A Common Compromise - The SE Job
Background
I was planning on turning the Common Compromise into a series.
I had just begun to think about the next angle to cover, when it presented itself to me rather nicely packaged.
The SE job. SE is an abbreviation of Social Engineering, and Social Engineering is really just a fancy name for a con.
It's a con job, plain and simple.
The con job is not new. It has been very successful throughout the ages, because human nature appears to be
susceptible to it. Most people are willing to believe something is true until it is disproved, rather than
treat it as false until it is proven. This is the basis of all cons. All the individual running the con has to do
is reinforce that belief.
The SE job capitalizes on the strongest part of this nature. People are most willing to believe that which is a
common occurrence. For example, if a help desk is used to dealing with login problems (and most help desks see
these regularly), you have a good chance of fitting right into their routine by calling in with a login problem.
The SE is most effective if the person performing it has done their due diligence, which means gathering the
necessary information. Information is king in the SE job because it is what provides reinforcement: it supports
the belief that the person performing the SE job really is who they say they are. So the more information that
is known, the more reinforcement can be given.
Take the help desk example: they get login problems every day, but they are not likely to get login problems
where the caller doesn't know their account name, department, boss, network, etc. So the person performing the
SE will also have to know these before calling.
This information can be found in many ways, and the skilled SE artist knows how to find it. They might get the
account name from an e-mail address, a business card, or a company directory. Companies often use common algorithms
to determine account names; the most common is first initial followed by last name, for example sgielda.
Each bit of information is available in some way. Combine enough information to fit into the routine and the SE
job will be successful. Often the person running the SE is able to get the IT department to change the password
for him, and they don't note it as anything to alert on.
But SE jobs aren't just played on corporate help desks. They are played on anything and everything. Even home users
on their ISP accounts are susceptible. Many SE jobs are run for logins and passwords to the ISP account, credit card
numbers, and more. The con is right at home on the net due to one added benefit: people are even more likely to
believe what they read.
So, combine fitting in as a relatively common occurrence with the added tendency to believe what is read, and you
have a powerful start for a con. It requires the least amount of reinforcement; sometimes it requires none. For proof
of this, look to the proliferation of chain e-mails, "help save this child" scams, "help, I've got billions in
a Nigerian bank and only you can help me get it out" scams, investment scams, pyramid scams, and far more
on the Internet. It trickles all the way down to the home user.
Users are used to clicking on attachments and URLs, to the point that they can't help doing it. This is proven
time and time again by the spread of e-mail worms. They are also used to being prompted for their login and password,
and to dialog boxes instructing them on what they need to do.
So a common SE job is to duplicate those pages: fake a login and password prompt and collect the results. The user
is often never the wiser. E-mail, web, chat, Usenet, and other services are perfect for these types of SE jobs.
A home user needs to be vigilant in their security. It isn't just the corporate world that needs to be alert and
aware of the potential SE job.
Don't be taken in
Don't fall for a password prompt that isn't expected. If you already entered it and get prompted again sometime
later, doubt it. Don't fall into the routine of believing until disproved when it comes to security. Always suspect
it is false until proven, both in the corporate world and for home users.
If you doubt it, stop and verify it. Don't just pass it off and continue on.
During the penetration tests that I've been part of, entry was frequently achieved through someone giving us a
login and password. Home users are most likely to be "hacked" by being tricked into giving the "hacker"
the login and password. Most often this will come in the form of an e-mail or web page, possibly an unexpected
login prompt at a web site, in a chat room, in an instant message, or elsewhere.
Hacking/penetration testing is not some super-secret science. As touched upon in the previous article, it is a
process. Attempting to trick a user is part of that process. Why work when most of the time you can either walk
in or get someone to give you a login and password? There is nothing magical in that; it's the process of a con.
Stephen K. Gielda
02/01/2002
Edited 03/30/2003 to remove references to an e-mail I used to illustrate a scam I thought a company called Spy
Productions was perpetrating. They had sent a mail about my domains moving to them. My domains were hosted by
DirectNIC and I had no knowledge of Spy Productions, so I immediately assumed scam, as it has been tried before.
What had happened was that the domains had once been hosted by Tucows, and Tucows gave my e-mail to Spy Productions to
mail about the domain transfers. It really was not Spy Productions' fault; Tucows gave them dirty data because
I was no longer a customer.