INFO SECURITY: Social Engineering 101, or how to get ANYTHING you want…

Hi, This Is Bob From IT

To help demonstrate what exactly Social Engineering is, let me play out a scenario for you…

Mr Jones works for a large corporation.  He’s not very tech savvy and out of the blue one day, he gets a phone call.

‘Mr Jones’
Hello, Mr Jones, Acquisitions…

‘Helpdesk Bob’
Hey, Mr Jones, it’s Bob from the Help Desk. We’re having an issue with your account, it seems as though someone’s been calling down trying to get your password changed. We need to verify that you are the one who wants to change it. Have you tried calling us to change it?

‘Mr Jones’
Hey Bob, no, it’s not me; I’m in my account fine right now. They were trying to get my password changed?

‘Helpdesk Bob’
Yeah, they had your company ID and everything. At least I think it was your company ID.

‘Mr Jones’
Well, here, let me verify my ID for you.  It’s 1234567.

‘HDB’
Yup, that’s what we have; I wonder how they got that.

‘Mr Jones’
I don’t know, I’m pretty safe with that kind of stuff. Is my account safe? I don’t want to lose anything.

‘HDB’
Hmmm, just to be sure, let’s go ahead and change your password.

‘Mr Jones’
Ok, how do I do that?

‘HDB’
Ok, that’s easy, have you been migrated to Vista yet?

‘Mr Jones’
Um, what’s that?

‘HDB’
When the computer starts up, does it say Windows Vista with a circle in the middle of the screen?

‘Mr Jones’
Yeah, it just changed; they were doing something to my computer last week. They always do stuff to my computer when I go away; I’m tempted to have them give me a laptop so I can take it home with me so they stop messing with my computer.

‘HDB’
Ok, do this, do that, now do you see where it says password? Go ahead and put it in there.

‘Mr Jones’
Ok, it’s done. Now what?

‘HDB’
Go ahead and read it back to me so I can verify it for you…

After the call, Mr Jones hangs up and feels MUCH more secure knowing that the Help Desk alerted him to an issue. He felt SO confident, in fact, that he had the ‘Helpdesk’ call a few of his co-workers to make sure they were safe. Mr Jones also asks if he can call Bob back if he has any problems.

Bob now has an ‘inside’ source to get any information he wants, even if he has to actually fix an issue here or there, and he doesn’t have to worry about Mr. Jones calling the real help desk because he gave him the ‘special on-call cell phone number’ (in reality, a disposable phone paid for in cash that can be dumped when he’s done with it).

What Mr Jones DIDN’T realize was that Help Desk Bob was sitting in a bombed-out building in the middle of nowhere with a satellite connection and a recording of an office setting playing. Mr Jones just gave out the keys to the company. With a little more social engineering, Bob can call the real help desk, get them to allow him privileges to download a VPN client to his laptop, and remote in and do whatever he wants.

It’s easy to scare people into giving you their information.  It’s even easier to get people to help you because they want to try and keep you from getting into trouble.

Social Engineering is defined by Webster’s as:

The management of human beings in accordance with their place and function in society. This definition was created in 1899.

The definition still holds true. You are ‘managing’ people according to their function. You’re getting them to do things that they probably shouldn’t, using either scare tactics, tricky wording, or making them think they’re helping you or themselves.

When you put someone at ease, or when you put someone into a situation they think they’re going to be in trouble for, you make them more susceptible to giving something up.

Let’s see what information was gathered in the above scenario:

  • Mr Jones works in acquisitions
  • He’s still a valid employee (maybe not for long)
  • He was just recently migrated to Vista
  • He isn’t very tech savvy
  • He doesn’t call the help desk very often (because he doesn’t know the procedures)
  • Bob knows his company ID and password
  • He knows that Mr Jones doesn’t have a laptop
  • He knows Mr Jones travels
  • He also now knows the same information for a number of Mr Jones’s co-workers.

He is able to start mapping out the company’s internal structure as well.

All of this from a simple phone call and a little bit of prodding and lying.

The same thing is done with pretty much every phishing e-mail that someone receives. A phishing e-mail is one designed to look identical to the messages one may receive from their financial institution, cell phone company, cable company, etc. But instead of a genuine link to their site, it leads to a site that is ready to steal all of your information at the drop of a hat. Phishing, or spear-phishing (targeting specific individuals or a group of people), is yet another form of Social Engineering.
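The mismatch between what a phishing link shows and where it actually goes is the one part of this that a mail filter can check mechanically. The following is an added example, not code from the original post: a small Python script that parses a constructed HTML e-mail body, pulls out every link, and flags any anchor whose visible text names a different domain than the href really points at. The sample message, the hostnames in it, and the crude `registrable_domain` approximation are all assumptions made for the demonstration.

```python
"""Flag links in an HTML e-mail whose visible text points somewhere other
than the real destination.  Constructed example; not code from the post."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample e-mail body: two honest links and one disguised link.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, please review your statement at
<a href="https://www.example-bank.com/statements">www.example-bank.com</a>.</p>
<p>To confirm your identity, log in at
<a href="http://login.example-bank.com.evil-host.test/verify">https://login.example-bank.com/verify</a></p>
<p>Need help? <a href="https://www.example-bank.com/help">Contact support</a></p>
"""


def registrable_domain(host):
    """Last-two-labels approximation of the registrable domain.
    Assumption: adequate for the demo; real code would consult the
    Public Suffix List so that e.g. 'co.uk' is handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently being read
        self._text = []     # text fragments seen inside that anchor

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_from_text(text):
    """If the visible link text looks like a URL or bare hostname, return
    its host; plain words such as 'Contact support' return None."""
    if " " in text or "." not in text:
        return None
    candidate = text if "://" in text else "http://" + text
    host = urlparse(candidate).hostname
    return host if host and "." in host else None


def find_deceptive_links(html):
    """Return (href, visible_text, reason) for every anchor whose shown
    domain differs from the domain the href actually resolves to."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real_host = urlparse(href).hostname or ""
        shown_host = host_from_text(text)
        if shown_host and registrable_domain(shown_host) != registrable_domain(real_host):
            findings.append((href, text, "visible domain differs from real destination"))
    return findings


if __name__ == "__main__":
    for href, text, reason in find_deceptive_links(SAMPLE_EMAIL_HTML):
        print(f"SUSPICIOUS: text={text!r} -> href={href!r} ({reason})")
```

Run as-is it reports only the middle link, whose text claims `login.example-bank.com` while the href lands on `evil-host.test`. The check deliberately ignores anchors whose text is a plain label (“Contact support”), since a mismatch can only be judged when the message shows the reader a domain.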

You really need to be careful what you say to whom; you need to watch what’s going on and question EVERYTHING. If you owe money, this is a great way for someone to socially engineer your credit card number, social security number, etc. out of you: a ‘company’ may call you up.

It may look like the phone number of your credit institution, but with today’s ability to use Voice Over Internet Protocol (VOIP) and run a VOIP server from a thumb drive, they can make it look like the call is coming from your own phone number. It takes 15 minutes to set up a quick, down and dirty VOIP server, and they’ve got tons of stuff they can do with it.

Bob is now able (if he wanted to) to get a few of Mr. Jones’s customers and drop in to see how they’re doing. He can get a suit, find out when Mr. Jones’s contacts are going to be out of the office, and pay a visit asking to see that person. When that person isn’t there, he can say, ‘Wow, I thought for sure we set up the time to meet today,’ then weasel his way into getting access to the network to shoot off an e-mail to Mr Red and reschedule, all the while mapping out the network and laying his back door programs to do the hard part for him.

Social engineering can also be done on the phone system or on computers. The phone system can be ‘phreaked’ or ‘hacked’ and can provide tons of information. Let’s say Bob, our hacker from above, is trying to gather additional information from customers of Mr Jones. Bob calls Mr Jones’s number at strange hours, obviously gets his voice mail, and finds out that Mr Jones is going to Las Vegas for a weeklong vacation.

There are many things Bob can do with this information. If he’s in the area, he can get a picture of Mr Jones, find out his interests, study up on him, and socially engineer his way into dinner, drinks and partying with Mr Jones, get tons of information from him under false pretenses, and be on his way. The other way Bob could go with this is visiting Mr Jones’s customers, like he did above.

He may also want to ‘pay a visit’ as a ‘service guy’ to Mr Jones’s house. Mr Jones is the type of guy that would most likely leave a key lying around, and as a ‘service guy’, Bob could roll up in a nondescript white van with some kind of magnetic sticker on the door, let himself in and take what he wants.

Dumpster diving is yet another form of Social Engineering.  Be careful of what you throw out.  Shred anything that has your name, address, any information on you whatsoever.  Anything that is in a trash can (unless posted otherwise) is garbage and is available freely for anyone to take.  If you have a trash can outside, bring it in to the garage, but DON’T leave it outside.  Once you put your trash down on the curb, it’s fair game.

Dumpsters at corporations are usually not guarded and usually don’t have signs stating that they are private property; if they don’t, they’re also fair game, and anything taken from them is taken legally. This is how police get a lot of information without a warrant. This is also a way for police to get probable cause for a warrant. This is also a way police can get DNA from someone: if they spit gum into a trash can or throw out a coffee or soda can or cup, that can lead to fingerprints, DNA samples, the works.

Yes, social engineering is many things, and it is scary. There was a point in my time when I wouldn’t talk to any business over the phone if I didn’t have to, and in fact I have told many companies that I wouldn’t speak to them unless I called them from a known good number. I still, to this day, shred anything with any personally identifiable information (PII) on it before burning it, then wait till the morning of to put my trash down for the garbage collector. But, then again, I’m a bit more paranoid than most.

Social engineering can be used for both good and evil; it’s all in the way that it’s used. Either way, both criminals and ‘cops’ use it. I’m even sure that there are CIA, NSA and military personnel overseas that use it while interrogating prisoners or questioning people to get what they want.

The biggest thing to remember is that social engineering works on these factors:

  • People want to help
  • People don’t want to get in trouble
  • People want to think people have good intentions
  • People are stupid.

Yes, this does also work on kids (getting them to do what they’re supposed to) and women (getting a date, etc, use your imagination).

My favorite quote that I live by is the following:

I am a social engineer because there is no patch for human stupidity.

Have you ever used social engineering?

Have you ever been the victim of social engineering?

Was this article helpful?

Let me know in the comments.

And again, thanks for taking the time to read this.  I know it’s a long one, but it’s something that needs to be brought to light.

—————————————————————————————

~Norm W.
Information Security Correspondent

Norm W. is an information security engineer currently employed as a CONUS civilian contractor. He has worked in the computer industry for the past 20 years and holds several security and non-security related IT certifications. Norm has worked with multiple agencies in the private and public sector as well as foreign companies and agencies to resolve information security issues.

23 thoughts on “INFO SECURITY: Social Engineering 101, or how to get ANYTHING you want…”

  1. As someone doing infosec this is a huge concern for me. One of the biggest mistakes I see companies make is assuming IT people don’t need to be trained on what social engineering is. It is our helpdesk however that is the most vulnerable. I have received passwords from them with out them ever verifying who I am. They know my name so I must be who I am right? And even though I explain this to management, it falls on deaf ears. I would like to hear if others have this problem and if/how they sold it to the bosses to be fixed.

  2. Great article! Think twice about what information you give out- once it’s out of your hands, you have no control over what happens to it…

  3. Norm this is a great article that is relevant to everyone not just military and security specialists. Maybe you should publish this in a few major newspapers just to see what kind of response you get. I imagine that the horror stories in response would fill a book.

  4. I would like to hear if others have this problem and if/how they sold it to the bosses to be fixed.  

    You have no idea how many times I’ve brought up the subject to multiple employers. At least my current one has made some training mandatory for it. Only problem is, there’s some GREAT social engineers out there and they’ll get by just about anything you throw at them. As a matter of fact, how do you think most politicians get their jobs???

    Great article! Think twice about what information you give out- once it’s out of your hands, you have no control over what happens to it…

    Amen to that…

    Norm this is a great article that is relevant to everyone not just military and security specialists. Maybe you should publish this in a few major newspapers just to see what kind of response you get. I imagine that the horror stories in response would fill a book.  

    Oh, the horror stories I have just from incidents in the past would fill a book. I’ve even for fun, just tried a bit of social engineering when I’m out and find that most times, I usually can get what I’m after with almost no trouble. Sure, I’ve got to do a bit of acting, some quick thinking and pulling some shit out of my ass, but let me tell you. It’s interesting to see how easy it is to pull a gig.

    I may also just take your advice on the newspaper thing. I’ll think about it, maybe clean the article up a bit more and see what happens. I’ll let y’all know if I do decide to do it. Either that or submit to a magazine.

  5. Great article, thought provoking and entertaining! In many places, dumpster diving is illegal (not that it matters for this purpose) because you’re not just leaving the trash on the curb, you’re transferring it to a company to retrieve. The chain of custody of your garbage isn’t broken until it gets to the landfill, which is usually restricted property. This is why you can’t (legally) get cool stuff that has been discarded by retail stores or your neighbor down the street.

  6. Great article Norm, that was a real eye-opener! I haven’t been familiar with the concept of social engineering up until this article but I’ll definitely be doing some more research on it.

    ~Alex S

  7. Yep – Norm writes great stuff

    We are trying to do our own 2600 thing here on DVM

    ~James G

  8. One of my pet peeves is when companies use employee usernames/network ID’s as email addresses as well (i.e. my network ID is “CSenor” and my email address is “[email protected]”). Another one is out of office replies that are allowed to external recipients. “I’m out of the office until 05/31, but if you need immediate assistance please call Anita Hanchob in Finance at 804-555-1212″, followed by a detailed signature file with name, title, phone, fax, address, etc.

  9. The chain of custody of your garbage isn’t broken until it gets to the landfill, which is usually restricted property.

    Actually, unless it’s posted as private property, dumpsters are still fair game as far as the law is concerned. Most waste companies are starting to realize this and are marking them as property of, no trespassing, etc. That helps them get around the fair game deal. And yeah, dumpster diving would be fun at some of the places I shop. ;)

    Great article Norm, that was a real eye-opener! I haven’t been familiar with the concept of social engineering up until this article but I’ll definitely be doing some more research on it. ~Alex S

    Remember, social engineering can be used in more than just information security, I’ve known cops and soldiers to do some of their own for evidence and intelligence gathering for the field. As a matter of fact, the military has special departments within the branches for it, it’s called Psychological Operations. They’re not specifically designed for SE work, but a great deal of it is included with their job.

    As an experiment, next time you’re looking to pick a chick up, try a little social engineering on her, I’ll bet you get farther. :)

    Yep – Norm writes great stuff
    We are trying to do our own 2600 thing here on DVM
    ~James G  

    That means a lot coming from you James. Thanks, I appreciate it.

    One of my pet peeves is when companies use employee usernames/network ID’s as email addresses

    That is one of the biggest threats to the safety of the network, e-mail addresses, signature blocks, auto-replies, outgoing voice mail messages, all of it. It makes me cringe every time I see something like that. Especially to external responses. Most telephone PBX and voicemail systems now allow you to set different voice mail greetings for both internal and external calls. The one way around it though is to call the operator (best if there’s an automated operator) and have them transfer you. Sometimes the external number carries with it and sometimes it doesn’t, so it’s the luck of the draw there.

    Oh, and I just realized what you did with the name of the chick in Finance…NICE play on words there. ;) Kind of like Amanda Hugnkiss.

  10. This is great, awesome info here!

  11. Another great one Norm. I attempt to tell people some of this, but they don’t really get it. It all comes down to effort and thinking; a lot of people just refuse to think about stuff like this. But this can be applied to physical security as well as IT. I bluffed my way up to my current employer’s office with nothing but a suit, a smile and some good manners.

  12. This very tactic is how 90% of criminals are caught by Bail Agents, Marshals and the like

  13. I just saw this happen (though oddly enough I had the best intentions), but say I was just trying for information.
    In one day, I ran into two different little bartender girls and we got to talking. Of course they were both looking for a “better” job. I tell them that my company is hiring and can they fill out an application for employment. Now they don’t know me from shit. My proof was my actual company business card but I could have made that up at quickprint. I go out to the truck, get applications, they fill them out and hand them to me. Address, SSN, birthdate, you name it. People just are sheep.

    (Yes, we were hiring, looking for local kids to work in the warehouse, so I had a big stack of apps — but like I said, how would they know I was who I said I was???)

    Great article because it is so true.

  14. The other best way to do this is a brown shirt or a company polo. We did a Red Team test a few months back for a mid-size company. I wore my phone company polo and carried my laptop bag with an Airsoft G36K inside. Security let me in, even led me to the demarc trunk and left me alone. My photo ID badge that no one looked at: name Ima Sudonem, job bringer of havoc. No bag search. I signed in as O Kenobi. It was the most fun I’ve had in a long time. The prox card they gave me and my buddy was all access.

  15. thanks for taking the time to write this Norm, great, useful article!

  16. Great article. Keep ‘em coming. Do you have anywhere else you write?

    1. Just my personal blog like James mentioned;
      http://www.normanomicon.com

      Other than that, I do a lot of report and review writing for work (I do sit behind a desk a good portion of the day).

      I’ve written an article here or there but nothing serious other than here. I am looking to expand my writing though as I’ve got a book in the works on information security for general use. I’ve started it and gotten a ton of topics to cover and a bit on each topic, but nothing solid yet. Definitely nothing ready to go to print.

  17. Norm has his own blog also:

    http://www.normanomicon.com/

    ~James G

  18. I’m becoming very intrigued by social engineering. When I learned the term for it I realized I’d been doing some caveman-simple social engineering since I was a kid.

    Want to sneak into a movie theatre to see an R-rated when you’re 14? Buy a ticket to something else, then move like you’ve got a purpose across the theatre into whichever screening you like.

    A lot of venues near major construction sites you can get into with a clipboard and a hardhat.

    Now I just need to pick up a few good books, and do some (generally) harmless practice.

  19. Great article.

  20. Anyone interested in learning more about Social Engineering, should read “The Art of Deception” by Kevin Mitnick. I’ve had the pleasure of seeing him do a live demo, and he is one of the best.

  21. Some of these techniques are similar to the psychics’ old cold reading set of methods for making it appear that they somehow have knowledge about their sitters. In fact, one of the main books on the subject has a chapter about how it might apply to sales and other non-paranormal-fraud applications.

  22. You skipped over Phishing ‘websites’.
