###########################################################################################

			Introduction to Social Engineering

		            By: Tal0n of NixSec 05-16-04

###########################################################################################

1. Introduction
2. What is social engineering?
3. Internet Social Engineering
4. Telephone Social Engineering
5. In-person Social Engineering
6. Conclusion

###########################################################################################

1. I am writing this paper to shine a light on an art that has been used for years but
nowadays has taken a new form: the art of deception, social engineering. Social
engineering, if used correctly, can go from a few simple favors to international
espionage. It can also be the most effective kind of "hacking" you can do, and the only
thing required is knowledge and understanding of the human mind, people skills, and
a bit of cleverness to achieve almost any task at hand.

###########################################################################################

2. What is social engineering? Social engineering is basically making people do what you
need or want them to do or making them give you certain information that you need or want.

Say you want the password to your friend's computer. Would it be easier to keylog it or get
it some other such way, or to talk it out of him? Probably the second option.

Consider this situation:

Dan: Hi Matt.
Matt: What's up Dan?
Dan: Not much, just trying to play this game.
Matt: What game?
Dan: Hutt 3D.
Matt: Ah, I heard that game rocks.
Dan: I could sign you up for it.
Matt: Really? That'd be awesome.
Dan: Ya, no problem. I have to go soon though.
Dan: I'll try to set some of it up before I go. What do you want your password to be?
Matt: Hmm.. try teehee, I use it for everything else anyways.
Dan: Sounds great, I'll send you the rest of the information later, see ya!
Matt: Thanks Dan, bye.

In a quick conversation, under the pressure of picking a quick and easy password,
Matt has given Dan access to probably all of his other accounts, including email,
just by not stopping to pick a good password instead of the one he uses for almost
everything else.

The social engineering was well done on Dan's part: he put Matt under pressure by saying
he had to "go soon" and therefore *didn't* have time to talk with Matt fully about the
game or the setup information. Matt decided to make it easy so he could play his new game
as soon as possible, and gave Dan a vital key to Matt's everyday internet accounts.

When people feel rushed, or feel that they will miss out on a good opportunity if they
don't hurry and provide information, they tend not to think as much as they should.

Now that situation was made possible because there was a certain kind of 'trust' between
Dan and Matt. If the situation were a little different, and Matt was talking to someone he
didn't know very well, the situation might still be possible, but it would take either
some smoother talking from the attacker or some stupidity on the victim's part.

Trust is a big factor in social engineering. If someone doesn't feel that they trust you,
they probably would not be as likely to comfortably go along with whatever you are
planning. If they do trust you, then depending on how much trust is involved and the
mentality of the victim, it's possible to pull off almost anything.

###########################################################################################

3. Internet social engineering is pretty common nowadays, and lots of people, companies,
and sometimes even ISPs fall under the control of a social engineer.

Here's an example situation of an attacker trying to get access to the victim's website.

attacker: hi, how are you?
victim: pretty good, you?
attacker: fine
attacker: i seen you take care of somesite.com?
victim: ya, thats my site
attacker: wow, i love the graphics
attacker: content is nice as well
victim: why thank you :)
attacker: you wouldn't happen to have some extra webspace would you?
attacker: you see, me and a couple friends need somewhere to upload some pictures and 
mp3's
attacker: think you could help us out?
victim: hm.. i dont really know how
attacker: oh, well its pretty easy
attacker: if you want me to, ill set it up, i just need the login info please
victim: ok, just make yourself some space somewhere and please don't mess with any of mine
attacker: of course not ;)
victim: username is somesite, password is whitesoxs
attacker: thanks, we really appreciate it :)
victim: no problem

Now let's analyse that situation...

First, the attacker comes off as really nice and polite, complimenting the owner of the
site on its graphics and content.

Then, he gently asks for some webspace on the account that hosts the victim's website.

The victim seems not to know a lot about computers or authentication, and has a good
feeling that nothing bad will happen, given the attacker's good attitude and niceness.

After that, the victim easily hands over the login information, the username and password,
giving the attacker full access to the victim's website.

"Why?" you ask. Social Engineering.

Now there are other situations, like gaining trust over a period of time: days, weeks, or
yes, even months. Even social engineers can be social engineered; it just mainly takes
time and research.

We humans have a 'want' pattern. If we think someone will give us something, has the
ability to make us 'famous', or will get us somewhere, we tend to ease up and be 'too
friendly'.

For example, who would you trust more with your car, your best friend or an acquaintance?
Your best friend of course, unless you know he cannot drive or is very reckless.

Trust, as I said before, is a key factor in social engineering. If someone doesn't trust
you, they probably won't let you take advantage of them.

###########################################################################################

4. Telephone social engineering is a danger as well. Caller ID, as shown in "The Art
of Deception", cannot be used as a fool-proof way of identifying a caller, since it can be
spoofed without much trouble.

Check this situation out.

victim: Hello, welcome to CompNet Technical Support. Tom Hoff speaking, how may I help you?
attacker: Hi, this is Jeff Bridge from Accounting.
victim: Hi Jeff, how are you doing today?
attacker: Well, not too good. I lost my password yesterday and I haven't been able to
access the server. My boss has been on my case since last night and I'm not sure if I can
get the pay checks out by Friday.
victim: Oh.. that doesn't sound too good.
attacker: Could you do me a favor and reset my password for me so I can get back to work?
victim: Sure, what's your ID number?

At this point the attacker looks on the company's website for a listing of the
employees. He lucks out and finds a text file with their names and ID numbers.

attacker: 332 I think
victim: Ya, that's it, 332
victim: Hold on just a second and I'll reset the password
attacker: Ok
victim: New password: changeme
victim: You need to change it to whatever you want as soon as you access the server.
attacker: The username is still jbridge, right?
victim: Yep, that's what it says here.
attacker: Thank you! By the way, I have a friend down here from Development that needs to know
what the new server is for his team.
victim: New server? As far as I know it's always been dev.compnet.com.
attacker: Hmm.. maybe it was just down last night, we'll try it again later.
victim: Oh ok
attacker: Well, I have to go, thanks so much for your help again.
victim: It was no problem
attacker: bye
victim: bye

Now.. what just happened here?

The attacker, impersonating "Jeff Bridge" from accounting, has just successfully done the
following:

Got the information needed to access the server that has access to the payroll.

Got access to a machine that is probably not secure, where the attacker may be able to
escalate his privileges to root.

Got the name of the server that the company's development team uses, so the attacker can
plan future attacks on the company and may gain access to steal source code or other
information about the company's new or old product line, or other confidential information.

And the most important thing: gained some trust from the victim, which can be used in
other attacks planned for getting information or getting something done.

He was also able to obtain a vital piece of information for getting the password he needed:
"Jeff Bridge"'s company ID number, which was publicly available on the company's website,
which isn't too smart.

###########################################################################################

5. In-person social engineering, although it may not seem too smart to some people, can
be very effective on the victim, sometimes even more so than the other ways, because the
victim can actually see the person they are talking to, which makes the trust factor grow
and sometimes makes them easier to manipulate.

Take this situation into consideration.

A man in a nice suit and tie, with fancy hair, walks elegantly up to the ISP technical
support center.

He says he's in a hurry, and needs to get the username and password he lost while he was
at a business meeting. He needs them ASAP because he's working on a project on his laptop
and it can't wait.

The lady at the counter says she doesn't think she's allowed to do that.

The attacker politely compliments her loyalty and asks her to join him for lunch at a
fancy restaurant the next day. He says he thinks she's got real talent and offers her a job
at his 'firm'.

She feels flattered and thinks she must help the guy out since he has been so nice to her.
She carefully looks up the username and password for the account name he gives her and
hands it to him on a piece of paper, whispering not to tell anyone because she might get in
trouble.

The attacker has just successfully obtained the username and password of any account on
the ISP, just by using some smooth words and dressing like a professional.

You see how easy it can be? It happens every day, and 90% of the time people don't even
realize it.

###########################################################################################

6. My conclusion in writing this paper is to explain how to successfully get anything you
want from a person by 'just asking for it'. Now that you have read it, hopefully you will
be more educated in the field and will know how to protect yourself, or maybe even your
company, from most social engineering attacks, if not almost all. Online, on the phone, on
the street: these are all places where a possible social engineer preys. Will you be his
next victim? Hopefully not.

-Tal0n cyber_talon@hotmail.com

#nixsec @ efnet