Social Engineering, short summary

This is a short summary of a social engineering study by Lauri Pesonen and Teddy Grenman.

The term "social engineering" is used here to describe attempts to engineer a trust relationship between people in order to gain unauthorized access or to get someone to reveal a secret. A typical social engineering attack could be to phone a random user and ask for a valid account and password, or for a credit card PIN. Social engineering isn't exactly a new thing, although it is sometimes presented as one; various forms of deception have been around for ages.

Some reasons why social engineering is effective are:

a) Misconceptions. There is a strong misconception that security through obscurity works well against social engineering.

b) Ignorance and attitudes. People tend to ignore threats thinking that "it won't happen to us".

c) Human factor. Humans are lazy. A good security policy and good protocols do not help if they are not followed. Social engineering also exploits the fact that people are usually honest. Abusing a friendly and helpful administrator or helpdesk is easy because of the idea that the client is always right.

Social engineering is always based on human interaction and depends largely on psychological factors. The attacker tries to get the target person to do something against his will. Usually people are aware that they should not give their password to people they do not know and that they should not tell company secrets to anyone, but with a little manipulation they can become surprisingly cooperative.

One effective way to affect the target's decision making is to convince him that he is not solely responsible for his actions, meaning that if something goes wrong, he won't be the only one blamed. Other ways include convincing the target person that someone will be indebted to them if they conform, and that they might get future benefits that way. And last, but not least, there is moral duty. If a target person sees it as his moral duty to help the attacker, he is very likely to conform to the attacker's wishes. People do not like to feel guilty, so they would rather do something questionable than make themselves feel guilty.

As in all cases of lying, it is very important for a social engineer to stick to the truth as much as he can. The target person that the attacker contacts therefore has to be very alert in order to spot the one sentence that isn't true and is the key to the whole attack. Unfortunately people aren't usually that alert, especially if a stranger calls them on the phone while they are busy. Usually people try to get rid of the stranger as quickly as possible in order to continue with their work.

Some test attacks were described in the study. All the attacks were targeted at different organizations. The following is a short description of the attacks and their success.

  1. Gaining physical access to computer equipment. The attackers made up a story about why they needed to get into a server hall. An operator let them in without asking for any identification. They were left alone in the server hall.
  2. Gaining physical access to network equipment. The attackers asked a cleaning lady to open the door into a closet that contained network equipment. The door was opened for them.
  3. Changing the password of an account. The attackers borrowed an ID card with a blurry photograph and tried to change the password of the card owner's account. The attack was successful: the sysadmin was about to type a new password when he was told about the test.
  4. Creating a new account. The attackers tried to create a new account in a university computing environment. They filled in a form with their real names and student numbers and forged the signature of a professor (with the professor's consent). They got an account.
  5. Getting an account's password from a legitimate user. The attackers sent an e-mail to 140 computer experts in which they asked for a valid password. They made up a story to "prove" the need for the password and faked the headers so that the e-mail seemed to come from a system administrator, while the reply address was the attacker's. They received 28 answers, of which 11 contained a valid password. The administration received 13 reports of misuse.
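A defender-side check for the header pattern used in attack 5, where the From line claims to be the administrator but replies are routed elsewhere. This is an added illustration, not code from the study; the sample messages, addresses and domains are constructed placeholders.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not from the study). Domains are placeholders.
SPOOFED_REQUEST = """\
From: System Administrator <sysadmin@example.edu>
Reply-To: account-check@attacker.example
To: expert@example.edu
Subject: Password verification needed

The user database is being migrated; please reply with your current password.
"""

ORDINARY_NOTICE = """\
From: System Administrator <sysadmin@example.edu>
To: expert@example.edu
Subject: Scheduled maintenance

Mail will be unavailable on Saturday between 02:00 and 04:00.
"""

def domain_of(header_value):
    """Return the lowercased domain of the first address in a header, or ''."""
    addr = parseaddr(header_value or "")[1].lower()
    return addr.rsplit("@", 1)[1] if "@" in addr else ""

def reply_to_mismatch(raw_message):
    """True when Reply-To names a different domain than From.

    An absent Reply-To is normal and is not flagged. This is a header-only
    heuristic: the From line itself is under the sender's control, so this
    complements, rather than replaces, sender authentication (SPF/DKIM).
    """
    msg = message_from_string(raw_message)
    reply_dom = domain_of(msg.get("Reply-To"))
    if not reply_dom:
        return False
    return reply_dom != domain_of(msg.get("From"))

def triage(raw_messages):
    """Return the subjects of messages that should be held for review."""
    return [message_from_string(m).get("Subject", "")
            for m in raw_messages if reply_to_mismatch(m)]

if __name__ == "__main__":
    for subject in triage([SPOOFED_REQUEST, ORDINARY_NOTICE]):
        print("hold for review:", subject)
```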

The study concludes that there is still a lot of work to do in the area of computer security. Strong cryptographic verification is needed, and it should be possible without identification where required.