Social Engineering and Sending Letters for Free
So what is Social Engineering?
Quoting from Webopedia.com:
"In the realm of computers, the act of obtaining or attempting to obtain otherwise secure data by conning an individual into revealing secure information. Social engineering is successful because its victims innately want to trust other people and are naturally helpful…"
Social engineering is not difficult. It requires little more than confidence, a warped mind and a little rat cunning.
More often than not, it is the easiest way of breaking into a system. Quoting Bruce Schneier:
“Only amateurs attack machines; professionals target people”
www.schneier.com/crypto-gram-0010.html
A case in point
One client of ours had invested an enormous amount of money in locks, bars and IT security systems and controls. They’d been audited, and their systems pen tested. They were confident that their systems were just about bullet proof and defied me to prove otherwise. I do so love a challenge!
All I had to do[1] was:
- follow someone into their building (a courteous gentleman held the door open for me)
- ask if there was a spare desk I could sit at – I was directed to John’s desk as “he’s away on holiday”
- locate a second empty desk and work out who sat at it (let’s call him Pete)
- attempt to log in to John’s machine until his password retry limit was exceeded – in doing so I obtained his username
- call the help desk claiming I was John needing a password reset, and
- take the call to Pete from the help desk (in my best Irish accent) confirming John’s identity.
If I’d been really devious, I could have asked the Help Desk to set up remote access on my account – so I could “work from home”.
I hope your systems and processes are more secure. But you’d be surprised at how many aren’t. Even highly security conscious organisations such as the Australian Customs Service[2] have very publicly fallen victim to social engineering attacks – in this case by a former (and disgruntled) employee of their outsourcer:
http://www.smh.com.au/articles/2003/09/12/1063341768995.html?from=storyrhs
So why is preventing Social Engineering attacks so difficult?
There are several reasons why preventing social engineering attacks is difficult:
- Social Norms - All of us have it drilled into us from an early age that we should be polite, hold the door open for others, give up our seat to an old person on the bus, smile and be helpful. Anything else is interpreted as discourteous, anti-social or rude. It’s hard to train staff to:
- close the door in a colleague’s face
- refuse an (apparently) innocent request made politely
- confront a manager or colleague for breaking a minor rule (like not wearing their ID pass)
- challenge a visitor (they might be an important customer after all), and
- learn to trust no one
…but that’s exactly what’s required!
- Organisational Culture – Most staff take their lead from the top. So if they see a manager or director flouting a rule, they will feel safe to flout the same rule themselves. But often it’s the older managers and board members whose habits are hardest to challenge, and who will be most resistant to change.
- Technical Controls don’t work – Turnstile and swipe card systems might work to prevent unauthorised entry but are very costly, create huge headaches when passes are left at home, and require a manual override - so that visitors can visit and staff can escape in a fire, for instance. And it’s impossible to prevent every form of social engineering attack with technical controls. The fact is that it is only through structural and procedural controls, and cultural change that attacks can be prevented.
So what can you do?
Train your staff:
- to always ask others for identification, positively identify individuals and confirm their right to be doing what they’re doing
- to not be embarrassed to ask dumb questions if they’re not sure
- in what the company policies and procedures are – and the consequences of not complying, and
- in what to do if they have a concern.
But training isn’t in itself enough; you also need to:
- publicly reward those that do raise concerns – even if they’re ill-founded
- routinely check that people are complying
- enforce penalties for those that are not, and
- repeat training regularly – because people can and do forget.
But above all – remember that social engineers are devious and inventive people – so there’s no substitute for eternal vigilance.
So how do I send a letter for free[3]?
I’ll give you a hint…
In Australia the post office doesn’t charge for returning wrongly addressed letters to the sender.
(You can email me if you’re getting desperate.)
[1] With their permission of course!
[2] Customs were not our customer in the road test we carried out above
[3] Castelain does not advocate that you ever do this!