
Social Engineering: Why minding?

Know the numbers, the harms and the countermeasures for this dangerous attack strategy


This article was originally published by its author on LinkedIn.

The original publication can be read here.



October 2015, second half of the month. The New York Post was the first to report the story. Several other outlets, such as the Guardian, CNN, Forbes and Wired, soon published their own versions of it.

After finding out that John Brennan, CIA director at the time, was a Verizon customer, a group of crackers, some still in high school, managed to deceive the company's employees into handing over his personal data.

Soon after, knowing that Brennan's personal email account was with AOL, they contacted that company and, using the data obtained from Verizon, convinced the email provider's employees to reset the account password. The damage was done.

Even though how far the break-in to John Brennan's personal email account succeeded is debatable, there is evidence suggesting that the crackers did, in fact, get in.

If the head of the most prominent intelligence agency in the world is susceptible to attacks of this nature, what about the rest of us?


Common people


Unfortunately, social engineering attacks do not reach only people in strategic positions in distant countries. The harm is very democratic.

If we look only at phishing (a very common social engineering attack, which consists in luring people into clicking on deceptive links so that they expose inside information), we'll see that, in 2016, according to Kaspersky Lab, 27.61% of the global total of this type of attack occurred in Brazil, and that the anti-phishing system of Kaspersky customers was triggered 155 million times that year.

IsYourDataSafe.com attests that the stolen-information market moved more than 143 billion dollars in 2013. Another source, the Ponemon Institute, claims that, among companies with more than 10,000 employees, the average annual cost of containing phishing attacks that compromised workers' credentials is 380,000 dollars or more.

Social engineering, then, is a real problem: a rich source of financial loss for victims and of illicit profit for attackers.

But, after all, what exactly is social engineering?


Definitions


In the book Unmasking the Social Engineer, published by Wiley, Christopher Hadnagy defines social engineering as (adapted):

Any act that influences a person to take an action that may or may not be in their best interest.

According to this definition, directly influencing someone to take any action is what defines social engineering. The concept is broad: for example, a big dog, barking obstinately and running towards some unfortunate person, who then runs away in desperate self-defence, could be classified as a social engineer. In this case, the frightened individual would be coerced into taking an action in their own interest.

Even a newborn child, by crying, influences their parents to take actions, and is influenced by them in many ways. Social engineering is, then, innate. It is worth noticing that this definition assumes the social engineer is an active entity with regard to influencing other people's actions.

Another, less general, definition comes from the book The Basics of Hacking and Penetration Testing, by Patrick Engebretson, which defines social engineering as (adapted):

It is the process of exploiting the "human" weaknesses inherent to all organizations in order to make an employee share confidential information.

Here both the human and the organizational dimensions appear. The social engineer exploits the human nature of an organization to obtain inside information. Notice, however, that the definition does not make active influence a requirement: the social engineer would merely benefit from human weaknesses. Which weaknesses are those? The next definition clears up this aspect.

This one is from the online course CompTIA Security+ Certification SYO-401, on Udemy (transcribed):

Exploiting the trusting nature of people to gather information or access.

This third definition makes it clear that the weakness exploited by the social engineer is people's innate trust. In addition, it goes beyond saying that the social engineer wants information, expanding the objective to gaining access, and, again, it does not make active influence a requirement.

Based on the definitions presented here, I venture my own definition of social engineering:

Coercing people into taking actions, or freely taking advantage of actions already taken, in order to gain access to information or to restricted areas, whether physical or virtual.

With that, I can cover attacks based on active influence, such as phishing, as well as attacks such as dumpster diving (collecting information from the garbage), which are passive with respect to influencing people, and, at the same time, both information and physical or digital access as objectives.

Starting from the definition, in what ways can a social engineer act effectively? Unfortunately, the real circumstances of social engineering are diverse.


Attacks


Let's suppose two characters exist: John and Mary. Both work at a multinational company. Their profiles are very different. John is always in the middle of all sorts of fraud; he is a swindler and is unhappy with the corporation. Mary, on the other hand, is very sweet and an exemplary employee.

At the peak of his dissatisfaction, John decides to attack the company and, even though he does not have the technical knowledge needed for an electronic attack, he is a chatty person and knows the institution quite well. Below are four stories of possible attacks by John. All of them are based on social engineering.


Tailgating


John knows that in a certain place in the company there is information that would earn him a few thousand dollars on the black market. The problem is that he does not have the privilege level required to enter the place: his ID badge does not open the door.

So he positions himself close to the door and waits for someone who looks gullible. Mary, who works in exactly that place and had just gone out to get a cup of coffee in the kitchen, approaches John in the corridor and, with a smile, wishes our cheater the most melodic "good morning". The perfect victim.

John, after answering with an even more melodic "good morning", starts some small talk with the smiling girl. Between jokes and smiles, he tells her that he forgot his ID and asks Mary if she would kindly let him in with her. Very helpful, she says "yes, of course" and does so. A tailgating attack is consummated.

Tailgating is improperly entering a place where access is restricted by exploiting the good will of people who do have legitimate access. The attacker doesn't even need to exploit the helpfulness of others: they can slip through in the fraction of a second before a controlled door closes. Obviously, that would be much more suspicious if noticed.


Dumpster diving


Tuesday, 5:30 p.m. It is time for Mary to leave. She must go to the bank before 6:00 p.m. to pay a bill; that is the due date. For that reason, she did not waste time shredding the drafts of a confidential document she had written earlier. She simply crumpled them before tossing them in the trash and leaving.

Wednesday. Mr. Mark, the caretaker, usually takes the trash out around 9:00 a.m.: a big bag of used paper, which he puts in a bin that stays beside the company's building. John, very smart, knows about the caretaker's methodical habit. Around 9:15 a.m. he goes down to the entrance and, at a moment when there is no one in the parking lot, takes the bag and puts it in the spacious trunk of his car.

Later, already at home, searching through the material taken from the trash bag, he finds a handful of crumpled copies of a confidential document that someone had thrown away without shredding. Examining the content of the papers more closely, he finds out that they contain temporary network credentials (bingo!) with a high level of privilege, to be made available to consultants who would provide a service to the corporation in a few days.

It couldn't be simpler: dumpster diving consists in searching the trash for inside information that was disposed of incorrectly.


Shoulder surfing


John knows that Mary has access to a certain system. For nefarious reasons, he also wants access to it. The problem is that there is no reason for the access-granting staff to approve that. In addition, accessing the system with another person's credentials would make it much easier to mask the frauds he may want to commit.

Having found out that Mary is a sweet person, he approaches her at a moment when she does not appear very busy and, between smiles and lies, asks her to check something for him in the system. Not wanting to disappoint the nice interlocutor, Mary immediately nods and starts typing her credentials to log into the system.

John, incredibly discreet and smart, memorizes the credentials as she types them. After she shows him what he asked for, he thanks her nicely and walks away. Success. Later, he would use the stolen credentials to authenticate as if he were Mary.

As the example shows, shoulder surfing attacks consist in obtaining confidential information by "spying" on what the victim is doing on their computer.


Impersonation


"Good morning, are you Mary?", asks the man in a suit, leaning slightly forward, arms resting one on top of the other, as if crossed, on the cubicle wall. Mary says "yes, it's me". The man introduces himself: he is Joe, the purchasing supervisor. He came to talk directly to Mary because he needed some urgent information. He was closing the documentation required for the audit that was going to happen on Monday, and some figures, exactly the ones Mary had declared, were not matching.

He asks if Mary could open SAP to check with him what in fact had to be declared.

Surely the woman had made some mistake. Mary, not wanting to jeopardize the audit, promptly agrees with the careful supervisor and asks him to sit beside her so they can check the figures. Together they do the calculations; the man takes notes of the information he needs, thanks her, quickly drinks the coffee she offers and then leaves. Success.

John, our talented social engineer, disguised himself as Joe, the purchasing supervisor, to obtain inside information. Impersonation consists in posing as someone else to gain advantages, often by faking urgent situations or putting pressure on the victim.

Several other types of attack make up the social engineer's arsenal, such as phishing, hoaxing, whaling, watering hole attacks, etc. Attacks of this nature commonly rely on the innate helpfulness and trust of the victims and, in addition, on some knowledge of internal processes. Social interaction is, almost always, a key element in conducting a successful social engineering attack.


Countermeasures


Even though physical security countermeasures are the most evident ones in the fight against social engineering, user education, without doubt, is the way to corporate success with respect to information security. Nowadays it is indispensable that home users also have some knowledge of cyber security. Cybercrime is everywhere, and its main "competitive advantage" today is the general public's lack of information.

Get to know the course "Good practice on Cyber Security", by Perallis IT Innovation, on Udemy.




Installing electronic surveillance equipment can inhibit the social interaction required to conduct an impersonation and/or shoulder surfing attack; mantraps can be a good choice to prevent tailgating; and, similarly, shredders placed in each department of a corporation can help prevent dumpster diving. But none of it will work if the employee is not prepared to make correct use of all these tools.

When we talk about security, more than merely educating the user, a corporation that succeeds in this regard is an organization where a culture of information security exists. This is extremely difficult to achieve, simply because it goes against the inherent trust we have in one another. Insisting on it, without doubt, is one of the most important weapons for those whose responsibility is to look after corporate security.


Author:

Eduardo Vasconcelos

Cyber Security Expert at Perallis IT Innovation


Translator:

Júlia Araújo