
    Inside the mind of a social engineer

Davey Winder looks into how a social engineer’s brain works and what tactics they use to manipulate people into becoming hack victims.

By Davey Winder, 30 Jul 2010 at 12:21

Not all social engineers need to exploit our curious nature; some exploit technological loopholes instead, such as Caller-ID spoofing from mobile phones, which is as easy to accomplish as it is widely exploited.

"Caller-ID spoofing can be used to place calls while pretending to be someone else, for example a customer or another employee, in order to obtain information from a victim," explained Ron Gula, CEO of Tenable.

"Additionally, many mobile phones are shipped with voicemail boxes that don't have a password, so a social engineer making use of Caller-ID spoofing can listen to a voicemail and gain sensitive information."

Impersonation is the highest form of hacking

Sometimes though, the social engineers don't have to use any technology at all.

The concept of the 'silent cleaner' applies to any hacker visiting the premises in person. This takes a lot of chutzpah, but it can pay huge dividends, as Pete Wood, a member of the ISACA Security Advisory Group and CEO at First Base Technologies, knows from first-hand experience.

He tells me that by using the silent cleaner technique, he was able to "walk around every floor without challenge, read personnel information and customer contracts in unlocked cabinets, steal the contents of post trays and obtain a staff list containing names, job titles, e-mail addresses and phone numbers."

The really savvy social engineer will also take particular note of the contents of any bins marked 'For Shredding' or even 'For Recycling' as these can often contain network diagrams and personnel information.

Even simple shoulder surfing while in silent-cleaner mode is profitable: looking over someone's shoulder to read door entry codes, passwords and the like.

Combating the con-men

"Curiosity and Schadenfreude are the elements that make us human," said Ed Rowley from M86 Security. They are also the weak points exploited by your average social engineer.

This applies just as much in the workplace as it does at home, and Rowley argues it is unrealistic to try and separate employees from consumers in this regard.

"Whilst inside the corporate network, many employees may let their guards down assuming that corporate safeguards are protecting them," he said.

So how can the enterprise best protect itself from this modern-day con artist?

Implementing security technology is a given, but without end-user training and education, backed by an enforceable acceptable use policy, it cannot stop the social engineer.

"Training doesn't need to be complicated or expensive," Rowley concluded. "A simple guide to best practices and an overview of how the criminals try to trick their victims into opening an email or an attachment or visiting a website should help reduce the problem considerably."

Interview with a hacker

Neil O'Neil is a certified ethical hacker and qualified forensics investigator with secure payment specialist The Logic Group. As an ethical hacker he employs social engineering techniques to extract the information he needs during penetration testing exercises.

"The method I personally use is to understand the animal I am dealing with, which will be based on their dominant human traits of fear (dog), lethargy (slug) and accommodation (sheep)," said O'Neil.

He defined these as follows:

The Dog: In business, especially on the highly-wired corporate treadmill, people fear that their performance is always being observed. This means they will make every effort to show off their knowledge, experience and opinions, which makes it easy, with some ego stroking and sycophancy, to get a vast amount of data out of them, since they fear failure or criticism.
