Tuesday, February 8, 2011

Social Engineering

Why waste your time trying to break passwords and encryptions when you can so easily social engineer. Social engineering can be defined as obtaining information, gaining access or making the target perform certain actions using psychological tricks on a person rather than breaking into a system. Hacking using social engineering is often easier than breaking into computers. In any secure system the weakest link is the human. Humans have cognitive biases, also called the bugs in the human hardware, and social engineers exploit these bugs. There are several techniques of social engineering in existence, some of the more prominent ones are.

1.       Pretexting

Pretexting means, using a fake, invented scenario to persuade the victim to divulge valuable information. Pretexting involves some amount of background research on the victim, so that the hacker appears to be a legitimate person. Pretexting can be in person, online or through phone. Hackers can call individuals, pretending to be customer service representatives or can call company individuals pretending to be high ranked officials and get them to divulge confidential information.

2.       Dumpster Diving

Dumpster diving is gathering information which has been discarded by a company to a dumpster. Things like discarded policy manuals, calendars, outdated hardware, memos and letter provide a huge amount of information to a hacker.

3.       Phising

In a phising scam, the hacker sends the victim an email, usually alerting him about changing his password to a certain website or even just asking them to login to a certain website where they have their account, like facebook, yahoo or some bank website. The scammer then provides a link in the email, which will supposedly carry the victim to the website mentioned in the email. The link instead carries the victim to a fake website which looks exactly like the original website. The difference though is that this website is designed by the scammer to forward the login information to him.

4.       Reverse Social Engineering

Reverse social engineering is the smartest technique of social engineering which has the best probability of getting results to the hacker. In this technique the attacker sets up the system such that the victim comes to him asking for help. Since the victim himself is asking for directions he can be manipulated at will. Reverse social engineering consists of three steps, sabotage, advertising and assisting. First the attacker sabotages the system and causes a problem to arise. He then advertises himself as the person who can fix the problem. This makes people come to him asking for help. He then helps the people fix the problem he himself had created and in the process extracts confidential information bit by bit from them.