Social Engineering and Reverse Social Engineering

Ira S. Winkler

Payoff

Social engineering is the term that hackers use to describe attempts to obtain information about computer systems through nontechnical means. In most cases, hackers telephone unsuspecting system users and use a series of ruses to get the users to divulge their user identifiers and passwords. Although these techniques may seem ridiculous, hackers use them to obtain extremely valuable information. This article proposes that organizations benefit from these attacks by making them an integral part of a vulnerability analysis, especially where security awareness is poor. It also discusses typical attacks and describes methods for preventing them.

Introduction

Social engineering, or a hacker's attempt to obtain information about computer systems by nontechnical means, comes in many guises. Techniques include telephoning unsuspecting system users and, using a series of ruses, getting them to divulge their user identifiers and passwords; going through trash dumpsters for information; and obtaining a job within the targeted organization. Many people find these techniques ridiculous, but they can provide a hacker with extremely valuable information.

Social engineering might seem like a fancy word for lying. It is, but it is also extremely effective. Social engineering specifically targets weaknesses in information systems security plans and procedures, as well as poor security awareness. These weaknesses are only detected after an attack has occurred, if the attack is detected at all. In addition, an attack may comprise several small attacks, each of which might be inconsequential on its own. Unfortunately, the whole social engineering attack is greater than the sum of its parts. The small attacks probably go unnoticed, possibly occurring over several months.

What is at stake in these attacks can be enormous. Many organizations have valuable information that justifies expensive protection mechanisms.
This information may include corporate financial data, electronic funds transfers, access to financial assets, patient records, and personal information about clients or employees. Any compromise of this critical information can have serious consequences, including the loss of customers, the filing of criminal charges or civil law cases against the organization, loss of funds, loss of trust in the organization, and the organization's collapse.

Organizations respond to social engineering threats by implementing information-security plans that establish control of information assets by specifying protection mechanisms. The plans usually rely heavily on technical security mechanisms, such as firewalls, user passwords, closed networks, and operating system protection mechanisms. In addition, physical protection mechanisms and other operational security issues are often discussed.

The computer and information-security profession apparently believes that employees understand the operational security requirements for protecting information. Unfortunately, this is not the case, except in defense-related organizations. Most employees actually have a low level of security awareness. In spite of this, most organizations funnel their information-security funding to technical mechanisms. Little funding, if any, is designated for security awareness and operational security training.

The disclosure of information through nontechnical means can and will occur. This type of disclosure can bypass millions of dollars of technical protection mechanisms. In many cases, if would-be attackers want to gain access to a computer system, all they have to do is ask. Although this might seem ridiculous, vulnerability analyses performed for
large commercial organizations confirm that many people with computer access do not understand the value of the information to which they have access. Users have disclosed a variety of sensitive information, including the names of employees, organizational costing information, telephone numbers of organizational modems, and customer data. Surprisingly, user identifiers and passwords are extremely easy to obtain. When they are used in combination with the telephone numbers of the modems, passwords can be combined with other technical intrusion methods to give attackers access to all of a company's information.

Techniques Used in Social Engineering

To hackers, social engineering usually means calling people up within a targeted organization and using a variety of ruses to obtain information from them. Hackers may claim to be from the computer support staff. They would say that they need a user's password to correct a problem with the computer system.

In another type of social engineering, a hacker would obtain a job at the targeted organization. This technique might give the hacker access to the information that he desires. Even if direct access to the information is not acquired, the hacker might learn enough to get additional access. A job as a janitor could be extremely valuable to a hacker because a janitor is usually given entry to areas of a building that an average employee does not have access to. Janitors can take their time to go through the garbage to obtain potentially valuable information, and they can go through a person's desk or belongings after he or she leaves for the day. A recent edition of 2600: The Hackers' Quarterly includes an article on how to obtain a job as a janitor.

Social engineering attacks may also involve going through trash dumpsters, referred to as dumpster diving. The Masters of Deception, who infiltrated the U.S.
telecommunications system to the point that they could have crashed the system, were only able to access the system after obtaining user passwords from the garbage of the New York Telephone Company. Again, the tactic may seem almost comical, but it provides a hacker with very valuable information.

It is well known that there are destruction procedures for classified materials in the defense community. Burn bags and shredders are common throughout the U.S. government. However, these procedures are almost unheard of in private industry.

Other forms of social engineering include criminal actions. In several cases, foreign companies have hired former intelligence operatives to engage in industrial espionage by gathering economic intelligence. Such operatives steal equipment and break into corporate facilities. In addition, actions that thieves use to collect credit card numbers (e.g., shoulder surfing, in which someone looks on as someone else enters a password) are being used to collect computer passwords.

Social engineering gives an outside attacker the knowledge and abilities of internal employees. It can also give internal attackers more knowledge and abilities than they should have. Social engineering can bypass all technical security mechanisms to allow an attacker to obtain the information of his choosing. In some cases, an attacker can get all the desired information through a social engineering attack without having to resort to technical means. This is an extremely important concept. It indicates that a person who intends to obtain computer-based information does not need to know anything about computers.

Liability Considerations

The issue of liability is an additional element of social engineering that must be considered. A hacker who breaks into a computer system and obtains information is probably committing a crime.
However, when a social engineer uses the telephone and simply asks someone for information, there is definite doubt as to whether a crime has occurred.
The person who gives out the information might be the person who is legally liable, possibly subjecting the organization to criminal or civil charges. If, for example, a person calls up a hospital, implies that he is from the Board of Health, and asks for and obtains the names of all patients diagnosed with AIDS, the patients whose lives were damaged by the disclosure of the information could sue the hospital. Essentially, social engineering attacks weaknesses in what is considered to be common sense.

Weaknesses that Allow Social Engineering to Occur

Because social engineers attack nontechnical weaknesses in security, these weaknesses must be discussed. Basically, two types of weaknesses allow social engineering to occur. A lack of security awareness facilitates most social engineering attacks. In other words, people do not know how to respond appropriately to compromising situations. Attacks are also facilitated by poor plans and procedures. In many cases, even though an organization designs plans and procedures to thwart a would-be attacker, they are not tested by an independent source to determine their adequacy.

Poor Security Awareness

Organizational information security plans usually address basic issues in computer security. These issues may include nondisclosure of passwords and not giving out sensitive data unless the identity of a caller is confirmed. However, most plans do not include realistic procedures for making employees aware of the security procedures. Many security experts assume that the general population understands basic security issues, such as the importance of a password. Computer and security personnel consider these issues to be common sense. However, before there can be common sense, there must be common knowledge. There is very little common knowledge when it comes to issues related to computer security. One such issue is the dissemination of computer passwords.
An extremely large percentage of users do not understand the importance of a password for authentication and access to a computer system. They do not realize that their account can be accessed from anywhere in the world, given the proper access point. Users also do not understand the lengths that people will go to in order to obtain the information that the users have access to on a daily basis. They also do not realize that throwing something in the garbage does not mean that the information is destroyed. What is garbage to a user might be extremely valuable to a hacker.

Human Weaknesses

People give out information for many reasons. In most cases, they just want to be helpful, because that is their job and/or nature. People can also be intimidated into releasing information, either by being made to believe that a superior wants the information or by just trying to make an annoying person go away. Corporate spies and many hackers understand what can be described as simultaneously good and bad personal attributes in a user, and they know how to exploit these attributes.

Untested Plans and Procedures

Although an organization might understand its vulnerabilities and the potential threats that hackers pose, and it may try to address these problems through proper operational procedures, it is difficult to determine if these procedures are adequate unless they are
tested. A good example of an untested procedure is the reliance on internal identifiers, which many organizations establish to authenticate an employee to another employee. Many organizations depend on Social Security numbers to identify people. However, an outside attacker can obtain a Social Security number with very little effort and then proceed to attempt to obtain desired information. Organizational procedures that require an authenticating mechanism must carry with them additional procedures that protect the mechanism. This is where a large number of security plans fail. Many organizations test a specific part of a security plan or procedure, but these plans and procedures must be tested as a whole.

Preventing Social Engineering Attacks

Because social engineering attacks can bypass even the most sophisticated technical protection mechanisms, it is probably impossible to prevent all forms of social engineering attacks. Many private organizations cannot go to the lengths that the U.S. intelligence community can to screen potential applicants, but they can establish a significant amount of prevention. The preventative methods described in this section are general to most organizations. However, specific industries and organizations have vulnerabilities that can only be identified when these entities experience a social engineering attack.

Using Separate Internal Identifiers

Many social engineering attackers are asked to authenticate themselves as real employees by providing their employee numbers. Fortunately for the attackers, employee numbers are commonly used and easily obtained from real employees. Attackers can develop a list of employee numbers and are then ready for any challenge. Companies should have a separate identifier for their computer-support activities. This procedure would separate personnel functions from support functions and provide additional security to both personnel and computer activities.
Implementing Call-Back Procedures

Many social engineering attacks can be prevented if company employees verify a caller's identity by calling him back at his proper telephone number, as listed in the company telephone directory. This procedure creates a minimal inconvenience to legitimate activities, but when compared with the scope of the potential losses, the inconvenience is greatly justified. If employees are required to call back anyone asking for personal or proprietary information, compromises of all natures can be minimized.

Establishing a Security-Awareness Program

Although it might appear ridiculous to think that a computer user would give out a password to a stranger, many users would find this innocuous. Companies spend millions of dollars to acquire state-of-the-art hardware and software security devices, but they ignore general awareness programs. Computer professionals cannot assume that basic security practices are basic to noncomputer professionals. A good security-awareness program can be implemented for minimal cost and can save a company millions of dollars in losses. The commercial sector can learn a great deal about these techniques from the defense community, whose techniques include security-awareness briefings during employee indoctrinations, security-awareness weeks, and periodic newsletters. The Computer Security Institute (CSI) provides a service in which a company's name and logo can be placed on a monthly newsletter that CSI develops for the company. A company can also
use daily reminders, such as security-awareness posters and security warnings that are put in the message of the day and displayed when a user logs into a computer system.

Identifying Direct Computer Support Analysts

Every employee of a company must be personally familiar with a computer analyst. There should be one analyst for no more than 60 users. The analysts should be the focal point for all computer support, and they should be the only computer support people who directly contact users. Users should be instructed to contact their analyst immediately if they are contacted by someone else claiming to be from computer support.

Using Technical Security Features

Operating systems come with many technical capabilities that can minimize the effects of social engineering. These security features can tell users when their account was last accessed and from where, or they can provide for the automatic expiration of passwords. Unfortunately, system administrators generally do not activate many of these security features. Although these functions can significantly minimize many threats to computer security, many users consider them annoying. System administrators should consider one-time password mechanisms, which can minimize the threats to computer security. In addition to combating social engineering attacks effectively, one-time passwords can prevent the exploitation of passwords that network sniffers gather.

Creating a Security Alert System

Attackers realize that even if their social engineering attack is detected, an employee usually has no method to alert other employees that an attack is occurring. This means that even if an attack is compromised, it can continue with minimal changes. Essentially, a compromise may only improve an attack by allowing the attackers to learn what does not work. Employees should have some way to rapidly alert a computer security official that they might have been the target of an information-security-related attack.
The information security staff should then evaluate the attack, alert the entire organization that an attack may have occurred, and warn it of the potential for other types of attacks. Obviously, employees should be encouraged to report attacks that are both technical and nontechnical in nature.

Having the Organization Attack Itself

A company that wants to fully determine its vulnerabilities with regard to social engineering should attack itself just as an outsider would. This is particularly true of large organizations, where identifying the major vulnerabilities is difficult. This is the only method for determining how social engineers might infiltrate an organization, as well as seeing how far attackers might get and the level of damage they can do.

Reverse Social Engineering

Reverse social engineering is a unique form of social engineering. In most social engineering attacks, the attacker goes to the victim to obtain information. In reverse social engineering, however, the victim unwittingly goes to the attacker. This statement may seem ridiculous. Why would anyone go to an attacker and hand him information? The trick is for the attacker to first use a traditional social
engineering attack to make victims believe that the attacker is part of a legitimate organization, such as a support service, that is providing help for the victims. The problem is that the victims do not know that the person they call for assistance is an attacker instead of the person he claims to be. Because of the nature of reverse attacks, the hacker can receive much more information in these cases than he would from normal social engineering attacks. The attacker has immediate legitimacy because the victim is going to the attacker. This differs from a traditional social engineering attack, where the most difficult aspect for an attacker is attaining legitimacy in the victim's eyes. Obviously, the rewards of reverse social engineering can be great. Fortunately for potential victims, reverse attacks are much more difficult to complete successfully.

How Reverse Social Engineering Is Accomplished

In an example of reverse social engineering, the attacker physically intrudes into the targeted organization and posts signs stating whom to contact for technical support. The sign carries the attacker's telephone number. In some cases, the attacker replaces a valid technical support telephone number with his own. Frequently, users do not know whom to contact if there is a computer problem, and they welcome any offer of assistance. Obviously, these attacks require the victim to need technical support in order for the attacker to be contacted. Attackers can use a variety of methods to create this need.

Creating a False Need for Technical Support

To increase the likelihood of being contacted by their victims, attackers occasionally create the need for assistance through sabotage. By deleting a critical file or resetting system parameters during a physical intrusion, attackers create an immediate need for their services. Proper placement of the offers for help provides welcome relief for people who are panicking because they believe their system is destroyed.
When such physical intrusions are not possible, an attacker might mail offers of technical support to the targeted organization. The book Secrets of a Super Hacker describes an incident in which an attacker went through the garbage of a foreign embassy and found packaging for a modem. The attacker mailed the embassy a letter and a disk. The letter stated that there was a problem with one of the embassy's modem files and that the enclosed disk contained a file that would fix the problem. The letter provided a telephone number offering technical support that, of course, was actually the attacker's number. Naturally, the file on the disk sabotaged the computer system. Inevitably, embassy personnel called the attacker, and the attacker had the embassy staff manipulate their system in a way that permitted a future attack. Although this attack required an extreme amount of luck and planning, the rewards for the attacker were large.

Attackers also use electronic versions of reverse social engineering attacks. Internet search tools allow potential attackers to search USENET newsgroups for people who have mailing addresses from a specific organization. The newsgroups also indicate the interests of the people posting the messages. After gathering the names of employees and their interests, an attacker could mail the victims information about interesting Web sites or programs. If the victims obtain the advertised programs, which contain harmful software, the attack is successful. Again, the victim is going to the attacker or using the attacker's sabotaged tools, rather than the attacker going to the victim. This sort of reverse social engineering can work well for attackers with poor interpersonal skills, because there is no direct contact with the potential victims.
Preventing Reverse Social Engineering

The factors that enable reverse social engineering to take place are very similar to those of social engineering. Basically, poor awareness and poor operational procedures cause individuals to respond incorrectly to compromising situations. As with social engineering, simple countermeasures such as the following can prevent the most sophisticated reverse attacks:

Identifying direct computer support analysts. If users know whom to go to for technical support, they are not likely to respond to anonymous letters or postings. Users would also probably alert their support analysts if there were an unusual occurrence. A diligent analyst could then alert the rest of the organization of a possible attack. As part of this vigilance, computer support analysts should use due diligence when software updates are obtained.

Preventing employees from retrieving programs from electronic forums. Many organizations have policies that prohibit the use of outside disks in organizational computer systems. These policies are important, but they must be updated to account for worldwide telecommunication systems, such as the Internet. People retrieve information from all over the world. Software inevitably gets retrieved as well. A company's policy should call for a ban on any utilities that do not come from the computer services organization.

Other prevention mechanisms. This section identifies only two mechanisms to prevent reverse social engineering attacks. That actually is all that a company should need. Reverse social engineering requires that the victim perceive that the attacker is providing a critical service. If potential victims already have experts to consult, then they will not be vulnerable to false offers of help.

Conclusion

Although common sense would seem to be the best prevention for social engineering attacks, common sense is not the same for all computer users within an organization.
Social engineering exploits operational security weaknesses that are often overlooked by information-security experts when plans and procedures are being written. These weaknesses have led to serious compromises of major computer systems that could not have been prevented through any technical protection. Security personnel must consider the limited common knowledge of the company's employees when they are developing plans and procedures. These plans and procedures are ineffective if no one is aware of them, and are useless if they do not address a coordinated attack on the system, which social engineering can present. Social engineering allows a person who is weak in computer skills to access information that people think only a superhacker could obtain. Many more people are social engineers than superhackers, and the financial rewards or other desired results that social engineers are after can be just as great. Unfortunately, few people are addressing this area, which is just as significant as any technical attack.

Author Biographies

Ira S. Winkler, CISSP, Chief Internet Security Strategist, National Computer Security Association, is one of the world's leading authorities on incident response and industrial espionage. His book, Corporate Espionage, discusses similar subjects.