{"id":8720,"date":"2019-09-03T21:52:32","date_gmt":"2019-09-03T19:52:32","guid":{"rendered":"https:\/\/blog.mi.hdm-stuttgart.de\/?p=8720"},"modified":"2023-08-06T21:44:34","modified_gmt":"2023-08-06T19:44:34","slug":"social-engineering-learn-from-the-best","status":"publish","type":"post","link":"https:\/\/blog.mi.hdm-stuttgart.de\/index.php\/2019\/09\/03\/social-engineering-learn-from-the-best\/","title":{"rendered":"Social Engineering \u2013 Learn From the Best!"},"content":{"rendered":"\n
\"Kevin<\/figure>\n\n\n\n

It isn\u2019t always necessary to attack by technical means to collect information or to penetrate a system. In many cases, it\u2019s more effective to exploit the human risk factor. To successfully protect yourself and your company from social engineering, you\u2019ve to understand how a social engineer works. And the best way to do this is by listening to the world’s most wanted hacker Kevin David Mitnick. Nowadays, the former social engineering hacker uses his expert knowledge to advise companies on how to protect themselves against such attacks. This blog entry is based on his bestseller \u201cThe Art of Deception: Controlling the Human Element of Security\u201d. It sheds light on the various techniques of social engineering and enumerates several ways in which you can arm yourself against them. <\/p>\n\n\n\n\n\n\n\n

Who’s This World’s Most Wanted Hacker?<\/h2>\n\n\n\n

Childhood and Adolescence<\/strong><\/h4>\n\n\n\n

In 1963, the most wanted hacker, Kevin David Mitnick<\/strong>, was born in Los Angeles [1]. He grew up with his single mother who worked a lot as a consequence he spent a huge amount of time by himself. But he enjoyed his resulting freedoms. <\/p>\n\n\n\n

At the age of 12, Kevin Mitnick found out how to use the Los Angeles bus network for free<\/strong>. For this, he had to elicit internal company secrets from the bus drivers, such as where to buy the right punch to validate empty tickets. He realized for the first time how useful his outstanding talent in manipulation could be. <\/p>\n\n\n\n

In his high school years, Kevin Mitnick met a classmate who introduced him to the art of phone phreaking<\/strong>. This is a type of hacking where the attacker explores the telephone network by exploiting telephone systems and employees of telephone companies. The two of them spent a lot of time using the telephone network for their amusement and making free calls. <\/p>\n\n\n\n

After graduating from high school, Kevin Mitnick studied computer science <\/strong>at the Computer Learning Center in Los Angeles. After only a few months and a hacked computer system, they made him a special offer. He had the choice either to run a project to improve computer security at the Computer Learning Center, or they would kick him out for hacking their system. He took the opportunity and run the project. In the end, he graduated cum laude. <\/p>\n\n\n\n

\"Kevin
Kevin Mitnick as a child [1]<\/figcaption><\/figure>\n\n\n\n

Hard Times<\/strong><\/h4>\n\n\n\n

Over the following years, Kevin Mitnick hacked into 40 major corporations<\/strong> [2]. He never damaged the systems or sold stolen information. He loved the intellectual challenge of breaking into systems and networks to find out how the technology works. And being always one step ahead was a big part of his satisfaction. <\/p>\n\n\n\n

\"Kevin
Kevin Mitnick’s Wanted Poster (November 1992) [2]<\/figcaption><\/figure>\n\n\n\n

In 1992, Kevin Mitnick was on the FBI Most Wanted List for penetrating some of the best-secured computer systems in the USA. After a few years of fatiguing escape, he was arrested on February 15, 1995<\/strong> [3]. He spent five years in prison<\/strong> followed by three years of supervised release<\/strong> during which time he was not allowed to use any computer system at all [1]. <\/p>\n\n\n\n

\"Kevin
Kevin Mitnick goes into the U.S. Courthouse in Raleigh (February 17,1995) [3]<\/figcaption><\/figure>\n\n\n\n

Kevin Mitnick Today<\/strong><\/h4>\n\n\n\n

Kevin Mitnick is one of the<\/strong> global bestselling authors<\/strong> and wrote four books [2]. His first bestseller \u201cThe Art of Deception: Controlling the Human Element of Security\u201d was published in 2002. The blog entry focuses on this work. Three years later his second book \u201cThe Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers\u201d was published. By the condition of the court, he wasn\u2019t allowed to report on his experiences as a hacker for several years. Therefore, his work \u201cGhost in the Wires: My Adventures as the World\u2019s Most Wanted Hacker\u201d was released for the first time in 2011. His last book is from the year 2017 and bears the title \u201cThe Art of Invisibility: The World\u2019s Most Famous Hacker Teaches You How to Be Safe in the Age of Big Brother and Big Data\u201d. <\/p>\n\n\n\n

Furthermore, he\u2019s the CEO of <\/strong>Mitnick Security<\/strong><\/a> [2]. Kevin Mitnick and his team analyze security risks and vulnerabilities of their clients using sophisticated technology and in-depth knowledge [4]. Some of their clients<\/a> are for example Dell, Hewlett Packard, IBM, NASA, Oracle, Visa and MasterCard [5].<\/p>\n\n\n\n

Besides, he\u2019s the Chief Hacking Officer of <\/strong>KnowBe4<\/strong><\/a> which is a security awareness training company [3]. And all around the world Kevin Mitnick gives presentations and talks about the latest hacking techniques [2].<\/p>\n\n\n\n

\"Kevin
Kevin Mitnick is the world\u2019s most famous hacker, a bestselling author and one of the top cybersecurity speakers [4]<\/figcaption><\/figure>\n\n\n\n

What is a Social Engineer?<\/h2>\n\n\n\n
\n

Social engineering uses influence and persuasion to deceive people by convincing them that the social engineer is someone he is not, or by manipulation. As a result, the social engineer is able to take advantage of people to obtain information with or without the use of technology.<\/p>\n Kevin Mitnick [6] <\/cite><\/blockquote>\n\n\n\n

In simple words, social engineering is an activity in which people are made to do things for strangers<\/strong> that they wouldn\u2019t normally do. It works primarily because employees have no idea of basic safety practices. And the social engineer also takes advantage of human credulity as well as the need to help other people. <\/p>\n\n\n\n

To be a successful social engineer, he or she usually possesses very good social skills<\/strong>. It\u2019s someone who is charming<\/strong>, polite<\/strong> and has sympathetic character traits<\/strong>. All these qualities lead people to immediately build a relationship with that person. Which is above all characterized by trust. An experienced social engineer can acquire practically all desired information with the help of the tactics and strategies of his trade. <\/p>\n\n\n\n

The Cycle of Social Engineering<\/h2>\n\n\n\n
\"Social
Diagram of the cycle of social engineering<\/figcaption><\/figure>\n\n\n\n

Everything starts with the research<\/strong>. The social engineer needs facts and information to know the intern jargon better. It\u2019s requisite for developing relationships and trust in the next step. The research includes searching publicly accessible sources such as annual reports, newspaper clippings or content of websites. Sometimes dumpster diving<\/a> could be necessary. <\/p>\n\n\n\n

In the next phase, the social engineer develops<\/strong> relationships and trust<\/strong>. Therefore, he or she uses insider information or misrepresentation of identity. In some cases, the social engineer names references to a person known to the victim as well as taking advantage of the need for help or the bondage to authority.<\/p>\n\n\n\n

After that, the attacker starts to exploit the trust. He or she\u2019s requesting information or an action<\/strong> from the victim. Sometimes the social engineer manipulates the victim in such a way that he or she asks the attacker for help. <\/p>\n\n\n\n

If the collected data isn\u2019t the final information in demand. The social engineer returns to step one and repeats the whole cycle until the target is reached<\/strong>. <\/p>\n\n\n\n

The Art of the Attacker: The 7 Steps to Get Someone to Do What the Attacker Wants<\/h2>\n\n\n\n

Some mentioned\ntechniques are strongly interconnected. However, it\u2019s neither necessary nor\nuseful to use all techniques at the same time. But every technique can be\nadvantageous at different times and for different victims. With every attack, a\nsocial engineer refines his or her sense of when which methods should be used. The\nfollowing seven headlines are from Kevin Mitnick’s book \u201cThe Art of Deception\u201d\nand correspond to chapters two to eight.<\/p>\n\n\n\n

#1 When Innocuous Information Isn\u2019t: The Hidden Value of Information<\/strong><\/h4>\n\n\n\n

Even if individual pieces of information may be irrelevant in themselves when someone puts everything together the hidden value becomes visible<\/strong>. For example, when a social engineer collects pieces of information like department abbreviations and for what they\u2019re responsible, he or she gets a clear picture of the internal structure of a company. Knowing the internal jargon and the structure of a company is very helpful. By having internal knowledge a social engineer gains credibility.<\/p>\n\n\n\n

#2 The Direct Attack: Just Asking for It<\/strong><\/h4>\n\n\n\n

Many attacks by social engineers are complicated and require good planning of the individual steps. They rely on technical sophistication and extensive manipulation. It’s amazing, however, that sometimes it’s enough to just ask for the wanted information<\/strong>. In this case, the knowledge of the internal jargon is of great importance. Employees would never give away sensitive information. But of course, different rules apply to colleagues than to outsiders. Another very common tactic is to hide the key question among a lot of unimportant questions and statements.<\/p>\n\n\n\n

#3 Building Trust: The Key to Deception<\/strong><\/h4>\n\n\n\n

It happens that an employee doesn’t know the person who asks him or her for something. They work in different departments of the company or at least the other one claims that. But if the information provided is appropriate and the other person gives the impression that he or she\u2019s the necessary knowledge by using the right internal jargon. The victim will expand the circle of trust and includes the person in it. Then the employee probably gives the social engineer what he or she\u2019s asking for. By having internal knowledge an attacker gains credibility and this credibility leads to trust<\/strong>.<\/p>\n\n\n\n

#4 \u201cLet Me Help You\u201d<\/strong><\/h4>\n\n\n\n

Everyone is\nvery grateful when he or she deals with a problem and then someone comes by\nwith knowledge and skill to help and offer support. The social engineer takes\nadvantage of this and knows exactly how he or she can solve the problems for\nothers since the social engineer causes them. After solving the artificially generated\nproblem the victim is very grateful and happy for the support. This can lead to\na situation where the victim gives the attacker some critical information or do\nhim or her a favor. <\/p>\n\n\n\n

Another\nbenefit is that an attacker who is called by the victim gains immediate\ncredibility. Because the victim thinks that he or she\u2019s calling someone who\nworks in computer service, the victim would never ask the attacker to prove his\nor her identity. <\/p>\n\n\n\n

To set up a situation in which the victim has to deal with a problem and asks the social engineer for help is called Reverse Social Engineering <\/strong>or the Reverse Sting<\/strong>. Another form of Reverse Social Engineering is when the victim recognizes the attack and uses psychological principles of manipulation to obtain as much information as possible from the attacker. With the help of this information, the company can try to protect themselves. <\/p>\n\n\n\n

#5 \u201cCan You Help Me?\u201d<\/strong><\/h4>\n\n\n\n

Another successful method of social engineering is to pretend that the attacker needs help<\/strong>. If somebody is in a jam, he or she\u2019s the people\u2019s sympathy. And this has proven to be an effective lever to achieve the social engineer’s goal. For example, an attacker introduces himself as an alleged colleague and the victim believes him or her. The diligence to help a colleague sometimes lubricates the cogs in the industry. But at the same time, this willingness to help could be a vulnerability and the social engineer would always take this chance and tries to exploit it.  <\/p>\n\n\n\n

#6 Phony Sites and Dangerous Attachments<\/strong><\/h4>\n\n\n\n

People have\na natural desire to get gifts for free. The smart attacker keeps that fact in\nmind while trying to break into the corporate network. Occasionally an offer\nappears in the mailbox that attracts the victim\u2019s attention. No matter what the\noffer is about, the email will show how to download a file or click a link. And\nif the victim follows the instructions, the attacker wins. <\/p>\n\n\n\n

The most damaging forms of malicious code \u2013 worms \u2013<\/strong> have all relied on social engineering techniques to spread them, exploiting that everyone wants something for free<\/strong>. Especially when the email comes from a friend or business colleague, people tend to open the attachment without bad ulterior motives. The worm can multiply through innocent victims and appears to come from a trusted person. <\/p>\n\n\n\n

Another type of internet fraud is that the attacker has set up a false login website<\/strong>, which looks very similar to the real website. The difference is that the wrong screen page does not give access to the computer system that the user wants to reach, but instead forwards his or her username and password to the hacker.<\/p>\n\n\n\n

Another regularly recurring trick is to send an email with a tempting offer to visit a certain website, and the receiver can go there directly via a link in the email. Only that this link won\u2019t take the receiver to the expected website<\/strong>, because the link in principle only pretends to connect to that website. The social engineer exploits the fact that people do not pay close attention to the exact link spelling or perceive a minimal deviation as a representation error. For example www.PayPai.com instead of www.PayPal.com. The fake website looks similar to the real website and the victims enter their usernames, passwords or credit card information carelessly. <\/p>\n\n\n\n

#7 Using Sympathy, Guilt, and Intimidation<\/strong><\/h4>\n\n\n\n

Skillful social engineers are very experienced in inventing impostures in which emotions such as fear, excitement or guilt are used to manipulate the victims<\/strong>. They use psychological triggers \u2013 automatic mechanisms that make others react immediately to concerns without a thorough analysis of all available information.<\/p>\n\n\n\n

Everyone\nremembers the first day, especially when somebody is young and inexperienced.\nSo when a newly hired person asks for help, he or she can assume that many\npeople remember the feelings and help more than usual. A social engineer takes\nadvantage of this and can use it to get the victim\u2019s sympathies. <\/p>\n\n\n\n

Furthermore,\neveryone wants to avoid difficult situations for themselves and others.\nBuilding on this positive impulse, the attacker can take advantage of a\nperson’s sympathy, make the victim feel guilty, or use intimidation as a\nweapon.<\/p>\n\n\n\n

A popular and highly effective form of intimidation relies on influencing human behavior through the use of authority<\/strong>. The name of the executive secretary alone can be of value. To mention the name of a person with a high(er) position is called <\/strong>name-dropping<\/strong><\/a>. It\u2019s usually used to quickly establish a relationship with a victim because it assumes that the attacker is very close to an authority figure. The scam of intimidating someone by reference to authority works particularly well when the other person is in a fairly low position in the hierarchy of the company. Besides a victim is much more likely to do the social engineer a favor if he or she\u2019s supposed to know a friend of the victim. <\/p>\n\n\n\n

Are There Any Warning Signs for an Attack?<\/h2>\n\n\n\n

A warning sign could be if a caller refuses to provide a callback number<\/strong> or have unusual requests<\/strong>. Furthermore, if somebody tries to play out authority<\/strong> or has a request with particularly high urgency<\/strong>, special care should be taken. In such cases, intimidation shouldn\u2019t be the reason for giving in. Maybe the attacker tries to increase the pressure with the threat of negative consequences<\/strong> in the event of non-cooperation. Often he or she reacts annoyed to inquiries<\/strong>. Also, the opposite could be used to manipulate the victim for example with compliments<\/strong>, flatteries<\/strong> or flirts<\/strong>. And last but not least, occasionally dropping known names<\/strong>.  <\/p>\n\n\n\n

What Can You Do to Protect Yourself and Your Company?<\/h2>\n\n\n\n

Kevin\nMitnick has dedicated an entire chapter to the subject \u201cRecommended Corporate\nInformation Security Policies\u201d in his book \u201cThe Art of Deception\u201d. Here you can\nfind some of his tips to reduce the chances of a social engineer. But the most\nimportant thing first, every company should adapt the policies to its demands\nand circumstances. There is no such thing as off-the-shelf safety.<\/p>\n\n\n\n