path and relying on human curiosity. The principle of this technique you describe is similar to how Trojan Horse viruses get launched.

Social Engineering: an example of exploiting people's trust of "men in uniform"

An example of "social engineering" done to obtain cash deposits
In the 4th week of March 2008, I received the following email from one of my UTM students in MGD415, Betty Wantzu C.

Betty emailed to say
"Dear Professor Richardson,

A British documentary TV show called "The Real Hustle" demonstrates social engineering techniques like confidence tricks and distraction scams, performed on the general public. I remembered during the class for this topic, you mentioned a character in a movie who easily gets through security doors by wearing the security uniform. An episode I found from the show demonstrates how a woman intends to go to a Manhattan bank's night deposit drop box and ends up giving money to two phony security guards."

http://www.trutv.com/shows/real_hustle/index.html?pid=HhThzrgEy_ZJHAD5_LiKszdjBn8lhGFh This is a screen capture from the video that Betty found, showing the "fake" bank guards standing outside the "out of order" night deposit box, with their own cash box below.

As "victims" come to make deposits, the security guys tell them to put the envelope in the strong box on the pavement.

Betty explains
"The video is found at:  www.trutv.com/shows/real_hustle/index.html?pid=HhThzrgEy_ZJHAD5_LiKszdjBn8lhGFh

The trick was first done (1960s) by social engineering icon Frank Abagnale. In an interview, he suggests that especially with today's technology and with some companies' lack of training, it is not that much harder to surpass security compared to 40 years ago.

He said, "Today banks don’t want to pay benefits, so they don’t hire full time employees, they hire part time help, and there’s very little training. So if a bank teller can’t tell me the difference between a good bill and a bad bill, then what can they tell me in the hotel lobby, or in the retail store? And because of lack of training and the ability to make the document look so good, it’s very simple to do today."

Abagnale also comments "when does it become a matter of you’re giving away way too much information." People are giving too much information to banks including social security number, and in the near future, your fingerprint.

For e-commerce, Abagnale suggests that it is just another form of payment, and it’s as dangerous as cash, credit card or over the phone because every system is not foolproof. He used a quote from Sherlock Holmes, ‘What one invents, one will discover.’ "
