Social Engineering: Why hack a computer when a person is easier?

10 09 2011

So what is social engineering? Merriam-Webster defines social engineering as the “management of human beings in accordance with their place and function in society”[1]. In terms of information security, I would define a social engineer as someone who modifies human behavior to extract useful information and to achieve a desired result. Because social engineering is quickly becoming more and more popular, it is essential to learn both how social engineering is performed and the methods that are used to prevent these attacks.

Earlier this year, I read a review praising the book Social Engineering: The Art of Human Hacking[2]. The review led me to purchase the book and find out more about the subject, and I can tell you that its treatment of social engineering is worth reading. The author, Christopher Hadnagy, covers everything from the basics of social engineering (information gathering and elicitation) to the tools and techniques of a social engineer. Along the way, many real-life examples and case studies are presented to show the methods that social engineers use. More information, along with the social engineering framework developed by Hadnagy, is available on the website[3]. I would strongly recommend that you look at this website if you are unfamiliar with the concept of social engineering.

The book walks through using a social engineering toolkit that comes standard in BackTrack Linux[4]. The toolkit can be easily used to set up a spear-phishing attack. I say “easily” because it only requires going through a few menus before the whole attack is produced for you, no code required. This method of attack could be used for many different ends, including taking control of another person’s computer or wiping its memory.

One of the reasons that social engineering is so interesting is that it can be adapted to nearly any situation. In his blog post “Classroom Ethics 101”, behavioral economist Dan Ariely discusses an experiment in which a fake copy of a past exam was sent out to members of his class[5]. The email came from a fake classmate, and he found that about 69% of students accessed the document. If he included an honor code, that number dropped to 41%. That makes a great way to infect 69% of your peers’ computers during finals week (and to get kicked out of the program yourself).

It is definitely worth knowing that these types of attacks can easily happen, and knowing the ways to prevent them. A great real-world example comes from something that happened at my former employer. One day, people were walking around installing Microsoft Office upgrades. These people were allowed to plug flash drives into computers without question, and everyone in the company who received the upgrade typed in their password to allow the software to install. While the install was occurring, people would leave and go get coffee. People trusted them because they had name tags and wore uniforms.

I’m sure that with a little research and practice you could walk into a company, say that you’re there for the upgrade, and use a flash drive on multiple computers. From that point, there are easy ways to get passwords[6]. You were just the upgrade guy wearing a fake name tag and uniform. Now imagine that you actually work for a company and have regular physical access to machines.

As security professionals, we will have to deal with these types of attacks. What policies would you put in place to stop something like this from happening?