Social engineering (security)

Social engineering [ˈsəʊʃl̩ ˌɛndʒɪˈnɪəɹɪŋ] (English, literally "applied social science", also called "social manipulation") refers to interpersonal influence aimed at eliciting certain behaviour from people, for example inducing them to disclose confidential information, to buy a product, or to release funds. Social engineers investigate their victim's personal environment, feign identities, or exploit behaviours such as deference to authority in order to obtain secret information or unpaid services. Social engineering is most often used to penetrate a foreign computer system and view confidential data; this is then called social hacking [ˈhækɪŋ] (see Hacker).

History

An early form of social engineering was practised in the 1980s by phreakers. A phreaker would call a telephone company, pose as a system administrator and ask for new passwords, which were eventually used to obtain free modem connections.

Basic pattern

The basic pattern of social engineering can be seen in bogus phone calls: the social engineer calls a company's employees and pretends to be a technician who needs confidential access data to complete important work. Beforehand, he has already gathered small scraps of information from publicly available sources or earlier calls about procedures, everyday office talk and the corporate hierarchy; these help him, during the interpersonal manipulation, to pass himself off as an insider of the company. He also confuses his technically inexperienced victims with jargon, builds sympathy through small talk about supposedly shared colleagues, and exploits respect for authority by threatening to disturb their superiors if the victims fail to cooperate. In some cases the social engineer has already learned beforehand that a particular employee has actually requested technical assistance and is realistically expecting such a call.

Other possible forms

Phishing

A well-known, impersonal variant of social engineering is phishing. Here, fictitious e-mails with a trustworthy-looking presentation are sent to potential victims. The message might claim, for example, that a service the recipient uses has a new URL and that they should log in there from now on if they wish to keep using it. The fake page is, in layout and presentation, a copy of the service provider's original website, which is meant to lull the victim into a false sense of security. If the victim enters their details there, the criminals obtain the login name and password. Another possibility is that the victim is asked by a supposed administrator to send back the login data in a reply because of alleged technical problems. The basic pattern is similar to the bogus phone call, because here too the social engineer usually poses as technical staff who need the secret information for data verification or recovery. Unlike there, however, the attacker here usually has little more than the recipient's e-mail address, which makes the attack less personal and therefore less effective.

Dumpster Diving

Here, the victim's rubbish is rummaged through in search of clues about their social environment. These can then be used in a subsequent call to gain the victim's trust.

Defense

Defending against social engineering is not easy, because the attacker exploits essentially positive human qualities: the wish, for instance, to help unbureaucratically in an emergency, or to return a favour. Stirring up general distrust would harm the effectiveness of, and trusting cooperation within, organisations. The most important contribution to countering social engineering in a concrete case therefore comes from the victim themselves, by verifying beyond doubt the identity and authorisation of the person making the request before taking any further action. Simply asking for the caller's name and telephone number, or asking after the well-being of a non-existent colleague, can expose a poorly informed attacker. Politely asking for patience when a sensitive request is pressed, however insistently, should therefore be specifically trained. Even seemingly minor and useless information should not be disclosed to strangers, as it may be exploited in later contacts to sound out others, or combined with many other individually useless pieces of information to establish a larger picture. A prompt warning to all other potential victims is important: first contact the company's security department, then the e-mail provider's contact address and the people and institutions whose information was misused for the deception. The following points should be observed:

  • If the identity of the sender of an e-mail is not certain, you should always be suspicious.
  • On the telephone, even seemingly unimportant data should not be passed carelessly to strangers, as they may use the resulting information for further attacks.
  • In response to an e-mail request, under no circumstances should personal or financial information be disclosed, regardless of whom the message appears to come from.
  • Do not follow links from e-mails that ask for personal data as input. Instead, type the URL into the browser yourself.
  • If there is any uncertainty about the authenticity of the sender, contact them again by telephone to verify the authenticity of the e-mail.

The U.S. security specialist Bruce Schneier even doubts the value of preventive measures against social engineering in general, given their complexity and possible side effects, and instead proposes strategies based on mitigation and fast recovery.

Employee training is necessary but of only limited help, as studies at the U.S. Military Academy at West Point have shown. So-called social engineering penetration tests can be carried out beforehand.

Known Social Engineers

The method became publicly known mainly through the hacker Kevin Mitnick, who was one of the most wanted people in the United States because of his break-ins into computer systems. Mitnick himself said that social engineering is by far the most effective method of obtaining a password and far surpasses purely technical approaches in terms of speed.

The U.S. IT expert Thomas Ryan became known in 2010 through his fictional character Robin Sage. This virtual internet beauty established contacts with military personnel, industrialists and politicians via social networks and elicited confidential information from them. After a month, Ryan went public with the results of the experiment to warn against excessive trust in social networks.

The hacker Archangel, who works in computer security, has shown in the past that social engineering is effective not only for obtaining passwords but also for the illegal procurement of pizzas, airline tickets and even cars.

Other well-known social engineers are the cheque fraudster Frank Abagnale, Miguel Peñalver, David "Race" Bannon, who posed as an Interpol agent, the fraudster Peter Foster, the impostor Steven Jay Russell and the impostor Gert Postel, who together with another impostor, Reiner Pfeiffer, played a role in the Barschel affair.
