Posted Aug 17, 1999

Social Engineering Just a new twist on an old con game. From the U.S. Department of Energy's Computer Incident Advisory Capability (CIAC) Information Bulletin

tags | paper
MD5 | 82bf2c98c0b417bdafbae792655f3917


<HEAD><TITLE>"Social Engineering" just a new twist on an old
con game </TITLE></HEAD>
<body text = "#000000" link = "#0000ff" vlink = "#ff0000" bgcolor = "#ffffff">

<h1>"Social Engineering" just a new twist on an old con game</h1>

<p><i><b>Editor's Note:</b> This article was adapted from one that
appeared in the July 5, 1994 issue of the U.S. Department of Energy's
Computer Incident Advisory Capability (CIAC) Information Bulletin.</i></p>

<p>In today's world of computer crime, not all perpetrators have to
come in over the Internet; they may just as easily get information
simply by asking. Beware of the friendly insider or the official
sounding outsider; they may be playing on your good will or naivet&eacute;
to get what they need. A few examples should help...</p>

<p>A department secretary answers the telephone, "Josie Bass. May I
help you?"</p>

<p>"Hello. This is Martin White with the computing center. We think
someone may have broken into the file server. Can I talk to the
technical person in charge?"</p>

<p>"It's Friday afternoon. I'm the only one here," Josie</p>

<p>"How're you doing, Josie?"</p>

<p>"Good. And you?"</p>

<p>A deep breath. "Not too bad, except that it's Friday afternoon
and I think we're going to have to wade through a mountain of paper.
Anyway, as I was saying, we think your file server has been</p>

<p>"What makes you think so?"</p>

<p>"Your account name is <i>jbass</i>, isn't it?"</p>

<p>"We've been seeing unusual traffic coming and going on your</p>

<p>"Well, can't you tell for certain what's going on?" Josie
asks. </p>

<p>"Sure, I'm searching now, but it's so much paper." The
sound of a page being flipped. "What scares me is that while I'm
doing this, the bad guys could be downloading or changing information on
your server. Maybe you ought to take your server off the network or
change your system password."</p>

<p>"Jeez, I don't know how to do that."</p>

<p>Martin sighs. "That's too bad. The intruders may not have even
entirely cracked your system." The sound of another page being
flipped and then fingers snapping. "Josie, I just thought of
something. I have all this on line. It would just take a minute to check
if I had your password." A heavy sigh. "Why didn't I think of
this before? It's been a long week - too many hours looking at
numbers." A pause. "Okay, what's your password?"</p>

<p>"I...er," Josie hesitates.</p>

<p>"Oh, yeah, you shouldn't give it out. I understand." The
sound of another page being flipped. "It was such a good idea,
too." Pause. "These guys sure tried a lot of different ways to
break in..." Another page.</p>

<p>"Hey," Josie says, "we could be here all night. Forget
I told you this: my password is <i>Jb2cats</i>."</p>

<p>"Thanks. Great. Hold on." The sound of keys being typed.
"Okay. Let me double check." More typing. "That's it.
Good news, they never got in to your system." Pause. "Thanks a
lot, Josie. We would have been here half the night for a non-event. By
the way, once they pass you by, it's very rare that they'd come back.
You're in good shape."</p>

<p>"Thanks. You have a good weekend," a relieved Josie</p>

<p>"You too."</p>

<p>"Martin White" and his confederates will have a good
weekend changing the grades of students who are taking classes from that
department - for a fee, of course. </p>

<p>This is one (fictionalized but only too realistic) example of what's
called "social engineering," an ironic characterization of the
nontechnical aspect of Information Technology (IT) crime. In other human
interactions it's called a "con (or confidence) game" where
Martin is the "con artist." The underlying idea is simple:
deceive the victim into revealing secret information or taking
inappropriate action for the attacker's benefit.</p>

<p>Most of us are helpful and trusting - it's human nature. We want to
be good neighbors and have good neighbors. Social engineers exploit
this cooperative inclination. They also employ intimidation and
impersonation, as well as plain old-fashioned snooping and eavesdropping.</p>

<p>As the theft of information increases, we need to increase our
awareness of the indirect methods used by information pirates. </p>

<p>For example:</p>

<ul>
<li>A confused and befuddled person will telephone a clerk and ask for
his password to be changed.</li>

<li>An important sounding man identifying himself as an executive will
telephone a new system administrator and demand access to his account NOW!</li>

<li>A person at an airport will look over your shoulder ("shoulder
surfing") as you key in your telephone credit card or ATM PIN (they
even use binoculars and camcorders).</li>

<li>A visitor will watch you type your login-ID and password at your</li>

<li>A confident person will call up a computer operator and ask him or
her to type in a few lines of instruction at the console.</li>

<li>An attacker will sift through your paper trash ("dumpster
diving"), looking for clues to unlock your IT treasures.</li>
</ul>

<p>Unlike the technology it targets, social engineering is an old
profession with a new name. It succeeds frequently because our culture
has not caught up with its own technology. A social engineer would have
a much more difficult time getting the combination to a safe than getting
a password, or even the combination to a locker at the health club. The
best defense is simple: it's education, training, and awareness.</p>

<p><i>Remember: A password is like a toothbrush. Change it every three
months and never, never let anyone else use it (not even someone
claiming to be from CERT).</i></p>

</body>