Is social-engineering an actual threat
You most definitely live in a sense of false security! Social engineering is very prevalent still today, and I doubt that is about to change in decades if ever.
Here are some brief explanations on why social engineering works. It's tough to cover everything because social engineering is a really broad field.
Some reasons why social engineering works (From the book quoted in the bottom):
- Most people have the desire to be polite, especially to strangers
- Professionals want to appear well-informed and intelligent
- If you are praised, you will often talk more and divulge more
- Most people would not lie for the sake of lying
- Most people respond kindly to people who appear concerned about them
Being helpful
Usually humans want to be helpful to each other. We like doing nice things!
I run into the reception at a big corporate office with my papers soaked in coffee. I talk to the receptionist and explain that I have a job interview meeting in 5 minutes, but I just spilled coffee over all my papers. I then ask if the receptionist could be so sweet and print them out again for me with this USB memory stick that I have.
This might lead to an actual infection of the receptionist's PC and may gain me a foothold within the network.
Using fear
The fear of failing or not doing as ordered:
The company's director's (John Smith) facebook page (or whatever other source of information) reveals that he has just left on a cruise for 3 weeks. I call the secretary and with a commanding voice I say "Hi, it's Chris calling. I just got off the phone with John Smith, he's having a very good time on his cruise with his wife Carla and kids. However, we are in the midst of integrating a very important business system and he told me to give you a call so you can help us. He couldn't call himself because they are going on a safari, but this is really urgent. All you need to do is take the USB stick that is addressed to him in the mail and plug it in, start the computer and we are all done. The project survives!
Thank you very much! You have been a great help! I am sure John Smith will recognize you for this act of helpfulness. "
Playing on reciprocation
The tailgate. I hold the entry door for you, and I quickly walk behind you. When you open the next door, which is security enabled, I head in the same direction and most people will try and repay the helpful action by holding the door for you again, thus allowing you into a place where you should not be. Worried about getting caught? Nah.. You just say you're sorry and that you went the wrong way.
The target would almost feel obliged to hold the door for you!
Exploiting the curiosity
Try dropping 10 USB sticks in various locations in your organization. You don't have to place them in too obvious places. The USB should have an auto-run phone home program so you can see when someone connects the USB stick and should theoretically be exploited.
Another version of this is to drop USB sticks with a single PDF document that is called e.g. "John Smith - Norway.pdf". The PDf document contains a Adobe Acrobat Reader exploit (there is tons of them) and once the user clicks the document he will be owned. Of course, you have made sure that the exploit is tailored to the target organization's specific version of Adobe. It will feel natural for most people to open the document so that they can try return the USB stick to its owner.
- Another example of curiosity (maybe another term explains this better) is all these SPAM mails or bad Internet ads that you have won something or a Nigerian prince is offering you a whole lot of money if you can help him. I am sure you are familiar with these already, but these are also social engineering attacks, and the reason they haven't stopped is that they still work!
That's just a few examples. Of course there are tons more!
We can also take a look at historic social engineering events:
HBGary
Full story can be read here (Page 3 contains the social engineering part)
Last year HBGary was hacked. This attack involved many different steps but also a social engineering aspect as well. Long story short, the hacker compromised the email account of a VIP in the company and sent an email to an administrator of the target system saying something like this: "Hi John, I am currently in Europe and I'm bouncing between airports. Can you open up SSH on a high numbered port for me coming from any IP? I need to get some work done". When the administrator gets this email he feels it is natural to comply with this, seeing as the email is coming from a trusted source.
But that is not it! The attacker had the password for the account, but the login was not working! So he emails back to the administrator "Hey again, it does not seem to be working. The password is still right? What was the user-name again?". Now he has also provided the actual password for the system (the attacker had it from the earlier compromise of another system in the same hack), giving the attacker a whole lot more trust from the administrator. So of course the administrator complies and tells the attacker his user-name.
The list at the top comes from the book "Social Engineering: The Art of Human Hacking" and I can very highly recommend it!
Yes, any system is just as weak as the weakest member, and that is the human being, and it always will be.
You may be 'immune' for some of these most obvious techniques now, but does that equally apply to the stressed secretary who gets a phone call from the 'IT department' to quickly lookup some important information on her bosses computer which can not wait until after the upcoming weekend, oh and that strange window that might popup and ask some unimportant question, she shall just click Accept. Of course she will do it ... everyone will do it in the wrong situation ...
Social engineering (SE) is not only about exploiting information which attacker has, but also about exploiting patterns of (human) behavior.
To explain this, let's do a little exercise - say out loud the color, not the word.
Can you see the "exploit" here? The use in real life situation of this "exploit" is very questionable, but it very clearly shows us how our brain can be manipulated even if we have the valid information (we all learnt colors when we were babies).
The real life example could be something like this - let's say you want secretary to put your USB into her machine. Going to her and polite asking her to do so might be rejected, especially if there are policies which forbids this. But you could suit up, spill coffee on your shirt / trousers and on your papers and then come to her, holding those papers and saying - "I'm so late to the meeting and while I was driving to here, cat ran out in front of my car and I started breaking really hard. The cat did survive, but my papers didn't. I know this is strange request, but please, could you print it for me? I'm really late and your boss might be really angry at me!"
This is called pretext and basically, it's a role played by SEr. What are we doing in this pretext? We are exploiting emotions. If this is played well, and your microexpressions are genuine, most likely she'll do what you want. Why? Because we, humans, are codded like this. Yes, she might know that putting unknown device in her PC might be harmful; yes, she might be educated about it, but let's be serious, you tried not to hit the cat, you didn't drink your coffee, you ruined your suit, you're late on meeting, boss will be angry on you, and now some policy asks her to be rude to you. Come on... However, key part here is to set her in the right mood - to feel sorry for you. To do so, your microexpressions must be interpreted as true (genuine) by her. If you played your cards right, you have the same effects as with colors. She knows it's something she shouldn't do it (color of words), but emotions are telling her otherwise (meaning of words).
Another trick which SEr can pull on target is, so called, Pavlov's dog experiment. So, what does the drooling dog has to do with ITSec? Let's say I want to know about physical security at your workplace. You know you shouldn't share that information with me. I also know that after work, you always come to local pub for a drink. One day I introduce myself and we start small-talk. At first it was just about your cool car. Then we started to talk about women in bar, then about our exes, about last year vacations and so on... All in all, something what is not unusual to talk about, but it's from private life. When we met, you noticed that every time I ask question I hit table with the cigarette. At first it might be even annoying habit, but then you just ignored it. After few days / weeks when you started to feel comfortable around me, I started to ask about your work and work environment. And bit by bit, you told me what I wanted to know about physical security in your company.
So what did I do here? By casual talking to you, I trained your brain to give me answers every time I hit table with cigarette. While this is not brain-washing, and by just doing so you wouldn't tell me your darkest secrets, imagine this as - peeling one layer of onion. The second layer was trust I gained with time spent with you in bar. And so on and on... I did manipulated you and this simple trick helped me to not raise any red flags when I asked you sensitive questions. Again, it wasn't about information you have (do not tell that to strangers), but about your behavior and reaction to outside world.
What I'm trying to say here is - no matter what you know, if you are placed in right situation, you'll do what is asked from you. Why? Because it's in our genetics.
Just to give one or two "out-of-IT-sector" examples how information / knowledge which target has can be meaningless if he/she is attacked by skillful SEr. In court, evidences are pure cold facts, yet, good lawyer can, no matter in how bad position his client is, turn those facts in his favor using SE.
Before you are buying car, you'll go and inform yourself which is the best for you. When you arrive at shop to buy one, seller can convince you that you should buy more expensive car, again, using SE.
Also, check this video. How he did it? By just acting normal. Nothing more.