Security Basics mailing list archives

Re: Social Engineering


From: Leif Ericksen <leife () dls net>
Date: Tue, 03 Jan 2006 16:35:32 -0600

Social Engineering relies on one key element.  That is the HUMAN
Element.  Now, you can have programs that could listen to the voice and
do a pattern match; however, until it is FLAWLESS and cannot be fooled
in any way, shape or form (tape recording, digital recording, GOOD voice
training), it is not preventable via a computer program.  For instance,
just today I was on a voice IVR twice and COUGHED; one time the system
assumed that I said HELP, on the other call it assumed something else
and transferred me to a different location.

The Human element is almost *always* going to be the weakest link in any
security plan.  Another way to understand Social Engineering is to
understand the concept of COLD leading (a majority of telephone psychics
use this to get you to give up the information).
<diverge>
Taking the Psychic example:
Ps: "So what do you want to know about today?"
Cli: "Well, I am currently single and I have been seeing this person; I
want to know if (did you give the name?) is the person for me."
Ps: (going by tonal quality) "Humm. OH, I see something coming to mind,
there is some (response based on tone)..."
Cli: (might start saying something giving the lead in several different
directions)
</diverge>

Having not read Kevin's book, I will make no comments on it or ask
questions based on it.  But, I will say with social engineering the
tactics are much like the (false) Psychic that uses cold leading.  You
call a help desk, or a random number in the Company, and start asking
targeted questions because you have some knowledge of the target company.
For instance, all those folks that go away on vacation and have the
auto-responder send information about whom to contact in their absence:
that gives the social engineer a foot in the door (as well as the thief
that wants to rob the person's house) as to whom they are to call or names
to drop as they dial a different number in the company looking for that
one person that is going to give away the proverbial keys to the city.


I hope that makes sense.
In short, no, there are no computer programs that can be used to defeat
social engineers.  There is always the company directory that you
yourself can run your own checks against, but again: "Hi, I am calling for
Rob Smith..."  You look up Smith in the directory and find dozens of them.
Now, is that really Rob, Robert or Bob that the person is listed as?  The
simple answer is as such.
        1) Education of the employees
        2) "Can I get your name and number please? I will contact XYZ for
           you and have them call you back." (Not always desirable)
        3) "I can give you the number of the corporate operator." (Again,
           not always desirable)
        4) Employee education and awareness
        5) If in doubt: "Sorry, I cannot help you, and I do not know what
           direction to point you in." Goodbyes should follow.
        6) Follow points 1, 4, 5.

One time I was feeling good about a random call to my desk, but when I
asked for their number so that I could have somebody call them back they
hung up on me.  They knew enough current and old information, but when
asked for their number they simply hung up.

I hope this helps.

--
Leif Ericksen 
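The directory check and call-back steps above (points 2 and 5) can be scripted so the help desk does not have to guess whether "Rob Smith" is Robert, Bob or Roberta. The following is an added example, not code from the original thread or from any product the thread mentions; the staff directory, the nickname table and the extensions are constructed sample data. The one design rule it enforces is the one in the post: the number the caller gives is logged but never dialed; any call-back goes to the extension in the directory.

```python
from dataclasses import dataclass

# Constructed nickname table (sample data, not exhaustive).
NICKNAMES = {
    "robert": {"rob", "bob", "bobby", "robbie"},
    "william": {"will", "bill", "billy"},
    "elizabeth": {"liz", "beth", "betsy"},
}


@dataclass(frozen=True)
class Employee:
    first: str
    last: str
    dept: str
    extension: str  # internal number from the directory; the only number we call back on


# Constructed sample directory: several Smiths, as in the thread.
DIRECTORY = [
    Employee("Robert", "Smith", "Finance", "4101"),
    Employee("Bob", "Smith", "Facilities", "4102"),
    Employee("Roberta", "Smith", "Legal", "4103"),
    Employee("William", "Smith", "Sales", "4104"),
    Employee("Elizabeth", "Jones", "HR", "4201"),
]


def name_variants(first):
    """Return every spelling a caller might use for a given first name."""
    f = first.strip().lower()
    variants = {f}
    for full, nicks in NICKNAMES.items():
        if f == full or f in nicks:
            variants.add(full)
            variants |= nicks
    return variants


def lookup(claimed_first, claimed_last, directory=DIRECTORY):
    """All directory entries a claimed name could plausibly refer to."""
    wanted = name_variants(claimed_first)
    last = claimed_last.strip().lower()
    return [e for e in directory
            if e.last.lower() == last and e.first.lower() in wanted]


def triage(claimed_first, claimed_last, caller_number, directory=DIRECTORY):
    """Decide how the desk should handle the call.

    Returns (action, callback_extensions, record).  The caller-supplied
    number is kept in the record for the log but is never used for the
    call-back: anyone can hand out any number they like, so verification
    always goes through the directory.
      refuse                 - no such person; decline and end the call (point 5)
      callback_disambiguate  - several candidates; narrow down (department,
                               manager) before any call-back is made
      callback               - one candidate; call back on the listed extension
    """
    candidates = lookup(claimed_first, claimed_last, directory)
    record = {
        "claimed": f"{claimed_first} {claimed_last}",
        "caller_number": caller_number,   # logged only, never dialed
    }
    if not candidates:
        return "refuse", [], record
    if len(candidates) > 1:
        return "callback_disambiguate", [c.extension for c in candidates], record
    return "callback", [candidates[0].extension], record


if __name__ == "__main__":
    for claim in [("Rob", "Smith"), ("Bill", "Smith"), ("Jane", "Smith")]:
        action, exts, rec = triage(*claim, "555-0100")
        print(f"{rec['claimed']:15} -> {action:22} {exts}")
```

Run as-is it prints one line per constructed claim: "Rob Smith" is ambiguous between two directory entries, "Bill Smith" resolves to the single William Smith, and "Jane Smith" is refused. The nickname table is the part a real deployment would have to maintain; with no such table, "Rob" would miss Robert entirely and the desk would refuse a legitimate contact.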

On Fri, 2005-12-30 at 18:06 +0000, coder wrote:
Hello everyone,

I am currently planning on writing a thesis on social engineering. I have
been fascinated with this subject since I watched Hackers 2/Takedown and
read Kevin Mitnick's book.

Now, before I fully take on this idea, what products currently exist to
minimize/prevent social engineering? If anyone saw Hackers 2/Takedown,
Tsutomu Shimomura used a program that could tell him if the person on the
phone actually exists in a company; does this sort of software exist?

Sorry, if this is in the wrong mailing list, but I didn't see a "Social
Engineering" mail list ;)

Thanks

~Davie Elliott



---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business Continuity Planning, 
Computer Emergency Response Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfocus
----------------------------------------------------------------------------

-- 
Leif Ericksen <leife () dls net>

