
soc_eng.html
Posted Aug 17, 1999

Social Engineering Just a new twist on an old con game. From the U.S. Department of Energy's Computer Incident Advisory Capability (CIAC) Information Bulletin

tags | paper
SHA-256 | 2f23b42f1709c4b663cfba13bfb3f2069acb68529d27c3843c1d62c1b5268c5a

<html>
<HEAD><TITLE>"Social Engineering" just a new twist on an old
con game </TITLE></HEAD>
<body text="#000000" link="#0000ff" vlink="#ff0000" bgcolor="#ffffff">



<h1>"Social Engineering" just a new twist on an old con game</h1>

<p><i><b>Editor's Note:</b> This article was adapted from one that
appeared in the July 5, 1994 issue of the U.S. Department of Energy's
Computer Incident Advisory Capability (CIAC) Information
Bulletin.</i></p>

<p>In today's world of computer crime, not all perpetrators have to
come in over the Internet; they may just as easily get information
simply by asking. Beware of the friendly insider or the official
sounding outsider; they may be playing on your good will or naivet&eacute;
to get what they need. A few examples should help...</p>

<p>A department secretary answers the telephone, "Josie Bass. May I
help you?"</p>

<p>"Hello. This is Martin White with the computing center. We think
someone may have broken into the file server. Can I talk to the
technical person in charge?"</p>

<p>"It's Friday afternoon. I'm the only one here," Josie
says.</p>

<p>"How're you doing, Josie?"</p>

<p>"Good. And you?"</p>

<p>A deep breath. "Not too bad, except that it's Friday afternoon
and I think we're going to have to wade through a mountain of paper.
Anyway, as I was saying, we think your file server has been
compromised."</p>

<p>"What makes you think so?"</p>

<p>"Your account name is <i>jbass</i>, isn't it?"</p>

<p>"Yeah."</p>

<p>"We've been seeing unusual traffic coming and going on your
server."</p>

<p>"Well, can't you tell for certain what's going on?" Josie
asks. </p>

<p>"Sure, I'm searching now, but it's so much paper." The
sound of a page being flipped. "What scares me is that while I'm
doing this, the bad guys could be downloading or changing information on
your server. Maybe you ought to take your server off the network or
change your system password."</p>

<p>"Jeez, I don't know how to do that."</p>

<p>Martin sighs. "That's too bad. The intruders may not have even
entirely cracked your system." The sound of another page being
flipped and then fingers snapping. "Josie, I just thought of
something. I have all this on line. It would just take a minute to check
if I had your password." A heavy sigh. "Why didn't I think of
this before? It's been a long week - too many hours looking at
numbers." A pause. "Okay, what's your password?"</p>

<p>"I...er," Josie hesitates.</p>

<p>"Oh, yeah, you shouldn't give it out. I understand." The
sound of another page being flipped. "It was such a good idea,
too." Pause. "These guys sure tried a lot of different ways to
break in..." Another page.</p>

<p>"Hey," Josie says, "we could be here all night. Forget
I told you this: my password is <i>Jb2cats</i>."</p>

<p>"Thanks. Great. Hold on." The sound of keys being typed.
"Okay. Let me double check." More typing. "That's it.
Good news, they never got into your system." Pause. "Thanks a
lot, Josie. We would have been here half the night for a non-event. By
the way, once they pass you by, it's very rare that they'd come back.
You're in good shape."</p>

<p>"Thanks. You have a good weekend," a relieved Josie
responds.</p>

<p>"You too."</p>

<p>"Martin White" and his confederates will have a good
weekend changing the grades of students who are taking classes from that
department - for a fee, of course. </p>

<p>This is one (fictionalized but only too realistic) example of what's
called "social engineering," an ironic characterization of the
nontechnical aspect of Information Technology (IT) crime. In other human
interactions it's called a "con (or confidence) game" where
Martin is the "con artist." The underlying idea is simple:
deceive the victim into revealing secret information or taking
inappropriate action for the attacker's benefit.</p>

<p>Most of us are helpful and trusting - it's human nature. We want to
be good neighbors and have good neighbors. Social engineers exploit
this cooperative inclination. They also employ intimidation and
impersonation as well as plain old fashioned snooping and eavesdropping. </p>

<p>As the theft of information increases, we need to increase our
awareness of the indirect methods used by information pirates. </p>

<p>For example:</p>

<ul>
<li>A confused and befuddled person will telephone a clerk and ask for
his password to be changed.</li>

<li>An important sounding man identifying himself as an executive will
telephone a new system administrator and demand access to his account NOW!</li>

<li>A person at an airport will look over your shoulder ("shoulder
surfing") as you key in your telephone credit card or ATM PIN (they
even use binoculars and camcorders).</li>

<li>A visitor will watch you type your login-ID and password at your
keyboard.</li>

<li>A confident person will call up a computer operator and ask him or
her to type in a few lines of instruction at the console.</li>

<li>An attacker will sift through your paper trash ("dumpster
diving"), looking for clues to unlock your IT treasures.</li>
</ul>

<p>Unlike the technology it targets, social engineering is an old
profession with a new name. It succeeds frequently because our culture
has not caught up with its own technology. A social engineer would have
a much more difficult time getting the combination to a safe than getting
a password, or even the combination to a locker at the health club. The
best defense is simple: it's education, training, and awareness.</p>

<p><i>Remember: A password is like a toothbrush. Change it every three
months and never, never let anyone else use it (not even someone
claiming to be from CERT).</i></p>

</body>
</html>
