
Social Engineering – A Matter of Trust

JaronH

In the world of cyber security, there is one very dangerous exploit that no anti-virus can ever detect, that no firewall can block, and that no complex password can ever protect a person from.  This one catastrophic flaw in security is enough to bring down large corporations and government agencies in mere seconds.  So what kind of security threat could possibly be that big?  Social Engineering.

Social Engineering is the art of manipulating people – usually through blind trust, habit, or curiosity – to either divulge what is seemingly innocent information or perform a rudimentary task.  Most of the time, people don’t realize they have even fallen victim to a Social Engineering attack until it is too late (assuming they ever find out!).

Most people are familiar with the popular forms of Social Engineering attacks: for example, an email or phone call from your “bank” asking you to provide information they should already have, or the ever-popular Nigerian Prince scam.  Just about any get-rich-quick plan that has been floating around in emails, or even the seemingly innocent Facebook games, can be boiled down to a form of Social Engineering.  (Random fact: did you know that all you need to pull a person’s credit report is their name and address?  Keep that in mind the next time you go to let a Facebook app access your personal information!)

A few days ago, I received a call from a man named “Tom” who works at a company that we will call “XYZ.”  I had never worked with Tom directly before this, but he knew all of the people I had worked with and he knew many details about the project our business was doing for company “XYZ.”  The purpose of Tom’s call was to ask about a credit report that our business had processed for company “XYZ.”  Now, one of my job requirements is to help our customers with any problems, so my instinct was to immediately help Tom out.  But here’s the problem: how do I know Tom really works for company “XYZ”?  Does Tom even have permission within company “XYZ” to discuss confidential credit information?

As much as I wanted to trust Tom, I couldn’t.  Caller IDs can be faked, and the information he had about the project could have been obtained through questionable means (namely, insecure emails).  As far as I knew, Tom could be trying to use a form of Social Engineering known as pretexting (the practice of getting your personal information under false pretenses) to squeeze information out of me that could be used against the individual whose credit report he was asking for, against company “XYZ,” or against our business.

The good news is that I was able to call my contact at company “XYZ” and verify that Tom was indeed in a position to request help from me (more on this later).  However, let’s assume Tom was trying to exploit me, and look at the two things he would have been exploiting:

1) Helpfulness: He would have been trying to use my desire to help out a customer to gather confidential data!

2) Trust: He would have been looking for me to trust that he really did work for company “XYZ” and that he had their best interest in mind.

Notice something?  The very things that make a good employee and support person – or just a nice person in general – can also be that person’s biggest weaknesses!  Let’s look at a few more, simpler cases of Social Engineering:

– Holding the door: You’re assuming that the person you are holding the door for is actually allowed in the building.

– Piggybacking: Letting someone who “locked themselves out” or “forgot their ID” inside the building.

– Dumpster Diving: If you don’t shred documents or destroy hard drives properly, anyone can get your confidential data out of the trash.

– Curiosity/Learning (AKA Baiting): “Let’s see what’s on this CD…”, “Let me try this application…”, “I’ll open this document/URL…” – all of these are famous last words before unknowingly installing a virus or malware!

– Diversion: Persuading a person responsible for a legitimate delivery that the package they are delivering (data or physical) is to be delivered to an alternate location because of a last-minute decision the company had made.

– Email: Most people don’t realize that all of their emails bounce from server to server in plain text and can be easily snooped.

Notice that all of the above examples rely on an element of trust or a false sense of security.  So, how do we get around this?  Simple: don’t blindly trust anyone.  Now, this solution sounds easy, but how can you do this practically in the real world?

In IT, one of the most reliable forms of security is a system known as Pretty Good Privacy (PGP).  It is a complex security protocol that essentially requires a form of trust in order to allow a recipient to access its encrypted payload.  Prior to exchanging any secure data, the two parties involved exchange what are known as “keys.”  The purpose of this is that two keys are required to “open” (decrypt and verify) any secure file exchanged between the two parties.  Those keys are:

1) The sender’s public key (we’ll call the sender “George”): This is the key that George hands to the individuals who are authorized to read his encrypted data.  Since George’s private key was used to sign (“lock”) the file, his public key is required to verify (“unlock”) that the file really came from him.

2) The recipient’s private key (we’ll call the recipient “Sam”): This is the key that only Sam will possess, which will decrypt (“unlock”) anything that was encrypted (“locked”) with his public key.

As a result, George knows that Sam is the only one who can unlock the file, since Sam is the only one who has the matching private key.  Likewise, Sam knows the file is from George because the file’s signature can only be checked using George’s public key (and only George has the matching private key required to lock the file in the first place).
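The exchange described above, written out as an added example that is not part of the original post and not PGP itself: it uses Go’s standard-library RSA (OAEP for the “lock” to Sam’s public key, PSS for George’s signature) to show the same two-key principle. George and Sam come from the post; the third party “Mallory”, the message text, and all function names are assumptions constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Party is one participant. Only the party itself ever holds priv; the public
// half is what gets handed to others, as the post describes.
type Party struct {
	Name string
	priv *rsa.PrivateKey
}

// NewParty generates a fresh 2048-bit RSA key pair for name.
func NewParty(name string) (*Party, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Party{Name: name, priv: k}, nil
}

// Public returns the key a party is willing to hand out.
func (p *Party) Public() *rsa.PublicKey { return &p.priv.PublicKey }

// Envelope is the "locked" file: ciphertext only the recipient's private key
// opens, plus a signature only the sender's private key could have produced.
type Envelope struct {
	Ciphertext []byte
	Signature  []byte
}

// Seal signs plaintext with the sender's private key, then encrypts it to the
// recipient's public key. (RSA-OAEP with SHA-256 at 2048 bits caps one message
// at 190 bytes; a real system would wrap a symmetric key instead.)
func Seal(sender *Party, recipient *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	digest := sha256.Sum256(plaintext)
	sig, err := rsa.SignPSS(rand.Reader, sender.priv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, plaintext, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{Ciphertext: ct, Signature: sig}, nil
}

// Open decrypts with the recipient's own private key (the key only Sam has),
// then checks the signature with the claimed sender's public key (the key
// George handed out). Either step failing rejects the message.
func Open(recipient *Party, claimedSender *rsa.PublicKey, env *Envelope) ([]byte, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient.priv, env.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("%s cannot decrypt: not locked with their public key", recipient.Name)
	}
	digest := sha256.Sum256(pt)
	if err := rsa.VerifyPSS(claimedSender, crypto.SHA256, digest[:], env.Signature, nil); err != nil {
		return nil, fmt.Errorf("signature was not made by the claimed sender's private key")
	}
	return pt, nil
}

// Result records what each party could and could not do with the envelopes.
type Result struct {
	SamReads         string // plaintext Sam recovered from George's envelope
	MalloryDecrypts  bool   // could a third party open mail addressed to Sam?
	ImpostorVerifies bool   // did mail signed by Mallory pass as George's?
}

// RunScenario plays out the exchange from the post plus two failure cases.
// Parties and message text are constructed for this example.
func RunScenario() (*Result, error) {
	george, err := NewParty("George")
	if err != nil {
		return nil, err
	}
	sam, err := NewParty("Sam")
	if err != nil {
		return nil, err
	}
	mallory, err := NewParty("Mallory") // constructed third party, not in the post
	if err != nil {
		return nil, err
	}
	msg := []byte("Constructed sample: credit report for case 0000 attached")
	env, err := Seal(george, sam.Public(), msg)
	if err != nil {
		return nil, err
	}
	// 1. Sam opens it with his private key and checks George's public key.
	pt, err := Open(sam, george.Public(), env)
	if err != nil {
		return nil, err
	}
	// 2. Mallory intercepts the same envelope: her private key does not fit.
	_, mErr := Open(mallory, george.Public(), env)
	// 3. Mallory sends Sam mail claiming to be George: it decrypts, but the
	//    signature does not verify under George's public key.
	forged, err := Seal(mallory, sam.Public(), []byte("Constructed: forged mail claiming to be from George"))
	if err != nil {
		return nil, err
	}
	_, fErr := Open(sam, george.Public(), forged)
	return &Result{SamReads: string(pt), MalloryDecrypts: mErr == nil, ImpostorVerifies: fErr == nil}, nil
}

func main() {
	r, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("Sam reads: %q\nthird party decrypts: %v\nimpostor verifies: %v\n",
		r.SamReads, r.MalloryDecrypts, r.ImpostorVerifies)
}
```

The two failure cases are the point: an eavesdropper with the wrong private key gets nothing, and a caller who merely claims to be George fails the signature check, which is the same reason the post insists on verifying a caller through a channel you control rather than the one they chose.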

Why did I mention this?  Because the basic principle behind this security is also the best way to establish trust and therefore minimize the chance of being exploited through Social Engineering.  This is because your trust is based on:

– Something you have (i.e. George’s public key)

– Something you know (i.e. Sam’s private key)

Going back to my case with Tom, before I could help him, I had to be sure he was who he claimed to be.  My process for authenticating Tom went like this:

1) Something I know: I called up my contact at company “XYZ” and verified that Tom worked for them and that he was authorized to look into this case.

2) Something I have: I then asked my contact for Tom’s contact information so that *I* could call him.

The last step is just as important as the first one.  Why?  Because even though Tom (the one who worked for company XYZ) passed step one, there is no guarantee that the person I talked to was that Tom.  However, since I was the one calling him, I knew that I was talking to the correct Tom.  Therefore, I was able to address his problem and work with him in confidence.

Further reading: http://arstechnica.com/tech-policy/news/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack.ars/1  This details how the hacking group Anonymous used simple attacks and social engineering to take down the entire Federal branch of the computer security company HBGary.
