Social Engineering Fundamentals, Part I: Hacker Tactics
by Sarah Granger ([email protected])
A True Story
One morning a few years back, a group of strangers walked into a large shipping firm and walked out with access to the firm’s entire corporate network. How did they do it? By obtaining small amounts of access, bit by bit, from a number of different employees in that firm. First, they did research about the company for two days before even attempting to set foot on the premises. For example, they learned key employees’ names by calling HR. Next, they pretended to lose their key to the front door, and a man let them in. Then they "lost" their identity badges when entering the third floor secured area, smiled, and a friendly employee opened the door for them.
The strangers knew the CFO was out of town, so they were able to enter his office and obtain financial data off his unlocked computer. They dug through the corporate trash, finding all kinds of useful documents. They asked a janitor for a garbage pail in which to place their contents and carried all of this data out of the building in their hands. The strangers had studied the CFO’s voice, so they were able to phone, pretending to be the CFO, in a rush, desperately in need of his network password. From there, they used regular technical hacking tools to gain super-user access into the system.
In this case, the strangers were network consultants performing a security audit for the CFO without any other employees’ knowledge. They were never given any privileged information from the CFO but were able to obtain all the access they wanted through social engineering. (This story was recounted by Kapil Raina, currently a security expert at Verisign and co-author of mCommerce Security: A Beginner’s Guide, based on an actual workplace experience with a previous employer.)
Most articles I’ve read on the topic of social engineering begin with some sort of definition like “the art and science of getting people to comply to your wishes” (Bernz 2), “an outside hacker’s use of psychological tricks on legitimate users of a computer system, in order to obtain information he needs to gain access to the system” (Palumbo), or “getting needed information (for example, a password) from a person rather than breaking into a system” (Berg). In reality, social engineering can be any and all of these things, depending upon where you sit. The one thing that everyone seems to agree upon is that social engineering is generally a hacker’s clever manipulation of the natural human tendency to trust. The hacker’s goal is to obtain information that will allow him/her to gain unauthorized access to a valued system and the information that resides on that system.
Security is all about trust. Trust in protection and authenticity. Generally agreed upon as the weakest link in the security chain, the natural human willingness to accept someone at his or her word leaves many of us vulnerable to attack. Many experienced security experts emphasize this fact. No matter how many articles are published about network holes, patches, and firewalls, we can only reduce the threat so much… and then it’s up to Maggie in accounting or her friend, Will, dialing in from a remote site, to keep the corporate network secured.
Target and Attack
The basic goals of social engineering are the same as hacking in general: to gain unauthorized access to systems or information in order to commit fraud, network intrusion, industrial espionage, identity theft, or simply to disrupt the system or network. Typical targets include telephone companies and answering services, big-name corporations and financial institutions, military and government agencies, and hospitals. The Internet boom had its share of industrial engineering attacks in start-ups as well, but attacks generally focus on larger entities.
Finding good, real-life examples of social engineering attacks is difficult. Target organizations either do not want to admit that they have been victimized (after all, to admit a fundamental security breach is not only embarrassing, it may damaging to the organization’s reputation) and/or the attack was not well documented so that nobody is really sure whether there was a social engineering attack or not.
As for why organizations are targeted through social engineering