Social Engineering, and the Caveman Threat
Posted by: Eric Hansen
The human mind is a very volatile creation. Level of intelligence varies from individual to individual, but yet…we all suffer from the same vulnerability. We believe the unbelievable. This is the single biggest threat to ANYONE, from conceptual thoughts to Fortune 500 corporations; there are many people who will fall for even the silliest stories.
Working where I do, it has become sadly obvious that everyone, from the floors to the C*O offices, will tell you anything if you ask for it. Granted, some people are more aware and will question you if you flat out ask for their full Social Security Number, but that is few and far between. If people are more than willing to give out this information, then how do you expect them to keep your latest-and-greatest product under wraps? This is where this article comes in. There really is no way to stop this threat, since you don’t control people’s minds…but there are ways to better safeguard your fortune’s life. Before going into prevention, however, I would like to discuss a little bit of how this topic, social engineering, works.
As already stated, this deals with the human mind, and that’s all. Most people’s first attempt is to be friendly to the individual they are targeting. For example, say your janitor of 10 years wants the inside scoop of your newest networking topology…how are they going to get it? They could just walk right into your office during the night and steal it, but that would get them caught rather fast since they are the only ones to work at night. So, they just sit and ponder for a while, and realize that your secretary is new, and probably does not know how to not talk about confidential information. Over the coming weeks, the janitor begins to befriend your secretary, slowly bringing the topology work into the conversation…just testing the waters. However, after a couple of months, the janitor’s got all the information they need and they sell the information to another company.
Gathering information isn’t the only purpose of social engineering, though. As much as I really prefer to steer clear of this type of reference, I want to talk about the beginnings of Microsoft. Before I begin this, I want to say this…the information on this story is from “Pirates of Silicon Valley”…so the factual integrity isn’t assured. For those who have seen the movie, you may recall this quite well, but here’s the shortened version of this. Around the time of Windows (when MS-DOS was being slowly dismantled), both Microsoft and Apple were competing for the first commercially available GUI operating system. Near the release of both OSs, Apple’s Steve Jobs confronted Microsoft’s Bill Gates, claiming Apple created the exact same GUI before Microsoft did, and Microsoft is just stealing from Apple. Bill Gates, however, has always been able to “con” his way into victory, and he did not fail here either. He reassured Apple that what Microsoft is doing is completely legal, and is not violating any copyrights and the like. Steve Jobs fell for these apparent lies, and Microsoft took over the market eventually.
You might be wondering, after reading all of that, what does that have to do with social engineering? Well, if Bill Gates hadn’t been able to convince Steve Jobs that he’s following the law, he could’ve been sued, and Apple could’ve taken over the market share. However, Bill Gates knew exactly how to attack Steve Jobs, and he did it successfully by using social engineering.
As I have given two examples, I would like now to examine ways to stop this kind of stuff from happening. One way is to only let the people who need to know, actually know the information. This isn’t the most sure-fire way, but it does help…because then you can narrow down who is leaking the information. Another way is by having the parties involved sign a contractual confidentiality agreement, to where they must agree to not speak of the material in question to anyone who shouldn’t know about it. This is possibly one of the best ways to handle it, if you want to spend the time and effort into it, because in reality, no one really wants to be sued…especially when they will lose right off the bat.
As of right now, this is all that can really be covered on the topic of social engineering, without repeating myself. It’s a rather simple concept and act, but the results can be devastating. Most likely, another article will follow on this issue in the future…but until then, I plan on writing a few different articles.
(Side note: I know this isn’t enterprise-specific, but I feel it hurts businesses a lot more than it would an individual in certain circumstances.)


