Saturday, September 13, 2014

Social Engineering

Why should an attacker waste time reconnoitring a system, hunting for vulnerabilities, and attempting to break in, when they can simply ask for the password? That is the main appeal of social engineering, a practice which at bottom is nothing more than deception of an individual or group, carried out to extract information or access that would never otherwise be handed over. Properly executed, the victims will likely never know they were targeted (at least until it is much too late).

The greatest weakness in most humans is that they will help anyone who asks: it is what society and biology have trained us to do. As a result, most people (especially jaded employees) will let almost anyone borrow their laptop or mobile phone so that a stranger can "quickly check their email" or "call a friend because their phone's battery died" (try it sometime). From there it is fairly trivial to forward sensitive documents to yourself, set up remote access for later, or carry out a whole host of other attacks. More mundanely, you or someone you know has probably had a Facebook or Twitter account "hacked" in exactly this manner.

Have you ever given a second thought to a janitor, cleaning crew, or garbage collector beyond acknowledging their presence in your environment? If you have, you can probably predict what this paragraph is about; if not, you have probably already inferred it from the context of this post. Janitors and cleaning crews usually have near-complete, unfettered access to an organization's physical premises, often after hours. It is easy to forget that you place implicit trust in men and women who might not mind supplementing their salaries through the simple acts of photocopying documents or plugging flash drives into unattended computers. Even supposing every person you hire is a saint who would never act against their employer, it is not hard for a social engineer (or anyone else) to fill out a job application for a janitorial position.

Fine, suppose you have no cleaning or janitorial staff at all. You probably still have someone picking up your trash a few times a week, most likely someone not employed by you. As an example from operations security, it is not very hard to infer how a company is doing from the contents of its garbage. Pizza boxes every single day? The company has enough money to buy lunch for all of its employees. Lots of cardboard boxes labelled "Dell" or "HP"? They just installed a batch of new machines and are probably looking for a way to dispose of the old ones. Personal items, family photos, and a potted plant or two? Someone was probably just fired, is likely disgruntled, and should not be too hard to get information from.

It doesn't even have to be that difficult. In many cases the social engineer never has to leave their desk: they can simply call the target organization and impersonate its outsourced IT provider. In a large organization it is just as easy to pose as an employee from a satellite office, a contractor, or a vendor gathering requirements about the company's needs. Edward Snowden, a former systems administrator contracting at the NSA, reportedly obtained additional access simply by asking superiors and co-workers for it.

To the security-conscious software developers at Stevens and around the world: I challenge you to write the most secure software you can. There is nothing a line of code can do to stop a human from sticking a note with the password to their monitor. Thinking two-factor authentication? Let's be honest: it is really not that hard to get hold of someone's phone and computer at the same time.

The weakest link always comes down to the individual. That is the conclusion on which social engineering thrives, and unfortunately there is not much that can be done about it: education and the threat of legal action only go so far.

 
