After I wrote my last post on the callous nature of people exploiting the Japanese Tsunami and subsequent problems at the Fukushima nuclear plant, it occurred to me that I haven’t really written much on social engineering.
The easiest way to get someone’s password is to ask for it.
It’s quite simple: people want to be helpful and don’t want to be seen as a problem within the organisation. So, when someone phones them up claiming to work for “IT” and asks for their user ID and password, most people simply hand it over. In many cases, internal phone lists are available online, so it’s easy for a caller to sound authoritative. It is vitally important to get the message across to all staff that they must never share their passwords, no matter who is asking. If there is any doubt, people will give their password to whoever asks, because they don’t want to get into trouble for being unhelpful.
There have been several studies into how much people value their personal information. One such study was done at LSE as part of Project FLAME: different types of user information were requested in exchange for different levels of incentive (in this case, varying qualities of chocolate), and the information handed over was then verified. The results were published by the project.
So, even when people are blatantly asked for information that is probably more personal than their work password, they are happy to divulge it.
The Art of Deception
Kevin Mitnick is a former hacker, turned computer security consultant, who knows a lot about social engineering. At the age of 12, he figured out a way of riding the bus system in Los Angeles for free, re-using tickets others had thrown away by modifying them with a hole-punch after a friendly conversation with an LA bus-driver. He subsequently went on to use his ability to convince others to part with information to gain access to a number of high profile systems, including Digital Equipment Corporation (now part of HP), Pacific Bell, Motorola, Nokia, Sun and Fujitsu Siemens.
Much of this activity was done with the unknowing complicity of the staff at these organisations. He has gone on to write a best-selling book, called “The Art of Deception”, which makes for chilling reading and is essential reading for those in the information security industry.
Years ago, I remember listening to something on the Hackers News Network, a quasi-radio station on the Internet, that would publish MP3s of sessions that they held. One of these was to phone a Blockbuster Video store somewhere in the US, pretending to be someone they had found in a phone book. The session was fascinating: the poor shop assistant was trying to be as helpful as possible, but ended up revealing the credit-card number and address of someone whom the callers intrinsically didn’t know anything about.
There are people out there who are more than willing to abuse the trust of good-natured people. It’s always worth being a little suspicious.