People Hacking:
The Psychology of Social Engineering
05/07/97
Social Engineering!! What is it????
Basically, social engineering is the art and science of getting people to comply
to your wishes. It is not a way of mind control, it will not allow you to get
people to
perform tasks wildly outside of their normal behavior and it is far from
foolproof.
It also involves far more than simply quick thinking and a variety of amusing
accents. Social engineering can involve a lot of 'groundwork', information
gathering and
idle chit chat before an attempt at gaining information is ever made. Like
hacking, most of the work is in the preparation, rather than the attempt itself.
You may think this talk may seem to be a weak excuse to demonstrate how these
techniques can be used for hacking. OK, fair enough. However, the only way to
defend against this sort of security attack is to know what methods may be used.
With this knowledge it is possible to pick-up on these techniques being used
against
either you or your company and prevent security breaches before anyone gets near
your data. A CERT style security alert with few details is pointless in this
case. It
would simply boil down to "Some people may try to get access to your system by
pretending some things are true. Don't let them." As usual, no help
what-so-ever.
So What ?
Social engineering concentrates on the weakest link of the computer security
chain. It is often said that the only secure computer is an unplugged one. The
fact that
you could persuade someone to plug it in and switch it on means that even
powered down computers are vulnerable.
Also, the human part of the a security set-up is the most essential. There is
not a computer system on earth that doesn't rely on humans. This means that this
security
weakness is universal, independent of platform, software, network or age of
equipment.
Anyone with access to any part of the system, physically or electronically is a
potential security risk. Any information that can be gained may be used for
social
engineering further information. This means even people not considered as part
of a security policy can be used to cause a security breach.
A big problem ?
Security professionals are constantly being told that security through obscurity
is very weak security. In the case of social engineering it is no security at
all. It is
impossible to obscure the fact that humans use the system or that they can
influence it, because as I stated before, there isn't a computer system on earth
that does
not have humans as a part of it.
Almost every human being has the tools to attempt a social engineering 'attack',
the only difference is the amount of skill used when making use of these tools.
Methods
Attempting to steer an individual towards completing your task can use several
methods. The first and most obvious is simply a direct request, where an
individual is
asked to complete your task directly. Although least likely to succeed, this is
the easiest method and the most straightforward. The individual knows exactly
what you
want them to do.
The second is by creating a contrived situation which the individual is simply a
part of. With more factors than just your request to consider the individual
concerned
is far more likely to be persuaded, because you can create reasons for
compliance other than simply personal ones. This involves far more work for the
person
making the attempt at persuasion, and almost certainly involves gaining
extensive knowledge of the 'target'. This does not mean that situations do not
have to be
based in fact. The less untruths the better.
One of the essential tools used for social engineering is a good memory for
gathered facts. This is something that hackers and sysadminsssss tend to excel
in, especially
when it comes to facts relating to their field. To illustrate this I am going to
perform a small demonstration....
[Demonstration here. This basically showed that with social pressure an
individual will conform to a group decision, even if it is obviously the wrong
choice.]
Conformity
Even in cases where a person is sure they are right it is possible to cause them
to act in a different manner. If I had simply asked the last person on their own
what
the middle word was they would have given me the correct answer and no matter
how much I tried to persuade them they probably wouldn't have changed their
mind.
However, this group setting was a vastly different situation. This situation had
what psychologists called 'demand characteristics', that is this situation had
strong social
constraints on how the participants should act. Not wishing to offend the other
people, not wanting to look dozy in front of a large audience and not
undermining the
views of the other well respected participants all lead to a decision to 'go
with the flow'. Using situations with these characteristics is an effective way
of guiding
people's behavior.
Situations
However, most social engineering is conducted by lone individuals and so the
social pressure and other influencing factors have to be constructed by creating
a
believable situation which the target feels immersed in.
If the situation, real or imaginary has certain characteristics then the target
individual is more likely to comply with your requests. These characteristics
include:
Diffusion of responsibility away from the target individual. This is when the
individual believes that they are not solely responsible for their actions.
A chance for ingratiation. Compliance is more likely if the individual believes
that by complying they are ingratiating themselves with someone who may give
them
future benefits. This is basically getting in with the boss.
Moral duty. This is where an individual complies because they feel it is their
moral duty to. Part of this is guilt. People prefer to avoid guilt feelings and
so if there is
a chance that they will feel guilty they will if possible avoid this outcome.
Personal persuasion
On a personal level there are methods that are used to make a person more likely
to co-operate with you. The aim of personal persuasion is not to force people to
complete your tasks, but enhance their voluntary compliance with your request.
There is a subtle difference. Basically, the target is simply being guided down
the intended path. The target believes that they have control of the situation,
and that
they are exercising their power to help you out.
The fact that the benefits that the person will gain from helping you out have
been invented is irrelevant. They target believes they are making a reasoned
decision to
exchange these benefits for a small loss of their time and energy.
Co-operation
There are several factors, which if present will increase the chances of a
target co-operating with a social engineer.
The less conflict with the target the better. Co-operation will be more readily
gained when the softly-softly approach is used. Pulling rank (or invented rank),
annoyance or orders rarely work for effective coercion.
The 'foot in the door' factor is where the focus of a persuasion attempt already
knows a you or has had experience of dealing with you. This is a particularly
effective
and was known by con men as the 'confidence trick'. Psychological research
showed that people are more likely to comply with a large request if they have
had
previously complied to a far smaller one. If this 'foot in the door' includes a
positive history of co-operation, where things have gone well in the past, then
the chances
of co-operation are greatly increased.
The more sensory information a target can gain from a social engineer the
better. This is especially true of sight and sound, you are more likely to be
believed if the
target can see and hear you than if they can just hear your voice over the
phone. Unsurprisingly ASCII text communications are do not lend themselves to
persuasion.
It is very easy to refuse someone via a IRC style chat.
Involvement
However, success does depend a lot on how involved a person is in the request
you are making. We can say system administrators, computer security officers,
technicians and people who rely on the system for essential work tools or
communication are highly involved in most social engineering attacks by hackers.
Highly involved people are persuaded better by strong arguments. In fact the
more strong arguments you give them the better. Surprisingly its not the same
for weak
arguments. Someone highly involved in the attempt at persuasion is less likely
to be persuaded if you give them weak arguments. When someone is likely to be
directly affected by a social engineering attempt, weak arguments tend to
generate counter arguments in the targets head. So for highly involved people,
the rule is
more strong arguments, less weak arguments.
People are classed as low involvement if they have very little interest in what
you are asking them to do. Relevant examples might be security guards, cleaners,
or
receptionists at a computer system site. Because low involvement people are not
likely to be directly affected by a request, they tend not to bother analyzing
the pros
and cons of persuasive banter. Instead it is common for a decision to agree with
your request or not to be made based on other information. Such information
could
be the sheer number of reasons the social engineer gives, the apparent urgency
of the request or the status of the person trying to do the persuading. The rule
of
thumb here is simply the more arguments or reasons the better. Basically, people
who aren't involved in what a social engineer is trying to achieve will be more
persuaded by the number of arguments or requests rather than how relevant they
are.
One important point to note is that less competent people are more likely to
follow more competent models. In the case of computer systems this is likely to
be low
involvement people. The moral of these points is, don’t try and social engineer
the sysadmins, unless of course the sysadmins is less competent than you are,
which as
we all know is very unlikely.
Securing against human attacks
With all this information how would someone go about making their computer
system more secure ? A good first step would be to make computer security part
of
everyone's job whether they use computer or not. This will not only boost their
self perceived status with no extra cost to you but will make staff more
vigilant. If you
make someone involved in keeping your computer system secure they are more
likely to pay closer attention to unauthorized individuals trying to gain access
to a
system.
However, the best defense against this, as with most things, is education.
Explaining to employees the importance of computer security and that there are
people who
are prepared to try and manipulate them to gain access is an effective and wise
first step. Simply forewarning people of possible attacks is often enough to
make
them alert enough to spot them. Remember, to give both sides of the story when
educating people about computer security. This isn't just my personal bias. When
individuals know both sides of an argument they are less likely to be dissuaded
from their chosen position. And if they are involved in computer security, their
chosen
position is likely to be on the side of securing your data.
There are attributes which people less likely to comply with persuasion tend to
have. Less compliant people tend to be pretty bright, highly original, able to
cope with
stress and reasonably self confident. Stress management and self confidence can
be taught or at least enhanced. Self assertion courses are often used for
management employees, this training is excellent in reducing the chances of an
individual being socially engineered, as well as having many other employment
benefits.
What this comes down to is making people aware and involved in your security
policy. This takes little effort and gives great rewards in terms of the amount
of risk
reduction.
Conclusion
Contrary to popular belief, it is often easier to hack people than sendmail. But
it takes far less effort to have employees who can prevent and detect attempts
at
social engineering than it is to secure any Unix system.
sysadmins, don't let the human link in your security chain let your hard work go
to waste. And hackers, don't let sys-admins get away with weak links, when it is
their
chains that are holding your data.