Read The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers Online

Authors: Kevin D. Mitnick,William L. Simon


Example: When Whurley entered the Eye in the Sky room, he was dressed like an executive, he spoke with a commanding authority, and he gave what the men in the room took to be an order to action. He had successfully donned the trappings of a casino manager or executive.

In virtually every social engineering attack, the attacker uses trappings of role so the target will infer other characteristics of the role and act accordingly. The role may be as an IT technician, a customer, a new hire, or any of many others that would ordinarily encourage compliance with a request. Common trappings include mentioning the name of the target's boss or other employees, or using company or industry terminology or jargon. For in-person attacks, the attacker's choice of clothing, jewelry (a company pin, an athlete's wristwatch, an expensive pen, a school ring), or grooming (for example, hairstyle) are also trappings that can suggest believability in the role that the attacker is claiming. The power of this method grows from the fact that once we accept someone (as an executive, a customer, a fellow employee), we make inferences attributing other characteristics (an executive is wealthy and powerful, a software developer is technically savvy but may be socially awkward, a fellow employee is trustworthy).

How much information is needed before people start making these inferences? Not much.

Credibility

Establishing credibility is step one in most social engineering attacks, a cornerstone for everything that is to follow.

Example: Whurley suggested to Richard, a senior IT person, that the two of them have lunch together, realizing that his being seen with Richard would immediately establish his credibility with any employee who noticed them together.

Dr. Sagarin identified three methods used in The Art of Deception that social engineers rely on to build credibility. In one method, the attacker says something that would seem to be arguing against his or her self-interest, as found in Chapter 8 of The Art of Deception in the story "One Simple Call," when the attacker tells his victim, "Now, go ahead and type your password but don't tell me what it is. You should never tell anybody your password, not even tech support." This sounds like a statement from someone who is trustworthy.

In the second method, the attacker warns the target of an event that (unbeknownst to the target) the attacker causes to occur. For example, in the story "The Network Outage," appearing in Chapter 5 of The Art of Deception, the attacker explains that the network connection might go down. The attacker then does something that makes the victim lose his network connection, giving the attacker credibility in the eyes of the victim.

This prediction tactic is often combined with the third of these methods, in which the attacker further "proves" he or she is credible by helping the victim solve a problem. That's what happened in "The Network Outage," when the attacker first warned that the network might go out, then caused the victim's network connection to fail, as predicted, and subsequently restored the connection and claimed that he had "fixed the problem," leaving his victim both trusting and grateful.

Forcing the Target into a Role (Altercasting)

The social engineer maneuvers his or her target into an alternative role, such as forcing submission by being aggressive.

Example: Whurley, in his conversations with Lenore, put himself into a needy role (just broke up with his girlfriend, just moved to town and needs a job), in order to maneuver her into a helper role.

In its most common form, the social engineer puts his or her target into the role of helper. Once a person has accepted the helper role, he or she will usually find it awkward or difficult to back off from helping.

An astute social engineer will try to gain a sense of a role that the victim would be comfortable in. The social engineer will then manipulate the conversation to maneuver the person into that role -- as Whurley did with both Lenore and Megan when he sensed they would be comfortable as helpers. People are likely to accept roles that are positive and that make them feel good.

Distracting from Systematic Thinking

Social psychologists have determined that human beings process incoming information in one of two modes, which they have labeled the systematic and the heuristic.

Example: When a manager needed to handle a difficult situation with his distraught wife, Whurley took advantage of the man's emotional state and distraction to make a request that landed him an authentic employee's badge.

Dr. Sagarin explains, "When processing systematically, we think carefully and rationally about a request before making a decision. When processing heuristically, on the other hand, we take mental shortcuts in making decisions. For example, we might comply with a request based on who the requestor claims to be, rather than the sensitivity of the information he or she has requested. We try to operate in the systematic mode when the subject matter is important to us. But time pressure, distraction, or strong emotion can switch us to the heuristic mode."

We like to think that we normally operate in a rational, logical mode, making decisions based on the facts. Psychologist Dr. Gregory Neidert has been quoted as saying, "we humans are running our brains at idle about 90 percent to 95 percent of the time."1 Social engineers try to take advantage of this, using a variety of influence methods to force their victims to shift out of the systematic mode -- knowing that people operating in a heuristic mode are much less likely to have access to their psychological defenses; they are less likely to be suspicious, ask questions, or present objections to the attacker.

Social engineers want to approach targets that are in heuristic mode and keep them there. One tactic is to call a target five minutes before the end of the workday, counting on the fact that anxiety about leaving the office on time may lead the target to comply with a request that might otherwise have been challenged.

Momentum of Compliance

Social engineers create a momentum of compliance by making a series of requests, starting with innocuous ones.

Example: Dr. Sagarin cites the story "CreditChex," appearing in Chapter 1 of The Art of Deception, in which the attacker buries the key question, sensitive information about the bank's Merchant ID number, which was used as a password to verify identity over the phone, in the middle of a series of innocuous questions. Since the initial questions appear to be innocuous, this establishes a framework in which the victim is positioned to treat the more sensitive information as also innocuous.

Television writer/producer Richard Levinson made this a tactic of his most famous character, Columbo, played by Peter Falk. Audiences delighted in knowing that just as the detective was walking away, and the suspect was lowering his or her defenses, pleased with themselves at fooling the detective, Columbo would stop to ask one final question, the key question that he had been building up to all along. Social engineers frequently make use of this "one-more-thing" tactic.

The Desire to Help

Psychologists have identified many benefits people receive when they help others. Helping can make us feel empowered. It can get us out of a bad mood. It can make us feel good about ourselves. Social engineers find many ways of taking advantage of our inclination to be helpful.

Example: When Whurley showed up at the employees' entrance of the casino, the guard believed his story about taking a "honey" to lunch, loaned him money for the date, gave him advice about how to handle a woman, and didn't become insistent when Whurley walked away without ever having shown an employee's ID badge.

Dr. Sagarin comments, "Because social engineers often target people who don't know the value of the information they are giving away, the help may be seen as carrying little cost to the helper. (How much work is it to do a quick database query for the poor slob on the other end of the telephone?)"

Attribution

Attribution refers to the way people explain their own behavior and that of others. A goal of the social engineer is to have the target attribute certain characteristics to him or her, such as expertise, trustworthiness, credibility, or likability.

Example: Dr. Sagarin cites the story, "The Promotion Seeker," appearing in Chapter 10 of The Art of Deception. The attacker hangs around for a while before requesting access to a conference room, allaying suspicion because people assume an intruder wouldn't dare spend time unnecessarily in a place where he or she might be caught.

A social engineer might walk up to a lobby receptionist, put a $5 bill down on the counter, and say something like, "I found this on the floor. Did anyone say they lost some money?" The receptionist would attribute to the social engineer the qualities of honesty and trustworthiness.

If we see a man hold a door open for an elderly lady, we think he's being polite; if the woman is young and attractive, we likely attribute a quite different motive.

Liking

Social engineers frequently take advantage of the fact that all of us are more likely to say "yes" to requests from people we like.

Example: Whurley was able to get useful information from Lenore, the girl he met at the fitness center, in part by using "cold reading" to gauge her reactions and continually tailor his remarks to things she would respond to. This led her to feel that they shared similar tastes and interests ("Me, too!"). Her sense of liking him made her more open to sharing the information he wanted to get from her.

People like those who are like us, such as having similar career interests, educational background, and personal hobbies. The social engineer will frequently research his target's background and equip himself to feign an interest in things the target cares about -- sailing or tennis, antique airplanes, collecting old guns, or whatever. Social engineers can also increase liking through the use of compliments and flattery, and physically attractive social engineers can capitalize on their attractiveness to increase liking.

Another tactic is the use of name-dropping of people that the target knows and likes. In this, the attacker is trying to be seen as part of the "in group" within the organization. Hackers also use flattery or compliments to stroke the ego of the victim, or target people within the organization who have recently been rewarded for some accomplishment. Ego stroking may nudge the unsuspecting victim into the role of a helper.

Fear

A social engineer will sometimes make his or her target believe that some terrible thing is about to happen, but that the impending disaster can be averted if the target does as the attacker suggests. In this way, the attacker uses fear as a weapon.

Example: In the story, "The Emergency Patch," appearing in Chapter 12 of The Art of Deception, the social engineer scares his victim with the threat that the victim will lose valuable data unless the victim agrees to have an emergency "patch" installed on the company's database server. The fear makes the victim vulnerable to the social engineer's "solution."

Status-based attacks frequently rely on fear. A social engineer masquerading as a company executive may target a secretary or junior staffer with an "urgent" demand, and with the implication that the underling will get into trouble, or might even get fired, for not complying.

Reactance

Psychological reactance is the negative reaction we experience when we perceive that our choices or freedoms are being taken away. When in the throes of reactance, we lose our sense of perspective as our desire for the thing we have lost eclipses all else.

Example: Two stories in The Art of Deception illustrate the power of reactance -- one based on threats concerning the loss of access to information, the other on the loss of access to computing resources.

In a typical attack based on reactance, the attacker tells his target that access to computer files won't be available for a time, and names a time period that would be completely unacceptable. "You're not going to be able to access your files for the next two weeks, but we'll do everything possible to make sure it won't be any longer than that." When the victim becomes emotional, the attacker offers to help restore the files quicker; all that's needed is the target's username and password. The target, relieved at a way to avoid the threatened loss, will usually comply gladly.

The other side of the coin involves using the scarcity principle to coerce the target into pursuing a promised gain. In one version, victims are drawn to a Web site where their sign-on information or their credit card information can be stolen. How would you react to an email that promised a brand-new Apple iPod for $200 to the first 1,000 visitors to a particular Web site? Would you go to the site and register to buy one? And when you register with your email address and choose a password, will you choose the same password that you use elsewhere?

COUNTERMEASURES

Mitigating social engineering attacks requires a series of coordinated efforts, including the following:

- Developing clear, concise security protocols that are enforced consistently throughout the organization
- Developing security awareness training
- Developing simple rules defining what information is sensitive
- Developing a simple rule that says that whenever a requestor is asking for a restricted action (that is, an action that involves interaction with computer-related equipment where the consequences are not known), the requestor's identity must be verified according to company policy
- Developing a data classification policy
- Training employees on ways to resist social engineering attacks
- Testing your employees' susceptibility to social engineering attacks by conducting a security assessment

The most important aspect of the program calls for establishing appropriate security protocols and then motivating employees to adhere to the protocols. The next section outlines some basic points to consider when designing programs and training to counter the social engineering threat.
