Aug 2, 2012

A thought beyond the paradox: Social Engineering

When I was naive in the hacker’s domain, each and every one used to talk about social engineering, with the obvious mention of Kevin Mitnick, because he is the one who introduced the term. Later, I was tagged as a good social engineer and hackers started staying away from me. Trust me, this term is overrated, because we have been victims of ‘Social Engineering’ since birth.

TV advertisements and marketing people are good social engineers, who plant the best image of their products in your brain and make you believe in it. They convince you that if you apply their product, say a face whitener cream, then you will look like an actress or a supermodel. This is one sort of social engineering. You start believing that their manufactured goods will make you beautiful. If creams could really make you beautiful, then India would have been a place of only beautiful faces.

Kevin Mitnick, by lies or with excuses, used to fool security guards and access telephone lines and security codes of the company he was working for. Nowadays, every employee tries to cheat his employer by one means or another, and their social engineering skills are par excellence when compared to Kevin. I had a peon who was from a poor family and gained my trust. We trusted him so much that I handed my office keys over to him. As all know, our office is a media house, and all sorts of people pay a visit here. One day a model visited my office, and at reception my peon got a chance to interact with him. From there sprouted his urge to build muscles, look good and get into the glamour industry. His earnings were meager, and his dreams were big. He used to take loans for buying protein powders, gym fees, whitener creams, hair gel, etc. His dressing changed. Too many loans, changed focus, and lost dedication to work made him a victim of my anger. One night, he stole a laptop from the office and gave it to hackers working in my office to crack the password. He beautifully convinced them to do this. Finally, he sold it to someone but was caught. However, during this entire process, the kind of aura and illusions he created were amazing; I think even Kevin might award him for his skills.

Knowingly or unknowingly, we give people access to our lives, and you never know when they encroach into your personal space. Here starts social engineering. Many a time, they make you believe what they want you to visualize. They create such a false atmosphere that you tend to come into their fold. Emotional attachment and faith are among the biggest weaknesses of human nature. We tend to fall for our own people and start believing them blindly. Since birth, a mother is one of the best social engineers in a child’s life; we all experience a little blackmailing from our mom, or, if we do not term it ‘blackmailing’, then ‘emotional atyachar’. One of the notorious Anonymous hackers said that your mom convincing you not to go for a night out, and you agreeing with her without protesting, is also ‘Social Engineering’.

Conflicting strategies are deliberate attempts made on the human psyche, and by using preventative methods and principles, one can prevent such attacks. Social engineering is a term that describes a non-technical kind of imposition that relies heavily on human interaction and often involves tricking other people into breaking normal security measures. A social engineer runs what used to be called a “cheat sport”. A person using social engineering to break into your life might try to gain your confidence and get you to reveal everything about yourself that compromises the integrity and privacy of a human. Social engineers often rely on the natural helpfulness of people as well as on their weaknesses. The process is to blend in, get trusted but trust no one, destroy everything, disclose nothing and leave no trace. Social engineering is a component of many, if not most, types of social exploits (minds). There are many masters and many minds around you. In a way, keeping undue control of your life is nothing but making you fall victim to their convincing skills of possessing you, directly or indirectly.

If we talk about technology, then virus writers use social engineering tactics to persuade people to run malware-laden email attachments, phishers use social engineering to convince people to divulge sensitive information, and scareware vendors use social engineering to panic people into running software that is useless at best and hazardous at worst. Another aspect of social engineering relies on people’s inability to keep up with a culture that relies heavily on information technology. Social engineers rely on the fact that people are not aware of the value of the information they possess and are careless about shielding it. Commonly, social engineers will search dumpsters for valuable information, commit access codes to memory by looking over someone’s shoulder, or take advantage of people’s natural proclivity to choose passwords that are meaningful to them but can be easily guessed.

Social engineering will remain the greatest threat to any security system and to human life. Prevention includes educating people about the value of information, training them to protect it, and increasing people’s awareness of how social engineers operate. Social engineers con an individual into revealing information by making them believe in illusions created around them and by possessing their faith in the name of emotional bonds. Social engineering is successful because its victims innately want to trust other people and are naturally helpful. The victims of social engineering are tricked into releasing information that they do not realize will be used to attack. For example, an employee in an enterprise may be tricked into revealing an employee identification number to someone who is pretending to be someone he trusts. While that number may not seem valuable to the employee, which makes it easier for him to reveal the information in the first place, the social engineer can use that employee number in conjunction with other information that has been gathered to get closer to finding a way into the enterprise’s network. Phishing is a type of security attack that relies on social engineering, in which the victim is lured into revealing information based on the human tendency to believe in the security of a brand name and associate it with trustworthiness.

Finding good, real-life examples of social engineering attacks is difficult. Target organizations either do not want to admit that they have been victimized, or the attack was not well documented, so that nobody is really sure whether there was a social engineering attack or not. Why are we targeted through social engineering? Well, it’s often an easier way to gain illicit access than many forms of technical hacking or hypnotizing an individual. Social engineering attacks take place on two levels: the physical and the psychological. In the workplace, over the phone, through your trash, and even online, one can barge into your privacy. A few days ago, I was not well and left my computer turned on with my email open; an unwanted person got access to my mails, and my personal interactions were exposed to office staff. This is called a physical attack. In the workplace, the hacker can simply walk in the door, like in the movies, and pretend to be a maintenance worker or consultant who has access to the organization. Then the intruder struts through the office until he or she finds a few passwords lying around, and emerges from the building with ample information to exploit the network from home later that night. Another technique to gain authentic information is to just stand there and watch an oblivious employee type in his password. The most prevalent type of social engineering attack is conducted by phone. A hacker will call up and imitate someone in a position of authority or relevance and gradually pull information out of the user. E-mail can also be used for more direct means of gaining access to a system. For instance, mail attachments sent from someone who appears authentic can carry viruses, worms and Trojan horses. Once, my computer was compromised by a few known hackers, and that is how my blogs, email, social network accounts, etc. were hacked by them.

Good hackers themselves learn social engineering (SE) from a psychological point of view, emphasizing how to create the perfect psychological environment for the attack. Influence imitation, ingratiation, consistency, dispersion of responsibility, and plain old friendliness are the common methods used in SE. Regardless of the method used, the main objective is to convince the person disclosing the information that the social engineer is in fact a person that they can trust with that sensitive information. The other important key is to never ask for too much information at a time, but to ask for a little from each person in order to maintain the appearance of a comfortable relationship. Impersonation generally means creating some sort of character and playing out the role. Apart from computer attacks, hypnotizing, taking you into a trance, past-life regressions and depression drainage are also kinds of social engineering, in which you yourself surrender to the forces. Your life is precious and also vulnerable to emotional attachments; a little smartness and a boundary for everyone can keep you from unpleasant traps.

The human brain works faster than a computer and can be programmed to work as it should; every program has a loop, and that loop becomes a vulnerability. However, while there is a patch for software, there is no patch for human stupidity.

Vaidehi Taman
(Group Editor NBC)
editornbc@gmail.com
May 2012

About the Author:

Hacker5 is a monthly magazine which provides you with the latest happenings in the cyber world. We, a group of journalists and ethical hackers, have started the magazine named Hackers 5, which talks about the Indian cyber world.
