Stealing Secrets: Social Engineering on the Phone

By Rob Siciliano


In a recent post (Hackers Play “Social Engineering Capture The Flag” At Defcon) I pointed to a game in which contestants used the telephone to convince company employees to voluntarily cough up information they probably shouldn’t have.

At the recent Defcon event, social engineers proved that it doesn’t take much more than asking to get the necessary information that may lead to penetrating a person’s computer.


Social engineering is a fancier, more technical form of lying.


An alternative to traditional hacking, it is the act of manipulating others into performing certain actions or divulging confidential information. Social engineering or “social penetration” techniques are used to bypass sophisticated and expensive hardware and software in a corporate network.


Social engineering is all based on telling a lie and getting others to tell the truth in response. Thousands of years of civilized conditioning and cultural teaching to help and trust one another has made people just a little too eager to help.


Participants in the contest successfully got employees from some Fortune 500 companies to provide full profiles of the inner workings on network PCs and software that could easily be used to launch an attack.


Some revealed what operating system they had, the version of their service pack, antivirus software, browser, email, which model their laptops were, the virtual private network software the company used, and even what garbage collector hauled the company’s trash.


In some cases, the tricksters even got the Fortune 500 employees to visit certain websites while on the phone. Sometimes the simple act of visiting a website can install a malicious program on your PC if it’s not properly protected.

Using the answers the employee has already provided (operating system, service pack, browser, antivirus), the social engineer can then steer that person to a website chosen specifically to infect that configuration.


Recognize that while most of the people who call you are not trying to swindle you, some of them may be. Defending against that means having a system in place that defines what information can be given out, to whom, when, and why.


Training on social engineering and how to prevent it is a must for any company and frankly for any individual who doesn’t want to fall victim to a conman.


Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses credit card fraud on NBC Boston. Disclosures





Comments (4)
1. 09-11-2010 05:43
It's always good to remind people of the potentially harmful nature of seemingly innocent calls; in over 2 years of work experience at Fortune 500 and smaller firms, I have rarely ever seen a concerted effort to train employees about this tactic.
2. 09-19-2010 21:29
This is one of those things that really needs to be trained better at companies of all sizes. The training required would not take all that long but would simply make people aware of the types of techniques that people employ to get this type of information. We will see as IT security becomes a bigger issue as time goes on if it is treated with a higher priority among normal users.
-sean
3. 09-21-2010 16:12
Social engineering has been and likely always will be the most common, easiest and most harmful way that companies lose sensitive data. It's good to keep that in mind while we are -- necessarily -- spending lots of resources developing technological barriers.
Mark Henricks
4. 09-21-2010 21:05
Once again we see that the human element is always the most challenging part of any system. ;)