It’s All About The Social Engineering, Baby!
I’ve said it a number of times, and at the risk of sounding like a complete cynic, I will say it again: The biggest threat to computer (and information) security is the people who use them. Or, more appropriately, people who use computers and information technologies in a significantly “unaware” state. To give you an idea what I mean, let’s take another fairly ubiquitous implement in our society, the automobile. Why are there so many accidents? It’s not the bank robbers or the murderers and rapists (in other words, “criminals”) causing them. They are caused by everyday people not paying attention to those around them, people who think that rules of the road don’t apply to them, and even, dare I say, people who just don’t give a damn about those around them. I mean, why is it that people can get into horrific accidents driving down a completely straight piece of highway, like I-25 here in Colorado? It’s because people jump in those 2,000 pound pieces of hardware and just blast off down the road as if they were the only ones on it, completely oblivious to anyone else who may be around. As long as they get where they are going, they don’t care how they got there, and as long as no one else causes them inconvenience, whatever they do is fine.
Well – our love of computers is the same way as our love of the automobile. Computers and communications devices (such as cell phones) are such a ubiquitous and necessary part of our daily lives, that to go without email or our phones for even one minute would be disastrous. And our ability to click on any Internet link we want, and forward every email joke we get had better not be impeded in any way. This idea is at the very heart of many cyber-attacks these days. The bad guys know that people can be duped into just about anything – spreading email here, clicking on a link there, giving out information over the phone. It is very easy for the bad guys to plant a very innocent looking email, spam it out to the whole world, and then sit back and watch as the ignorant masses of scurrying mice blindly follow the bread crumbs. This, in essence, is what “social engineering” is all about. Social engineering encompasses a wide variety of things, such as me pretending to be the help desk and calling you up to get you to give me your network account password. Or diving through your trash to find out what usernames and passwords you had scribbled down and unknowingly thrown away. Or, how about me the nosey passerby shoulder surfing while you arrogantly (and show-off-ishly) flaunted your laptop in a busy airport or coffee shop? You know, in all my journeys through airports, I have gathered more information from listening to people yell into their cell phones that, if I were a bad guy, could be used against them (and their companies). I sat waiting for a flight from Rochester, NY one time and listened to some guy give an entire performance review over his cell phone – he wasn’t discreet or quiet about it at all. Social engineering is what gets you to give up your social security number and birth date when you reply to some scam offering you a refund from the IRS or an online deal that you just can’t refuse.
The above are all examples of social engineering, and there are many more. The bad guys rely on egos and ignorance getting in the way of security awareness. Those that would attack you know that you are either trying to show off how important you are or that you are just plain ignorant of information security techniques. They will use a variety of very simple techniques against you to steal your data, launch code to wreck your computer, or turn your computer into a zombie to proliferate other attacks. The bad guys use clever emails and lures to malicious web sites to launch attacks more often these days than most any other types of attack. In fact as of this week, there is a new flaw in Internet Explorer, and according to this article at ZDNet, porn sites are already exploiting it. The really stupid and lazy attackers will just get you to do their work for them and simply tell you that there is a security vulnerability or virus on your computer, and tell you to delete certain files. They will then get you to email all your friends and tell them delete these same legitimate files (this is known as a virus hoax) which will then render all of your computers unusable the next time you reboot. Essentially, social engineering (in the bad sense) is all about getting people to do things that the attacker wants them to do.
If you were to look at the majority of the descriptions for most vulnerabilities that are fixed by recent patches, you would see that the patch itself fixes a vulnerability caused by a programming flaw, but that it is only exploited when the victim opens an infected email, opens an infected email attachment, or is lured to a malicious web site. In many cases, the exploit is not “WORMABLE” and simply relies on a cleverly crafted email, attachment, or image file getting onto the victim’s computer so that it can do its thing. The attackers know that they can get you to visit a web site or open an email, and that they can certainly rely on you to forward it to all your friends.
So lets talk about “good” social engineering. One of the greatest challenges facing IT security professionals is to get people to change their behavior and attitudes towards information security. To most people, the security people are just the Gestapo out to spoil their fun and keep them from doing their job. We are the source of inconvenience because it just doesn’t seem reasonable that the threats really are out there. It’s all a big myth. I’m here to tell you that the only myth is believing in the false sense of security because of the “it can’t happen to me” syndrome. When your IT support people or your friendly bloggists bombard you every day with hints and tips about locking your keyboard when you get up from your computer, telling you not to open email attachments, or not to write down your password on sticky notes – that is the form of social engineering we are trying to use to get you to change your habits a little. We aren’t trying to keep you from being productive. On the contrary, we are trying to keep you from becoming a victim.
Bottom line – the bad guys are trying to “social engineer” your behavior so that you will fall into their trap. They can then laugh at you while they point you out to all their friends (and get the news media attention they crave), telling them how they “stuck it to the man” and screwed up a bunch of computers. The IT security people are trying to “social engineer” your behavior so that you won’t make an ass of yourself, or worse yet destroy the company’s network or compromise proprietary information. If you get attacked at home because you were complacent about your own computer security, then it may take you awhile to get back your system up and running. And it might take awhile for you to get over the embarrassment that you feel because you unknowingly passed along the attack vehicle to your friends. But if you get attacked at work because you just didn't care to be bothered by computer security requirements and even spread the attack to the entire network, embarrassment will be the least of your problems. The security people have an obligation to keep you informed. You have an obligation to heed the warnings and do the right thing. In other words, you have an obligation to stop being ignorant and be as vigilant with your information technology as you should be while driving down the road in that 2,000 pound weapon of yours. Use some due diligence, as we call it, and be aware. Security is everyone’s business!