Security: Social Engineering
Social Engineering, in the security sense, is the practice of obtaining private or confidential information by taking advantage of human nature and trust. It is done by collecting public information (normally posted on social networking sites) and using it to manipulate people into handing over the information the attacker wants, or into letting it be taken.
Below we outline some of the most basic social engineering tactics in use, so that you can be aware of what they are and how to avoid them.
Social Networking Sites
Sites like Facebook and Twitter make it very easy to stay in touch with our friends and families. However, they are a rich source of information for people with bad intentions if you do not take care in what you post, who you accept as friends, and the privacy settings you use.
Take the following scenario as an example:
An old friend from high school adds you on Facebook; you don’t remember him, so you do the proper thing and check that the school he has listed is the same one you attended. You strike up a conversation using the built-in chat and talk about the good old times from when you were at school. It sounds like he knows the teachers and who was there, so you feel more comfortable about keeping him on your friends list. After a while you get an email from him with pictures he found while going through his old stuff. You open the attachments to find random pictures of what appears to be your school.
What you don’t know at this point is that the files also included a Trojan, which now gives him access to every aspect of your computer. This includes all of your files, passwords, browser history, and more.
How did he know so much information?
Unless your privacy settings are set correctly, he was already able to see the school you attended. From this information alone, he was able to get copies of your yearbooks (the pictures he scanned and sent you), teacher information, and more. Once he was added as a friend, he was able to see all the other information available on your profile page: phone number, location, email address (if you have it set to public), friends, pictures, timeline, when you graduated, plus much, much more.
How could we have prevented this?
One of the best ways to help prevent this is to keep private information just that: private. If your friends on Facebook know you, they don’t need to see your school information, email, or phone number. You may want to tweak your privacy settings to make sure that your more personal information remains personal. You should also check the profile of the person before you accept him as a friend. If his timeline is public, check his history to see when he added that school information. If he added it only recently, it could be a sign that he is setting up a social engineering con.
We can also help prevent attacks like this by asking him questions that would be hard to answer using only public information. If he does not yet know what school you went to (check your profile privacy settings), ask for student or teacher names. You could also message a few of your friends who went to the same school and see if any of them know him.
It’s a matter of being careful and mindful that people like that are out there.
Here’s another example:
You wake up to see that you have received an email informing you that your bank password has been changed. You try to log in but find that it has indeed been changed from what you had set it to. You call the bank to get the issue resolved. Once you are able to log in, you see that your accounts have been drained and that your bank credit card is maxed out.
How could this one have happened?
Security questions are normally the key to situations like this.
Most sites allow you to change your password simply by answering some security questions. Most security questions seem “personal”, but with the rise of social networking, information that was once private is not so private anymore.
Take the following 3 basic questions for example…
In what city or town was your first job?
This one was easy: we looked at your LinkedIn profile and saw that your first job was at “Small Town Company, LLC” (example), and after a simple internet search we found that they have only one location, in Washington, D.C.
What was the name of your high school?
This one is listed on your public Facebook page. In most situations, you don’t even need to be added as a friend to see this information.
What is the name of your first pet?
This one depends on how much you post on your profile. If your pet passed away and you posted about it, or if you mention him in passing, it would be easy to find if the assailant was able to see your timeline.
How can we prevent this?
This one can be simple. If you have a good memory, don’t use real answers for the security questions. Or, if you have the option, create your own security questions and use something that you would never post or talk about in public. We highly recommend the latter of these two options.
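The advice above is to stop security-question answers from being facts anyone can look up. The following is an added example, not code from the original page: it generates a random, unrelated answer for each question (to be stored in a password manager alongside the login), and includes a small check that flags an answer which matches a fact already visible on a public profile. The question list and the public-profile facts are constructed sample data.

```python
import secrets
import string

# Alphabet for generated answers: letters and digits only, so the answer
# can be typed into any web form and stored in a password manager.
ANSWER_ALPHABET = string.ascii_letters + string.digits

# Constructed sample data: the three questions discussed in the text,
# and facts an attacker could read off a public LinkedIn/Facebook profile.
QUESTIONS = [
    "In what city or town was your first job?",
    "What was the name of your high school?",
    "What is the name of your first pet?",
]
PUBLIC_FACTS = {
    "first employer": "Small Town Company, LLC",   # from LinkedIn
    "employer city": "Washington, D.C.",            # one office location
    "high school": "Example High School",           # listed on Facebook
}


def random_answer(length=20):
    """Return an answer that has no relation to any real fact about the user.

    secrets.choice draws from the OS CSPRNG, so the answer cannot be
    reconstructed from anything posted online.
    """
    return "".join(secrets.choice(ANSWER_ALPHABET) for _ in range(length))


def generate_answers(questions, length=20):
    """Map each security question to a fresh, independent random answer."""
    return {question: random_answer(length) for question in questions}


def answer_is_public(answer, public_facts):
    """True if the proposed answer equals a fact visible on a public profile.

    Comparison ignores case and surrounding whitespace, since a site will
    normally accept 'washington, d.c.' for 'Washington, D.C.'.
    """
    normalized = answer.strip().lower()
    return any(normalized == fact.strip().lower() for fact in public_facts.values())


if __name__ == "__main__":
    # A real answer is rejected because it is already public knowledge.
    print("Real answer public?", answer_is_public("Washington, D.C.", PUBLIC_FACTS))
    # Random answers are not, and each question gets a different one.
    for question, answer in generate_answers(QUESTIONS).items():
        print(f"{question}\n  -> {answer}")
```

Store the generated answers in the same password manager entry as the account; they only need to be retrievable, never remembered.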
Here is another social networking scenario that hits a little more to home:
An old co-worker requests to be your friend. Because you work(ed) for a big company, it’s hard to remember all the people there, so you allow it. He now has access to all of your old posts, pictures and your timeline. It’s coming up on July 4th, and it’s time for the week-long vacation you take every year around this time. When you return home, you find everything in shambles and your personal belongings missing.
Robberies happen all the time; however, most of the time the assailant(s) don’t have much time because they don’t know when you will be back, or what kind of stuff you have. In this situation, they were able to see that you were out of town on vacation for a week. Also, because you had posted pictures of that new flat screen TV and sound system you got a few weeks ago, they knew it was going to be a worthwhile trip for them. They knew the basic layout of your house and neighborhood from looking at your photo albums.
How did he know me?
While he may have added you on Facebook, he found you by your LinkedIn profile. It shows the company you work for and ones you have worked at in the past. From that information he was able to hunt down more details about the company and come up with a convincing Facebook profile so that you would add him.
The same principle applies to this situation as the ones previous. Take care in who you accept as friends. Also, be careful what information you post, and where you post it. If you need to keep work information public, take care in how much detail you put online.
We can also help prevent this by taking care in what we post on our “private” Facebook profile. Don’t show patterns, as this just provides the assailants with the information they need to plan the heist. It’s also a good idea not to post details about a trip until after you get back. That way (unless it’s a pattern) the would-be thieves won’t have anything to work from.
Another common tactic used in Social Engineering attacks is the good old phone. We have an inherent trust when talking to real, live people on the phone. Unfortunately, this can work in the attacker’s favor.
Here is an example…
The phone rings and you see that the caller ID is from your bank. You answer, and the bank representative proceeds to ask you a set of questions to confirm your identity. Once the call is finished, you find that your bank password has been changed and that all of your funds have been drained.
This is another tactic used to obtain the answers to security questions, social security numbers, birthdays and more.
How did the number appear to be from my bank?
There are many services out there (a lot of them free) that let you place calls with your caller ID changed to appear as any number you want. A good precaution is to call your bank directly if something feels off. Simply inform the person calling that you will call back for security reasons. Most of the time they will understand and give you a ticket ID or a direct extension you can use. Just make sure that you dial the bank’s number as listed on your statement or on their website, not one the caller gives you.
This concludes our section on Social Engineering.
We used a bank in most of our examples; however the bank could be substituted with a number of other services. We also used Facebook and LinkedIn in our scenarios; however they could be replaced with a number of other online sites.
Just be mindful of what information you are giving, and who you are giving it to.