We all have our stereotypical images of the hacker. That pale-skinned, overweight, uber geek with next-to-no social skills and equally poor hygiene. These are the youngsters you imagine tip-tapping at their keyboards until the wee hours of the A.M. trying to crack your codes, break your ciphers, and bring down your servers. Stereotypes do little good, and a line of defense built around them is worse yet.
The true crackers (we’ll use this term instead of the more socially accepted “hacker”) are those with an even more dangerous skill set than a God-like knowledge of TCP/IP, rootkits, and a subscription to 2600! Most crackers fall into three categories: Socio-Crackers, Techno-Crackers, or Politico-Crackers.
The first category, Socio-Crackers, hack and crack from a gang-like mentality. These hackers do what they do for peer recognition. It’s a turf war in .com and everyone wants to be elite. The cracks that this group pulls off are fairly run-of-the-mill stunts, ranging from the defacing (or bringing down) of Web sites to cracks aimed at embarrassing peers or people of note.
Techno-Crackers do their thing because it makes them feel technologically superior to the rest. Often the hackers from the social category claim to be members of the technological category—but only because everyone else is (that’s a joke, ya see). The offending stunts this group pulls off are philosophically different from those of the first category. Instead of being motivated by peers, these crackers are motivated by a burning desire to further advance technology. Good examples of this group are those that hack military security systems (or Microsoft software) to show vulnerabilities in systems thought to be secure.
The third category, and quite possibly the most dangerous, is the Politico-Crackers, the political hackers. These are groups of people who rise up to fight political hardships or oppression and do so with the only means they have—technology. A recent example of this category would be the Chinese retaliation on the United States for the U.S. spy plane incident.
If any of the above groups fit the stereotype, it would be the first. But even then, there is only a remote chance that your e-commerce site (the one that was just rendered useless) was brought down by a 15-year-old tech prodigy named Melvin. More likely, it was a social engineer.
What is social engineering?
Quite simply, social engineering is the ability to manipulate society (or members of society) to get where or what you want. Social engineers don’t work from the outside, nor do they work from the inside—they work from the periphery.
In the 1995 movie Hackers, there is a simple scene where the protagonist, Crash Override, calls a company security officer and poses as an important executive needing to retrieve a file from his office computer. In order to do so, the executive needs the phone number of the modem to get in. The security guard, not being even remotely tech savvy, gives Crash Override the phone number, thereby giving him free access to the internal network.
Now, that was Hollywood and the technological ideas of the early-to-mid 90s. But what it illustrates is a very common weakness in a company’s security policy—the employees. People are malleable, especially in the adept hands of the social engineer.
Social engineers are quick thinkers and speak easily to those they are trying to manipulate. Take, for instance, the short-change artist. I was once working for a software retail outlet when I was completely duped by a short-change artist. At first, he simply wanted to buy a pack of batteries, and then he wanted to break a twenty, and when all was said and done my drawer was short $180. Now, I am a professionally trained actor with years of experience in communication and improvisation, yet this man who communicated as if he barely had a high school education was able to manipulate me into handing over $182 in change for a $2 purchase! I didn’t see it coming and neither will you or your employees.
The tricks of their trade
One of the most common ways in which a social engineer will gain access to things he or she shouldn’t is by using “adopted authority.” By simply convincing the victim that he or she is someone of authority (within a corporation, technical support, local police, or even the FBI), a cracker gains instant (and easy) access to sensitive data.
Adopted authority can also be achieved via e-mail or mailing groups when the cracker, again, poses as technical support (or some other position of authority). By e-mailing a security warning, with carefully crafted instructions that aid in gaining access to systems, to a newsgroup or corporate IT staff, a cracker need not even show a badge of authority to manipulate victims into giving him or her what is needed.
Yet another tool of the social engineer is impersonation. Although typically reserved for Hollywood, it does occur. Of course, this form of impersonation is not exactly a James Bond-like physical disguise; it generally occurs in the form of e-mail. A cracker with enough skill can spoof e-mail addresses quite easily. We’ve all seen the standard e-mail from Bill Gates promising thousands to all who forward the e-mail to everyone in their address book. The sender address sure looks legit (firstname.lastname@example.org), but think about it: what are the chances that Mr. Gates is actually going to send out an e-mail like this? This is an example (albeit a poor one) of spoofing. Imagine that you’re a corporate lackey with a user account and password on the company network who gets an e-mail from what seems to be the CEO of the company, instructing you to send your username and password because that CEO can’t seem to get onto the network. Could it happen? Sure it could. Should you respond with your username and password? No way! If you do, chances are you’ve been socially engineered.
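The CEO-needs-your-password message above is the kind of thing a mail gateway or help desk can screen for mechanically before a human ever has to decide whether to trust it. The following script is an added example, not code from the original article: it parses raw message headers with Python’s standard email library and flags the tell-tale signs of an impersonation attempt (a display name that claims an internal identity while the address domain is external, a Reply-To that points somewhere other than the visible sender, and a request for credentials in the subject or body). The trusted domain, the sample messages, and the keyword list are all constructed for illustration.

```python
"""Flag e-mail headers that look like executive impersonation.

Added example, not part of the original article. TRUSTED_DOMAIN, the
sample messages and CREDENTIAL_WORDS are constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed: the domain the company actually sends internal mail from.
TRUSTED_DOMAIN = "example.org"

# Constructed sample messages. The first claims to be the CEO but comes
# from an outside domain with a redirected Reply-To; the second is a
# routine internal note.
SAMPLES = {
    "spoofed": (
        'From: "CEO Jane Doe" <jane.doe@mail-example.net>\n'
        "Reply-To: jane.doe.ceo@freemail.example\n"
        "Subject: need your password to get on the network\n"
        "\n"
        "Send me your username and password right away.\n"
    ),
    "internal": (
        'From: "IT Helpdesk" <helpdesk@example.org>\n'
        "Subject: reminder: quarterly policy refresher\n"
        "\n"
        "Please read the updated acceptable-use policy on the intranet.\n"
    ),
}

# Constructed keyword list; a real filter would be tuned to local usage.
CREDENTIAL_WORDS = ("password", "username", "login")


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if absent."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def analyze(raw: str) -> dict:
    """Return a dict of warning flags for one raw RFC 822 message."""
    msg = message_from_string(raw)
    _from_name, from_addr = parseaddr(msg.get("From", ""))
    _reply_name, reply_addr = parseaddr(msg.get("Reply-To", ""))
    body = "" if msg.is_multipart() else msg.get_payload()
    text = (msg.get("Subject", "") + " " + body).lower()

    from_dom = domain_of(from_addr)
    reply_dom = domain_of(reply_addr)

    flags = {
        # The visible sender is not on the company's own domain.
        "external_domain": from_dom != TRUSTED_DOMAIN,
        # Replies would be routed somewhere other than the visible From address.
        "reply_to_mismatch": bool(reply_addr) and reply_dom != from_dom,
        # The message asks for credentials, which legitimate staff never do by mail.
        "asks_for_credentials": any(w in text for w in CREDENTIAL_WORDS),
    }
    # Either header anomaly alone is enough to route the message for review.
    flags["suspicious"] = flags["external_domain"] or flags["reply_to_mismatch"]
    return flags


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, analyze(raw))
```

The header checks are deliberately simple: they do not verify that the mail was actually sent from the trusted domain (that is what SPF, DKIM and DMARC results at the gateway are for), they only catch the cheap spoofs where the attacker does not bother to match the domain at all. The credential-request check is the one to surface to users, because the policy the article goes on to recommend, never sending a password by e-mail regardless of who asks, is the control that holds even when the headers look perfect.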
Threats or personal gain are also tricks of the social engineering trade. These types of feats were once less likely, but with the rise of violence in today’s society, they’re quite possible. This type of engineering does not always fall into the threatening category, of course. Take for instance a so-called member of the payroll department who needs your Social Security number because the system is currently down and without the number your paycheck will not be processed in time. How often would you question accounting, especially when your check is on the line?
Making you feel sorry for the social engineer is one of the dirtiest, yet most successful, tricks of the trade. A “new” employee enters the IT department saying that he or she just started and already is facing deadlines—but the boss is out for the day and the employee doesn’t have access to the network. Any member of the IT staff with a heart might be prone to set up that account and get him or her up and running, not knowing they’ve just opened up the safe for ol’ sticky fingers Louie!
How to avoid it
From the sounds of it, you need to train your users to be hard-nosed, heartless drones who are unwilling and unbending in the act of doling out information. But it’s not so. There are some very simple guidelines that will help you to keep out those who shouldn’t be in!
I’m not talking access lists and iptables here. I’m talking corporate policies. Although such policies are often looked on as unproductive and unfriendly, develop a solid set of rules that dictate who gets to know what and how much each employee has access to. This will take time and tolerance, but in the end you’ll have social engineers attempting to get information from people who simply don’t have it.
Speaking of policies, you need to have them! Hiring new employees should involve rigorous paperwork and data entry that makes everyone on payroll aware of their new status. Sure, paperwork is a pain, but it can also save your hide and protect you from liability.
One very simple precautionary method is to simply be paranoid! Adopt the standard “you only get what you need to do what you need to do” policy and do not stray from it. Assume people want what you have—and don’t let them have it. It may seem a bit extreme and overboard, but it will, in the end, save your skin.
If an employee is released from their position, assume they might use what they know to get back at the company. Although it might cause more work than you’d like to deal with, change IP addresses and passwords when an employee leaves. Never assume that the only login name and password that employee knew was his or her own. If a departed employee had access to a database or file server, change the administrative and common passwords on the suspect servers. Add security policies that deny the ex-employee’s home e-mail account access to your internal network and VPN.
Another technique is verification. This comes in many forms and on every level. From name badges to paperwork to digital certificates, in this day and age you can verify anything you wish. If someone needs access to something, make sure they have paperwork that states that they should have access. If someone comes to you saying he or she is new to the company, make sure that the person is in fact an employee! Don’t assume anything.
Finally, one of the most important methods of protecting your company/staff/network from social engineering is training. Take our favorite security man from Hackers. The poor man had no idea what was happening (or even what a modem was) and had no way of knowing that he was handing out access to an elite cracker. Had this man been trained properly and known the consequences of handing out such information, more than likely he would not have handed it out.
Although not the most productive use of time, mass corporate e-mails reminding employees of network and computer policies are good ideas. Inform users of what they can and cannot do. Give them weekly pointers on networking and network security. Not only will they benefit, you will as well.
It’s not possible to cover every microsecond of time or every micrometer of space in the IT industry. Security is a risk we all know and are growing to hate. We try firewalls, protocols, and laws, but it seems the counterculture always has a counter.
You’re paranoid, and you should be. Someone out there somewhere wants what you have and will stop at no means to get it. To stop a thief, you sometimes have to think like a thief. Although it is often looked down upon, take a look at the hacker/cracker/phreaker magazine 2600. From here, you might gain insight into the mind of the social engineer and find yourself one step ahead of those trying to bring you down.