Text of Harl's Talk at Access All Areas III
What is Social Engineering ?
Basically, social engineering is the art and science of getting people to comply to your wishes. It is not a way of mind control, it will not allow you to get people to perform tasks wildly outside of their normal behaviour and it is far from foolproof.
It also involves far more than simply quick thinking and a variety of amusing accents. Social engineering can involve a lot of 'groundwork', information gathering and idle chit chat before an attempt at gaining information is ever made. Like hacking, most of the work is in the preparation, rather than the attempt itself.
You may think this talk may seem to be a weak excuse to demonstrate how these techniques can be used for hacking. OK, fair enough. However, the only way to defend against this sort of security attack is to know what methods may be used. With this knowledge it is possible to pick-up on these techniques being used against either you or your company and prevent security breaches before anyone gets near your data. A CERT style security alert with few details is pointless in this case. It would simply boil down to "Some people may try to get access to your system by pretending some things are true. Don't let them." As usual, no help what-so-ever.
So What ?
Social engineering concentrates on the weakest link of the computer security chain. It is often said that the only secure computer is an unplugged one. The fact that you could persuade someone to plug it in and switch it on means that even powered down computers are vulnerable.
Also, the human part of the a security set-up is the most essential. There is not a computer system on earth that doesn't rely on humans. This means that this security weakness is universal, independent of platform, software, network or age of equipment.
Anyone with access to any part of the system, physically or electronically is a potential security risk. Any information that can be gained may be used for social engineering further information. This means even people not considered as part of a security policy can be used to cause a security breach.
A big problem ?
Security professionals are constantly being told that security through obscurity is very weak security. In the case of social engineering it is no security at all. It is impossible to obscure the fact that humans use the system or that they can influence it, because as I stated before, there isn't a computer system on earth that does not have humans as a part of it.
Almost every human being has the tools to attempt a social engineering 'attack', the only difference is the amount of skill used when making use of these tools.
Attempting to steer an individual towards completing your task can use several methods. The first and most obvious is simply a direct request, where an individual is asked to complete your task directly. Although least likely to succeed, this is the easiest method and the most straightforward. The individual knows exactly what you want them to do.
The second is by creating a contrived situation which the individual is simply a part of. With more factors than just your request to consider the individual concerned is far more likely to be persuaded, because you can create reasons for compliance other than simply personal ones. This involves far more work for the person making the attempt at persuasion, and almost certainly involves gaining extensive knowledge of the 'target'. This does not mean that situations do not have to be based in fact. The less untruths the better.
One of the essential tools used for social engineering is a good memory for gathered facts. This is something that hackers and sysadmins tend to excel in, especially when it comes to facts relating to their field. To illustrate this I am going to perform a small demonstration....
[Demonstration here. This basically showed that with social pressure an individual will conform to a group decision, even if it is obviously the wrong choice.]
Even in cases where a person is sure they are right it is possible to cause them to act in a different manner. If I had simply asked the last person on their own what the middle word was they would have given me the correct answer and no matter how much I tried to persuade them they probably wouldn't have changed their mind.
However, this group setting was a vastly different situation. This situation had what psychologists called 'demand characteristics', that is this situation had strong social constraints on how the participants should act. Not wishing to offend the other people, not wanting to look dozy in front of a large audience and not undermining the views of the other well respected participants all lead to a decision to 'go with the flow'. Using situations with these characteristics is an effective way of guiding people's behaviour.
However, most social engineering is conducted by lone individuals and so the social pressure and other influencing factors have to be constructed by creating a believable situation which the target feels emmersed in.
If the situation, real or imaginary has certain characteristics then the target individual is more likely to comply with your requests. These characteristics include:
On a personal level there are methods that are used to make a person more likely to co-operate with you. The aim of personal persuasion is not to force people to complete your tasks, but enhance their voluntary compliance with your request.
There is a subtle difference. Basically, the target is simply being guided down the intended path. The target believes that they have control of the situation, and that they are exercising their power to help you out.
The fact that the benefits that the person will gain from helping you out have been invented is irrelevant. They target believes they are making a reasoned decision to exchange these benefits for a small loss of their time and energy.
There are several factors, which if present will increase the chances of a target co-operating with a social engineer.
The less conflict with the target the better. Co-operation will be more readily gained when the softly-softly approach is used. Pulling rank (or invented rank), annoyance or orders rarely work for effective coercion.
The 'foot in the door' factor is where the focus of a persuasion attempt already knows a you or has had experience of dealing with you. This is a particularly effective and was known by con men as the 'confidence trick'. Psychological research showed that people are more likely to comply with a large request if they have had previously complied to a far smaller one. If this 'foot in the door' includes a positive history of co-operation, where things have gone well in the past, then the chances of co-operation are greatly increased.
The more sensory information a target can gain from a social engineer the better. This is especially true of sight and sound, you are more likely to be believed if the target can see and hear you than if they can just hear your voice over the fone. Unsurprisingly ASCII text communications are do not lend themselves to persuasion. It is very easy to refuse someone via a IRC style chat.
However, success does depend a lot on how involved a person is in the request you are making. We can say system administrators, computer security officers, technicians and people who rely on the system for essential work tools or communication are highly involved in most social engineering attacks by hackers.
Highly involved people are persuaded better by strong arguments. In fact the more strong arguments you give them the better. Suprisingly its not the same for weak arguments. Someone highly involved in the attempt at persuasion is less likely to be persuaded if you give them weak arguments. When someone is likely to be directly affected by a social engineering attempt, weak arguments tend to generate counter arguments in the targets head. So for highly involved people, the rule is more strong arguments, less weak arguments.
People are classed as low involvement if they have very little interest in what you are asking them to do. Relevant examples might be security guards, cleaners, or receptionists at a computer system site. Because low involvement people are not likely to be directly affected by a request, they tend not to bother analysing the pros and cons of persuasive banter. Instead it is common for a decision to agree with your request or not to be made based on other information. Such information could be the sheer number of reasons the social engineer gives, the apparent urgency of the request or the status of the person trying to do the persuading. The rule of thumb here is simply the more arguments or reasons the better. Basically, people who aren't involved in what a social engineer is trying to achieve will be more persuaded by the number of arguments or requests rather than how relevant they are.
One important point to note is that less competent people are more likely to follow more competent models. In the case of computer systems this is likely to be low involvement people. The moral of these points is, don’t try and social engineer the sysadmin, unless of course the sysadmin is less competent than you are, which as we all know is very unlikely.
Securing against human attacks
With all this information how would someone go about making their computer system more secure ? A good first step would be to make computer security part of everyone's job whether they use computer or not. This will not only boost their self perceived status with no extra cost to you but will make staff more vigilant. If you make someone involved in keeping your computer system secure they are more likely to pay closer attention to unauthorised individuals trying to gain access to a system.
However, the best defence against this, as with most things, is education. Explaining to employees the importance of computer security and that there are people who are prepared to try and manipulate them to gain access is an effective and wise first step. Simply forewarning people of possible attacks is often enough to make them alert enough to spot them. Remember, to give both sides of the story when educating people about computer security. This isn't just my personal bias. When individuals know both sides of an argument they are less likely to be disuaded from their chosen position. And if they are involved in computer security, their chosen position is likely to be on the side of securing your data.
There are attributes which people less likely to comply with persuasion tend to have. Less compliant people tend to be pretty bright, highly original, able to cope with stress and reasonably self confident. Stress management and self confidence can be taught or at least enhanced. Self assertion courses are often used for management employees, this training is excellent in reducing the chances of an individual being socially engineered, as well as having many other employment benefits.
What this comes down to is making people aware and involved in your security policy. This takes little effort and gives great rewards in terms of the amount of risk reduction.
Contrary to popular belief, it is often easier to hack people than sendmail. But it takes far less effort to have employees who can prevent and detect attempts at social engineering than it is to secure any unix system.
Sysadmins, don't let the human link in your security chain let your hard work go to waste. And hackers, don't let sysadmins get away with weak links, when it is their chains that are holding your data.
(c) Harl 1997. All rights reserved.