The Fastest Way You Can Get Hacked Online
Ironically, one of the most insidious techniques for attacking the security of a system or network is not technological at all, but psychological. Brute-force password guessing can often gain the attacker illicit access to information assets, especially if password management permits the use of weak or easily guessed passwords, but it is infinitely easier to gain access if someone gives it to you.
What is social engineering?
Social engineering is the art of obtaining the information necessary to achieve access by subterfuge, by talking to lawful users or operators of systems and networks and asking for advice, assistance, or other information that reduces the difficulty of penetration. It is difficult to explain to someone who has not seen social engineering in action just how powerful a tool it can be.
How social engineering works
In one experiment, a team of young hackers was given the main switchboard number for a large organization and asked to see whether they could get information to help them penetrate the organization’s worldwide computer network. They were not to access the network; instead, they were merely to see what they could learn that might aid an attempted penetration. By calling the company and asking to speak to the network help desk, they managed, within 24 hours, to have the organization create a new account for them, give them the user ID and password over the phone, describe the login protocols, and ship by overnight courier (at the target organization’s expense and to an unidentifiable address) the software needed to gain access.
Unfortunately, the results of this experiment were not unexpected. People whose job it is to help other members of the organization use their computers and networks for the benefit of the organization readily assist and take pride in doing so. Nor are help desk personnel the only targets. Everyone likes to help others when they can, especially if by helping we can show that we have mastered a complex set of technologies and protocols.
Techniques used by a hacker to carry out social engineering
The attacker may play the role of a neophyte. By playing dumb, the attacker elicits the respondent’s natural desire to help. Posing a problem evokes most technically trained people’s love of solving problems. The attacker may subtly challenge the respondent’s ability to handle the system or network, causing the respondent to rise to the challenge. Having the respondent walk through the login protocol and procedures engages the respondent in a procedure performed routinely, daily or more often, which soothes the respondent’s suspicious inclinations.
Using the wrong words for computer processes, or asking the respondent to define technical terms he or she uses (“What does ‘boot the system’ mean?”), demonstrates helplessness and reinforces the desire to assist. Profuse thanks at the end of the conversation assuage any residual suspicion.
The converse of the attacker as neophyte is the attacker as expert. The attacker may call an unsuspecting member of the organization, pretend to be from the computer center or even the security department, explain that the computer system is malfunctioning, and offer to assist with correcting the problem over the phone. The attacker then directs the respondent to go through the login procedure while describing each step, including telling the attacker the user ID and password as each is entered. Such a ploy is especially effective with lower-status members of the organization.
Powerful social engineering attacks
The most successful social engineering attacks follow a period of intense research about the organization and the systems to be attacked. Knowing the organizational structure, the names of individuals who work for the organization, and other facts that are easily obtained by research in the public domain lends verisimilitude when interjected into the conversation. For example, “I work for Don Jones in accounting” is more believable than “I work in accounting,” especially if Don Jones is the head of accounting.
Nor is it necessary to obtain the information targeted on the first call or the first day. One case is on record where the attacker spent more than three years talking to an employee of a major company. An intense personal relationship developed, with exchanges of family information and personal information, all made up on the attacker’s side, of course. Eventually, the attacker was able to obtain a great deal of information by exploiting that relationship.
Techniques of social engineering attacks
Social engineering attacks may involve physical visits to the target organization as well as telephone calls. An attacker may go “Dumpster diving” to sort through the target organization’s trash, knowing full well that a great deal of enormously valuable information ends up there, from passwords to system and network operating instructions. In one case, an attacker stole a uniform from a nearby dry cleaner’s and used it to pose as part of the janitorial team. During a visit to the organization’s computer facility, the attacker was able to steal over 100 floppy disks and put them in a briefcase. The guards on duty routinely searched the briefcase as the attacker left the facility, but let the attacker leave with the disks when no suspicious papers or electronic equipment that might belong to the organization was found during the search. The attacker may pose as a potential client, vendor, or consultant, or seek an interview as a reporter or writer, or even as a student doing a project for class. A common form of social engineering attack involves applying for a job.
Questions like “What systems do you use?” or “I’m interested in computer security; how does yours work?” appear more natural in a job interview setting. The attacker may take a job if one is offered, even a low-level job, if it grants access that can be exploited from inside the organization. In one such attack, a newly employed social engineer placed a sniffer on the organization’s network, and thousands of credit card numbers were collected as they passed through the network from the organization’s customers purchasing services online.
Conclusion
The defense against such attacks is an awareness and training program that informs employees of the nature of such attacks. Every employee of an organization, from the senior executives to the clerical and administrative staff to the janitors and guards, must be told that such attacks take place, how to recognize them, and what to do if such an attack is suspected. Training and awareness programs are discussed at length later in this blog.