The human side of computer security
What are the effects of social engineering on Internet security?
Usually, this column focuses on the technical side of computer security. In fact, people generally seek technical solutions for security problems. This month, Carole considers the human side of the computer security equation. After all -- what's the point of setting up secure firewalls and e-commerce sites if your help desk opens up a hole? (1,500 words)
Why would someone considered by many to be the world's greatest computer hacker resort to social engineering techniques rather than technical skills? Because they work. Technical security vulnerabilities can be patched, but human ones cannot, so the same tricks keep working long after the software holes are closed.
What is social engineering?
Social engineering is the art of manipulating people into actions they would not normally take. Sometimes, this is quite necessary and serves a good purpose. Ambassadors use their knowledge of a particular culture to facilitate good relations. An effective manager learns the personality traits of her group to keep them motivated and productive. Children usually try to manipulate their parents -- and good parents are even better at it. Top salespeople use social engineering skills to discover a client's needs and the best way to present a product to that client. A skilled social engineer can manipulate people without them being aware of the manipulation.
People don't like to be manipulated. Just observe the reactions many people have when approached by a member of a door-to-door religious group or salesperson. Often, people from these groups use such obvious and aggressive techniques that the people they are targeting tune out everything they have to say. It isn't that the message or product is bad. It's just that no one wants to be sold to.
Basic human characteristics
Theologians have attempted to define human characteristics as the Seven Deadly Sins (pride, envy, gluttony, lust, anger, covetousness and sloth) and the Seven Virtues (faith, hope, charity, fortitude, justice, temperance, and prudence). A good understanding of these human characteristics is fundamental to human manipulation.
While stereotyping isn't really fair, it is true that city dwellers are exposed to sales pitches and scams so often that they learn to recognize them. How many of us have given money to someone who approached us on the street with a sob story only to see the same "desperate" person telling a similar story to someone else a couple of months later? Like anything else received in high doses over time, social engineering loses its effect as its targets build up a progressive immunity.
Social engineering and the Internet
Spam is the door-to-door salesman of the Internet. With a rather crude sales pitch, it succeeds mostly in annoying people. However, because of the sheer volume of targets, it's successful enough to be used. I recently got spam with an interesting social engineering approach: according to its pitch, I have a secret admirer who purchased a gift certificate just for me (see "E-gift certificate").
You can always tell when a friend or relative has bought his or her first computer. Suddenly, your mailbox is full of "virus warnings" and chain letters that have gone around the Net a few thousand times. Why do newbies fall for this? Usually, it's because they haven't seen enough of this garbage to develop an immunity to it. I tend to feel obligated to educate the sender and everyone else in the mail header. I find it useful to reply with a standard "rant" (see "Stop the insanity").
I don't know who wrote it, but it's humorous as well as informative. I have another response for chain letters, but it's pretty rude. If profanity doesn't offend you, send me mail, and I'll pass it on.
For some strange reason, it seems that the same people who send out all the faux virus warnings are the most likely to download a real virus. That is no coincidence: a virus spreads only when someone can be talked into opening or running it, so the authors of viruses are social engineers too.
Anyone who plays poker knows that the most important technique in the game is to observe the other players to determine their weaknesses while not betraying your own. On the Internet, information about a person or company can betray potential weaknesses to be exploited. Most security audits caution companies to protect internal network topology. While "security through obscurity" isn't a solution, the best practice is to not release any more information about your company (or yourself) than is necessary.
Unfortunately, the individual doesn't always have a choice. My parents, who live in Florida, found themselves inundated with ads specifically targeting Mercedes owners. Since they did not purchase their car from a dealer, they wondered how these companies discovered that they own a Mercedes. It turns out that the state of Florida was providing registration data to a third party (see http://www.hackernews.com/archive.html?012699.html). As e-commerce grows, privacy protection will become a major issue.
While individuals may demand that their personal information be protected and private, they often voluntarily give the same information away. Just offer something for "free" in return for a survey and see what people will tell you. What's alarming is that children, who are more susceptible to manipulation, may blindly provide personal information to anyone who asks. Not too long ago, I caught my son's friends completing a survey to send to everyone on its header list (see "Re: read and do it").
A master at work...
Kevin Mitnick is certainly not the only person to have used social engineering techniques to get into computer systems, but he is probably the most famous and was apparently very good at it. The following true story was relayed to me by Brian Martin, a security consultant assisting Kevin Mitnick in his defense.
Kevin worked in an office in Denver doing basic computer admin stuff. During his time there he was poking around the Net, but more so he was calling various companies -- testing the limits of what he could do.
One night he left work while it was beginning to snow and had to walk five or so blocks to get home. Using a cellphone, he called a directory-listed 800 number to a large cellular company. By the first block, he had obtained an unlisted 800 number to the engineering department of this company.
Just after the second block he was talking to one of their engineers about source code to a cellphone. By the third block he was giving this engineer the login and password to an account at an ISP near him (in order to FTP files to him).
He passed the fourth block and hung up with the engineer, confident he was receiving proprietary source. When he arrived at home, cold and damp from the light snow, he found the full proprietary source to a cellphone made by one of the largest electronics companies in the world.
Five blocks, a cellphone, and a directory-listed 800 number.
Countering social engineering attacks
Education and policy
Social engineering attacks are very hard to counter. In fact, I've had audit agreements that specifically stated that social engineering attacks weren't to be used. The problem with countering social engineering attacks is that it requires establishing appropriate policies and educating people -- two difficult tasks. Most people learn best from first-hand experience. Once it has been demonstrated that they are susceptible, people tend to be more wary.
It is possible to make people more resistant to social engineering attacks by providing a forum for discussion of other people's experiences. Not every New Yorker has to be mugged to learn to be street smart. Stories about other people's misfortunes are enough to generate wariness. A good way to provide a forum is to establish an internal Web site with safety tips and information. Amusing stories tend to get the point across better and, of course, people love to hear about someone else's misfortune. This forum could also be used to report on virus hoaxes and real viruses. In fact, if you have this forum, you can make a policy statement that information about viruses is only to be distributed through this forum.
There actually are some technical solutions to the social engineering problem. The key is to limit the amount of information that is available -- just as a poker player would. Here are some things you can do to maintain the corporate "poker face":
Disclaimer: The information and software in this article are provided as-is and should be used with caution. Each environment is unique and the reader is cautioned to investigate with his or her company as to the feasibility of using the information and software in the article. No warranties, implied or actual, are granted for any use of the information and software in this article and neither author nor publisher is responsible for any damages, either consequential or incidental, with respect to use of the information and software contained herein.
About the author
Carole Fennelly is a partner in Wizard's Keys Corporation, a company specializing in computer security consulting. She has been a Unix system administrator for more than 15 years on various platforms and has particularly focused on sendmail configurations of late. Carole provides security consultation to several financial institutions in the New York City area.
From firstname.lastname@example.org Fri Jun 18 01:51 EDT 1999
To: email@example.com
Subject: e-gift certificate #212-6587900-8293668
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Length: 2931
Status: RO
X-Status: $$$$
X-UID: 0000000573

It's our pleasure to send you this gift certificate from The Body Temple that can be applied toward the purchase of any item at our online catalogue. This is an automatic e-mail notification to inform you that an e-gift certificate was just purchased for you. The generous person who gave you this gift is listed below. DON'T DELETE THIS MESSAGE! You'll need the claim code below to place your order. Happy shopping! Your friends at The Body Temple.

Amount: $20.00
From: A Secret Admirer
Gift message: I saw this stuff on the news and I thought you'd get a kick out of it. Supposedly, it really works... Can't wait to hear what you think!
Claim code BDJB-DG5M52-4PL4
Order #212-6587900-8293668
Expiration date 15-Jul-99

Using your gift certificate is easy:
1. Visit The Body Temple web site.
2. Select the items you want.
3. When you have selected the items you want, hit the ORDER button. You can redeem your gift certificate by entering its claim code on the order form.

To claim your e-gift certificate, you may visit The Body Temple web site below. For your protection, the site is e-commerce secure and encrypted for ordering online: http://3511663956/scentz/home.html
The fine print: Gift certificates must be redeemed at The Body Temple web site. Gift certificates are not redeemable for cash. Gift certificates and unused portions of gift certificates expire on the date listed on the e-gift certificate or the earliest date permitted under applicable law, whichever occurs later. Any unused balance will be placed in your gift certificate account. If your order exceeds the amount of your gift certificate, you must pay for the balance with a credit card or check on TPS's e-commerce secure web site or by mail with a money order. If your browser is not compatible with The Body Temple web site, you may request a free product brochure by sending a self addressed stamped envelope to: TBT 3905 State St., Suite 7198 Santa Barbara, CA 93105
The legal stuff Funds from unclaimed gift certificates become property of TPS. If you do not wish to receive reminder notifications that a gift certificate in your name is being held in TPS's gift certificate account, you may remove your name from future reminder mailings by entering your name below. Although e-mail requests are updated automatically, CA and WA residents may do this by voicemail at 888-294-0356. Voice mail requests are checked and updated once per month.
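The link in the message above, http://3511663956/scentz/home.html, deserves a second look. The host is not a name but a single 32-bit integer, a spelling that the classic inet_aton() routine accepts and that browsers of the day happily resolved; it hides where the link really goes and defeats a casual glance at the domain. The Python below is an added example, not part of the original column or of the spam, that rewrites such hosts into ordinary dotted-quad form. It goes a little beyond the message: it also handles the hex ("0x...") and octal (leading "0") spellings and the forms with fewer than four components that inet_aton() accepts, none of which this particular spam uses. The function names are my own.

```python
import ipaddress
import re
from urllib.parse import urlsplit, urlunsplit

# One numeric component as classic inet_aton() reads it:
# "0x" prefix = hex, leading "0" = octal, otherwise decimal.
_COMPONENT_RE = re.compile(r"^(0x[0-9a-f]+|0[0-7]*|[1-9][0-9]*)$", re.IGNORECASE)


def _parse_component(text):
    """Return the integer value of one host component, or None if it is
    not a number in decimal, hex (0x..) or octal (0..) form."""
    if not _COMPONENT_RE.match(text):
        return None
    low = text.lower()
    if low.startswith("0x"):
        return int(low[2:], 16)
    if low.startswith("0") and len(low) > 1:   # "0" alone is decimal zero
        return int(low, 8)
    return int(low)


def canonical_ipv4(host):
    """Decode a host written as 1 to 4 numeric components with inet_aton()
    semantics (the last component fills all remaining bytes) and return it
    as a dotted quad.  Returns None for anything that is not purely numeric,
    such as an ordinary DNS name."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = [_parse_component(p) for p in parts]
    if any(v is None for v in values):
        return None
    addr = 0
    for v in values[:-1]:          # leading components are single bytes
        if v > 255:
            return None
        addr = (addr << 8) | v
    tail_bytes = 4 - (len(values) - 1)
    if values[-1] >= 1 << (8 * tail_bytes):
        return None
    addr = (addr << (8 * tail_bytes)) | values[-1]
    return str(ipaddress.IPv4Address(addr))


def reveal_url_host(url):
    """Return (url, disguised): the URL with a disguised numeric host
    rewritten to dotted-quad form, and whether a rewrite happened.
    urlsplit().hostname also drops any "user@" prefix, so a link such as
    http://bank.example@3511663956/ is exposed as well."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    canon = canonical_ipv4(host)
    if canon is None or canon == host:
        return url, False
    netloc = canon if parts.port is None else f"{canon}:{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment)), True


if __name__ == "__main__":
    # The link from the e-gift certificate message, plus constructed
    # variants of the same address in other inet_aton() spellings.
    for link in [
        "http://3511663956/scentz/home.html",
        "http://0xD14FBD54/scentz/home.html",
        "http://0321.0117.0275.0124/scentz/home.html",
        "http://www.example.com/scentz/home.html",
    ]:
        print(reveal_url_host(link))
```

Decoding 3511663956 yields 209.79.189.84. That is plain arithmetic, not a claim about who operated that host in 1999; the point is that a reader cannot tell from the link text whether it leads to the merchant it names, which is exactly what a spammer wants.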
Return to article
Stop the Insanity... My latest rant about the crap I get as e-mail.

1. Big companies don't do business via chain letter. Bill Gates is not giving you $1000, and Disney is not giving you a free vacation. There is no baby food company issuing class-action checks. MTV will not give you backstage passes if you forward something to the most people. You can relax; there is no need to pass it on "just in case it's true." Furthermore, just because someone said in the message, four generations back, that "we checked it out and it's legit", does not actually make it true.

2. There is no kidney theft ring in New Orleans. No one is waking up in a bathtub full of ice, even if a friend of a friend swears it happened to their cousin. If you are hell-bent on believing the kidney-theft ring stories, please see: http://urbanlegends.tqn.com/library/weekly/aa062997.htm. And I quote: "The National Kidney Foundation has repeatedly issued for actual victims of organ thieves to come forward and tell their stories. None have". That's "none" as in "zero". Not even your friend's cousin.

3. Neiman Marcus doesn't have a restaurant, and they don't really sell a $200 cookie recipe either. And even if they do, we all have it. And if you don't, you can get a copy at: http://www.bl.net/forwards/cookie.html

4. We all know all 101 ways to drive your roommates crazy, irritate coworkers, gross out bathroom stall neighbors and creep out people on an elevator. And... we also know exactly how many engineers, college students, Usenet posters and people from each and every world ethnicity it takes to change a light bulb.

5. Even if the latest NASA rocket disaster(s) DID contain plutonium that went to particulate over the eastern seaboard, do you REALLY think this information would reach the public via an AOL chain-letter?

7. If your CC: list is regularly longer than the actual content of your message, you're probably going to burn in Hell, for all of eternity... and you will deserve it.

8. If you're using Outlook, IE, or Netscape to write e-mail, turn off the "HTML encoding." Those of us on Unix shells can't read it, and don't care enough to save the attachment and then view it with a web browser, since you're probably forwarding us a copy of the Neiman Marcus Cookie Recipe anyway.

9. If you still absolutely MUST forward that 10th-generation message from a friend, at least have the decency to trim the eight miles of headers showing everyone else who's received it over the last 6 months. Besides, if it has gone around that many times, we've probably already seen it, and anyway, we're busy making cookies.

10. Craig Shergold (or Sherwood, or Sherman, etc.) in England is not dying of cancer or anything else at this time and would like everyone to stop sending him their business cards. He apparently is also no longer a "6 year old little boy" either.

11. The "Make a Wish" foundation is a real organization doing fine work, but they have had to establish a special toll free hotline in response to the large number of Internet hoaxes using their good name and reputation. It is distracting them from the important work they do.

12. The American Cancer Society TAKES donations, they do not MAKE donations. They do NOT judge your case based on how many cute stories have been e-mailed on your behalf.

14. While we're on it, there is no software that tracks where an e-mail has gone to and how many people saw it.

15. There is no "Good Times" virus. In fact, you should never, ever, ever forward any e-mail containing any virus warning unless you first confirm it at an actual site of an actual company that actually deals with viruses:
http://www.symantec.com/avcenter/hoax.html
http://ciac.llnl.gov/ciac/CIACHoaxes.html
And you cannot get a virus from a flashing Instant Message, you have to download .... ya know, like a FILE!

16. If you are one of those insufferable idiots who forwards anything that promises "something bad will happen if you don't," then something bad will happen to you if I ever meet you in a dark alley.

Bottom Line ... composing E-mail or posting something on the Net is as easy as writing on the walls of a public restroom. Don't automatically believe it unless it's proven false... ASSUME it's false, unless there is proof that it's true. Got it? Good. Now, forward this message to ten friends and you will win the Publishers Clearinghouse sweepstakes.

--Author unknown
Return to article
Subject: Re: read and do it, pleazzzeee =)
Date: Wed, 17 Mar 1999 20:21:06 EST
Mime-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7bit

1st--send this survey to everyone you know to see how well they know you...
2nd--fill this survey out about the person who sent it to you and send it back to them **be honest**

1. Your name:
2. My name:
3. Take a stab at my middle name..:
4. How long have u known me?:
5. How well do u know me?:
6. Do i have any other screen names?:
7. What grade am i in?:
8. When u first saw me what was your impression?
9. My age?
10. Birthday?:
11. Color hair?:
12. Color eyes:
13. Tall / average / short / fat / average / thin?:
14. Do I have any siblings?:
15. Popular?:
16. Whats one of my favorite thing to do?:
17. Do u remember one of the 1st things i said 2 u?:
18. Good person/bad person:
19. What is the best feature about me?:
20. What is the worst feature about me?:
21. Am i shy or outgoing?
22. Would u say i am funny?:
23. Am i a leader or a follower?
24. Any special talents?:
25. Am i your friend?:
26. Would u call me preppy, slutty, homey-like, like one of the rest?
27. Am i conservative or unconservative?:
28. Am i smart?:
29. If there were 1 good nickname for me what would it be?:
30. Can u picture me dancing?:
31. Have u ever seen me cry?:
32. Am I likely to have a good time? Why/why not:
33. When u hear my name what's the first thing u think of?:
34. Do I drink?:
35. Smoke?:
36. Would u say i'm nice or cruel?:
37. Have u ever caught me at an embarrassing moment?:
38. Do u wish we were closer?:
39. Do u wish we weren't as close?:
40. Would u trust me w/ a secret?:
41. Have u ever been really mad at me?
42. Ugly/ok/nice-looking/hot:
43. On a scale from 1-10 where would i stand w/ u?
44. Would u ever go out with me cause u think i look good?
45. Would u ever go out with me cause u think i have a good personality?
46. What's My Favorite Color?