Social Engineering

Manipulating people to make them do what one wants them to do.

SocialEngineering is often the basis for some very fine hacks, where access is gained, not by attacking the computer directly, but by tricking people to provide access.

SocialEngineering is, for example, wearing a home-made badge, and behaving self-confidently and self-importantly to enter a restricted area.

This is nicely lampooned in MoronsFromOuterSpace, where the impostor's reflexive attempt to cover up the name on his stolen uniform is taken and repeated throughout the secret complex as a macho salute

---

Phishing in cyberspace is like "fishing"

The two words are pronounced the same. Phishing is spelt Pfishing at times. End objective is identity theft achieved through deception. Possibly involve intermediate steps of installing spyware by unsuspecting users who actioned on a seemingly legitimate hyperlink.

Early attempts (and successes) at phishing were achieved through email spoofing.

Internationalized Domain Name exposure in Gecko (e.g. MozillaFirefox) Engines in browsers

• malformed URL harder to spot due to character sets that are visually similar. See
  • http://it.asia1.com.sg/newsdaily/news003_20050214.html ( BrokenLink )
• also a different link to this in WebApplicationSecurity, section on browsers

Pharming is the result of evolution of Phishing Term coined by "MX Logic". DNS poisoning or domain hijacks are main approaches of this new technique. See http://www.theregister.co.uk/2005/01/31/pharming/

Countermeasure resources

• "Internet Storm Centre" "6 simple steps to beat phishing" at
  • http://isc.sans.org/presentations/phishthat.pdf
• "CERT tips " at
  • http://www.us-cert.gov/cas/tips/ST04-014.html
• another FAQ on countermeasures at
  • http://www.uni.edu/its/us/faqs/phishing.htm ( BrokenLink )
• "Anti phishing working group" site at
  • http://www.antiphishing.org/

See InternetSecurityForMicrosoftUsers for an Phishing example (late 2004) involving MS Media Player, and checkup on current WirelessSecurity risks and countermeasures.

---

Technology to detect spoofed Web sites. Is it any good?

Speculation exist that InternetExplorer v7 for WindowsXpSP2 will have this technology. See

• http://www.eweek.com/article2/0,1759,1766250,00.asp

---

Some years ago, while working for an employer who no longer exists, I had an opportunity to experiment with SocialEngineering.

For some reason, my employer thought that what we were doing was so-very-special that merely seeing our workplace would allow a competitor to go out, rewrite what we were doing, and trounce us in the marketplace. The irony of this is that we were the ones copying the look-and-feel of a competitor's product. Among the measures to protect our secret was a receptionist who had to greet everyone as they came through the door.

Even more than most security policies, this was schizophrenic and ineffective.

One day I asked a friend to come visit me at work. Knowing about the gate-keeper receptionist, he asked "Just announce myself to the receptionist?" I decided to have some fun: "No, just do this... Go through the door, walking like you about to be late to an important meeting. Do not slow down. Turn right, go through the door into the hall and through the door on the other side of the hall. Go 5 feet, turn left, go 20 feet, and my desk is right there. Above all, act like you have every right in the world to be there."

Sure enough, he arrived at my desk having been challenged neither by the receptionist, nor by the office manager who he passed in the hallway. He just looked like he belonged there.

---

I used to do this from time to time when I was a student. I could get to the front of the stage at concerts or skip many queues, just by announcing "Engineer Coming Through" in an "I've got a job to do" voice. Unlike just pushing past, or even asking politely, it didn't seem as if anyone was upset by this practice. Most people seemed happy that whatever I was doing was more important. --FrankCarver

This is also known as the ItsOkImWithTheBand manuever' -- PeteHardie

Other larger examples in clude (at least by my definition of the term) things like heavily taxing alcohol and tobacco to influence a society to consume less of them. -- LukeGorrie

Or, of course, the WarOnDrugs?

Which gives us a nice example of the LawOfUnintendedConsequences

---

If you ever want to read some incredible examples of SocialEngineering, read Uncommon Therapy: The Psychiatric Techniques of Milton H. Erickson, MD.

ISBN 0393310310

Milton felt it was more important to get people healthy than it was to get their consent to everything in the theraputic process. He used to do things like 'arrange' to have people in the waiting room of his office, pretending to be patients, so that he could force some interactions to occur.. and generally intervene in patient's lives. Interesting read.

---

KevinMitnick has written a book on SocialEngineering: "The Art of Deception: Controlling the Human Element of Security" ISBN 0471237124

The book provides many examples where SocialEngineering is the safest and most effective way of getting secrets from people and organizations.

---

Also worth reading:

Fay Faron: Rip-Off. A writer's guide to crimes of deception. ISBN 0898798272

Although targeted at writers of fiction, it is primarily a comprehensive catalog of techniques making people hand over their money to you without asking a question.

---

See also SwarmTechnology

---

CategorySecurity