soc_eng.html

Posted Aug 17, 1999

Social Engineering: just a new twist on an old con game. From the U.S. Department of Energy's Computer Incident Advisory Capability (CIAC) Information Bulletin.

tags | paper
MD5 | 82bf2c98c0b417bdafbae792655f3917

<html>
<HEAD><TITLE>"Social Engineering" just a new twist on an old
con game </TITLE></HEAD>
<body text="#000000" link="#0000ff" vlink="#ff0000" bgcolor="#ffffff">



<h1>"Social Engineering" just a new twist on an old con game</h1>

<p><i><b>Editor's Note:</b> This article was adapted from one that
appeared in the July 5, 1994 issue of the U.S. Department of Energy's
Computer Incident Advisory Capability (CIAC) Information
Bulletin.</i></p>

<p>In today's world of computer crime, not all perpetrators have to
come in over the Internet; they may just as easily get information
simply by asking. Beware of the friendly insider or the official
sounding outsider; they may be playing on your good will or naivet&eacute;
to get what they need. A few examples should help...</p>

<p>A department secretary answers the telephone, "Josie Bass. May I
help you?"</p>

<p>"Hello. This is Martin White with the computing center. We think
someone may have broken into the file server. Can I talk to the
technical person in charge?"</p>

<p>"It's Friday afternoon. I'm the only one here," Josie
says.</p>

<p>"How're you doing, Josie?"</p>

<p>"Good. And you?"</p>

<p>A deep breath. "Not too bad, except that it's Friday afternoon
and I think we're going to have to wade through a mountain of paper.
Anyway, as I was saying, we think your file server has been
compromised."</p>

<p>"What makes you think so?"</p>

<p>"Your account name is <i>jbass</i>, isn't it?"</p>

<p>"Yeah."</p>

<p>"We've been seeing unusual traffic coming and going on your
server."</p>

<p>"Well, can't you tell for certain what's going on?" Josie
asks. </p>

<p>"Sure, I'm searching now, but it's so much paper." The
sound of a page being flipped. "What scares me is that while I'm
doing this, the bad guys could be downloading or changing information on
your server. Maybe you ought to take your server off the network or
change your system password."</p>

<p>"Jeez, I don't know how to do that."</p>

<p>Martin sighs. "That's too bad. The intruders may not have even
entirely cracked your system." The sound of another page being
flipped and then fingers snapping. "Josie, I just thought of
something. I have all this on line. It would just take a minute to check
if I had your password." A heavy sigh. "Why didn't I think of
this before? It's been a long week - too many hours looking at
numbers." A pause. "Okay, what's your password?"</p>

<p>"I...er," Josie hesitates.</p>

<p>"Oh, yeah, you shouldn't give it out. I understand." The
sound of another page being flipped. "It was such a good idea,
too." Pause. "These guys sure tried a lot of different ways to
break in..." Another page.</p>

<p>"Hey," Josie says, "we could be here all night. Forget
I told you this: my password is <i>Jb2cats</i>."</p>

<p>"Thanks. Great. Hold on." The sound of keys being typed.
"Okay. Let me double check." More typing. "That's it.
Good news, they never got in to your system." Pause. "Thanks a
lot, Josie. We would have been here half the night for a non-event. By
the way, once they pass you by, it's very rare that they'd come back.
You're in good shape. "</p>

<p>"Thanks. You have a good weekend," a relieved Josie
responds.</p>

<p>"You too."</p>

<p>"Martin White" and his confederates will have a good
weekend changing the grades of students who are taking classes from that
department - for a fee, of course. </p>

<p>This is one (fictionalized but only too realistic) example of what's
called "social engineering," an ironic characterization of the
nontechnical aspect of Information Technology (IT) crime. In other human
interactions it's called a "con (or confidence) game" where
Martin is the "con artist." The underlying idea is simple:
deceive the victim into revealing secret information or taking
inappropriate action for the attacker's benefit.</p>

<p>Most of us are helpful and trusting - it's human nature. We want to
be good neighbors and have good neighbors. Social engineers exploit
this cooperative inclination. They also employ intimidation and
impersonation as well as plain old fashioned snooping and eavesdropping. </p>

<p>As the theft of information increases, we need to increase our
awareness of the indirect methods used by information pirates. </p>

<p>For example:</p>

<ul>
<li>A confused and befuddled person will telephone a clerk and ask for
his password to be changed.

<li>An important sounding man identifying himself as an executive will
telephone a new system administrator and demand access to his account NOW!

<li>A person at an airport will look over your shoulder ("shoulder
surfing") as you key in your telephone credit card or ATM PIN (they
even use binoculars and camcorders).

<li>A visitor will watch you type your login-ID and password at your
keyboard.

<li>A confident person will call up a computer operator and ask him or
her to type in a few lines of instruction at the console.

<li>An attacker will sift through your paper trash ("dumpster
diving"), looking for clues to unlock your IT treasures.
</ul>

<p>Unlike the technology it targets, social engineering is an old
profession with a new name. It succeeds frequently because our culture
has not caught up with its own technology. A social engineer would have
a much more difficult time getting the combination to a safe than getting
a password, or even the combination to a locker at the health club. The
best defense is simple: it's education, training, and awareness.</p>

<p><i>Remember: A password is like a toothbrush. Change it every three
months and never, never let anyone else use it (not even someone
claiming to be from CERT).</i></p>

</body>
</html>
