People spend a fortune on technological solutions, and then get compromised by good old-fashioned con jobs, said Riley, senior security strategist in the Trustworthy Computing group.
Why? Because every computer system and network relies to some extent on human beings, and since it’s becoming increasingly difficult to hack computer networks thanks to improved technology, he proposed, “Why not hack the network administrators instead?”
Interesting idea. And just how do you hack an administrator?
It’s actually rather easy, according to Riley. In a security survey, 67 percent of people happily gave their passwords to “researchers” in exchange for a chocolate bar!
That sounds a little far-fetched, even to a dyed-in-the-wool chocoholic like me, but it’s true. People, on the whole, are entirely too trusting and prone to manipulation by social engineering.
Social engineering is the art and science of getting people to comply with your wishes. It’s not some kind of mind control or voodoo; it’s the clever use of psychology to turn people’s more benevolent instincts against them and defeat even the most powerful technological defenses.
It’s also the highest form of hacking, and can yield huge rewards.
One would think that an experienced administrator should be immune to con agents, but Riley described a series of techniques designed to disarm even the most cynical.
Diffusion of responsibility. The attacker tries to convince the victim that an improper action is somehow supported by higher-ups, and thus he or she is not solely responsible for that action. Five-year-olds are adept at this ploy (“Mom said it’s OK…”), but adults fall for it too.
Chance of ingratiation. The victim receives hints that compliance with the request will generate some sort of personal benefit—brownie points with the boss, or competitive advantage, or perhaps even the privilege of assisting a sultry-sounding woman over the phone.
Trust relationships. Building trust through a series of small, innocuous (but positive) interactions makes it more likely that the victim will assist the attacker during the crucial hack.
Moral duty. The goal here is to convince the victim that there is a wrong that will be righted by compliance. It requires research on the part of the attacker, to come up with plausible arguments, and to persuade the victim that detection is unlikely.
Guilt. There’s nothing like a little guilt to get people to do something—just ask any mother. Good social engineers are experts at creating situations where compliance with their requests will prevent or alleviate guilty feelings.
Identification. Building a connection with the potential victim makes it much easier to get information—people are more likely to share with a buddy than with a stranger. A sociable chat and a little information-gathering about the target can go a long way towards a successful exploit.
Desire to be helpful. Ask, and you will often receive. Ask someone to hold a door to a secure area open because you have your arms full, ask them to help in logging on to an account, and they’ll often become unwitting accomplices in an exploit. Social engineers know that most people have poor refusal skills.
Cooperation. Barking orders like a Marine sergeant is usually not part of the social engineer’s repertoire—typically the attitude is one of reason, logic, and patience. Annoying the target is usually a poor way to get information (although sometimes it works very well). Get someone difficult to blow their stack in a directed way and they’ll spit out all kinds of information.
As if those techniques aren’t enough, the cunning social engineer knows triggers that