Being a network engineer, and having to help people with their firewalls on an almost daily basis, security is a matter I deal with fairly often. However, whenever someone asks me which firewall is the strongest, or what settings they should tweak on theirs to protect their company's network as best as possible, my answer always contains the following: 'Don't forget it starts with the people.'
The user does indeed turn out to be the weakest link in many cases of hacking. Why? Because while systems are secured with strong measures, hardware as well as software, important information to access and bypass those very systems can be coaxed out of people using a specific blend of manipulation called social engineering.
And once people have let the hacker in, the strongest firewall in the world won't help them.
How does social engineering work?
Let it be said first that by no means do I aim at teaching you the art of social engineering itself; still, knowing more about it can and will definitely help you protect yourself (and your company) if you happen to find yourself in the crosshairs of a social engineer.
In one form or another, social engineering has probably always been around, since its basic premise is to get information that will let you in. It has become much more prevalent since the advent of computers, though, and more specifically since phreakers started using it to find out information about and from phone companies: by pretending to be in the know about their procedures, they got information that allowed them, in turn, to tap into phone lines and call long-distance at no cost.
Kevin Mitnick, for instance, is well-known for having made much use of this technique before he was finally caught in 1995 (now he advises companies about how to protect themselves from it): in fact, it was his talent for social engineering, rather than his skills with computers, that allowed him to penetrate many organisations.
In reality, penetrating a company's security often starts with the bad guy obtaining some piece of information or some document that seems so innocent, so everyday and unimportant, that most people in the organization wouldn't see any reason why the item should be protected and restricted.
— Kevin Mitnick, in 'The Art of Deception'
In other words, a social engineer will gain the trust of employees, starting with those at lower levels in a company, such as a receptionist, or a customer service representative in a call center—although there are cases when aiming for the CTO or even the CEO can work just as well, depending on what angle one chooses to work. Once the social engineer has their trust, it becomes much easier for him or her to obtain important information, such as passwords or temporary access cards, or plant a malicious file on a computer in order to glean resources.
Have you ever wondered why so many call centres, for instance, ask you to confirm some data, or refuse to provide an order number or serial number? This is a protection measure to avoid accidentally giving the right information to the wrong person. Imagine that you work in a call centre for a company that sells software. Someone calls you with this query:
'We never received the licence key for the software we bought, and the person who placed the order isn't here today, so I don't even have an order number! Could you please provide the key now? We really need this software installed and running today, the CEO's breathing down my neck, and I'm going to be in real trouble if I can't provide results.'
Most of us will naturally want to help, all the more if it's part of our jobs, and/or if we're made to feel as if we're really saving the day for that person. However, even after checking some data such as the company's address, you still can't be sure that you're giving this software key to the right person. Who's to say this isn't part of a more elaborate social engineering scenario? Its continuation could very well be the social engineer then going to that company's premises, and serving the receptionist some story about how 'I'm an IT consultant, I'm here to install that software for your boss, I have the licence key with me. Oh, he's on a business trip today? Weird, he didn't tell me. Well, it's fine, I just need quick access to his office, I'll be done in twenty minutes.' (You'd be surprised how well this may work.)
The video below shows a quick and simple example of social engineering, using a recording of a crying baby to garner sympathy and understanding from the operator on the phone.
Video credits: This is how hackers hack you using simple social engineering by oracle mind via YouTube.com
Scary, isn't it? Scary how easy it is.
The case of Stanley Mark Rifkin
Of course, a successful scenario can involve more than this, and a skilled social engineer will take many other precautions to make sure they've covered every base. Here's the example of Stanley Mark Rifkin, who performed one of the biggest bank heists in American history, when he attacked Security Pacific National Bank:
Rifkin used his position as a consultant at the bank—and his knowledge of computers and bank practices—to rob the institution. In October 1978, he visited Security Pacific, where bank employees easily recognized him as a computer worker. He took an elevator to the D-level, where the bank’s wire transfer room was located. A pleasant and friendly young man, he managed to talk his way into the room where the bank’s secret code-of-the-day was posted on the wall. Rifkin memorized the code and left without arousing suspicion.
Soon, bank employees in the transfer room received a phone call from a man who identified himself as Mike Hansen, an employee of the bank’s international division. The man ordered a routine transfer of funds into an account at the Irving Trust Company in New York—and he provided the secret code numbers to authorize the transaction. Nothing about the transfer appeared to be out of the ordinary, and Security Pacific transferred the money to the New York bank. What bank officials did not know was that the man who called himself Mike Hansen was, in fact, Stanley Rifkin, and he had used the bank’s security code to rob the bank of $10.2 million.
— From https://www.social-engineer.org/wiki/archives/Hackers/hackers-Mark-Rifkin-Social-Engineer-furtherInfo.htm, quoted by Christopher Hadnagy in 'Social Engineering: The Art of Human Hacking'
In this example, Rifkin already had access to the bank's premises through his job. However, even without that, a good social engineer could use other techniques to get inside first, then spy the code.
A few signs that you're perhaps being social engineered
While the following situations may be genuine, they may also hide attempts at social engineering. So be careful!
The appointment story
Someone phones the reception desk and asks to confirm their appointment this week with the boss. The boss's name is easy to find on the company's website. The real aim of this call, though, is to find out if the boss is at the office or not—a CEO, or any person with an important management job, is liable to be out fairly often to meet partners. If they're not in this week, the receptionist will likely mention it, thus giving the social engineer a piece of information they can use later. And if they're in, and the appointment story can't hold water, well, it's just a phone call, and it can be cut short.
How to protect yourself:
Don't give out details. 'What was your name again? Mr [X]? No, I'm sorry, I don't see any appointment. Do you wish to make one?' (So maybe you'll make a bogus appointment for your boss, but at least you won't reveal that s/he isn't here for the next two weeks.)
The unknown document
Someone who's not part of the company walks in under any pretext, such as the aforementioned 'appointment' (they'll pretend they noted down the wrong day). While they're here, they ask if they could quickly print a PDF that they mean to leave with the director of marketing. The document can be just about anything: a CV, a sales agreement, etc. The important part here is that malware may be embedded within that innocuous document, and once the receptionist plugs the USB stick into their computer, the malware is on the intranet, able to provide a backdoor later for the social engineer/hacker.
How to protect yourself:
Never accept, no matter what sob story the person is serving you. No unidentified USB stick, file, etc. should be introduced on the corporate network.
The important security update
Someone sends you a message to your corporate address with an .exe file attached, asking you to run it because they're updating security protocols on the company's infrastructure, and need all employees to follow suit. The sender's address is your IT department's, so it must be genuine, right? Well, maybe not. They may have found your e-mail address on the company's website, or perhaps you've used your professional address to sign up on a forum or to a mailing list. Also, it's very easy to spoof an e-mail address to make it look like it's coming from the IT department.
How to protect yourself:
Check with other employees. Have they received the same message? Does anyone from IT know about this 'security update'?
The phishing e-mail
You receive an alarming e-mail from your bank, reaching out to you to warn you that you need to update your login details now, or you may lose access to your bank account. In a panic, you click on the link provided in the e-mail, arrive on a webpage that indeed looks like your bank's, input your credentials, and then... nothing. Except that someone out there now has all the information they need to log in to your actual bank account, and relieve you of your money.
How to protect yourself:
Phishing e-mails almost always present some or all of the following characteristics:
- Grammar and/or spelling mistakes.
- Anonymous greetings: 'Dear Valued Customer'—if I'm such a valued customer, why don't you know my name?
- An alarming tone, making it seem that if you don't act right now, then you're toast. This is meant to make you click the link without thinking first.
- They may have been sent to an e-mail address not associated with your bank or PayPal account.
- While the webpage is a good copy of your bank's website, the URL of the link is wrong. This is very easy to check: always hover your mouse's pointer over the link (without clicking), and you'll see the URL that will be displayed won't be your bank's. For instance: www.barc1ays.co.uk/ instead of https://www.barclays.co.uk/
Check for those points, and you can easily avoid being 'phished'.
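The hover-and-compare check from the last bullet can be automated. The following is an added example, not part of the original post: it pulls every link out of an HTML e-mail body, compares the real target against a trusted-domain list (the list and the confusable-character table are assumptions for the demo), and flags look-alikes such as the 'barc1ays' case above, as well as links whose visible text points somewhere other than where the link actually goes.

```python
import re
from urllib.parse import urlparse

# Registered domains the reader actually banks with (assumed list, not from the post).
TRUSTED_DOMAINS = {"barclays.co.uk"}

# Character swaps used to build look-alike domains (constructed, not exhaustive).
CONFUSABLES = {"1": "l", "0": "o", "vv": "w", "rn": "m"}

# Matches <a href="...">visible text</a> in a simple HTML e-mail body.
ANCHOR_RE = re.compile(r'<a[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)


def registered_domain(url):
    """Hostname of a URL without a leading 'www.'; scheme-less URLs are accepted."""
    url = url if "://" in url else "http://" + url
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def normalise(domain):
    """Undo the confusable swaps so 'barc1ays.co.uk' reads as 'barclays.co.uk'."""
    for fake, real in CONFUSABLES.items():
        domain = domain.replace(fake, real)
    return domain


def check_links(html):
    """Return (href, reason) for every link that should make the reader pause."""
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        host = registered_domain(href)
        shown = re.sub(r"<[^>]+>", "", text).strip()  # visible text without tags
        if host in TRUSTED_DOMAINS:
            continue  # the link really goes where the reader expects
        if normalise(host) in TRUSTED_DOMAINS:
            findings.append((href, "look-alike of a trusted domain"))
        elif shown.startswith(("http", "www")) and registered_domain(shown) != host:
            findings.append((href, "visible text differs from the real link target"))
        else:
            findings.append((href, "not a trusted domain"))
    return findings


# Constructed sample body in the style of the phishing e-mail described above.
SAMPLE_EMAIL = (
    "<p>Dear Valued Customer, update your login details now:</p>"
    '<a href="http://www.barc1ays.co.uk/login">www.barclays.co.uk/login</a>'
)

if __name__ == "__main__":
    for href, reason in check_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS {href}: {reason}")
```

A real mail filter would also resolve redirectors and check the full public-suffix list; this version only demonstrates the visible-text-versus-target and look-alike checks the post describes.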
You're coming back from lunch break with a bunch of employees, one of you flashes his or her badge at the security portal for the whole group to gain access back into the building, and someone you don't know sticks to your group, getting inside with you. But that person seems to know where they're going, so this must mean they have business inside as well, right?
How to protect yourself:
Make sure you and your fellow employees individually flash your badges, and don't hold doors for people you don't know personally or who aren't wearing a company badge of their own.
The social media post
One of your Facebook friends shares a post that asks: 'What's your grandmothers' names? Let's all share, so that we can all discover what kind of names people were given 70 years ago!' Innocuous? Not so much, when you consider that many websites ask you to choose a security question (used in case you need to retrieve your password) when you create your account, such as 'What's the name of your first pet?' or (wait for it) 'What's your maternal grandmother's name?' And there you go: hundreds, thousands of people disclosing a piece of information that, for some of them, might get their e-mail or Facebook accounts hacked later on.
How to protect yourself:
Always ask yourself if you've ever used that kind of information as your answer to a 'security question'. When in doubt, don't post in the thread.
There is much more to say when it comes to social engineering—the subject warrants a book of its own (which has been done, see the references below). Many scenarios are possible, and odds are that if you're social engineered at some point, this may only be one step in the whole information gathering process, making you only a link in the chain and making it difficult for you to see the big picture for what it is. Nevertheless, some tiny details can still alert you. If you find yourself wary about them, if something doesn't feel right, then when in doubt, don't disclose the information you're being asked for.
I'm leaving you with the following video, featuring Chris Hadnagy and Michele Fincher (who both perform social engineering at companies' behest to help test security procedures). It explains social engineering in quite an extensive way.
Video credits: Social Engineering: When the Phone is More Dangerous than Malware by RSA Conference via YouTube.com
- HADNAGY, C. (2011), Social Engineering: The Art of Human Hacking, Wiley Publishing, Inc.
- MITNICK, K. (2002), The Art of Deception: Controlling the Human Element of Security, Wiley Publishing, Inc.