Friday, December 31, 2004

Social Engineering

A social engineering attack is initiated when a person is tricked into revealing sensitive information that s/he knows. It can be information about themselves or about something or someone else. The attack is completed when the attacker uses this information to gain unauthorized access to networks, ATMs or systems in order to commit fraud, network intrusion, industrial espionage, identity theft etc. This sensitive information can be anything: credit card numbers, social security numbers, usernames, passwords, ATM PINs etc. I consider phishing to be a kind of social engineering attack.

The basis for this type of attack is the trust that the attacker establishes with the user. I'll give you an example. Let's say you received a phone call and this is how the conversation proceeds:

Caller: Good Afternoon. This is Bob calling from the SomeBigName Bank.
You: Okay.
Caller: According to our records you are eligible for an interest-free credit card from our bank.
(Notice how he is baiting you)
You: Okay, what are the terms of your credit card?
Caller: No interest for up to the first 6 months. Low 8.4% APR after that. No annual fees.
You: Can I apply now?
Caller: Yes. What is your social security number?
You: 000-00-0000 (you tell him your real #)
(You hear some clickety clickety in the background. You visualize him typing out your application for you.)
Caller: May I have your existing bank details? With which bank do you hold your account?
(... and this goes on and on till you have given away most of your sensitive financial information to a complete stranger on the phone)
Caller: Thanks. Your credit card should arrive in 2-3 weeks from now. Have a nice day.
You: Thanks, bye.

How did the attacker establish trust? He pretended to be calling from SomeBigName Bank. You mentally connected the dots: "If he is calling from a bank and offering me a credit card, then he surely must be their rep."

Take another scenario. If 'Bob' knew that you have an account with a particular bank (by sifting through your postal mail or otherwise), he could have pretended to be calling from that bank and might have asked you for your ATM PIN to 'reset' your account. Social engineering might even happen at work, in a corporate environment. Let's say you receive a spoofed email asking you to reset your computer password to 'Gr8Us3R'. You believe it to be coming from your IT department and change your password. Now it's easy for the attacker to get into your system, because you reset the password to whatever s/he wanted.

One of the best-known social engineers in recent history is Kevin Mitnick. There is even a Steven Spielberg movie, Catch Me If You Can (2002), based on a real-life con artist (Frank Abagnale Jr).

In cases of social engineering attacks, you are yourself responsible for revealing sensitive information. No amount of sophisticated security, firewalls or strong passwords can protect you from these attacks. The best defense against social engineering for corporations is training users about security policies and asking them to challenge anyone who asks them to divulge or reset their passwords or other sensitive information. Next time you receive a phone call or an email, make sure it is in fact from the person or organization that you believe it to be from.

Copyright Anand Jain 2004, 2005. All rights reserved.