Social Engineering “at its finest”?

January 23, 2008

I posted a couple of days ago about how very few in information security know what really good social engineering looks like. Leave it to the inimitable Mr. Schneier to help me make the point with this post that he ends with:

Social engineering at its finest.

Okay, so let me get this straight. A guy in the right uniform walks into the bank and says: “I’m here for the regular guy.”

This takes skill?

To me, this is very much the equivalent of saying that website defacements of IIS in 2001 using RFP’s MSADC script was “hacking at its finest”. Seriously, just because the guy got a uniform and a badge doesn’t make him anything more than a script kiddie in the realm of pulling off the attack.

This is the kind of attack that Mitnick talks about all the time when he says that social engineering usually doesn’t take much more than the guts to ask for what you want.

Let’s consider a better example of what really skilled social engineers look like: this story where two guys robbed a store by talking to the clerk. If you read the article, you’ll get a pretty good idea of what the attackers did. It’s the ultimate example of a “compliance set” (or “yes set” for those hypnotists out there), and it required some knowledge of the target’s adherence to his culture and the cultural cues that would set the appropriate context for the exploitation.

Really, I want to say that I expected better of Bruce, but that wouldn’t be fair. As I said before, our community as a whole has yet to take notice of what really good social engineering is.

In my writing and this blog (which I’ve promised Hoff and Martin that I’ll continue), I’ll probably be talking about this a lot as I do more writing on the book and in other venues.


The problem with awareness…

January 22, 2008

Andy blogged this morning about social engineering and trust. While I loved the post, and I think he made some good points about social engineering, something that he said struck me while reading:

The important thing is that we make our users aware of social engineering threats and at the very least teach them to not just blindly give out information. If they are unsure then they need to refer the person to management. Teach them to stop and think before acting.

This is an incredibly normal line of thinking, and it is the traditional way of dealing with social engineering. The main issue with it is two-fold: first, even a halfway-prepared social engineer will have built a strong enough frame to satisfy most of the simple checks that a normal user is going to apply.

But the bigger issue is that, when we talk about things like “not blindly giving out information”, what we’re really saying is that we need to teach our users not to trust each other.

The problem with this is simple: an agile, responsive and successful business is built on a lack of boundaries and a healthy set of organizational trust. The kind of mistrust that most infosec people would engender intentionally in their users would cause significant inefficiencies within most organizations.

So, if we’re not teaching our users to not blindly give out information, or to verify everything, what do I think we should be teaching them?

Instinct. Most who are in infosec have developed an instinct for when things “don’t smell right”. When an email just seems a little bit “phishy” (pun intended).

I believe that can be taught (well, indoctrinated) into our users, with about the same effort as it takes to teach them not to trust each other.


Advanced Social Engineering

January 18, 2008

I was at lunch when a fascinating discussion broke out on Twitter between Alex Hutton (aka @alexhutton) and Jennifer Leggio (aka @mediaphyter) (the brains and driving force behind this year’s blogger meetup at RSA and, I’ve learned, quite an intelligent security mind… but she really does need a blog) about “Advanced Social Engineering”. The important part of the conversation for the purposes of this blog:

mediaphyter: “Advanced social engineering” — I am starting to think we use that term way too loosely.

mmurray @mediaphyter Most have no idea what advanced social engineering looks like. They can’t yet fathom…

alexhutton @mmurray: Most parents know *exactly* what advanced social engineering looks like – they just don’t think adults do it too

Alex went on to say that “advanced social engineering” is what kids do with “Lying, Manipulation, False Pretenses, illicit access or gaining of privileges”.

Here’s where I disagree. You see, kids don’t have to do anything particularly advanced as social engineers because they’re trading on relationships. While the parent might FEEL as though they’re being socially engineered, they’re not… the fact that they’re feeling it suggests to me that it’s not advanced at all.

Using an analogy to hacking: if you notice that you’re being attacked, the attacker isn’t particularly sophisticated.

This is what I meant when I said that most people don’t know what it is… a truly advanced exploit of a human will leave the attacker richer because of the information/access gained, and the target without any knowledge or awareness of it happening.

The best example of this: This Derren Brown video.

I suppose that this is as good a time as any to announce that I’m writing a book on this subject… on truly advanced human exploitation. Not the typical “pretend to be the help desk guy” stuff, but how to really use language, awareness and context to manipulate a situation and get in and out completely undetected.

That’s what real “advanced social engineering” looks like. And I stand by my original assertion: very few know what it really looks like yet.
