The goal of my paper is to explore the topic of Social Engineering in all its facets. But what really is social engineering? Is it a term that can be applied in any field other than Information Technology? Your Dictionary references Webster’s Dictionary, which defines social engineering as follows (Your Dictionary, 2006):
A deceptive process in which crackers “engineer” or design a social situation to trick others into allowing them access to an otherwise closed network, or into believing a reality that does not exist.
However, in a much broader sense, social engineering can indeed take place outside of a technical field, and the term can be applied to describe a non-I.T. related situation, because in reality the act essentially involves deceiving another individual into divulging information that should be kept secret. The following definition better describes social engineering in this light (Social engineering (security), 2009):
Social engineering is the act of manipulating people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud or computer system access; in most cases the attacker never comes face-to-face with the victim.
This paper aims to explore these many situations that others might not classify as a social engineering act to steal information, and alongside that goal it pursues several related objectives: to create a conversation about social engineering by generating awareness, to discuss the many different kinds of social engineering methods, to cite examples of real-world social engineering events and the people responsible, and finally, to cover a list of best practices to avoid social engineering attacks.
Now that we have established a “working definition” on which to base this discussion of social engineering, the next logical step is to mention a few of the well-known techniques employed in social engineering acts (Granger, 2001).
A very widely recognized form of social engineering occurs over the phone, which gives a person with malicious intent all the anonymity in the world. Those particularly vulnerable to this type of threat are help desks, customer service reps, and of course the common victim: the innocent individual minding their own business at home, on the comfort of their couch. But just because most of these attacks are known to occur over the phone does not mean that you are safe when actually using the phone yourself. What do I mean by this? It’s known as shoulder surfing (Dwyer, 2008): someone gleans your PIN or ATM card number by simply standing over your shoulder at a large airport or a phone booth.
Another good example of why social engineering isn’t just something to worry about at the workplace is how often thieves thrive on another technique known as Dumpster Diving, in which hackers or anyone with malicious intent obtain information such as calendars showing when employees might be out of town, policy manuals detailing how internal systems are protected, or even discarded hard drives that can be restored and their vital information recovered (Berg, 1995).
But my favorite form of social engineering has to be the one described as Quid Pro Quo (Wikipedia, 2009). Imagine, if you will, that the “attacker” rings up random people claiming to be returning their technical support call; eventually, said attacker will find someone who is grateful to have been called back and who will have no problem following whatever instructions the attacker doles out… which will most likely be either a series of malicious commands or the giving up of valuable information (such as a credit card number or a name and password).
While there are certainly many more techniques that could be discussed, I would like to focus the next section on elaborating on the techniques described above with specific, real-world scenarios of social engineering taking place. A very fascinating example of an attacker making the victim believe that he is of a higher authority is described by McAfee Avert Labs and SANS analyst Lenny Zeltser (Kumar, 2009):
Apparently, yellow fliers were placed on vehicles in a parking lot, and the fliers claimed that the vehicles were in violation of parking regulations. The fliers further stated that the owner could visit a certain website to get more information and pictures about the offense.
Now you can imagine the result of this very clever form of social engineering: the victim sees the flier and, once home, attempts to visit the designated website, only to be told to download a toolbar or some other form of disguised malware, which in turn infects their PC with even more malware.
Kevin Mitnick, who was once one of the most wanted hackers in the U.S. in the late twentieth century, wrote a book entitled The Art of Deception (Mitnick, Amazon, 2009). In it he describes several examples of social engineering; in one, he describes how someone could wait for a snow storm to occur and then call the network center posing as… you guessed it, a snowed-in employee. In another, smaller example, Mitnick describes how someone could get a police officer to divulge when he might be out of town and, by scheduling a court date for that specific time, get out of a speeding ticket (Mitnick, Social Engineering Books, 2006).
A few of these examples of social engineering are really quite startling. How can one hope to avoid falling for these tricks when many of them are so clever? There are a few “best practices” that can be taught which will help avoid falling into social engineering traps. Some may be ideal for teaching fellow employees and others might be applicable to the individual, helping him or her live a more secure life where the safety of their important information is concerned.
Some of the best techniques to teach employees, as identified by US-CERT (United States Computer Emergency Readiness Team), are as follows (McDowell, 2004):
Be suspicious of any phone calls, visits, or email messages from individuals asking about employees or internal information. Always ask any individual claiming to represent a legitimate organization to verify their claims; this is especially true if they could use your position as a gateway to privileged information (for example, if you work at a help desk). Almost never reveal sensitive information over the internet. Never. Before doing anything with any amount of sensitive information, consult a higher authority or a person with full knowledge of your company’s security policy. Always shred company documents before discarding them. Even the slightest bit of information can give an attacker inside knowledge of who works at the company, their operating hours, or their phone numbers.
Richard Stiennon of the website CIO Update decries what is often touted as the “best defense against social engineering”: training. He stipulates that if you decide mandatory training is needed to sharpen people’s awareness in order to avoid social engineering attacks… then you already have a hole in your defenses. Ultimately, the very best defense against a good social engineering attack is to enforce policy (Stiennon, 2009).
In conclusion, I have covered a wide range of topics, all of which involve a discussion centered on Social Engineering. What began as an initial exploration into the definition of Social Engineering progressed into examples of the varying types of social techniques that attackers employ to trick others into divulging sensitive information.
Many common examples of real-world attacks were also covered, along with how devastating their implications can be to the victims; neither corporations nor individuals are safe against any sort of Social Engineering attack. Chief among those once considered the most dangerous of all, Kevin Mitnick, wrote a book describing in detail how wide-ranging Social Engineering attacks can be.
And finally, I briefly covered some “best practices” to keep such social attacks from happening to you or to future employees. While it may seem obvious to a technically inclined individual, everyone can be a victim of these kinds of attacks when not following the most basic of policies. Being intelligent with information essentially means keeping it to yourself. But rest assured that there are those out there who are constantly inventing new and dangerous ways to trick innocent people into giving away important information. And it is only with constant diligence and a reaffirmed commitment to confidentiality that we can hope to avoid the trap known as Social Engineering.
Works Cited
Berg, A. (1995, November 11). Social Engineering. Retrieved April 19, 2009, from Packet Storm Security: http://www.packetstormsecurity.org/docs/social-engineering/soc_eng2.html
Dwyer, J. (2008, January 12). Picking Pockets? Nah, Surfing Shoulders. Retrieved April 19, 2009, from New York Times: http://www.nytimes.com/2008/01/12/nyregion/12about.html
Granger, S. (2001, December 18). A True Story. Retrieved April 19, 2009, from Security Focus: http://www.securityfocus.com/infocus/1527
Kumar, L. (2009, February 4). Real World Social Engineering. Retrieved April 19, 2009, from McAfee Avert Labs Blog: http://www.avertlabs.com/research/blog/index.php/2009/02/04/real-world-social-engineering-to-spread-malware-online/
Major, S. D. (2009). Social Engineering: Hacking the Wetware! Information Security Journal: A Global Perspective, 40-46.
McDowell, M. (2004). Tips. Retrieved April 19, 2009, from US-CERT.GOV: http://www.us-cert.gov/cas/tips/ST04-014.html
Mitnick, K. (2009). Amazon. Retrieved April 19, 2009, from Amazon: http://www.amazon.com/Art-Deception-Controlling-Element-Security/dp/0471237124
Mitnick, K. (2006). Social Engineering Books. Retrieved April 19, 2009, from Social Engineering: http://www.social-engineering.eu/books/artofdeception/
Social engineering (security). (2009, April 16). Retrieved April 19, 2009, from Wikipedia: http://en.wikipedia.org/wiki/Social_engineering_(security)
Stiennon, R. (2009, October 19). The Best Defense Against Social Engineering. Retrieved April 19, 2009, from CIO Update: http://www.cioupdate.com/trends/article.php/3638951/The-Best-Defense-Against-Social-Engineering
Wikipedia. (2009, April 16). Retrieved April 19, 2009, from http://en.wikipedia.org/wiki/Social_engineering_(security)
Your Dictionary. (2006). Retrieved April 19, 2009, from http://www.yourdictionary.com/hacker/social-engineering
Social Engineering
The Antisocial Aspect Of Social Networking
It’s estimated that more than one-third (35 percent) of U.S. adults have a profile on a social networking site, according to the Pew Internet & American Life Project’s daily tracking survey of 2,251 adults. A more practical survey can be done just by thinking of the number of people you know who use these sites – starting with yourself.
While many will legitimately use social networking sites for broadcasting, distribution, and communication purposes, more people are attempting to instigate and manage friendships online.
Therein lies the problem. I contend that if social networking sites contribute to the decline or decay of social skills, they inadvertently create an antisocial mindset for people as they navigate in the real world because they become more adept and comfortable at socializing in an online world.
If you were walking down the street, or sitting on a bus, and someone tapped you on the shoulder and said, “I’d like to add you as a friend,” you would look at them as though they were insane, or at the very least with skepticism. Online, most people are not nearly as discriminating about their friend selections as they are in real life, but they should be.
Friends are afforded special privileges both online and offline. Offline you have to earn them. Online they are instantly granted. One such privilege is knowing who your other friends are and what you are up to. This comes in the form of “updates” which a surprising number of people use to post personal information and comments.
The shouting nature of MySpace (which is saturated with people who are eager to draw attention to themselves or their songs) makes it a favorite among a younger demographic of social network users.
Dr. Himanshu Tyagi, a psychiatrist at West London Mental Health Trust, stated in a recent report that people born after 1990, who were five years old or younger when use of the Internet became mainstream in 1995, have grown up in a world dominated by online social networks such as MySpace and Facebook. He states:
“This is the age group involved with the Bridgend suicides and what many of these young people had in common was their use of Internet to communicate. It’s a world where everything moves fast and changes all the time, where relationships are quickly disposed at the click of a mouse, where you can delete your profile if you don’t like it and swap an unacceptable identity in the blink of an eye for one that is more acceptable,” said Dr. Tyagi. “People used to the quick pace of online social networking may soon find the real world boring and unstimulating, potentially leading to more extreme behavior to get that sense.”
It’s been my observation that most people don’t know who they have among their “friends” on MySpace. More commonly, people amass hordes of friends strictly for the sake of appearance – the appearance of being popular. So friends can get used both offline and online in that regard.
The 80/20 rule teaches us a lot about friends and time invested in friendships (which is what really defines them). 80% of correspondence that you send to anyone on any given social networking site will be sent to only 20% of the people you have in your “friends list.” Just as 80% of your time spent nurturing friendships will be with 20% of your friends. You are most likely to communicate with that 20% without the aid of a social network.
Facebook, for lack of a better if not more accurate description, has become the adult version of MySpace. As the real estate mantra goes: build it and they will come. But social networks have a saying all their own: build it and they will use it for illegitimate purposes.
B.J. Fogg, director of the Persuasive Tech Lab at Stanford University and editor of a book called The Psychology of Facebook has been studying the social networking phenomenon for years. He argues that what we are doing on Facebook and other social networking sites is a lot like “primate” grooming. We are building “social solidarity” by publicly flirting and socializing online.
Yes, your suspicions are correct: the most illegitimate use of social networks takes place among people who are married or in committed relationships who use them to locate old flames. Actually, that’s not the illegitimate part. The illegitimacy stems from the resulting clandestine relationships that occur. There’s a lot of rekindling taking place on social networks…probably right now as you read this article.
According to Nancy Kalish, a professor of psychology at Cal State Sacramento and author of the book Lost & Found Lovers: Facts and Fantasies of Rekindled Romance, many people try to reunite online “because it’s so easy,” Kalish says. “Most people go looking for lost loves, initially, out of curiosity.” First loves in particular are most often sought out online, she says, and they pose the most danger to real-world relationships for two reasons: biological and emotional.
First, she says, when two people meet in the adolescent years (between 16 and 22), they start to form their identity together and break away from family. In those formative years, “you define what love is and what you want from a partner, and when you lose that, you lose that piece of yourself.” This combines with the hormones that are encoding in your brain at that age as “emotive memory” and creates a biological imprint of that person.
On top of all this chemistry, the adolescent years are typically the years when humans start to reach their reproductive maturity and look for biologically compatible mates. Kalish argues that this in turn causes problems because people are delaying marriage. She says, “we are so far away from marrying our first love because people are waiting until later in life to settle down. When they do settle down, oftentimes, the chemistry just isn’t the same.”
Perhaps this is the reason why in the Pew survey, of the adults who had removed their profile from a social networking site, 3 percent said they did it because their spouse or partner wanted it removed.
My favorite social networking site is LinkedIn. It’s essentially an online portal for resumes. Like the others, it operates on a membership/sign-up basis, but is geared toward professionals and building professional networks. Unlike MySpace and Facebook, people lead with their credentials on LinkedIn and the site regulates, discourages, and prevents abuse of the system by blocking those who get repeated rejections for linking requests.
Its most distinctive feature is the recommendations that others make on your behalf to help you complete and promote your profile. The LinkedIn business premise is simple: you should know at least 5 people with whom you have real relationships who can endorse you to make you a more valuable connection to others.
LinkedIn is not a cozy, give-a-shout-out, tell-you-about-my-weekend, post-a-stupid-comment-about-what-I-just-saw-on-TV social network. It is for serious professionals who want to network with credentialed people without the levity and frivolity that is so commonplace on social networks. It’s not designed for conviviality and making friends.
Another social network that’s growing in popularity is Twitter. Twitter allows users to “follow” each other (i.e. keep up with each other’s activities) and is predicated on the exchange of short updates that can be seen online via their website or sent to you via your cell phone. I suspect that many music artists and professionals who regularly calendar events that the public, their fans, or constituents need to be made aware of will utilize it more in the future.
Personally, I have yet to make a friend through any social networking site. Nor do I know of anyone who has. I’m sure it happens. I’ve even been contacted by “friends” from my past. I’m hesitant to call them “friends” because I believe it’s extremely rare when you lose contact with a real friend.
Most of the time when we lose contact with each other it’s because we lacked the motivation or commitment to maintain the friendship in the first place; therefore, I tend to keep past “friends” in my past because that’s usually where they belong. Those who don’t subscribe to this philosophy usually end up briefly re-uniting with their past friends and drifting apart once more.
For me, the social networks offer their greatest value in a professional capacity. They serve as a divide between my associates and my friends, while allowing me to communicate with both simultaneously. But in the end, they offer us a reminder of just how valuable real friends and friendships are, if we can take our faces away from the computer screens long enough to realize it.
Social Networking is Good for You
One of the best ways to brand yourself and let people know who you are and what you’re doing is by joining online social networks like MySpace, Facebook, LinkedIn, Digg, Reddit, Orkut or Twitter. Today, social networking is one of the fastest growing, not to mention free, ways to reach your audience. And we’re not just talking about business people who know their way around online social networking and use it to build and promote their businesses; there are also artists and politicians (consider Barack Obama’s social networking ambitions) who are using these online communities to reach their audiences. With the Web 2.0 platform and the ability to upload a wide range of file formats and convert your materials to mp3s and podcasts, you can reach your target audience far more rapidly than ever before.
The concept of electronic social networking isn’t really a breakthrough of the 21st century. It has been around since the 1990s, and it is the dramatic improvements and innovation over previous networking services that helped services such as MySpace rapidly become a global phenomenon. The year 2004 brought the launch of the all-time favorite Facebook, the creation of Harvard graduate Mark Zuckerberg. This networking site instantly gained popularity thanks to the incorporation of externally developed add-on applications, which in turn enabled the graphing of a user’s own social network, thus linking social networks and social networking.
Because of our busy routines – by the way, when was the last time you sent a hand-written letter? – social network websites have become the foundation on which we build and maintain relationships with friends, family and even clients. The online communities are where we go to meet new people, explore our interests and activities and share all sorts of information, in other words, stay in touch with everything that’s shaking in the world.
Basically, what social networking really means is grouping people or organizations with specific profiles and interests together. While many social networking websites are focusing on specific interests, there are others that don’t. Social communities without a specific focus on certain topics of interest are known as “general” social networking websites and they usually have open memberships, meaning that anyone can become a member, no matter what their interests or beliefs are. But once you become part of this online community, you will start creating your own network of friends and you can select the people you want to connect to, based on your hobbies, preferences and common interests.
The new social networking players, including Cisco, the leading supplier of networking equipment and network management, and a multitude of other start-ups like Ning, consider that social networks will soon be as ever-present as the rest of the websites. They are starting to create tools that allow everyday people, big companies and even politicians to create their own social websites, specially customized for their own clients, friends, fans and partners. It’s not that the existing social networks aren’t great, but they tend to put their users in a rather limited space, by being somewhat restrictive about what they can and can’t do, and they were not designed to be flexible. These social networking sites don’t really let people build and customize their own worlds as they please – which is the nature of what people want to do online anyway.
It’s possible that of all services in the new social spectrum, the social networking sites are the most promising. Maybe the reason for this is that these community-driven sites have the ability to introduce their user base to other social web services. Just think about it: Facebook is also a photo-sharing service, MySpace also offers music sharing, and LinkedIn is also a search engine for jobs. MySpace stays on top of them, but Orkut is rapidly coming from behind and Facebook is doing great. An interesting thing to watch is whether LinkedIn intends to expand its user base and broaden its offer. Right now, TagWorld doesn’t look very good, while Bebo isn’t all that strong, as it has been recently portrayed. The veteran Friendster network is not out of the game yet and seems to be doing just fine. Anyway, it seems very clear that the battle for the winning places (MySpace, Orkut) is going to heat up, which can only bring more diverse offers and services for the users.