Social Engineering
Recently, Serge's site was hacked by some Indonesian group. For those who remember... good for them. For those who did not... well, Serge doesn't want to be reminded about that day. Anyway, he was wiggling about this big globe of the internet and discovered this interesting article.
4. Paranoia is Good
Many people do not realize it, but social engineering is a tool which
many intruders use to gain access to computer systems. The general
impression that people have of computer break-ins is that they are
the result of technical flaws in computer systems which the intruders
have exploited. People also tend to think that break-ins are purely
technical. However, the truth is that social engineering plays a big
part in helping an attacker slip through security barriers. This
often proves to be an easy stepping-stone onto the protected system
if the attacker has no authorized access to the system at all.
Social engineering may be defined, in this context, as the act of
gaining the trust of legitimate computer users to the point where
they reveal system secrets or help someone, unintentionally, to gain
unauthorized access to their system(s). Using social engineering, an
attacker may gain valuable information and/or assistance that could
help break through security barriers with ease. Skillful social
engineers can appear to be genuine but are really full of deceit.
Most of the time, attackers using social engineering work via
telephone. This not only provides a shield for the attacker by
protecting his or her identity, it also makes the job easier because
the attacker can claim to be a particular someone with more chances
of getting away with it.
There are several types of social engineering. Here are a few
examples of the more commonly-used ones:
– An attacker may pretend to be a legitimate end-user who is new to
the system or is simply not very good with computers. This
attacker may approach systems administrators and other end-users
for help. This “user” may have lost his password, or simply can’t
get logged into the system and needs to access the system
urgently. Attackers have also been known to identify themselves
as some VIP in the company, screaming at administrators to get
what they want. In such cases, the administrator (or it could be
an end-user) may feel threatened by the caller’s authority and
give in to the demands.
– Attackers who operate via telephone calls may never even have seen
the screen display on your system before. In such cases, the
trick attackers use is to make details vague, and get the user to
reveal more information on the system. The attacker may sound
really lost so as to make the user feel that he is helping a
damsel in distress. Often, this makes people go out of their way to
help. The user may then reveal secrets when he is off-guard.
– An attacker may also take advantage of system problems that have
come to his attention. Offering help to a user is an effective
way to gain the user’s trust. A user who is frustrated with
problems he is facing will be more than happy when someone comes
to offer some help. The attacker may come disguised as the
systems administrator or maintenance technician. This attacker
will often gain valuable information because the user thinks that
it is alright to reveal secrets to technicians. Site visits may
pose a greater risk to the attacker as he may not be able to make
an easy and quick get-away, but the risk may bring fruitful
returns if the attacker is allowed direct access to the system by
the naive user.
– Sometimes, attackers can gain access into a system without prior
knowledge of any system secret or terminal access. In the same way
that one should not carry someone else’s bags through Customs, no user
should key in commands on someone’s behalf. Beware of attackers who
use users as their own remotely-controlled fingers to type commands on
the user’s keyboard that the user does not understand, commands which
may harm the system. These attackers will exploit system software
bugs and loopholes even without direct access to the system. The
commands keyed in by the end-user may bring harm to the system, open
his own account up for access to the attacker or create a hole to
allow the attacker entry (at some later time) into the system. If you
are not sure of the commands you have been asked to key in, do not
simply follow instructions. You never know what and where these could
lead to…
To guard against becoming a victim of social engineering, one
important thing to remember is that passwords are secret. A password
for your personal account should be known ONLY to you. The systems
administrators who need to do something to your account will not
require your password. As administrators, the privileges they have
will allow them to carry out work on your account without the need
for you to reveal your password. An administrator should not have to
ask you for your password.
Users should guard the use of their accounts, and keep them for their
own use. Accounts should not be shared, not even temporarily with
systems administrators or systems maintenance technicians. Most
maintenance work will require special privileges which end-users are
not given. Systems administrators will have their own accounts to
work with and will not need to access computer systems via an
end-user’s account.
Systems maintenance technicians who come on site should be
accompanied by the local site administrator (who should be known to
you). If the site administrator is not familiar to you, or if the
technician comes alone, it is wise to give a call to your known site
administrator to check if the technician should be there. Yet, many
people will not do this because it makes them look paranoid and it is
embarrassing to show that they have no, or little trust in these
visitors.
Unless you are very sure that the person you are speaking to is who he
or she claims to be, no secret information should ever be revealed to
such people. Sometimes, attackers may even be good enough to make
themselves sound like someone whose voice you know over the phone. It
is always good to double check the identity of the person. If you are
unable to do so, the wisest thing to do is not to reveal any secrets.
If you are a systems administrator, there should be security
procedures for assignment and reassignment of passwords to users, and
you should follow such procedures. If you are an end-user, there
should not be any need for you to have to reveal system secrets to
anyone else. Some companies assign a common account to multiple
users. If you happen to be in such a group, make sure you know
everyone in that group so you can tell if someone who claims to be in
the group is genuine.
Part Three: End-users self administering a networked computer
The home user or the user who administers his own network has many of
the same concerns as a centrally-administered user. The following is
a summary of additional advice given in Part Three:
– Read manuals to learn how to turn on security features, then turn
them on.
– Consider how private your data and Email need to be. Have you
invested in privacy software and learned how to use it yet?
– Prepare for the worst in advance.
– Keep yourself informed about what the newest threats are.
A good read, not to mention... Serge has copied and created 39 new pages, which he believes he can start masturbating to. Of course he'll still jack off for the one he loves, but now it's time for angle brackets and ifElse functions.
Serge Norguard is the writer for Dustyhawk :: Broken Mirror. This site was established in 2002, where he writes everything and anything under the sun. To know about Serge go to his 
