Social engineering (security)

At the same time, social engineering stands for a practice of political and social control or influencing societies by means of communication and can achieve results that are perceived as positive as well as negative. However, the strongly negative variant of the term currently dominates the conceptual image; there are also alternative definitions for social engineering (political science) .

Social engineers spy on the personal environment of their victim, feign identities or use behavior such as obedience to authority in order to obtain secret information or unpaid services. Social engineering is often used to break into a foreign computer system in order to view confidential data; one then speaks of social hacking [ 'hækɪŋ ].

history

An early form of social engineering was practiced in the 1980s with phreaking . Phreakers called telephone companies , pretended to be system administrators , and asked for new passwords, which they eventually used to make free modem connections.

Basic pattern

The basic pattern of social engineering can be seen in bogus phone calls: The social engineer calls employees of a company and pretends to be a technician who needs confidential access data to complete important work. In the run-up to the meeting, he had already compiled small snippets of information from publicly available sources or previous phone calls about procedures, daily office talk and company hierarchy, which help him manipulate people to be an insider of the company. In addition, he confuses his technically uneducated victim with technical jargon , builds sympathy with small talk about colleagues who appear to be common, and exploits respect for authority by threatening to disturb his superiors if the victim fails to cooperate. The social engineer may have already collected information in advance that a certain employee has actually requested technical help and is actually expecting such a call.

Despite its seemingly banality , the method repeatedly succeeds in spectacular data theft . In 2015, for example, an American student managed to open the private e-mail account of the then CIA director Brennan and access it for three days.

In automated social engineering, also known as scareware, special malicious programs are used that frighten the user and thus induce certain actions.

Other possible forms

Phishing

A well-known variant of social engineering is phishing . In this impersonal variant, bogus e-mails are sent to potential victims with a design that inspires confidence. The content of these messages can be, for example, that a certain service that you use has a new URL and that you should log in to this from now on if you want to use it. This bogus page is, in terms of layout and presentation, a copy of the original website of the service provider. This is to help keep the victim safe. If you fall for it, criminals get hold of your login name and password. Another possibility is that the victim is asked by an alleged administrator to send the login data back as a response, as there are supposedly technical problems. The basic pattern is similar to the bogus telephone call, because here, too, the social engineer usually poses as a technical employee who needs the secret information to check or restore data. Unlike there, the attacker usually does not have much more than the recipient's email address, which makes the attack less personal and therefore less effective.

Spear phishing (derived from the English translation of the term spear ), which means a targeted attack, is more efficient . Here the attacker procures z. B. the e-mail addresses of the students enrolled there via the student council of a university in order to send them a targeted phishing e-mail from a local bank or savings bank. The “hit rate” of this type of phishing attack is higher than that of normal attacks, since the probability that a student will have his bank account with this institute is very high.

Dumpster diving

Here, the victim's rubbish is rummaged through and searches for clues and clues about the social environment. These can then be used in a subsequent call to gain the victim's trust.

USB drop

The security company Kaspersky Lab revealed that an unknown group of hackers had attacked around 500 companies with USB drops since 2001. Random employees received infected USB sticks, the use of which infected their PC and gave the hackers access to the company's internal network. One possibility for attackers is to distribute the infected USB sticks in front of the company premises as a promotional gift.

Defense

The defense against social engineering is not easy to implement, since the attacker basically exploits positive human characteristics: The desire, for example, to provide unbureaucratic help in emergency situations or to respond to help with counter-help. To stir up general mistrust would also negatively affect the effectiveness and trusting cooperation in organizations. The most important contribution to combating social engineering is therefore made in the specific case by the victim himself, in that he undoubtedly ensures the identity and authorization of the person making the contact before taking further action. Just asking for the name and phone number of the caller or the condition of a colleague who does not exist can reveal badly informed attackers. Asking politely for patience, no matter how urgent a delicate request, is, should therefore be trained specifically. Even apparently insignificant and useless information should not be disclosed to strangers, because it could be misused in subsequent contacts to interrogate others or, together with many other in itself useless information, serve to delimit a larger issue. It is important to warn all potential further victims quickly; The first point of contact are the company's security department, the contact address of the e-mail provider, and other people and institutions whose information has been misused to pretend false facts. The following points should be observed:

• If the identity of the sender of an e-mail is not certain, one should always be suspicious.
• When calling, even apparently unimportant data should not be carelessly passed on to strangers, as they can use the information obtained in this way for further attacks.
• In response to an email request, under no circumstances should personal or financial information be disclosed, regardless of who the message appears to be from.
• Do not use links from emails that ask for personal information as input. Instead, enter the URL yourself in the browser.
• If you are unclear about the authenticity of the sender, contact them again by phone to check the authenticity of the email.

In view of the complexity and the possible side effects of preventive measures against social engineering, the US security specialist Bruce Schneier even doubts their value in general and instead suggests strategies based on damage limitation and rapid recovery.

Staff training is necessary, but of limited use, as studies at the US Military Academy West Point have shown. So-called social engineering penetration tests can be carried out in advance .

Well-known social engineers

The method became publicly known primarily through the hacker Kevin Mitnick , who was one of the most wanted people in the United States for breaking into other people's computers. Mitnick himself said that social engineering is by far the most effective method of getting a password and beats purely technical approaches in terms of speed by far.

The US IT expert Thomas Ryan became known in 2010 with his fictional character Robin Sage. The virtual Internet beauty used social networks to establish contact with the military, industrialists and politicians and coaxed confidential information from them. After a month, Ryan went public with the results of the experiment to warn against excessive trust in social networks.

The computer security hacker Archangel has shown in the past that social engineering is not only effective in revealing passwords, but also works in the illegal procurement of pizzas, plane tickets and even cars.

Other well-known social engineers are the check fraudster Frank Abagnale , Miguel Peñalver, David "Race" Bannon , who posed as an Interpol agent, the real estate fraudster Peter Foster , the con man Steven Jay Russell and the con man Gert Postel , who with another con man, Reiner Pfeiffer , played a role in the Barschel affair .

See also

• Rubber hose cryptanalysis

literature

• Uwe Baumann, Klaus Schimmer, Andreas Fendel: SAP pocket seminar. "Human factor - the art of hacking or why firewalls are useless". SAP 2005, Primer ( Memento from August 9, 2012 in the Internet Archive ) (PDF; 363 kB).
• Michael Lardschneider: Social Engineering. An unusual but highly efficient security awareness measure. In: Data protection and data security. DuD. 9, 2008 ( ISSN  1614-0702 print), pp. 574-578.
• Kevin D. Mitnick , William L. Simon: The Art of Deception. Human risk factor. (Reprint of the 1st edition). mitp, Heidelberg 2006, ISBN 3-8266-1569-7 (Original edition: The Art of Deception. Controlling the Human Element of Security. Wiley, Indianapolis IN 2002, ISBN 0-471-23712-4 (English)).
• Kevin D. Mitnick, William L. Simon: The Art of Burglary. IT risk factor. mitp, Heidelberg 2006, ISBN 3-8266-1622-7 .
• Klaus Schimmer: If the hacker asks twice! How do I prepare my employees for social engineering attacks? In: Data protection and data security. DuD. 9, 2008, pp. 569-573.
• Bettina Weßelmann: Measures against social engineering: Training must complement awareness measures. In: Data protection and data security. DuD. 9, 2008, pp. 601-604.
• Stefan Schumacher: The psychological foundations of social engineering. In: Proceedings. GUUG Spring Discussion 2009, 10. – 13. March 2009, Karlsruhe University of Applied Sciences. GUUG, Munich 2009, ISBN 978-3-86541-322-2 , pp. 77-98 ( UpTimes 1, 2009).
• Stefan Schumacher: Psychological basics of social engineering. In: The data thrower. 94, 2010, ISSN  0930-1054 , pp. 52-59, online (PDF; 8.9 MB) .
• Christopher Hadnagy: Social Engineering - The Art of Human Hacking. Wiley, Indianapolis IN 2010, ISBN 978-0-470-63953-5 (English)

Web links

• Social engineering - information from the Reporting and Analysis Center for Information Assurance MELANI of the Swiss federal administration
• Sicherheitskultur.at
• computec.ch free German-language documents
• social-engineer.org English language documents and wiki
• English-language practical examples
• Social engineering summary (PDF; 91 kB) on the basics of social engineering and countermeasures (German)
• Johannes Wiele: Recognize social engineering . In: LANline , about ways to recognize a victim of a social engineering attack

Individual evidence

1. ↑ Neue Zürcher Zeitung : Teenager claims to have cracked the CIA boss' private email account from October 20, 2015, accessed on October 20, 2015
2. ↑ Wired : Teen Who Hacked CIA Director's Email Tells How He Did It from October 19, 2015, accessed on October 20, 2015.
   (“As the data thief announced, he wants to receive the access data to Brennan's email account via social engineering have: He apparently got Verizon employees to release data from Brennan. ")
3. ↑ Social engineering: Human security vulnerability . 1und1.de/digitalguide. Retrieved September 14, 2017.
4. ↑ Mirjam Hauck: Human weakness . In: sueddeutsche.de . February 17, 2015, ISSN  0174-4917 ( sueddeutsche.de [accessed November 15, 2017]). 
5. ↑ Mirjam Hauck: Human weakness . In: sueddeutsche.de . February 17, 2015, ISSN  0174-4917 ( sueddeutsche.de [accessed November 15, 2017]). 
6. ↑ Johannes Wiele: Aftercare is better than caution. Bruce Schneier in conversation with scientists . In: LANline 3/2008 ( ISSN  0942-4172 ).
7. ↑ Technology Review: The Phishers' New Weapons . heise.de
8. ↑ A short, hot life . In: sueddeutsche.de , August 2, 2010