Social engineering resources

   


 

Social networking & social media

Social networks have their uses for security purposes.

Is it feasible to ban social networking in the workplace?

A Facebook compromise that led to someone’s friend being duped out of a thousand Australian dollars might be used to generate yet another awareness case study on this topic - we’re spoilt for choice this month!

As well as the personal privacy issues for individuals, Facebook, Twitter and the like are a useful source of information for corporate hackers and social engineers.

Obama warns teens against posting personal information online that they may later regret.

A new site providing privacy and other security advice to the users of social media has grand plans: let’s hope it delivers on the promise.

A general article on various social networking security issues, such as the possibility of malware infection through add-on applications for social networking sites, or even infected applications that claim to remove other viruses.

There are real dangers associated with cloud computing.

One blogger’s advice to women on using social media actually applies equally to men.

ENISA report on security aspects of social media.

A whizzy promotional video expounds on the explosive growth of social media.

Guidelines for the use of social networking media and systems.

Notes on social networking, albeit with little analysis.

Here’s a guide to Facebook privacy settings, mostly little known and barely used.  Another here.  Check out also the official Facebook privacy principles and help that contributed to Facebook being rated by Americans as one of the most trusted companies.

Hollywood is using social networking.

Using Twitter even has physical security implications.

Find out why Twitter is not the Information Security Management Handbook.  Are you giving away information on Twitter without even thinking about it?

A short video on social networking risks.

After Ontario's information and privacy commissioner spoke out, Facebook responded.

Twubble with Twitters: SuperNews! is a cartoon video depicting the incessant fascination with microblogging that afflicts some addicts (sorry, fans) of Twitter.

A video on Flickr led to the prosecution of a self-confessed off-season duck shooter.  Doh!

This blogging manifesto is, in effect, a succinct security policy with guidance on blogging in a corporate environment.  There is more explicit advice on writing such policies here.

An interesting self-referential example of someone using social media to promote a book ... on social media.

Social networking is social, and that means public.

Facebook accounts have been hacked using login credentials stolen from another social networking website, a dating site, demonstrating yet again that it’s not A Good Idea to use the same credentials on multiple sites.  Let me repeat that: don't use the same password on all your online accounts.

Social networks have been used for a new “friend” version of the old Spanish Prisoner/419 scam.

A prank promoting a German film.

Yet Another dumb criminals story.

Social engineering & pretexting

Reasonable people agree that Pranknet oversteps the mark in using social engineering techniques to fool hotel guests into trashing their rooms, setting off fire alarms etc.  However given that criminals feel no ethical constraints, Pranknet’s tricks are a salutary lesson on the power of social engineering.

Simple psychological manipulation tricks may be part of a social engineer’s toolkit but the article doesn’t scratch the surface.  Persuading other people to do what we want them to do, or to allow us to do what we want to do, takes more than just parlor tricks.

It might be old news but it’s legendary: read about the entrepreneurial social engineer who allegedly extracted $millions from targets on the Forbes rich list.  He even invested $thousands in the technology to exploit his victims but, as with many fraudsters, greed eventually got the better of him.

Read about cyberstalking on Wikipedia.

The man who posted a video on YouTube of himself speeding through Oxfordshire at 130 mph probably regrets releasing the personal information, having landed a 12 week prison sentence as a result.  Another gentleman who bragged about his hangover on Facebook was forced to back down on his request for a sick day after his boss read the brag.

A fake uniform and maybe an advance phone call or two is about all a social engineer, physical penetration tester or indeed bank robber/identity thief needs to obtain confidential information and even complete systems from nearly 1,000 sleepy US bank branches.  [Now there’s a sales opportunity for a security awareness firm!]

Find out how social engineering attacks work and get some ideas on thwarting them from this CERT podcast and EDPACS article by our CEO.

A useful guide from Microsoft explains a range of controls to reduce the threat of social engineering attacks. It's a 37-page Word document.

Brazen robbers conned their way into a shared data centre in London by posing as policemen with a convincing story about intruders on the roof.

No Tech Hacking: A Guide to Social Engineering, Dumpster Diving, and Shoulder Surfing (~US$39 from Amazon) looks like an interesting book by Johnny Long, famous for his earlier book Google Hacking, and Kevin Mitnick, famous for the hacking exploits that landed him in jail and his earlier books The Art of Deception and The Art of Intrusion.  Read our book review.

The Art of Deception by Kevin Mitnick and William Simon (~$18 from Amazon) is well worth a read and is reviewed elsewhere on this website.  It describes social engineering techniques.  Kevin’s original first chapter, which didn’t make it into the book, mysteriously appeared on the web.  The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders, and Deceivers is another Kevin Mitnick and William Simon book (also ~$18 from Amazon), and is also reviewed here.  This book tells other hackers’ stories in nine main chapters.  A tenth chapter gives further, albeit fairly basic, advice on social engineering controls.

Zen and the Art of Information Security by Ira Winkler is reviewed here.  It’s a gentle introduction to information security for those with little if any prior exposure.  Ira admits it is a book version of popular presentations he has given to non-technical audiences worldwide: we were left wanting more depth, but then we are not the target audience.

‘Catch Me If You Can: the True Story of a Real Fake’ is the title of a biography and movie starring Tom Hanks based on the life of Frank W. Abagnale, an infamous fraudster.  The descriptions of Frank’s brazen social engineering attacks are both entertaining and informative.  Paperback ~$10 from Amazon. DVD $12.

In a story about the Chinese attacking Western companies to obtain commercial advantage, The Times briefly mentions an alleged social engineering compromise of Royal Dutch Shell in Houston, Texas, by a ‘special interest group’ of Chinese nationals.

A social engineer has been stealing the personal data of thousands of American corporate executives, including senior execs at Fortune 500 companies in sectors such as airlines, banking, manufacturing and pharmaceuticals, using ‘spear phishing’ (targeted emails).

Nigerian fraudsters are breaking into Web-based email accounts, impersonating the owners and sending pleas for money to everyone in their address books, asking them to wire emergency money to Nigeria. The emails weave some story about getting mugged or losing a wallet while on a trip to Nigeria.

“Social engineering is a collection of techniques used to manipulate people into performing actions or divulging confidential information.  While similar to a confidence trick or simple fraud, the term typically applies to trickery for information gathering or computer system access and in most cases the attacker never comes face-to-face with the victim.” [Wikipedia]

Kevin Mitnick’s entertaining autobiographical speech at the H.O.P.E. conference in July 2004 was recorded for posterity and is available as a streaming MP3 here and here.  His 2005 keynote presentation at the Citrix iForum conference in Australia highlighted the threat of social engineering: “Mitnick said social engineering appeals to hackers because the Internet is so widespread, it evades all intrusion detection systems, it’s free or very low cost, it’s low risk, it works on every operating system, leaves no audit trail, is nearly 100 percent effective, and there is a general lack of awareness of the problem.”

A Dutch bank has been stung to the tune of £15m by a gentleman thief who used his persuasive charms and chocolate to obtain a key to the diamond safe.

In spam that delivers a pink slip, Computerworld presents a case study on an organization whose staff received spear phishing emails.  “Last week, a handful of employees at Dekalb Medical Center in Decatur, Ga., received e-mails saying they were being laid off. The subject line read ‘Urgent - employment issue,’ and the sender listed on the message was at dekalb.org, which is the domain the medical center uses. The e-mail contained a link to a Web site that claimed to offer career-counseling information.  And so a few employees, concerned about their employment status and no doubt miffed about being laid off via e-mail, clicked on the link to learn more and unwittingly downloaded a keylogger program that was lurking at the site.”
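The tell in the Dekalb case study (and in the executive spear-phishing report above) is a From: address on the organisation’s own domain carried by mail that never passed through the organisation’s own relays.  The following is an added example, not code from the original page or from Computerworld: a header check that flags such messages.  The organisation domain, the relay address range and the three sample messages are constructed assumptions for illustration.

```python
"""Flag inbound mail whose From: claims the organisation's own domain but which
did not come through its own mail relays (the spoofed-internal-sender pattern
in the Dekalb case study). Added illustration, not from the original page; the
domain, relay range and sample messages are constructed assumptions."""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.org"                             # assumption: our domain
ORG_RELAYS = [ipaddress.ip_network("192.0.2.0/24")]    # assumption: our own MTAs
IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def domain_of(header_value):
    """Lower-cased domain part of an RFC 5322 address header ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def handoff_ip(msg):
    """IP of the host that delivered the message to our edge MTA.

    Received: headers are prepended by each hop, so the first one is the line
    our own edge wrote; its bracketed 'from ... [a.b.c.d]' is the peer's IP.
    Every Received: line below it was written by someone else and can be forged.
    """
    received = msg.get_all("Received", [])
    if not received:
        return None
    m = IP_IN_BRACKETS.search(received[0])
    return ipaddress.ip_address(m.group(1)) if m else None


def spoofed_internal_sender(msg):
    """True when From: is @ORG_DOMAIN but the message did not originate inside."""
    if domain_of(msg.get("From")) != ORG_DOMAIN:
        return False                  # genuinely external; other checks apply
    rp_domain = domain_of(msg.get("Return-Path"))
    if rp_domain and rp_domain != ORG_DOMAIN:
        return True                   # bounces routed elsewhere: classic spoof tell
    ip = handoff_ip(msg)
    return ip is None or not any(ip in net for net in ORG_RELAYS)


def triage(raw_messages):
    """Subjects of the messages that fail the check, in input order."""
    flagged = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        if spoofed_internal_sender(msg):
            flagged.append(msg.get("Subject", "(no subject)"))
    return flagged


# Constructed samples: two spoofs in the style of the case study, one genuine.
SPOOF = """\
Return-Path: <bounce-7731@mailer.example.net>
Received: from mail.example.net (mail.example.net [203.0.113.7]) by edge.example.org with ESMTP; Thu, 1 Apr 2010 08:12:03 +0000
From: Human Resources <hr@example.org>
To: staff@example.org
Subject: Urgent - employment issue

Please review your status at http://career-help.example.net/
"""

SPOOF_RP_FORGED = """\
Return-Path: <hr@example.org>
Received: from mail.example.net (mail.example.net [203.0.113.7]) by edge.example.org with ESMTP; Thu, 1 Apr 2010 08:15:41 +0000
From: IT Helpdesk <helpdesk@example.org>
To: staff@example.org
Subject: Password expiry notice

Your password expires today; reset it at http://sso.example.net/
"""

GENUINE = """\
Return-Path: <hr@example.org>
Received: from mta1.example.org (mta1.example.org [192.0.2.10]) by edge.example.org with ESMTP; Thu, 1 Apr 2010 09:00:00 +0000
From: Human Resources <hr@example.org>
To: staff@example.org
Subject: Benefits enrolment reminder

Enrolment closes on Friday.
"""

if __name__ == "__main__":
    print(triage([SPOOF, SPOOF_RP_FORGED, GENUINE]))
    # ['Urgent - employment issue', 'Password expiry notice']
```

The check trusts only the Received: line written by your own edge MTA; anything beneath it came from the sender and is as forgeable as the From: header.  In production this is the job of SPF/DKIM checks at the gateway, but the logic above is what those checks boil down to, and it is easy to run over a mailbox export when investigating an incident like the one described.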

The US Senate looks likely to vote through a pretexting law on a fast-track procedure.  Pretexting in general is already outlawed in California and throughout the US if used to obtain financial information.

Here’s a short security awareness video (low or high resolution) and article from the University of Delaware about the dangers of revealing too much information on ‘social networking’ sites such as MySpace, Friendster or Facebook.

“‘Phone Phishing’, a method of stealing confidential information over telephone, is on a steady rise and awareness is the key to tackle it, according to security experts here. The most prevalent method of gaining access to personal data is the simple process of picking up a phone and calling a customer service call centre of a service provider, they said. Customer service agents are trained to ‘take care’ of callers and often they are more than willing to help.” So says a piece in India’s Economic Times.

Hear someone turn the tables on a telemarketer, using ‘social engineering’ methods to persuade them they have called a police officer attending a serious crime scene.  Very amusing.

Mike Berry clearly has a lot of fun baiting the 419 scammers through the 419eater website, even getting one to send impressive wooden sculptures of Creature Comforts characters and a Commodore 64 computer ... but there’s a serious undercurrent to this form of social engineering.  Estimates vary, but thousands of dollars are thought to be lost to 419ers every day and the scams remain as popular as ever.

Read the NZ Ministry of Economic Development’s Scamwatch website.

One way to get personal information out of people is through fake job ads.  Candidates expect to supply a fair amount of information about themselves as part of the application process and, perhaps because of their circumstances, their guards are down.  Enterprising social engineers are evidently using the opportunity to obtain sufficient information to commit identity theft.

Social Engineering, the USB Way is a worrying report into a successful penetration test using a mixture of social engineering and malware techniques.  One morning before work, the testers scattered USB thumb drives containing Trojans in the parking lot and smokers’ corners outside their target credit union premises.  The workers duly discovered the ‘lost’ drives, took them in, plugged them in and compromised their systems’ security.  The worrying part is the success rate, the potential impact and the likelihood of success elsewhere.  Possible controls include security awareness training, antivirus tools, IDS and USB blocking (device control) software.
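Awareness training is the control the report above calls for, but a detective control catches the employee who plugs the drive in anyway.  The following is an added example, not code from the original page or from the report’s authors: it reads Linux kernel log lines (dmesg/syslog style), pairs each USB device’s vendor/product/serial with the later “USB Mass Storage device detected” line, and reports any storage device that is not on an allowlist of corporate-issued drives.  The log lines and the allowlist are constructed for illustration.

```python
"""Spot USB mass-storage devices that are not on an allowlist, from Linux
kernel log lines. Added illustration, not from the original page or report;
the log lines below are constructed and the allowlist is an assumption."""
import re

# The three kernel messages we key on; the 'port' is the bus path (e.g. 1-1.2),
# which ties the identification lines to the later usb-storage line.
DEVICE_FOUND = re.compile(
    r"usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
SERIAL = re.compile(r"usb (?P<port>[\d.-]+): SerialNumber: (?P<serial>\S+)")
MASS_STORAGE = re.compile(
    r"usb-storage (?P<port>[\d.-]+):[\d.]+: USB Mass Storage device detected")


def parse_usb_events(lines):
    """Map each USB port to {vid, pid, serial, storage} from kernel log lines."""
    devices = {}
    for line in lines:
        m = DEVICE_FOUND.search(line)
        if m:
            devices[m["port"]] = {"vid": m["vid"], "pid": m["pid"],
                                  "serial": None, "storage": False}
            continue
        m = SERIAL.search(line)
        if m and m["port"] in devices:
            devices[m["port"]]["serial"] = m["serial"]
            continue
        m = MASS_STORAGE.search(line)
        if m and m["port"] in devices:
            devices[m["port"]]["storage"] = True
    return devices


def unapproved_storage(devices, allowlist):
    """Ports carrying mass-storage devices whose (vid, pid, serial) is not allowlisted."""
    return sorted(port for port, d in devices.items()
                  if d["storage"] and (d["vid"], d["pid"], d["serial"]) not in allowlist)


# Constructed kernel log: a found thumb drive, a mouse, and a corporate drive.
SAMPLE_LOG = [
    "[  101.10] usb 1-1.2: new high-speed USB device number 5 using xhci_hcd",
    "[  101.20] usb 1-1.2: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00",
    "[  101.21] usb 1-1.2: Product: Cruzer Blade",
    "[  101.22] usb 1-1.2: SerialNumber: 4C530000000001",
    "[  101.30] usb-storage 1-1.2:1.0: USB Mass Storage device detected",
    "[  102.40] sd 6:0:0:0: [sdb] Attached SCSI removable disk",
    "[  150.00] usb 1-1.3: New USB device found, idVendor=046d, idProduct=c077, bcdDevice=72.00",
    "[  150.01] usb 1-1.3: Product: USB Optical Mouse",
    "[  150.02] input: Logitech USB Optical Mouse as /devices/pci0000:00/usb1/1-1/1-1.3/input0",
    "[  200.00] usb 2-1: New USB device found, idVendor=0951, idProduct=1666, bcdDevice= 1.10",
    "[  200.01] usb 2-1: SerialNumber: E0D55EA5743C",
    "[  200.02] usb-storage 2-1:1.0: USB Mass Storage device detected",
]
# Assumption: the one corporate-issued, encrypted drive, identified by serial.
ALLOWLIST = {("0951", "1666", "E0D55EA5743C")}

if __name__ == "__main__":
    for port in unapproved_storage(parse_usb_events(SAMPLE_LOG), ALLOWLIST):
        print("unapproved mass-storage device on USB port", port)  # 1-1.2
```

Keying the allowlist on the serial number, not just vendor and product IDs, matters: the ‘lost’ drives in the test would have been ordinary retail models, indistinguishable from corporate ones by VID/PID alone.  On Linux the matching preventive control is to blacklist the usb-storage module in /etc/modprobe.d, or to restrict it with a udev rule, for hosts that have no business mounting removable media; the parser above then serves to confirm that the block is actually in place.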

Identity theft often involves a social engineering element.  A Cyber Security Tip from CERT offers some practical advice to reduce the chances of being taken in by the identity thieves, and to identify and respond to them if you are.

The Washington Post reported that people falsely claiming to be unannounced inspectors working for a US government hospital inspection body were identified as imposters and ejected from at least three hospitals.  Their motives were unclear.  Up to two weeks before the last incident, the inspection body had routinely posted the names of its inspectors on its website (’nuff said).

Social engineers’ skills are not limited to the realm of computing.  A British court case involving someone who tried to con his way into Windsor Castle has led to the press digging up information on his past exploits.

Gartner predicts that social engineering is “the single greatest security risk in the decade ahead” [... or at least until Gartner’s next security report ...].

A US-CERT Cyber Security Tip offers basic advice to reduce the risk of social engineering and phishing.

How to Defend Your Network Against Social Engineers recommends, amongst other things, developing and enforcing a security policy addressing social engineering, and training users in how to recognize a social engineering attempt.  [Naturally, we’d recommend NoticeBored for that, and more].

Sarah Granger has written a good overview of social engineering including suitable controls: Part 1, Part 2.

Social Engineering 101 is an unmoderated bulletin board system where people post questions and answers about social engineering.  The techniques described are pretty naive ... but are probably quite effective nonetheless.


Related NoticeBored links collections

Hacking, incident management, identity theft, privacy & data protection, physical IT security,
email & messaging security, IT fraud, Internet security, gizmos, malware and human factors


NB: we do not necessarily endorse or agree with the third party websites accessible through the links. Use at your own risk.  Please let us know about new or broken links.

 



Copyright © 2010  IsecT Ltd.