
Upload: vandien

Post on 04-Feb-2018


Page 1: Social Engineering and Reverse Social · PDF file82-10-43 Social Engineering and Reverse Social Engineering Ira S. Winkler Payoff Social engineering is the term that hackers use to

82-10-43 Social Engineering and Reverse Social Engineering

Ira S. Winkler

Payoff

Social engineering is the term that hackers use to describe attempts to obtain information about computer systems through nontechnical means. In most cases, hackers telephone unsuspecting system users and use a series of ruses to get the users to divulge their user identifiers and passwords. Although these techniques may seem ridiculous, hackers use them to obtain extremely valuable information. This article proposes that organizations benefit from these attacks by making them an integral part of a vulnerability analysis, especially where security awareness is poor. It also discusses typical attacks and describes methods for preventing them.

Introduction

Social engineering, or a hacker's attempt to obtain information about computer systems by nontechnical means, comes in many guises. Techniques include telephoning unsuspecting system users and, using a series of ruses, getting users to divulge their user identifiers and passwords, going through trash dumpsters for information, and obtaining a job within the targeted organization. Many people find these techniques ridiculous, but they can provide a hacker with extremely valuable information. Social engineering might seem like a fancy word for lying. It is, but it is also extremely effective.

Social engineering specifically targets weaknesses in information systems security plans and procedures, as well as poor security awareness. These weaknesses are only detected after an attack has occurred, if the attack is detected at all. In addition, an attack may comprise several small attacks, each of which might be inconsequential. Unfortunately, the whole social engineering attack is greater than the sum of its parts. Small attacks probably go unnoticed, possibly occurring over several months.

What is at stake in these attacks can be enormous. Many organizations have valuable information that justifies expensive protection mechanisms. This information may include corporate financial data, electronic funds transfers, access to financial assets, patient records, and personal information about clients or employees. Any compromise of this critical information can have serious consequences, including the loss of customers, filing of criminal charges or civil law cases against the organization, loss of funds, loss of trust in the organization, and the organization's collapse.

Organizations respond to social engineering threats by implementing information-security plans that establish control of information assets by specifying protection mechanisms. The plans usually rely heavily on technical security mechanisms, such as firewalls, user passwords, closed networks, and operating system protection mechanisms. In addition, physical protection mechanisms and other operational security issues are often discussed. The computer and information-security profession apparently believes that their employees understand the operational security requirements for protecting information. Unfortunately, this is not the case, except in defense-related organizations. Most employees actually have a low level of security awareness. In spite of this, most organizations funnel their information-security funding to technical mechanisms. Little revenue, if any, is designated for security awareness and operational security training.

The disclosure of information through nontechnical means can and will occur. This type of disclosure can bypass millions of dollars of technical protection mechanisms. In many cases, if impending attackers want to gain access to a computer system, all they have to do is ask. Although this might seem ridiculous, vulnerability analyses performed for large commercial organizations confirm that many people with computer access do not understand the value of the information to which they have access. Users have disclosed a variety of sensitive information, including the names of employees, organizational costing information, telephone numbers to organizational modems, and customer data. Surprisingly, user identifiers and passwords are extremely easy to obtain. When they are used in combination with the telephone numbers of the modems, passwords can be used with other technical intrusion methods to give attackers access to all of a company's information.

Techniques Used in Social Engineering

To hackers, social engineering usually means calling people up within a targeted organization and using a variety of ruses to obtain information from them. Hackers may claim to be from the computer support staff. They would say that they need a user's password to correct a problem with the computer system.

In another type of social engineering, a hacker would obtain a job at the targeted organization. This technique might give the hacker access to the information that he desires. Even if direct access to the information is not acquired, the hacker might learn enough information to get additional access. A job as a janitor could be extremely valuable to a hacker because a janitor is usually given entry to areas of a building that an average employee does not have access to. Janitors can take their time to go through the garbage to obtain potentially valuable information, and they can go through a person's desk or belongings after he or she leaves for the day. A recent edition of 2600: The Hackers' Quarterly includes an article on how to obtain a job as a janitor.

Social engineering attacks may also involve going through trash dumpsters, referred to as “dumpster diving.” The Masters of Deception, who infiltrated the U.S. telecommunications system to the point that they could have crashed the system, were only able to access the system after obtaining user passwords from the garbage of the New York Telephone Company. Again, the tactic may seem to be almost comical, but it provides a hacker with very valuable information. It is well known that there are destruction procedures for classified materials in the defense community. Burn bags and shredders are common throughout the U.S. government. However, these procedures are almost unheard of in private industry.

Other forms of social engineering include criminal actions. In several cases, foreign companies have hired former intelligence operatives to engage in industrial espionage by gathering economic intelligence. Such operatives steal equipment and break into corporate facilities. In addition, actions that thieves use to collect credit card numbers (e.g., “shoulder surfing,” in which someone eavesdrops on someone else entering a password) are being used to collect computer passwords.

Social engineering gives an outside attacker the knowledge and abilities of internal employees. It can also give internal attackers more knowledge and abilities than they should have. Social engineering can bypass all technical security mechanisms to allow an attacker to obtain the information of their choosing. In some cases, an attacker can get all the desired information through a social engineering attack without having to resort to technical means. This is an extremely important concept. It indicates that a person who intends to obtain computer-based information does not need to know anything about computers.

Liability Considerations

The issue of liability is an additional element of social engineering that must be considered. A hacker who breaks into a computer system and obtains information is probably committing a crime. However, when a social engineer uses the telephone and asks someone for information, then there is definitely doubt as to whether a crime has occurred. The person who gives out the information might be the person who is legally liable, possibly subjecting the organization to criminal or civil charges.

If, for example, a person calls up a hospital, implies that he is from the Board of Health, and asks for and obtains the name of all patients diagnosed with AIDS, the patients whose lives were damaged by the disclosure of the information could sue the hospital. Essentially, social engineering attacks weaknesses in what is considered to be common sense.

Weaknesses that Allow Social Engineering to Occur

Because social engineers attack nontechnical weaknesses in security, these weaknesses must be discussed.

Basically, two types of weaknesses allow social engineering to occur. A lack of security awareness facilitates most social engineering attacks. In other words, people do not know how to respond appropriately to compromising situations. Attacks are also facilitated by poor plans and procedures. In many cases, even though an organization designs plans and procedures to thwart a would-be attacker, they are not tested by an independent source to determine their adequacy.

Poor Security Awareness

Organizational information security plans usually address basic issues in computer security. These issues may include nondisclosure of passwords and not giving out sensitive data unless the identity of a caller is confirmed. However, most plans do not include realistic procedures for making employees aware of the security procedures. Many security experts assume that the general population understands basic security issues, such as the importance of a password. Computer and security personnel consider these issues to be common sense. However, before there can be common sense, there must be common knowledge.

There is very little common knowledge when it comes to issues related to computer security. One such issue is the dissemination of computer passwords. An extremely large percentage of users do not understand the importance of a password for authentication and access to a computer system. They do not realize that their account can be accessed from anywhere in the world, given the proper access point.

Users also do not understand the lengths that people will go to obtain the information that the users have access to on a daily basis. They also do not realize that throwing something in the garbage does not mean that the information is destroyed. What is garbage to a user might be extremely valuable to a hacker.

Human Weaknesses

People give out information for many reasons. In most cases, they just want to be helpful, because that is their job and/or nature. People can also be intimidated to release information, either by being made to believe that a superior wants the information or by just trying to make an annoying person go away. Corporate spies and many hackers understand what can be described as simultaneous good and bad personal attributes in a user, and they know how to exploit these attributes.

Untested Plans and Procedures

Although an organization might understand its vulnerabilities and the potential threats that hackers pose, and it may try to address these problems through proper operational procedures, it is difficult to determine if these procedures are adequate unless they are tested. A good example of an untested procedure is the reliance on internal identifiers, which many organizations establish to authenticate an employee to another employee. Many organizations depend on Social Security numbers to identify people. However, an outside attacker can obtain a Social Security number with very little effort and then proceed to attempt to obtain desired information.

Organizational procedures that require an authenticating mechanism must carry with them additional procedures that protect the mechanism. This is where a large number of security plans fail. Many organizations test a specific part of a security plan or procedure, but these plans and procedures must be tested as a whole.

Preventing Social Engineering Attacks

Because social engineering attacks can bypass even the most sophisticated technical protection mechanisms, it is probably impossible to prevent all forms of social engineering attacks. Many private organizations cannot go to the lengths that the U.S. intelligence community can to screen potential applicants, but they can establish a significant amount of prevention. The preventative methods described in this section are general to most organizations. However, specific industries and organizations have vulnerabilities that can only be identified when these entities experience a social engineering attack.

Using Separate Internal Identifiers

Many social engineering attackers are asked to authenticate themselves as real employees by providing their employee numbers. Fortunately for the attackers, the employee numbers are commonly used and easily obtained from real employees. Attackers can develop a list of employee numbers and are ready for any challenge. Companies should have a separate identifier for their computer-support activities. This procedure would separate personnel functions from support functions and provide additional security to both personnel and computer activities.

Implementing Call-Back Procedures

Many social engineering attacks can be prevented if company employees verify a caller's identity by calling him back at his proper telephone number, as listed in the company telephone directory. This procedure creates a minimal inconvenience to legitimate activities, but when compared with the scope of the potential losses, the inconvenience is greatly justified. If employees are required to call back anyone asking for personal or proprietary information, compromises of all natures can be minimized.

Establishing a Security-Awareness Program

Although it might appear ridiculous to think that a computer user would give out a password to a stranger, many users would find this innocuous. Companies spend millions of dollars to acquire state-of-the-art hardware and software security devices, but they ignore general awareness programs. Computer professionals cannot assume that basic security practices are basic to noncomputer professionals. A good security-awareness program can be implemented for minimal cost and can save a company millions of dollars of losses.

The commercial sector can learn a great deal about these techniques from the defense community, whose techniques include security-awareness briefings during employee indoctrinations, security-awareness weeks, and periodic newsletters. The Computer Security Institute (CSI) provides a service in which a company's name and logo can be placed on a monthly newsletter that CSI develops for the company. A company can also use daily reminders, such as security-awareness posters and security warnings that are put on the message of the day and displayed when a user logs into a computer system.

Identifying Direct Computer Support Analysts

Every employee of a company must be personally familiar with a computer analyst. There should be one analyst for no more than 60 users. The analysts should be a focal point for all computer support, and should be the only computer support people who directly contact users. Users should be instructed to contact their analyst immediately if they are contacted by someone else claiming to be from computer support.

Using Technical Security Features

Operating systems come with many technical capabilities that can minimize the effects of social engineering. These security features can tell users when their account was last accessed and from where, or they can provide for the automatic expiration of passwords. Unfortunately, system administrators generally do not activate many of these security features. Although these functions can significantly minimize many threats to computer security, many users consider them annoying.

System administrators should consider one-time password mechanisms, which can minimize the threats to computer security. In addition to combating social engineering attacks effectively, one-time passwords can prevent the exploitation of passwords that network sniffers gather.
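The reason a one-time password defeats both a coaxed password and a sniffed one is that the server refuses to accept the same code twice. The following constructed example, added here and not part of Winkler's article, implements the counter-based HOTP scheme of RFC 4226 with a server-side verifier that advances past every accepted code, so a code that was observed and replayed is rejected. The user name "alice", the shared secret (the RFC 4226 test-vector secret) and the look-ahead window of 5 are assumed values for the demonstration.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OtpVerifier:
    """Server side of a counter-based one-time password scheme.

    Each enrolled user has a shared secret and a 'next expected counter'.
    A submitted code is accepted only if it matches a counter at or ahead
    of that value, within a small look-ahead window (for token presses
    that were never submitted). On success the expected counter moves
    past the used value, so replaying a captured code fails.
    """

    def __init__(self, look_ahead: int = 5):
        self.look_ahead = look_ahead
        self._secrets = {}
        self._next_counter = {}

    def enroll(self, user: str, secret: bytes) -> None:
        self._secrets[user] = secret
        self._next_counter[user] = 0

    def verify(self, user: str, code: str) -> bool:
        if user not in self._secrets:
            return False
        secret = self._secrets[user]
        start = self._next_counter[user]
        for counter in range(start, start + self.look_ahead + 1):
            # Constant-time comparison so timing does not leak partial matches.
            if hmac.compare_digest(hotp(secret, counter), code):
                self._next_counter[user] = counter + 1
                return True
        return False


def demo() -> dict:
    """Constructed scenario: 'alice' enrolls with the RFC 4226 test secret.
    A code that was observed in transit (or talked out of the user) works
    once and is refused when replayed; stale and far-future codes also fail."""
    server = OtpVerifier(look_ahead=5)
    secret = b"12345678901234567890"  # RFC 4226 Appendix D test secret
    server.enroll("alice", secret)
    observed = hotp(secret, 0)
    return {
        "first_use": server.verify("alice", observed),            # True
        "replay": server.verify("alice", observed),               # False
        "next_code": server.verify("alice", hotp(secret, 1)),     # True
        "skipped_in_window": server.verify("alice", hotp(secret, 4)),  # True
        "stale_code": server.verify("alice", hotp(secret, 2)),    # False
        "too_far_ahead": server.verify("alice", hotp(secret, 20)),  # False
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:18s} accepted={accepted}")
```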

Creating a Security Alert System

Attackers realize that even if their social engineering attack is detected, an employee usually has no method to alert other employees that an attack is occurring. This indicates that even if an attack is compromised, it can continue with minimal changes. Essentially, a compromise may only improve an attack by allowing the attackers to learn what does not work.

Employees should have some way to rapidly alert a computer security official that they might have been the target of an information-security-related attack. The information security staff should then evaluate the attack and be able to alert the entire organization that an attack may have occurred and to be aware of the potential for other types of attacks. Obviously, employees should be encouraged to report attacks that are both technical and nontechnical in nature.

Having the Organization Attack Itself

A company that wants to fully determine its vulnerabilities with regard to social engineering should attack itself just as an outsider would. This is particularly true of large organizations, where identifying the major vulnerabilities is difficult. This is the only method for determining how social engineers might infiltrate an organization, as well as seeing how far attackers might get and the level of damage they can do.

Reverse Social Engineering

Reverse social engineering is a unique form of social engineering. In most social engineering attacks, the attacker goes to the victim to obtain information. In reverse social engineering, however, the victim unwittingly goes to the attacker.

This statement may seem to be ridiculous. Why would anyone go to an attacker and hand him information? The trick is for the attacker to first use a traditional social engineering attack to make victims believe that the attacker is a part of a legitimate organization, such as a support service, that is providing help for the victims. The problem is that the victims do not know that the person they call for assistance is an attacker instead of the person he claims to be.

Because of the nature of reverse attacks, the hacker can receive much more information in these cases than he would from normal social engineering attacks. The attacker has immediate legitimacy because the victim is going to the attacker. This differs from a traditional social engineering attack, where the most difficult aspect for an attacker is attaining legitimacy in the victim's eyes. Obviously, the rewards of reverse social engineering can be great. Fortunately for potential victims, reverse attacks are much more difficult to complete successfully.

How Reverse Social Engineering Is Accomplished

In an example of reverse social engineering, the attacker physically intrudes into the targeted organization and posts signs stating who to contact for technical support. The sign carries the attacker's telephone number. In some cases, the attacker replaces a valid technical support telephone number with his own. Frequently, users do not know who to contact if there is a computer problem, and they welcome any offer of assistance. Obviously, these attacks require the victim to need technical support in order for the attacker to be contacted. Attackers can use a variety of methods to create this need.

Creating a False Need for Technical Support

To increase the likelihood of being contacted by their victims, attackers occasionally create the need for assistance through sabotage. By deleting a critical file or resetting system parameters during a physical intrusion, attackers create an immediate need for their services. Proper placement of the offers for help provides welcome relief for people who are panicking because they believe their system is destroyed.

When such physical intrusions are not possible, an attacker might mail offers of technical support to the targeted organization. The book Secrets of a Super Hacker describes an incident where an attacker went through the garbage of a foreign embassy and found packaging for a modem. The attacker mailed the embassy a letter and a disk. The letter stated that there was a problem with one of the embassy's modem files and that the enclosed disk contained a file that would fix the problem. The letter provided a telephone number offering technical support that, of course, was actually the attacker's number. Naturally, the file on the disk sabotaged the computer system. Inevitably, embassy personnel called the attacker, and the attacker had the embassy staff manipulate their system in a way that permitted a future attack. Although this attack required an extreme amount of luck and planning, the rewards for the attacker were large.

Attackers also use electronic versions of reverse social engineering attacks. Internet search tools allow potential attackers to search USENET Newsgroups for people that have mailing addresses from a specific organization. The Newsgroups also indicate the interests of the people posting the messages. After gathering names of employees and their interests, an attacker could mail the victims information about interesting Web sites or programs. If the victims obtain the advertised programs, which contain harmful software, the attack is successful. Again, the victim is going to the attacker or using the attacker's sabotaged tools, rather than the attacker going to the victim. This sort of reverse social engineering can work well for attackers with poor interpersonal skills, because there is no direct contact with the potential victims.


Preventing Reverse Social Engineering

The factors that enable reverse social engineering to take place are very similar to those of social engineering. Basically, poor awareness and poor operational procedures cause individuals to respond incorrectly to compromising situations. As with social engineering, simple countermeasures such as the following can prevent the most sophisticated reverse attacks:

· Identifying direct computer support analysts. If users know who to go to for technical support, they would not likely respond to anonymous letters or postings. Users would also probably alert their support analysts if there were an unusual occurrence. A diligent analyst could then alert the rest of the organization of a possible attack. As part of this vigilance, computer support analysts should use due diligence when software updates are obtained.

· Preventing employees from retrieving programs off electronic forums. Many organizations have policies that prohibit the use of outside disks in organizational computer systems. These policies are important, but they must be updated to account for worldwide telecommunication systems, such as the Internet. People retrieve information from all over the world. Software inevitably gets retrieved as well. A company's policy should call for a ban on any utilities that do not come from the computer services organization.

· Other prevention mechanisms. This section only identifies two mechanisms to prevent reverse social engineering attacks. That actually is all that a company should need. Reverse social engineering requires that the victim perceive that the attacker is providing a critical service. If potential victims already have experts to consult, then they will not be vulnerable to false offers for help.

Conclusion

Although common sense would seem to be the best prevention for social engineering attacks, common sense is not the same for all computer users within an organization. Social engineering exploits operational security weaknesses that are often overlooked by information-security experts when plans and procedures are being written. These weaknesses have led to serious compromises of major computer systems that could not have been prevented through any technical protection.

Security personnel must consider the limited common knowledge of the company's employees when they are developing plans and procedures. These plans and procedures are ineffective if no one is aware of them, and are useless if they do not address a coordinated attack on the system, which social engineering can present. Social engineering allows a person that is weak in computer skills to access information that people think that only a “superhacker” could obtain. Many more people are social engineers rather than superhackers, and the financial rewards or other desired results that social engineers are after can be just as great. Unfortunately, few people are addressing this area, which is just as significant as any technical attack.

Author Biographies

Ira S. Winkler

Ira S. Winkler, CISSP, Chief Internet Security Strategist, National Computer Security Association, is one of the world's leading authorities on incident response and industrial espionage. His book, Corporate Espionage, discusses similar subjects.