Basically, social engineering is the art and science of getting people toc omply to your wishes. It is not a way of mind control, it will not allowy ou to get people to perform tasks wildly outside of their normalb ehaviour and it is far from foolproof.
It also involves far more than simply quick thinking and a variety of amusing accents. Social engineering can involve a lot of 'groundwork', information chit-chat chit chat before an attempt at gaining information is ever made. Like hacking, most of the work is in the preparation, rather than the attempt itself.
You may think this talk may seem to be a weak excuse to demonstrate how these techniques can be used for hacking. OK, fair enough. However, the only way to defend against this sort of security attack is to know what methods may be used. With this knowledge, it is possible to pick up on these techniques being used against either you or your company and prevent security breaches before anyone gets near your data. A CERT-style security alert with few details is pointless in this case. It would simply boil down to "Some people may try to get access to your system by pretending some things are true. Don't let them." As usual, no help whatsoever.
So What ?
Social engineering concentrates on the weakest link of the computer security chain. It is often said that the only secure computer is an unplugged one. The fact that you could persuade someone to plug it in and switch it on means that powered-down down computers are vulnerable.
Also, the human part of the security setup is the most essential. There is not a computer system on earth that doesn't rely on humans. This means that this security weakness is universal, independent of platform, software, network or age of equipment.
Anyone with access to any part of the system, physically or electronically is a potential security risk. Any information that can be gained may be used for social engineering further information. This means even people not considered as part of a security policy can be used to cause a security breach.
A big problem ?
Security professionals are constantly being told that security through obscurity is very weak security. In the case of social engineering, it is no security at all. It is impossible to obscure the fact that humans use the system or that they can influence it because as I stated before, there isn't a computer system on earth that does not have humans as a part of it.
Almost every human being has the tools to attempt a social engineering 'attack', the only difference is the amount of skill used when making use of these tools.
Methods
Attempting to steer an individual towards completing your task can use several methods. The first and most obvious is simply a direct request, where an individual is asked to complete your task directly. Although least likely to succeed, this is the easiest method and the most straightforward. The individual knows exactly what you want them to do.
The second is by creating a contrived situation that the individual is simply a part of. With more factors than just your request considered the individual concerned is far more likely to be persuaded because you can create reasons for compliance other than simply personal ones. This involves far more work for the person attempting persuasion, and almost certainly involves gaining extensive knowledge of the 'target'.
This does not mean that situations do not have to be based on fact. The fewer untruths the better.
One of the essential tools used for social engineering is a good memory for gathered facts. This is something that hackers and sysadmins tend to excel in, especially when it comes to facts relating to their field. To illustrate this I am going to perform a small demonstration....
[Demonstration here. This showed that with social pressure an the individual will conform to a group decision, even if it is the wrong choice.]
Conformity
Even in cases where a person is sure, they are right it is possible to cause them to act differently. If I had simply asked the last the person on their own what the middle word was they would have given me the correct answer and no matter how much I tried to persuade them they probably wouldn't have changed their mind.
However, this group setting was a vastly different situation. This situation had what psychologists called 'demand characteristics', that is this situation had strong social constraints on how the participants should act. Not wishing to offend the other people, not wanting to look dozy in front of a large audience and not undermining the views of well-respected other well-respected participants all lead to a decision to 'go with the flow'. Using situations with these characteristics is an effective way of guiding people's behavior.
Situations
However, most social engineering is conducted by lone individuals and so the social pressure and other influencing factors have to be constructed by creating a believable situation which the target feels emmersed in.
If the situation, real or imaginary has certain characteristics then the target individual is more likely to comply with your requests. These characteristics include:
Diffusion of the responsibility away from the target individual. This is when the individual believes that they are not solely responsible for their actions.
A chance for ingratiation. Compliance is more likely if the individual believes that by complying they are ingratiating themselves with someone who may give them future benefits. This is getting in with the boss.
Moral duty. This is where an individual complies because they feel it is their moral duty to. Part of this is guilt. People prefer to avoid guilt feelings and so if there is a chance that they will feel guilty they will if possible avoid this outcome.
Personal persuasion
On a personal level, some methods are used to make a person more likely to co-operate with you. The aim of personal persuasion is not to force people to complete your tasks, but enhance their voluntary compliance with your request.
There is a subtle difference. The target is simply being guided down the intended path. The target believes that they have control of the situation and that they are exercising their power to help you out.
The fact that the benefits that the person will gain from helping you out have been invented is irrelevant. The target believes they are making a reasoned decision to exchange these benefits for a small loss of their time and energy.
Co-operation
There are several factors, which if present will increase the chances of a target co-operating with a social engineer.
The less conflict with the target the better. Co-operation will be more readily gained when the softly-softly approach is used. Pulling rank (or invented rank), annoyance, or orders rarely work for effective coercion.
The 'foot in the door' factor is where the focus of a persuasion attempt already knows you or has had an experience of dealing with you. This is particularly effective and was known by con men as the 'confidence trick'.
Psychological research showed that people are more likely to comply with a large request if they had previously complied to a far smaller one.
If this 'foot in the door' includes a positive history of co-operation, where things have gone well in the past, then the chances of co-operation are greatly increased.
The more sensory information a target can gain from a social engineer the better. This is especially true of sight and sound, you are more likely to be believed if the target can see and hear you than if they can just hear your voice over the fone. Unsurprisingly ASCII text communications do not lend themselves to persuasion. It is very easy to refuse someone via a IRC-style chat.
Involvement
However, success does depend a lot on how involved a person is in the request you are making. We can say, system administrators, computer-security officers, technicians, and people who rely on the system for essential work tools or communication are highly involved in most social engineering attacks by hackers.
Highly involved people are persuaded better by strong arguments. The more strong arguments you give them the better. Surprisingly it's not the same for weak arguments. Someone highly involved in the attempt at persuasion is less likely to be persuaded if you give them weak arguments.
When someone is likely to be directly affected by a social engineering attempt, weak arguments tend counterarguments counter-arguments in's targetshead. So for highly involved people, the rule is more strong arguments, less weak arguments.
People are classed as low involvement if they have very little interest in what you are asking them to do. Relevant examples might be security guards, cleaners, or receptionists at a computer system site. Because low involvement people are not likely to be directly affected by a request, they tend not to bother analyzing the pros and cons of persuasive banter.
Instead, it is common for a decision to agree with your request or not to be made based on other information. Such information could be the sheer number of reasons the social engineer gives, the apparent urgency of the request or the status of the person trying to do the persuading. The rule of thumb here is simply the more arguments or reasons the better.
People who aren't involved in what a social engineer is trying to achieve will be more persuaded by the number of arguments or requests rather than how relevant they are.
One important point to note is that less competent people are more likely to follow more competent models. In the case of computer systems, this is likely low involvement low-involvement involvement people. The moral of these points is, don’t try and social engineer the sysadmin, unless, of course, the sysadmin is less competent than you are, which as we all know is very unlikely.
Securing against human attacks
With all this information how would someone go about making their computer system more secure? A good first step would be to make computer security part of everyone's job whether they the used computer or not. This will not only boost their self-perceived status with no extra cost to you but will make staff more vigilant. If you make someone involved in keeping your computer system secure they are more likely to pay closer attention to unauthorized individuals trying to gain access to a system.
However, the best defense against this, as with most things, is education.
Explaining to employees the importance of computer security and that there are people who are prepared to try and manipulate them to gain access is an effective and wise first step. Simply forewarning people of possible attacks is often enough to make them alert enough to spot them. Remember, to give both sides of the story when educating people about computer security. This isn't just my personal bias. When individuals know both sides of an argument they are less likely to be dissuaded from their chosen position. And if they are involved in computer security, their chosen position is likely to be on the side of securing your data.
There are attributes that people less likely to comply with persuasion tend to have. Less compliant people tend to be pretty bright, highly original, able to cope with stress and self-confident confident. Stress management and self-confidence can be taught or at least enhanced. Self-assertion courses are often used for management employees, this training is excellent in reducing the chances of an individual being socially-engineered, as well as having many other employment benefits.
What this comes down to is making people aware and involved in yoursecurity policy. This takes little effort and gives great rewards in terms of the amount of risk reduction.
Conclusion
Contrary to popular belief, it is often easier to hack people than sendmail. But it takes far less effort to have employees who can prevent and detect attempts at social engineering than it is to secure any unix system.
Sysadmins, don't let the human link in your security chain let your hard work goes to waste. And hackers, don't let sysadmins get away with weak links, when it is their chains that are holding your data.
(This work was not written by Chantfire; original author unknow?)