AB In Social Engineering? We Should All Get One
Kevin Mitnick once said in his book, The Art of Deception: Controlling the Human Element of Security:
When trusted employees are deceived, influenced, or manipulated into revealing sensitive information, or performing actions that create a security hole for the attacker to slip through, no technology in the world can protect a business.
The power of deception is evident. Just take a look around: the 'Italian job' attack hits 10,000 sites, 70 months in jail for a convicted AOL phisher, an image attack on MySpace boosts phishing exposure, cell phone text scams, e-mail scams, online game scams. All of these are forms of deception. Why do they make the headlines so often? Because so many people have fallen victim to them. Add human nature to the mix and you can see how effective deception is.
The Human Factor is Security’s Weakest Link
The book puts it bluntly: in the end, social engineering attacks succeed when people are stupid or, more commonly, simply ignorant of good security practices.
In his early years, Kevin found a way to ride for free throughout the greater L.A. area because he had spotted a flaw in the bus company's transfer system. Through a carefully crafted question, he soon found himself issuing his own transfers. The trash bins at the bus terminals were always filled with partly used books of transfers that drivers tossed away at the end of their shifts; he simply picked them up. None of this would have been possible had the bus company disposed of its trash properly.
In an age when the World Wide Web is almost a second home, do you know where to dump your trash? When you access your e-mail, your MySpace account, or your online bank account, are you sure you are logging into the correct site? Do you log out and exit your Web browser when the session is over? These are practices we take for granted because we feel so used to the site: as long as it looks the same, we go ahead and type in our login credentials. Likewise, we feel secure with an expensive security suite installed on our systems, yet we fail to recognize the importance of keeping it updated. On the Web, leaving trash lying around is perilous. There are many who lurk, waiting for whatever piece of information they can dig into.
Learn It, Then Fight It
In the book, Kevin Mitnick defined social engineering as:
You might say that there are two specialties within the job classification of con artist. Somebody who swindles and cheats people out of their money belongs to one sub-specialty, the grifter. Somebody who uses deception, influence, and persuasion against businesses, usually targeting their information, belongs to the other sub-specialty, the social engineer.
Social engineering isn't rocket science; it's an art. Wikipedia defines it as a collection of techniques used to manipulate people into performing actions or divulging confidential information. Practicing it takes charm and persuasion; defending against it takes common sense and extra caution. It is self-paced and, just like the Web, it is dynamic: new methods emerge over time, so staying up to date is an advantage.
Once you've learned how social engineering works, you'll become more aware of your surroundings. More importantly, you'll know where to put your trash. Only then will you be able to fight it.
You can begin by reading Kevin Mitnick's books, The Art of Deception: Controlling the Human Element of Security and The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders & Deceivers. There are resources on the Web as well:
- Social engineering (security) from Wikipedia
- Social Engineering Fundamentals from SecurityFocus
If social engineering were a degree, all of us should get one. Fewer people would fall victim to attacks that could otherwise be prevented with common sense and extra caution.

June 22nd, 2007 at 2:58
Nicely written. Definitely an eye-opener for most. Great job!
June 22nd, 2007 at 3:12
Thanks Brown Baron! I appreciate you reading my article and checking out my blog.
July 14th, 2007 at 10:00
Kevin Rose on Wireless Hacking and Social Engineering…
A video from the first episode of thebroken demonstrating wardriving (or wireless hacking) and social engineering. Kevin Rose demonstrated how to use social engineering to get Free Pizza 4 Life. Fast forward to 2007. Methodologies have evolved and smar…
November 13th, 2007 at 23:40
How to buy a rifle?