Social Engineering, The Weakest Link
Article by Rick Leinecker, June 1, 2006

You pat yourself on the back knowing that your computer is secure. You've followed all of the recommendations, and you just know that hackers can't do any damage. But before you get too smug, we need to talk about social engineering. This is one of the most effective tools that hackers use, and rock solid computer security might not help.

Okay, what the heck is social engineering? Quite simply, it's the process (or art) of getting people to comply with your wishes. If you can enlist the help of a legitimate user to help you gain access to resources that are locked down within a secure computer, then you've done an end run around tight security measures. You have what you want without having to hack the computer.

A social engineering attack can have any number of desired outcomes. The attacker can be after financial data, company secrets, credit card information, or a way to damage a system. These are largely the same goals that traditional Internet hackers have.

There are some simple ways to mount a social engineering attack. The easiest method is to ask someone for something. If they know you and think you have the authority to have access to a file, they might copy it to a disk and give it to you. They might let you sit down at their computer and view some data. Or, they might even send a data file to you as an email attachment. This is the least effective type of social engineering attack, though.

The next method is a contrived situation in which you trick someone into giving you data files. You might invent a situation in which the boss is stuck in traffic, and you need to rush the data over to the meeting place in advance of his arrival. To pull something like this off, you have to be believable, and the apparent circumstances must be consistent with what you're presenting.

One variation of the contrived situation goes something like this. A caller identifies himself as a network consultant. He needs your password to test out the new security measures that he implemented. When you give him your password, he now has access to all of the resources that you have access to. In this way, an imposter can get your password and then get the data he needs without your ever knowing that he got the data.

There is some human behavior that can help a social engineer get what he wants. Humans like to conform. In a group setting, if the attacker can make it seem like you're a non-conformist because you won't give up the information, you're more likely to comply. In fact, statistics show that social engineering attacks that use this approach succeed most of the time.

Another strong human instinct is triggered by obligation. A good example of this was the Hare Krishnas who used to give out flowers in airports, and then ask for donations. Once the flower was given, people would almost always give a donation because they felt obligated. In a 2003 Infosecurity survey, ninety percent of office workers gave away their password in exchange for a cheap pen.

Sometimes people give you information because they don't think that they're totally responsible and therefore won't get in any trouble. Some give up information in the hopes that they'll ingratiate themselves with the requester. Others may feel a moral duty to help out, possibly as a result of feeling that the information should be made public and not kept secret. Some people would do anything to avoid a conflict and are usually willing to comply in order to avoid an unpleasant situation.

With all of these human tendencies that I've described, it's no wonder that social engineering is such a common tool in the hacker's arsenal. Attackers could spend months trying to break into a system with conventional techniques, or they could be creative and trick you into giving them your password. Which is easier? Many times it's the social engineering route. And for that reason, you need to be extra careful.

Those are the basics of social engineering attacks.