"Social engineering" is
hacker-speak for conning legitimate computer users into providing useful information that
helps the hacker gain unauthorized access to their computer system.
The attacker using social engineering usually
poses as a legitimate person in the organization and tricks computer users into giving
useful information. This is usually done by telephone, but it may also be done by forged
e-mail messages or even an in-person visit.
Most people think computer break-ins are purely technical, the
result of technical flaws in computer systems that the intruders are able to exploit. The
truth is, however, that social engineering often plays a big part in helping an attacker
slip through the initial security barriers. Lack of security awareness or gullibility of
computer users often provides an easy stepping stone into the protected system in cases
when the attacker has no authorized access to the system at all.
In testimony before Congress
after he was released from jail, our country's most notorious computer
hacker, Kevin Mitnick, told the lawmakers that the weakest element in
computer security is the human element. "I was so successful in
[social engineering] that I rarely had to resort to a technical
attack," Mitnick explained. He added that "employee training to
recognize sophisticated social engineering attacks is of paramount
As an example of how it is
done, here is a quick summary of Case 2, a successful hacking operation based almost entirely
on social engineering:
- Posing as someone from the public relations
department, the hackers called an executive's secretary and succeeded in obtaining the
executive's employee number. A second call exploited the knowledge of the executive's
employee number in order to obtain the executive's cost center number, which was then used
to receive overnight courier service delivery of the company's internal phone
- The hackers called the office in charge of new
employees and were able to obtain a list of new employees.
- Posing as information systems employees, the
hackers told the new employees that they wanted to give them a computer security
awareness briefing over the phone. During this process, the hackers obtained
"basic" information including the types of computer systems used, the software
applications used, the employee number, the employee's computer ID, and their password.
- Using a "war dialer" together with a
call to the company's computer help desk, the hackers obtained the phone numbers of the
- They then called the modems and used the
compromised computer IDs and passwords to gain access to the system.
contains a detailed explanation of how this was accomplished -- the cover stories and
other manipulations that were used.
Some of the more common social engineering
- The attacker pretends to be a legitimate
end-user who is new to the system or is simply not very good with computers. The attacker
may call systems administrators or other end-users for help. This "user" may
have lost his password, or simply can't get logged into the system and needs to access the
system urgently. The attacker may sound really lost so as to make the systems
administrator feel that he is, for example, helping a damsel in distress. This often makes
people go way out of their way to help.
- The attacker pretends to be a VIP in the
company, screaming at administrators to get what he wants. In such cases, the
administrator (or it could be an end-user) may feel threatened by the caller's authority
and give in to the demands.
- The attacker takes advantage of a system
problem that has come to his attention, such as a recently publicized security
vulnerability in new software. The attacker gains the user's trust by posing as a system
administrator or maintenance technician offering help. Most computer users are under the
mistaken impression that it is okay to reveal their password to computer technicians.
- The attacker posing as a system administrator
or maintenance technician can sometimes persuade a computer user to type in computer
commands that the user does not understand. Such commands may damage the system or create
a hole in the security system that allows the attacker to enter the system at a later
Computer security experts recommend the
following measures to outsmart a hacker:
- If you cannot personally identify a caller who
asks for personal information about you or anyone else (including badge number or employee
number), for information about your computer system, or for any other sensitive
information, do not provide the information. Insist on verifying the caller's
identity by calling them back at their proper telephone number as listed in your
organization's telephone directory. This procedure creates minimal inconvenience to
legitimate activity when compared with the scope of potential losses.
- Remember that passwords are sensitive. A password for your personal
account should be known ONLY to you. Systems administrators or maintenance technicians who
need to do something to your account will not require your password. They have their own
password with system privileges that will allow them to work on your account without the
need for you to reveal your password. If a system administrator or maintenance technician
asks you for your password, be suspicious.
- Systems maintenance technicians from outside
vendors who come on site should be accompanied by the local site administrator (who should
be known to you). If the site administrator is not familiar to you, or if the technician
comes alone, it is wise to give a call to your known site administrator to check if the
technician should be there. Unfortunately, many people are reluctant to do this because it
makes them look paranoid, and it is embarrassing to show that they do not trust a visitor.
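The callback rule and the password rule above, as an added example (not from the article or from either reference) of how a help desk can build both into its account-reset handling: the identity is checked against the organization's own directory rather than anything the caller supplies, and the privileged reset never asks for the user's current password. The directory entry, employee number and phone numbers are constructed, and `callback_confirmed` stands in for the human step of reaching the person at the listed number.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Constructed sample directory: the organization's own listing, the only
# source of a callback number. Employee ids and phone numbers are made up.
DIRECTORY = {"e1042": {"name": "A. Example", "phone": "555-0142"}}


@dataclass
class Account:
    employee_id: str
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    digest: bytes = b""
    must_change: bool = False  # set after an admin reset; user picks a new password

    def set_password(self, password: str) -> None:
        self.salt = os.urandom(16)
        self.digest = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def check_password(self, password: str) -> bool:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        return hmac.compare_digest(self.digest, candidate)


def callback_number(claimed_id: str, caller_supplied_phone: str) -> Optional[str]:
    """Return the directory-listed number for the claimed identity, or None if the
    identity is unknown. The number the caller gives is deliberately not used."""
    entry = DIRECTORY.get(claimed_id)
    return entry["phone"] if entry else None


def admin_reset(account: Account) -> str:
    """Privileged reset: issue a fresh temporary password and require a change at next
    login. The administrator never needs, and never asks for, the existing password."""
    temporary = secrets.token_urlsafe(12)
    account.set_password(temporary)
    account.must_change = True
    return temporary


def handle_reset_request(accounts: Dict[str, Account], claimed_id: str,
                         caller_supplied_phone: str,
                         callback_confirmed: Callable[[str], bool]) -> str:
    """Help-desk flow: no account change until the directory callback succeeds."""
    number = callback_number(claimed_id, caller_supplied_phone)
    if number is None:
        return "refused: identity not in directory"
    if not callback_confirmed(number):
        return "refused: callback not confirmed"
    return "reset issued: " + admin_reset(accounts[claimed_id])
```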
If you feel you have thwarted or perhaps been
victimized by an attempt at social engineering, report the incident to your manager and to
security personnel immediately.
1. National Security Institute, "Top Hacker Tells Congress that Employees Are Security's Weakest Link," NSI Advisory, April 2000.
2. Erik Guttman, Lorna Forey, and G. Malkin, Users' Security Handbook, Internet Engineering Task Force, July 1998 draft.