Tuesday, November 9, 2010

Social Engineering

There are all sorts of engineering disciplines in the world, ranging from computer engineering to software engineering, just to name a few. The one that really struck me is Social Engineering. At first I thought it was something to do with arrrrrrrrrrrr..........well, can't really tell! It was coined by hacker-turned-consultant Kevin Mitnick.

Social Engineering involves manipulating people into giving up confidential information, without necessarily resorting to technical attacks such as hacking and cracking. I describe the act as swift. All social engineering techniques are based on specific attributes of human decision-making known as cognitive biases. The biases are often called "bugs in human hardware". These bugs are exploited to build attack techniques. Some of the attack techniques used in social engineering are:

  • Phishing 
  • Pretexting
  • Quid pro quo
  • Diversion theft

Pretexting is the act of creating and using an invented scenario (the pretext) to engage a targeted victim in a manner that increases the chance the victim will divulge information or perform actions that would be unlikely in ordinary circumstances. It is more than a simple lie, as it most often involves some prior research or setup and the use of prior information for impersonation, e.g., a date of birth.
This technique can be used to trick a business into disclosing customer information, as well as by private investigators to obtain telephone records, utility records, banking records and other information directly from junior company service representatives. The information can then be used to establish even greater legitimacy under tougher questioning with a manager, e.g., to make account changes, get specific balances, etc. Pretexting has also been observed as a law enforcement technique, under which a law officer may leverage the threat of an alleged infraction to detain a suspect for questioning and conduct a close inspection of a vehicle or premises.
Pretexting can also be used to impersonate co-workers, police, bank, tax authorities, or insurance investigators — or any other individual who could have perceived authority or right-to-know in the mind of the targeted victim. The pretexter must simply prepare answers to questions that might be asked by the victim. In some cases all that is needed is a voice that sounds authoritative, an earnest tone, and an ability to think on one's feet.

Phishing is a technique of fraudulently obtaining private information. Typically, the phisher sends an e-mail that appears to come from a legitimate business — a bank, or credit card company — requesting "verification" of information and warning of some dire consequence if it is not provided. The e-mail usually contains a link to a fraudulent web page that seems legitimate — with company logos and content — and has a form requesting everything from a home address to an ATM card's PIN.
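The three tells described above (a sender posing as a known business, a link whose visible text does not match where it actually goes, and "verify now or else" language) can be checked mechanically on an incoming message. The following Python script is an added example for this post, not code from the original author: it parses a raw e-mail, extracts the links from the HTML body and reports each indicator it finds. The two sample messages and their .test domains are constructed for illustration, and the domain extraction is a deliberately crude last-two-labels heuristic (a real deployment would use the Public Suffix List).

```python
"""Report phishing indicators in a raw e-mail message.

Added illustration for the post; the sample messages below are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Host-like token inside visible link text, e.g. "www.examplebank.test".
HOST_IN_TEXT = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
# "Verify or suffer dire consequences" wording typical of phishing lures.
URGENCY = re.compile(r"\b(verify|verification|suspend\w*|within \d+ hours|confirm your)\b", re.I)


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude eTLD+1: the last two labels (assumption; fine for the sample data)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def phishing_indicators(raw_message):
    """Return a list of human-readable indicators found in one raw message."""
    msg = message_from_string(raw_message)
    display_name, sender = parseaddr(msg.get("From", ""))
    sender_domain = registered_domain(sender.split("@")[-1]) if "@" in sender else ""
    findings = []

    # 1. Display name claims a brand that is not the sender's registered domain.
    if display_name and sender_domain:
        brand = display_name.lower().split()[0]
        if sender_domain.split(".")[0] != brand:
            findings.append(f"display name '{display_name}' vs sender domain {sender_domain}")

    html = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8", "replace")
    extractor = _LinkExtractor()
    extractor.feed(html)

    # 2. Each link: visible text names one host but the href goes to another,
    #    and/or the href leaves the sender's own domain.
    for href, text in extractor.links:
        target_host = urlparse(href).hostname or ""
        target_domain = registered_domain(target_host)
        shown = HOST_IN_TEXT.search(text)
        if shown and registered_domain(shown.group(1)) != target_domain:
            findings.append(f"link text shows {registered_domain(shown.group(1))} but points to {target_domain}")
        if sender_domain and target_domain != sender_domain:
            findings.append(f"link to {target_domain} from sender domain {sender_domain}")

    # 3. Urgency / verification wording in subject and body text.
    text = re.sub(r"<[^>]+>", " ", html) + " " + msg.get("Subject", "")
    words = sorted({w.lower() for w in URGENCY.findall(text)})
    if words:
        findings.append("urgency/verification language: " + ", ".join(words))
    return findings


# Constructed sample messages (not real mail); domains use the reserved .test TLD.
PHISH = """\
From: "Examplebank Security" <alerts@examplebank-verify.test>
To: customer@example.net
Subject: Urgent: verify your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your account will be suspended within 24 hours unless you verify it.</p>
<a href="http://examplebank.verify-login.test/confirm">https://www.examplebank.test/secure</a>
</body></html>
"""

LEGIT = """\
From: "Examplebank" <no-reply@examplebank.test>
To: customer@example.net
Subject: Your monthly statement
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your statement is ready.</p>
<a href="https://www.examplebank.test/statements">View statement</a>
</body></html>
"""

if __name__ == "__main__":
    for label, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(label, phishing_indicators(raw) or ["no indicators"])
```

Run as a script it prints four indicators for the constructed phishing message and none for the legitimate statement notice. None of the three checks is decisive on its own (a newsletter sent through a third-party mailer also links off-domain), which is why the function returns the list rather than a verdict and leaves the scoring threshold to the mail gateway or analyst.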

Diversion theft
Diversion theft, also known as the "Corner Game" or "Round the Corner Game", originated in the East End of London. In summary, diversion theft is a "con" exercised by professional thieves, normally against a transport or courier company. The objective is to persuade the persons responsible for a legitimate delivery that the consignment is requested elsewhere — hence, "round the corner".

Quid pro quo
Quid pro quo means something for something:
  • An attacker calls random numbers at a company claiming to be calling back from technical support. Eventually they will hit someone with a legitimate problem, grateful that someone is calling back to help them. The attacker will "help" solve the problem and in the process have the user type commands that give the attacker access or launch malware.
