PC Security Final Essay

Social Engineering

Source: http://slidepdf.com/reader/full/104274037-pc-security-final-essay-social-engineering (7/28/2019)

Contents

Introduction

What is Social Engineering?

Social Engineering Techniques

Social Engineering for Beginners

Well Known Social Engineers

Ways to Prevent a Social Engineering Attack

Conclusion

References

Introduction:

Social Engineering is a way of manipulating a person into giving you important data. In PC security terms it’s a way of hacking a system without being in front of an actual PC. There are so many examples of social engineering in the world today and people just aren’t being vigilant enough.

Social engineering can take the form of a phone call, an email, a letter and, if the person is really daring, they might actually go so far as to pose as someone else face to face.

There have been many stories going around about social engineering and how people manage to trick others. One of the most popular instances is a woman in America who rang a bank and posed as the Bank President’s daughter. She demanded the account numbers of the bank’s biggest client. The member of staff wasn’t inclined to give her the information; however, this fraudster said that if she did not receive the account numbers and information that she was looking for, her father would not be pleased and in turn he would fire that member of staff. Of course the member of staff was so afraid of losing their job that they eventually complied, only to find a few days later that this major client’s bank account had been cleaned out and that they had indeed been fooled.

You would think that after a story like that people would be more on the lookout. However, clever hackers these days are coming up with new and unsuspected ways to trick the public and steal their identities and lives.

In this essay I will outline the different types of social engineering, i.e. the many different ways and examples of how someone can be a social engineer, as well as giving pointers on how to be vigilant and stop yourself from being hacked.

What is Social Engineering?

“Social engineering is the act of manipulating people into performing actions or divulging confidential information.” [i]

Some social engineering can be considered the simplest form of fraud, and in most cases the victim never sees the person who has tricked them.

“All social engineering techniques are based on specific attributes of human decision-making known as cognitive biases. These biases, sometimes called "bugs in the human hardware," are exploited in various combinations to create attack techniques.” [ii]

Basically what the above is saying is that all of this fraud is based on decisions made by the hacker or person trying to exploit the information. What they extract depends entirely on the following:

• The questions they choose to ask.

• The route they choose, i.e. phone, email or person-to-person contact (very rare).

• The amount of time they are willing to spend digging for information.

• Patience. A hacker can’t afford to get frustrated when trying to extract information as it may essentially blow his/her cover.

• Manners. The more they sweet-talk and the more innocent they claim to be, the higher the chance that they will be told what they want to hear. Often people are eager to help those that they think are helpless, so if the hacker calls up and acts like they are completely lost or confused, often they will pick up little bits of information.

Social Engineering Techniques:

The main technique, and often the simplest, used in Social Engineering is Pretexting. This is the technique that I mentioned above in the introduction. Someone tells a simple lie to extract information. They invent a scenario in which they impersonate someone else or say that they are speaking on behalf of someone very important to get what they need.

People may impersonate someone else to get valuable information about a company. More often than not this type of attack is aimed at large businesses, either by someone who is looking to cash in on a weak link in the company, or by the company’s competition looking to see how they can up their own game.

Phishing is another technique that can be used in social engineering. These days it is really easy to create a website and manipulate HTML code, and people can get caught. Scammers set up a fake website that looks like something more legitimate and popular that people would use regularly, for example eBay. Then they send you an email from that website, looking for some personal details to verify an account, with a bad link. When you click this link, the fake website logs your details (credit card number and whatever you have entered) along with your password for your email account. They can then use these details to steal your identity and things can become quite serious.

The most well known phishing scam was in 2003, when hackers sent emails to people pretending to be from eBay. As above, people were told that their accounts would be suspended if they did not enter their credit card details. They were given a link which redirected them to a site similar to the format of eBay, and when they entered their details they were phished.

Diagram 1. The above diagram shows a print screen of the email that was sent around in 2003. [iii]
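The eBay-style message described above has two mechanical tells that a mail filter or a careful reader can check before anyone clicks: the visible link text names one site while the underlying href points at another host, and pressure language (“suspended”, “verify”) arrives together with a request for card details. The following Python script is an added example and is not code from the essay or from any of its sources; the sample message, the host 203.0.113.7 and the keyword lists are constructed for the demonstration.

```python
"""Heuristic checks for an eBay-style phishing e-mail (added example; the
sample message, keyword lists and host names below are constructed)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML body imitating the kind of message the essay describes:
# pressure to "verify" card details, and a link whose visible text says eBay
# while the href points somewhere else entirely.
SAMPLE_EMAIL = """
<p>Dear eBay member,</p>
<p>Your account will be <b>suspended</b> unless you verify your credit card
details within 24 hours.</p>
<p><a href="http://203.0.113.7/ebay/login.htm">http://www.ebay.com/verify</a></p>
"""

PRESSURE_WORDS = ("suspended", "verify", "urgent", "immediately")
SENSITIVE_WORDS = ("credit card", "password", "pin")


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs and the plain text of the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.text_parts = []
        self._href = None
        self._label = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._label = []

    def handle_data(self, data):
        self.text_parts.append(data)
        if self._href is not None:
            self._label.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._label).strip()))
            self._href = None


def _host(value):
    """Host of a URL-shaped string with any leading 'www.' dropped, or None
    when the string does not look like a URL at all (e.g. 'click here')."""
    value = value.strip()
    if "://" not in value and not value.lower().startswith("www."):
        return None
    parsed = urlparse(value if "://" in value else "http://" + value)
    if not parsed.hostname:
        return None
    host = parsed.hostname.lower()
    return host[4:] if host.startswith("www.") else host


def mismatched_links(html):
    """Links whose visible text names one host but whose href goes to another."""
    collector = _LinkCollector()
    collector.feed(html)
    found = []
    for href, label in collector.links:
        shown, actual = _host(label), _host(href)
        if shown and actual and shown != actual:
            found.append({"shown": shown, "actual": actual})
    return found


def phishing_indicators(html):
    """Human-readable list of the warning signs present in the message."""
    collector = _LinkCollector()
    collector.feed(html)
    text = " ".join(collector.text_parts).lower()
    indicators = [
        f"link text shows {m['shown']} but the href goes to {m['actual']}"
        for m in mismatched_links(html)
    ]
    pressure = [w for w in PRESSURE_WORDS if w in text]
    sensitive = [w for w in SENSITIVE_WORDS if w in text]
    if pressure and sensitive:
        indicators.append(
            f"pressure language {pressure} combined with a request for {sensitive}"
        )
    return indicators


if __name__ == "__main__":
    for line in phishing_indicators(SAMPLE_EMAIL):
        print("WARNING:", line)
```

Run against the constructed message it reports both indicators; a link whose text is plain words such as “click here” is not treated as URL-shaped, so only links that actively misrepresent their destination are flagged.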

Spear Phishing is similar to pretexting; however, it normally appears internally within a company. An email will be sent to someone in a company and it will look like an official company email. The sender may pose as someone from human resources, and normally what they would look for is the details of one specific member of staff. Not only will they look for details, but often they will also ask you to download some sort of software, claiming that it’s relevant to your everyday work. This software will contain a Trojan or other malware that will spread rapidly from computer to computer in the network.

The “spear” in the title indicates that they want to target one specific person within a company rather than the company itself; however, when they have the details of one member of staff it could eventually lead to something much bigger.

The following extract is an example of Spear Phishing from a blog I found online. [iv]

“The Forrester analyst, Paul Stamp, describes a recent spear phishing attack on a medium sized enterprise. He described how the enterprise had issued a press release announcing the hire of a new COO. A few days later, the new COO received an email purportedly from the firm that does the enterprise's travel bookings. He was requested to click on the link and make sure his details were accurate.

The executive did and ended up at an official looking website for the travel agency. There he found that the travel agency already had all his personal details in the database, so it looked good. He was then requested to download some software that would link his Outlook email to the travel agency's booking systems. The COO did this. Unbeknownst to the COO he was actually downloading Trojan horse malware which then rapidly spread through his new enterprise.”

Phone Phishing

This technique is often more complicated than it sounds and isn’t just as simple as one phone call. The attacker starts out by sending an email to the victim posing as a bank. This email might say something such as:

“Dear Sir,

There has been some unusual activity on your account lately. You will need to contact the bank to verify your details. The following is a number for you to call and you will be put straight through to one of our customer service representatives: [Insert Number]

We look forward to hearing from you soon.

[Insert Name]

Manager of tsb Permanent.”

When the victim calls that number, they might be put through to a fancy automated system or voice recording. These days attackers have to get more sophisticated with their means of attacking so that their victims will not be able to tell the difference between what’s real and what’s fake, so hearing an automated voice system is not uncommon. Then the victim may be put directly through to their attacker, who may be posing as a customer service representative, and will be asked for their details. By the time the phone call ends the attacker should have everything that they needed.

Trojans and Malware

This technique often requires the use of a computer. A Trojan or malware may be transmitted to the victim’s computer through a lost piece of external media (people are often curious when they see a USB key on the ground in the parking lot of their company and don’t often stop to think of the consequences), or more commonly through attachments in an email.

They will be sent an email asking them to download a report or file and when they do, they will automatically get a Trojan, malware or keylogger. Every stroke they type on the computer may be monitored and every piece of personal information that they enter will be kept.

Shoulder Surfing

This technique is possibly the easiest thing you could do if you wanted to find out information quickly; however, it is often overlooked as being too unreliable and amateurish. This can range from looking over the shoulder of someone in an airport to standing really close to someone as they are entering their PIN at an ATM.

There are pros and cons. The pro is that if a place is crowded you are nearly sure to get away with this technique, unless you are looking really shifty. The con, however, is that this is only a good technique if an attacker is looking to steal from a random person. If they were looking to target someone in particular, it would be a lot of work having to first find out where they are travelling to so that you can follow them around and look for information, and if you are following the same person from place to place then you are going to start to look a bit creepy eventually!

I would say this technique is more for the beginner in Social Engineering rather than the pros, who would only target big companies and businesses.

Social Engineering for Beginners!

Social Engineering is ALWAYS closer than you think. Just the other day I was surfing a local forum and I saw something that I believe to be a form of social engineering. Now of course this thread that I am about to show you may be perfectly innocent, but it seems to me that this person is digging for specific information from a specific person. After all, I know some people on this local forum as Cork is a small place, so it seems to me that he already knows the user he is hoping will reply. This person has made their thread so pointless and harmless looking that no one would suspect them.

[Screenshot of the forum thread. [v]]

There is a possibility that this user is trying to find out the answer to a password reset question.

With most email accounts, there is an option to reset your password if you can provide two pieces of information together, such as an answer to a secret question and a location.

A lot of people would choose an easy answer to their password reset question as they don’t want to forget the answer. They may think that this is the most convenient route to take, but it is also leaving them wide open to attacks from hackers.

If a hacker can guess a password reset question, this indeed is another form of social engineering. So the best way to stop yourself from being left open to attack is to make your password a mixture of:

• Upper case letters

• Lower case letters

• Numbers

• An underscore if possible

• Words which are not easy to decipher.

I will also stress that it is a possibility that the above thread was totally innocent; however, it is always important to be on your guard.

Internet forums can be a place of great discussion and may pass the time; however, on local forums you need to be more aware of the consequences if a debate or a flame war breaks out.

“Flaming is hostile and insulting interaction between Internet users. Flaming usually occurs in the social context of a discussion board, Internet Relay Chat (IRC), by e-mail or on video-sharing websites. It is usually the result of the discussion of heated real-world issues like politics, religion, and philosophy, or of issues that polarise subpopulations (for example, the perennial debating between Xbox 360 and PlayStation 3 owners). Internet trolls frequently set out to incite flame wars for the sole purpose of offending or irritating other posters.” [vi]

Flaming can lead to a more serious situation where someone may become a victim of cyber bullying. You may wonder how this ties in with Social Engineering.

Cyber bullying and flaming could lead to a social engineering attack from someone who may be looking to “get their own back” or just be spiteful. They may try to compromise your account to teach you a lesson. Don’t get me wrong, I’m not anti-forums and when properly moderated they can be a wonderful place to chat to like-minded people; however, it is just as important to be picky about what information you give on an internet forum as it is to be careful about what phishing links you click on!

Well Known Social Engineers

The most well known social engineer in the world is Kevin Mitnick.

Kevin started social engineering at a very young age when a bus driver told him that he could buy his own ticket stubbing machine. He bought this machine and then went searching for transfer tickets which he could use. He continued this for years until he found the world of technology and hacking, where he became the most well known social engineer.

He used to tap phone lines to listen to people’s conversations, and also speaker systems in drive-throughs and restaurants. [vii]

[Photograph: Mitnick in the centre with some friends. [viii]]

Frank Abagnale

This man is another example of a famous social engineer. He was well known for his bank fraud. He spent his life on the run and claimed to have no fewer than 8 identities. He started at the age of 16 and committed a long list of crimes including fraud.

He is well known in popular culture as the movie “Catch Me If You Can” is based on his life.

Similarly to Mitnick, Abagnale is now a security consultant.

Ways to Prevent a Social Engineering Attack

There are many things you can do to prevent a social engineering attack.

• Do not click on suspicious links in emails.

• Do not give out details over the phone unless you are 100% confident that you are speaking to an official body that you trust.

• Do not give out your credit card details to any links that may appear in emails. Your bank is sure to contact you by letter or phone to arrange an appointment to discuss your finances; they would never actively send out an email to ask you to verify your account or change your details online.

• If you find a piece of external media, do not take the chance that it isn’t infected. Leave it where you find it and do not insert it into your computer.

• Do not download attachments from websites that you do not trust.

• If you receive an internal email asking you for your details within the company you are working for, speak to your supervisor to verify that this email was legitimate before entering any details. After all, there may not be any “Jane” working in human resources!

• Have multiple passwords! Do not use the same password for all accounts as it will be too predictable, and if someone happens to crack it then they are in a position to steal your entire identity.

The majority of these are common sense; however, good hackers are coming out with new pieces of technology every day which make it more difficult for you to be on your guard when it comes to these attacks.

Protecting your email

I cannot stress enough the importance of making your password hard to crack. As mentioned above, there are ways of doing this.

I will demonstrate creating a password for Hotmail. Most other email websites will be the same, so this will apply across the board.

1. Here I entered a name as the password, all in lowercase letters: “stephen”. This was the message that I received.

[Screenshot of the Hotmail password strength message. [ix]]

2. I decided to backtrack and delete that password. I retyped it, this time using one uppercase letter, a mixture of lowercase letters and two digits which I will remember. I would not recommend using your age as your two digits, as this will make your password easier to crack for anyone that may know you personally. The password I typed was “Stephen48586878”. This password may be hard to remember because of all the digits, but this was only a personal preference anyway. Some people prefer to play around with it and manipulate the cases rather than the digits to make their passwords stronger. This was the message that I was shown.

[Screenshot of the Hotmail password strength message. [x]]

I was told that the password was strong. In fact the box on the right gave a very clear indication of the type of password that they are looking for. This is designed to help you out.
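The list of ingredients given earlier (upper case, lower case, numbers, an underscore, no easily deciphered words) and the Hotmail demonstration above can be turned into a checker that also knows what an acquaintance could guess, which is the point the essay makes about not using your age. The following Python code is an added example, not the essay’s or Hotmail’s logic; the name “Stephen”, the age 48, the short common-word list and the 12-character minimum (the essay gives no length) are constructed assumptions.

```python
"""Password checks following the essay's own rules (added example; the name,
age and word list are constructed for the demo, and the 12-character minimum
is an assumption, since the essay gives no length)."""
import math
import string

# Constructed short list standing in for a real dictionary of common passwords.
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty"}


def check_password(pw, known_name=None, age=None, min_length=12):
    """Return (ok, problems), where problems lists the rules the password breaks.

    known_name and age are facts an acquaintance could guess; the essay warns
    against using your age, and the same logic is applied here to your name."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.isupper() for c in pw):
        problems.append("no upper case letter")
    if not any(c.islower() for c in pw):
        problems.append("no lower case letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):  # '_' is punctuation
        problems.append("no underscore or other symbol")
    lowered = pw.lower()
    if known_name and known_name.lower() in lowered:
        problems.append("contains the account holder's name")
    if age is not None and str(age) in pw:
        problems.append("contains the account holder's age")
    if any(word in lowered for word in COMMON_WORDS):
        problems.append("contains a common dictionary word")
    return (not problems, problems)


def estimated_bits(pw):
    """Rough size of the guessing space in bits: length * log2(size of the
    character pool the password draws from). Shows why mixing classes matters."""
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(c in string.punctuation for c in pw):
        pool += len(string.punctuation)
    return len(pw) * math.log2(pool) if pool else 0.0


if __name__ == "__main__":
    for candidate in ("stephen", "Stephen48586878", "Tr4vel_Lamp_Quartz9"):
        ok, problems = check_password(candidate, known_name="Stephen", age=48)
        print(f"{candidate!r}: {estimated_bits(candidate):.0f} bits, "
              f"{'ok' if ok else 'weak'} {problems}")
```

The checker is stricter than the Hotmail meter in the screenshots: “Stephen48586878” still fails, not because of its character mix, but because it contains the account holder’s name and (under the constructed assumption that he is 48) his age, which is exactly the kind of personal knowledge the essay says makes a password easier for someone who knows you to crack.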

The next part of the email account that I will show you how to protect is your password reset question. Every email account needs either a password reset question or a linked email address to automatically send the password to. I much prefer the password reset question, as it stops an attacker from automatically obtaining your details if they also have the password to the linked account.

Again I’ll use Hotmail as the primary example. This type of question is exactly the type of question you should not use, because anyone who knows you well will know this straight away.

[Screenshot of the Hotmail reset question selection. [xi]]

If possible, you should choose your own question, as some email websites give you the option to write your own; however, in this case you don’t have that option. The next best option on that list is “Favourite Historical Person”. You can make this an actor or a writer even, and to make the answer stronger I suggest putting a memorable number at the end of the question, as well as the number of spaces in the question.

[Screenshot of the chosen reset question and answer. [xii]]

This is just a simple way that you can stop yourself from being a victim of social engineering. However, no password or reset question is foolproof, so you have to be vigilant against the phishing scams.

Conclusion

Social engineering is a much bigger part of our lives than we sometimes realise. A con artist may not necessarily jump out at you. He mightn’t be wearing tatty clothes or look suspicious; he could just as well be wearing an Armani suit and have a wife and kids.

Social engineering will always be the number one way to extract information, regardless of what new technology people will come up with over the next few years. The art of the lie will never change.

References

[i] Taken from http://en.wikipedia.org/wiki/Social_engineering_(security)

[ii] Taken from http://en.wikipedia.org/wiki/Social_engineering_(security)#Social_engineering_techniques_and_terms

[iii] Found at http://www.fileguru.com/images/b/scam_sensor_for_outlook_utilities_security-11581.png

[iv] Taken from http://www.authenticationworld.com/blog/2006/12/targeted_spear_phishing_exampl.html

[v] Taken from http://www.peoplesrepublicofcork.com/~peoplesr/forums/showthread.php?t=163752

[vi] Taken from http://en.wikipedia.org/wiki/Flaming_(Internet)

[vii] Taken from http://en.wikipedia.org/wiki/Mitnick#Early_life

[viii] Found at http://upload.wikimedia.org/wikipedia/en/f/fa/Lamo-Mitnick-Poulsen.png

[ix], [x], [xi], [xii] All taken from the Hotmail sign-up page: https://signup.live.com/signup.aspx?ru=http://mail.live.com/%3frru%3dinbox&wa=wsignin1.0&rpsnv=11&ct=1259635165&rver=6.0.5285.0&wp=MBI&wreply=http://mail.live.com/default.aspx&lc=1033&id=64855&mkt=en-us&bk=1259635166&rollrs=12&lic=1