My 03/9/08 Missoulian column
Social engineering goes back to the cave man days, and even if the only thing Neanderthal man could “engineer” was fire or a wood club to keep the peace, he learned that persuasion was a good skill to have. In the age of the World Wide Web, there are many more ways to get “socially engineered.” If you manage a business these days, you’ll be the focus of social engineering attacks because serious hackers go where the money is – banks, finance firms and stores. The reason is that social engineering attacks are successful for the bad guys, even if the payoff isn’t immediate.
The bad guys want specific information; the big prizes are, of course, log-ins and passwords, but other bits of information about individual PCs and computer systems, the structure of a business network and even employees’ names are valuable. Remember phishing? A recent variant on that scam is what’s called “spear phishing”: that’s a phishing scam that targets a specific person, and even if it isn’t completely successful, small bits of information can be valuable to a hacker.
Suppose a hacker can find out the name and e-mail address of a new employee at a business such as a bank. The hacker could craft an e-mail to that person that tells him to go to a fake Web site for the bank and retrieve a new version of the employee manual, or to re-enter their employee ID or log-in and password because the “system went down.” The Web site harvests their information and, as a result, the hacker is in the front door of the bank.
Governments and universities are vulnerable: the Los Alamos and Oak Ridge national laboratories have been hit with spear phishing attacks, with Oak Ridge losing sensitive personal data. Last year, the Department of Defense identified thousands of spear phishing attempts aimed at the Pentagon and active-duty military in Iraq, some of which purported to be copies of military exercise plans that were required reading. And last month, spear phishing attacks were aimed at students at Columbia, Princeton, Duke and other universities.
Even if a spear phishing e-mail isn’t completely successful – if you follow the Web link but realize it’s a scam and don’t enter any information, or if you respond to the e-mail out of curiosity – it can still yield information for the hacker. In each e-mail you send and receive there is hidden information in what’s called the “header.” This includes harmless information such as a message ID that tracks replies and forwards of that message, but also the Internet protocol addresses of the sender and recipient.
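As an added example (not part of the column), here is a small Python triage script of the kind a help desk or security team could run over a reported message. It pulls out the header fields the column mentions, the Message-ID and the IP addresses recorded in the Received headers, and it flags the two tell-tale signs of the “re-enter your login because the system went down” lure described earlier: a Reply-To domain that differs from the From domain, and a link whose visible text names the bank’s site while the href points somewhere else. The sample message, every name, address, domain and Message-ID in it, and the two-label “registered domain” shortcut are all constructed assumptions.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (all names, addresses and the Message-ID are made up)
# in the shape the column describes: a "system went down, re-enter your login"
# lure sent to a new hire, with a link whose visible text names the bank's site
# while the href leads somewhere else.
SAMPLE_EMAIL = """\
Received: from mail.examplebank.example (mail.examplebank.example [203.0.113.10])
    by mx.examplebank.example with ESMTP id abc123 for <newhire@examplebank.example>
Received: from [198.51.100.77] (unknown [198.51.100.77])
    by mail.examplebank.example with SMTP
Message-ID: <20080309.1234@mail.examplebank.example>
From: "HR Department" <hr@examplebank.example>
Reply-To: hr-support@examplebank-portal.example
To: newhire@examplebank.example
Subject: Updated employee manual - action required
Content-Type: text/html; charset=us-ascii

<html><body>
<p>The system went down; please re-enter your login at
<a href="http://examplebank-portal.example/login">https://www.examplebank.example/hr</a>
to retrieve the new employee manual.</p>
</body></html>
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HOST_RE = re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}$")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def hostname_of(text):
    """Return the hostname named by a URL or bare domain, else None."""
    text = text.strip()
    if "://" not in text:
        text = "http://" + text
    host = urlparse(text).hostname or ""
    return host if HOST_RE.match(host) else None


def registered_domain(host):
    # Assumption for illustration: the last two DNS labels. A real tool would
    # consult the public suffix list instead.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def triage(raw):
    msg = message_from_string(raw, policy=default)

    # Each hop prepends a Received header, so the last one is the earliest hop.
    received = [str(h) for h in msg.get_all("Received", [])]
    ips = []
    for header in received:
        for ip in IP_RE.findall(header):
            if ip not in ips:
                ips.append(ip)
    origin_ip = (IP_RE.findall(received[-1]) or [None])[0] if received else None

    # Reply-To pointing at a different domain than From is a classic lure sign.
    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2]
    reply_domain = parseaddr(str(msg.get("Reply-To", "")))[1].rpartition("@")[2]
    reply_to_mismatch = bool(reply_domain) and reply_domain.lower() != from_domain.lower()

    # Flag links whose visible text names one site while the href goes to another.
    suspicious = []
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            shown, real = hostname_of(text), hostname_of(href)
            if shown and real and registered_domain(shown) != registered_domain(real):
                suspicious.append((href, text))

    return {
        "message_id": str(msg.get("Message-ID", "")),
        "received_ips": ips,
        "origin_ip": origin_ip,
        "reply_to_mismatch": reply_to_mismatch,
        "suspicious_links": suspicious,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

Run on the sample, the script reports the earliest-hop address 198.51.100.77, the Reply-To mismatch and the one disguised link; those are the facts worth recording before the message is deleted, since the header trail and the lure domain are what an incident responder would search the mail logs for to find other recipients.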
In an organization with certain network settings, having that IP address allows a hacker to target an individual PC with attacks designed to break into file sharing and other services and to hunt for other open doors and vulnerabilities. Web sites can also be configured to record IP information from visitors who just look but don’t enter information. With specific information such as an IP address, the rest of the network and business can be vulnerable.
A real prize for hackers is information about the information technology structure of an organization and the people involved, and getting that can sometimes be as easy as looking in the classified ads. Job ads are perused by those looking for jobs, but also by social engineers. A human resource department may run an ad for a network technician position and in it list all the hardware and software applicants need to be proficient in – that also happens to be good information for a social engineer.
How? If electronically “questioned” in a certain way, company Web servers, file servers and other network hardware and software will willingly give up all kinds of information, if not configured to ignore such requests. Information about the current vulnerabilities of hardware and software is easy to find, and exploits can be crafted. Sometimes it’s as simple as a default log-in that was never disabled. Sometimes it’s a minor jigsaw puzzle for a hacker working with an employee name, the IP address of their PC, a guess at a password and knowledge of a security hole on a certain part of the IT hardware.
There’s a new social engineering scam almost every day, while old scams evolve with changing technology. Saying “our employees were trained last year” or “our security was OK last year” isn’t good enough. Businesses, organizations and governments need to be constantly looking out for their structures and employees.