Social Engineering


Social Engineering.  In general, social engineering refers to using lies and misrepresentations to gain access to a system or network.  The following list describes a few approaches.
  • through an authorized user
    • obtain passwords
    • obtain useful information
  • via some sort of hardware source
    • gain access to a wiring closet
    • gain access to a server
    • gain access to some lines into the network

 users that implement these are very unlikely to implement adequate security.

While these scams are not the only ones possible, I want to start describing some examples I know of.

The Knowledgeable Expert.  Sometimes it seems that I am the only person I know that finds certain Holiday Inn commercials very disturbing ... the ones where people end up pretending they can do things that are way beyond their actual capabilities.   The knowledgeable expert scams occur in all kinds of ways.  For example,

When I first became a professor at Quinnipiac University in 1999-2000 I ran into any number of these.

  • The campus had about 6000 students on one campus.  At one vendor meeting I was constantly told, by one self-professed expert who represented one of the main vendors QU used, something like the following:

"We can make use of your bell tower and put a single wireless device up there that will cover the entire campus.  You won't need any other wireless devices on your campus.  Students will be able to make use of wireless anyplace on the campus indoors or out."

So I tried, with much difficulty, to point out a number of difficulties with this approach:

  • wireless signals weren't going to get through very many walls into the interior classrooms
  • how would they secure such a system back in those days
  • how much bandwidth was actually available
  • how many users could this system handle and where was the evidence for this
  • how was one device, that this vendor said existed, going to actually handle all this traffic

Not at all surprisingly, this vendor's approach relied on little more than claiming I didn't know what I was talking about!  I hope you have learned enough about wireless to realize that all of these were major problems, especially back then.

  • I have  .

Friends, Relatives and Loved Ones.  This sort of social engineering can take on a large variety of forms.  People might be quite good at hiding essential information from strangers but not be at all good at it when dealing with friends and/or relatives.  Some examples follow.

  • University campuses usually have a number of relatives of students working on their campuses.  One scam that I have heard of relies on someone gaining access to some administrative level passwords.  This is often done through the children of someone of sufficient power within the administration.

One particular system that has been quite widespread is to have students selling change of grades to other students on a campus.  They are able to surreptitiously change these grades due to having gained appropriate login information.  As you can likely tell, this sort of scam can be VERY lucrative.

  • As I've mentioned elsewhere in this website I have seen little boxes (sniffers) attached to the backs or bottoms of administrative staff's desks on university campuses.  These were likely connected and attached after hours so that these devices can be used to sniff packets.  These are going to be much more easily installed by someone who is at least somewhat connected to the staff.

This sort of approach does not rely on gaining login information.  In fact, it can be used to sniff out someone's login information among other things.

Impersonations.  These sorts of gambits can be quite difficult to stop.  Attackers can impersonate a huge variety of others to try and gain illicit access to an organization's computing systems.  Some examples follow.

  • Some of the most prevalent arise from phone calls trying to glean information about things.  Some can be quite blatant in their approaches, particularly when the internal users have certain naiveties.
  • An attacker might contact some administrator while pretending to be an authorized user trying to get a password reset.
  • An attacker might pose as some sort of vendor or emergency maintenance provider to gain access to internal components:
    • wiring closets
    • switches, routers and hubs
    • network lines
  • An attacker can even pose as a flower or pizza delivery person or a repair person in order to gain physical access to a location
    • the validity of repair people can often be very difficult to ferret out
    • anyone with unsupervised access to a group of desks will be able to go through drawers and look for places where usernames, passwords and other personal information might be recorded

Employees.  Much of what we've focused on arises from people from outside an organization.  The truth is, employees and others with authorized access have much more potential to be the sources of intrusions than outsiders.  Even though they may not have anywhere near as much attack expertise, they have certain inside information and access that can be misused intentionally and/or unintentionally.

Some of the biggest difficulties relating to employees develop when employees take things out of the office or configure things so they can access them personally from outside the organization.  Employees can copy and distribute things physically that are very difficult or nearly impossible to corral or trace.

Security Employees.  When teaching I try to take the time to get in discussions about the following statements.

In any organization, the biggest threats to security come from the people working on security

In any organization, the next biggest threats to security come from the systems, hardware and software, being used for security

I get disturbed because so many of my students consider these statements to be totally false.  It is also too often the case that they seem to have considerable attachments to needs for illusions about what security employees can actually be doing.

There are a number of different ways that this statement can be at least generally true.

  • particular security employees and/or systems really aren't up to date
  • security employees are among the likeliest to be able to fool others in the organization that they have certain experience and expertise when they really don't
  • security employees are among the likeliest to have clearances and authorizations to be able to get to more valuable and sensitive information
  • security employees are among the likeliest to have the expertise to be able to penetrate and/or attack systems they are not authorized to access
  • people developing security systems, hardware and software, are among the likeliest to be able to penetrate and/or attack systems they are not authorized to access

More will be added over time.