Security: Social Engineering
Author: George Pauwels
May 2008
Social engineering has gotten a bad rap lately. The question is, does it deserve the reputation? Social engineering is defined by the all wise and knowing Wikipedia as “a collection of techniques used to manipulate people into performing actions or divulging confidential information.”
In order for someone to perform social engineering they must take advantage of a victim’s needs. These needs can be inherent or implanted. Inherent needs are those vulnerabilities that almost all humans possess, including the desire to help, the need to feel important, the urge to demonstrate expertise, or simply being too busy to be bothered, to name only a few. Social engineers typically lie or stretch the truth in order to take advantage of their targets’ vulnerabilities.
For those who didn’t get the chance to see the recent movie Live Free or Die Hard, Bruce Willis’s character is responsible for protecting the life of a young hacker played by Justin Long, known for his role as the Mac in Apple Computer’s famous PC vs Mac commercials. While trying to escape the bad guys, Bruce and Justin try to steal a car. Bruce plies his talents for hotwiring, only to find they no longer apply; Justin then reaches up and presses the OnStar button. When the OnStar lady answers, Justin goes into his best social engineering act. He claims his father is having a heart attack and they cannot find the keys to the car. He tells her it is important that he get his dad to the hospital and asks whether she could start the car for him. Justin’s character plays on the woman’s vulnerability of needing to be of assistance and of not wanting to be responsible for someone’s death. Although this example is extreme, it is typical of the way many people get what they want in our society.
The other option to introduce social engineering into a situation is to implant the need. If a hacker can bring down a network or a computer and then introduce themselves as an expert who can fix the issue, they can extract valuable information from the victim or get the victim to perform a certain act that will aid the hacker’s cause. How about the new Web based exploit that sends a pop-up window to your computer indicating your system has been infected with a virus or has in some way been compromised? If you will just download their product, you will be able to scan for and remove this problem. While you think you are downloading some excellent antivirus product, you are actually installing their malware on your system.
But aren’t we being socially engineered every day? Aren’t there people in our world who are manipulating us into “performing actions or divulging confidential information”? It happens all of the time. Watch any television program these days and you will see social engineering every 10 minutes. Drug companies invent diseases by presenting common symptoms as a new “syndrome” and then in classic social engineering style inform you that if you come to them, they can cure you of your wretched illness. Are you not cool enough? Is your laundry not clean enough? Is your house not big enough? Will you have money for retirement? Are you getting all that life has to offer? Then come to me and I’ll set you free! You, my friend, have been socially engineered (ask your doctor for advice).
The other day my lovely wife and I were patronizing a book store in the Dayton area. We had made our selections and were standing in line at the checkout counter. A gentleman ahead of us was purchasing several security related magazines. The sales clerk asked if he had his membership card, and he said that it had expired. She indicated that she could renew his membership if he wanted and he agreed. She then asked him a number of personal questions which he happily answered for her (and our!) benefit: name, address, phone number, date of birth, etc. And one wonders how identity theft seems to be so prevalent in our society! Or is that fear, too, a social engineering ploy?
But the question remains, is social engineering given a bad rap? Could this power be used for good and not evil? It is my belief that it can. Education is the key to the successful defense against this vulnerability. There are several ways in which the user community can be made aware of the potential pitfalls and motivated to avoid them:
- At hiring time, make sure all individuals read and sign the company security policy. If you do not have one, shame on you! Drop everything and put one together immediately.
- Hold mandatory monthly training sessions where a different security topic is explained in detail. Providing a free lunch ensures the best attendance.
- Create an internal website with more information, where employees can read the newest case studies of social engineering attacks in the corporate community. This is a much better source than depending on a FW: FW: FW: FW from Aunt Deloris.
- Perform weekly penetration testing and advertise the results. It may be prudent to change the names to protect the innocent.
In the same way that hackers, advertisers and salespeople use social engineering to encourage individuals to do their bidding, we as security professionals can use it too. Take the time to feed into your user community’s vulnerabilities and to demonstrate how important it is to use reason and procedures to protect themselves from manipulation. Then you too can have the whitest teeth and the brightest smile!