
Wednesday, 30 November 2011

Trouble In Paradise?

Impersonating a huge corporation, or inducing people to mail you their passwords under false pretenses, can get you into big trouble. The Post Office considers such activity postal fraud, even if you're just doing it for laughs. These ideas are provided to stimulate your imagination - not to encourage you to do anything illegal.
Before you go and do something stupid, you might want to read Chapter Fourteen.

When you social engineer there are many factors that inhibit the person you speak with from giving out security data. Consider, when you social engineer someone, that person
• may have been warned about security leaks
• may be knowledgeable about social engineering tactics
• can not verify your claimed identity
• might know you are not who you claim to be
• has no reason to assist you, and can give you wrong or misleading information
• can report your call to a security manager.

For all these reasons, a person you try to social engineer may not want to or may not be able to tell you passwords and other information that you request.

Considering the above list, would you divulge confidential information to someone asking you for it over the telephone?
That's the problem.
The solution?
See you in the next chapter!

Message From God

Dear User:
This is most embarrassing.
As the director of PinkyLink, America's largest on-line information service, I was shocked to discover that a theft of several backup tapes took place over the July 6th weekend.

Contained on one of those tapes was, among other things, the personal security data on a small percentage of our customers.

While your name was, luckily, not on that stolen tape, there is still some threat to you. As of now we are uncertain whether any users with programmer-level computer access were backed up on the stolen tape. Therefore, we request you fill out this application and mail it back immediately in the postage paid envelope provided.

Fill out the form and return it to us as soon as possible. Once received, we will update you to this new, secure ID.

Thank you for your cooperation, and to offset any trouble this may cause you, we will be subtracting 75% off your August bill.
Name: ________
Address: ________
Zip: ________
Day Phone: (___) ___-____
Night Phone: (___) ___-____
Old (Invalid) Password: ________
New (Updated) Password: ________

PinkyLink, America's Largest On-Line Information Service, guarantees that the above personal data will be inputted no later than September 1, 19--, (following verification), and will be kept confidential before and after such time.

Please keep a copy of this for your records.
Imagine Joe User gets this letter in the mail. It looks authentic, having the logo and letterhead of the service, and arriving in a metered, typed envelope. But will Joe believe that PinkyLink actually sent this to him?
The whole situation is preposterous! Any real life computer service with a password problem would require that all password updating occur on-line. It's simply the cheapest and easiest way to update hundreds or thousands of pieces of user information. Still, when Joe User looks at this letter, he will notice that he isn't in immediate danger as some other users of the system are; unlike those other poor losers who got their passwords stolen, Joe doesn't have to be concerned that he'll start getting huge bills in the mail from the criminal charging system usage to Joe's account.

And what about that 75% deal at the bottom? That makes Joe twice as likely to respond to the letter. Not only does he have a responsibility to himself to make his account secure again, he has a responsibility to the database: if they were nice enough to warn him of this and pay him for it, the least he can do is comply with them. And the return envelope is postage paid!

Of course, PinkyLink probably has an on-line way for users to change their password, but you don't have to mention that when you write a letter like this. Remember, the style is more important than the wording of the letter. Before you send out something like this, be sure to look at real examples of PinkyLink's correspondence, to get an idea of the kind of paper and printing used, sizes of fonts, coloring, etc.

You should expect high returns from this swindle, especially if the people you send the letters to are absolute rookies. Later we'll talk more about how monitoring BBS activity can pay off.

Request For Information

And now, back to some pure social engineering through the mails... Scan all the computer mags and journals furiously, even the bad ones, for warnings about product failures and security loopholes. Journalistic morality generally prevents dangerous secrets from making their way to the mass media, so the exact details of system security failings won't make it to print. You'll see things like, "Four hackers were caught yesterday, after exploiting a loophole in the V software on the W machine at X Military Base." Or you'll see things like, "Company Y has released a warning about its Component Z, which is supposed to keep unauthorized users from penetrating a system..." What you do is, go print yourself up some official looking stationery, mail a concerned letter to the folks at the company, and wait for their speedy reply. You can try the annoyed approach:
Dear Mr. Abel Jones:
It has come to my attention that there are serious shortcomings in your product, Component Z.
My business operates under the assumption that our data is secure because of Component Z.
Seeing as how we have been misled for six years, I expect either: details on the flaws which inhibit Component Z, or reimbursement for six years of twelve nonfunctioning Component Zs, the cost of which amounts to $14,000. I expect a quick reply.
Or the "Let's work together to make this world a better place to live in," approach:

Dear Mr. Abel Jones:
I was dismayed to read in Friday's edition of Computer Magazine that your Component Z is defective.
My business uses twelve of these devices, and I would regret very much if we experienced a data loss due to their not working.
Please send an explanation of the problem in the enclosed envelope, so that my technicians may remedy the problem as soon as possible.

Thank you for your help.

Sincerely,

I'm divided as to whether or not you should mention specific threats in your letter to the company or organization. On one hand, you don't want them to suspect your letter is phony. But on the other hand, they're going to be receiving many letters similar to yours, most of which are legitimate. You shouldn't have any problem as long as you type the letter on good quality paper, with either a real or imagined letterhead on top. For added effect, type the address on the envelope, and instead of stamping it, run it through a postage meter. You may also slip in a business card of your own design; they are cheap to obtain.

If the company refuses to help you without proof of purchase, well then, you're on your own. You can always try to social engineer the company technicians into revealing the security flaws. There are also plenty of computer security associations, organizations and other groups which will have the particulars of the loophole. You might also make an attempt to get the juicy details by calling the publication in which you read about the security failing. Try to speak to the person who reported the story. People at magazines and newspapers are surprisingly easy to reach on the phone, but getting them to talk is a different matter!

Written Engineering

Social engineering may be done through the mail or through other forms of written contact with users of a system. For example, the survey method can be altered such that the human element is eliminated. If you don't want to wait around in a lobby all day, just leave out stacks of the forms with either a drop-box or an address to mail them to. Expect minimal response.

Other written ruses take the form of advertisements. Put up a notice in a computer room, saying that paid volunteers are needed for a special project. "Become a System Manager! Great Experience!" Have interested folks mail you a post card with their name, address, desired password, and possibly the machines they currently have access to on the net. While making the ads you'll say to yourself, "Sheesh! This is so obvious!" But you won't believe how many people fall for it. Have them address the postcards to something like "X University, Computer Science Department, Roger Hamm's Office" followed by your address. If your address is thirty miles away from the university, forget about it.

Two Manhattan hackers tried this stunt. They noticed there was a blank space at the bottom of a particular magazine advertisement for one of the popular pay-for-play information systems. They went to local area libraries and borrowed all magazines they could find that had this ad in it. Using a "sideways printing" utility, they fed the pages into their printer, which printed out, "Manhattan Area Residents, Call [phone number] For Free Six Month Membership." Then they returned the magazines to the library.

When people called them up, they would begin by playing a corny recorded message: "Welcome to X-Net's Free Six Month Membership Program! Listen to all these great things you can do with X-Net ... !" When that was done, one of the hackers would come on and ask the caller a few questions: "Where did you hear about this program?" "Have you ever subscribed to X-Net in the past?" "What other fee-based bulletin boards, or other computer networks do you belong to?" "When you call up X-Net, what would you like your sign-in name to be?" "And your secret password?" "Are you sure you're going to remember that password? Perhaps you'd like to choose something else?"

In this way, they ended up with a dozen names, computers they visited, and one or two passwords to try out. You won't get as big a response if you don't live in a big city, but it's worth a shot. Advertising can also be done by slipping a printed card into the magazine, or by advertising on BBSs.

A similar ruse is to advertise your phone number as a local call switcher, especially in places where there isn't already a Telenet or Tymnet link. When users log on they will see what appears to be the usual opening screen, but is in reality a simulation which you programmed. From hacking, you should be familiar with which networks have which addresses, so your program can simulate appropriate login screens for each of them that a caller might try. (Otherwise, respond with a message like, "Line is busy" or "Connection can not be established." Look at actual call switchers, to see not only what messages are displayed, but to get the timing down right.)

After "connecting" to a computer or network, the program continues its simulation, collects the user's name and password, then aborts due to erratic line noise or some other ghastly problem. If the user tries calling back immediately, a message can be put up that warns certain transmission routes are undergoing maintenance, or similar baloney.

In-Person Engineering

Any instance of impersonation is a form of social engineering. The impersonation may be of an individual person (the president of a company who demands to know why his password isn't working) or of a generic person (Jill Technician, calling to ask if any computer problems have come up). The telephone is normally used because it enables a hacker to reach distant businesses without travel, as well as creating a defensive barrier between the hacker and the people he or she calls. If the conversation starts to go sour, a telephone can be hung up; if a face-to-face talk gets out of hand, it could be difficult to get out of the building.

A good rule of thumb when doing in-person social engineering is to always wear a suit - a good suit, one that fits properly. Make yourself look like you just stepped out of a fashion magazine. At the very least, wear a shirt and tie. Females, wear suitable business attire.

Many kinds of SE that work over the phone won't work in person. You can't pretend to have an office, or pretend to have a computer terminal. Because of this the information you get from bullshitting in person may be minimal or only peripheral. You will probably end up with more background material than immediately useful information. Pretending to be interested in wanting a job at the firm, or going on a tour of the place, or simply squeezing in and wandering around on your own, provide lots of good data on how employees interact among themselves. Hackers and crackers have also impersonated maintenance workers, painters, and other workers to get inside a company. Being a security guard is also a nice ruse.

The prototypical in-person social engineer is the survey taker. You make up a survey, and stand in the lobby of the building with a pen and clipboard, and get people passing by to fill one out for you. The survey asks for name, spouse's name, hobbies, pets and pets' names, and similar info. Then you go home and try all that stuff as passwords. You might want to say there's some prize involved. For example, that completely filled out forms will be entered in a raffle; winners get tickets to a local show, or a free meal at a nearby restaurant. (Hint: Don't ask people to fill out surveys in the morning when they're late getting to work.)

Other Roles

Social engineering in its most important sense refers to the obtaining of personal or group passwords by making up a story about yourself and role playing it, hoping that whoever you end up speaking to will play along. But the goal of social engineering doesn't just have to be passwords. And the method of engineering doesn't just have to be over the telephone. Conversations may take place in person or through the mail. The first requires strong nerves and greater acting ability. The second is more suited to those who find it difficult to ad lib telephone SE conversations.

Miscellaneous Social Engineering Tips

To improve your chances of getting in with social engineering, here are some tips. Notice how the person you speak to reacts to your questions. If you speak to a receptionist or other worker on the bottom of the pay ladder, he or she may not want to chit chat or fool around with computers if he or she's being monitored, or if calls are being screened by the boss.

Go to some public place where they have terminals hooked up, and look at the wall where the terminal is connected to the phone box. Write down the four digits that appear on the box (these are the last four digits of the phone line that the terminal is hooked to). Guess the first three digits of the number by looking at a directory for the "public place" in question. Call a couple times at different times of day to make sure the line is always busy. Keep some of these "leased line" phone numbers handy when you social engineer to give to people who want to call you back. This is especially true of sysops who suspect you're a hacker and want to see if you're brave enough to give them personal identification information about yourself. This is better than just making up a phone number out of thin air, because if they do call up, the busy signal will at least create some reassurance in their mind that you weren't a complete fake.

Just giving them a number will usually relax them enough so they feel you are one to be trusted.

Confront people in a lighthearted way when they give you a password. Say, "Are you sure that's really the one you use?" Secretaries may have two passwords. One is their own, which grants them access to a low-level group account. The other is their boss's password, a higher level one that they know about because, frankly, secretaries know everything about an organization.

Challenging someone in a non-accusatory way about the password you are given may also cause them to fess up if they had indeed given you an invalid password to get you off their backs. Second guessing them shows that you already knew the correct password, and that you caught them in a lie.

If they are bewildered when you ask for a higher password, just say, "Didn't they upgrade your access yet? They just bought this whole new system that's supposed to work fifty times faster and everyone's saying how wonderful it is..." Then quickly change the subject.

Have a background tape playing with office sounds or whatever is appropriate for the number you call. Before using this tape, try to take a tour of the company and listen to the real sounds made during the work day. Also, play the tape for a friend over the telephone, and similarly have a friend play the tape while you listen over the phone - trying to adjust the tape to a realistic sound level. Remember that if you're the "first one in the office" as with our naive user example, you don't want the tape to include background chatter or typing!

When you're talking to people, even if it's just over the telephone, keep a smile on your face and act in a jovial, friendly manner. Pretend you're that person's best friend. If the person picks up the phone with a, "Hello, General Widgit Corporation, Lulu speaking," you respond with, "Hi Lulu! This is..." and go on with your spiel.

Now Lulu doesn't know if you two have met before, and as you continue with your friendly attitude, she will begin to treat you more like a friend. Try looking through some books on voice marketing, telephone selling, etc., to get more ideas.

The way in which your phone call is received can also affect your credibility. Often a company telephone will make a different sort of ring, depending on whether the caller is on an inside or outside line. Since you are pretending to be an inside caller, you will want your telephone ring to reflect that. To fix that, call a wrong office or department in the company, and have them transfer you to the number you're after. For instance:
PERSON ON OTHER END: "Advertising. May I help you?"
YOU: "I'm sorry, I guess I dialed wrong. Would you mind transferring me to extension 4358?"
Now you'll get that in-house ring, and with it, an air of authority (and maybe even a special inside caller light will flash on the telephone, too).

Another way to get that desirable inside caller ring/light is to dial, not the listed number, but one next to it. Any organization with more than one phone line almost certainly owns a block of phone numbers. So if the listed number to call is 123-4567, try calling 123-4568, or something a few digits higher or lower. Your call will usually go through, and it will take on the clout of having been placed by someone who is apparently a company insider - anyone else would have dialed the listed number.

Another thing to consider is if you're trying to reach a higher-up in the corporation, you may only end up contacting secretaries, receptionists and/or other underlings. A good trick is to call an office of higher or similar prestige as your goal office, and let the secretary transfer you over. For example, suppose I want to try social engineering Mr. Palooka - a middle manager who runs the shoe division. But I can't get through to speak with him personally. What I do is, I call up Mrs. Colt, who is either a same-level, or higher-level manager, and I ask her secretary to connect me with Colt personally. Colt's secretary asks what I wish to speak to Colt in reference to, and I say, "Shoes!" But Mrs. Colt handles only the rubber band accounts, not shoes. So Colt's secretary says, "Well, you'll have to speak to Mr. Palooka about that one; would you like me to connect you?" She will then transfer your call to Mr. Palooka's secretary. Palooka's secretary comes on the line, and you say to her, "Hello. This is so-and-so. Mrs. Colt's office suggested I speak with Mr. Palooka about shoes." Here you have a recommendation from another company member! You're now much more likely to get in to bullshit Mr. Palooka. Happy engineering!

Sample Social Engineering Situations

It's easy to get yourself into awkward situations, especially at the beginning of your social engineering career. You will speak to receptionists and other company insiders who know the lingo, know policies and screen setups, and know how to spot a fake. Whether intentional or not, you will be asked questions to which the answers are not readily apparent, due to the fact you are an impostor. Here are some samples and possible solutions.

RECEPTIONIST: "You're Charles Green? But there is no Mr. Green in our computing department."
YOUR RESPONSE: "I've just been here a few days."
RECEPTIONIST: "That's funny, I didn't see your picture hanging up on the New Staff bulletin board."
YOUR RESPONSE: "Yes, I know. What's-her-name hasn't had a chance to take my picture yet. Maybe later today."
RECEPTIONIST: "What do you mean, 'What's-HER-name'? Jack's the one who takes staff pictures."
YOUR RESPONSE: "Oh yeah, Jack - right!"
RECEPTIONIST: "I won't be able to help you until I have your staff ID. What is your employee ID number, please?"
YOUR RESPONSE: "Oh, I don't have one. I'm just a temp. I'm filling in for someone who went off to have a baby."
RECEPTIONIST: "Just read the number off your ID badge."
YOUR RESPONSE: "I didn't get my badge yet, there was some mix-up or something. My supervisor said she would give it to me tomorrow, maybe. You know how it is, no one knows what they're doing, and all that..."
RECEPTIONIST: "Who's your boss/supervisor/manager?"
YOUR RESPONSE: "M______. Do you know anything about him/her?"
(You should've done your research, so you should know the answer to this sort of question. If you don't know and it's a large company, or a large building, you can try either answering with a false but common name, or try the old, "Uhm.... Something with an 'S' - Schindler? Schindling? Schiffer? Schifrin?")

Here's a different situation:
RECEPTIONIST: "But I don't have a computer!"
YOUR RESPONSE: "I'm sorry. I must've dialed wrong. Is M______ available?"
(M______ is the name of the receptionist's boss.)

If you can manage to work in some company news or personal tidbits in an unobtrusive way, then do so - if the person you're speaking to seems friendly. This is just another way of gaining credibility points.

YOU: "Sorry, I didn't hear that last thing you said. It's really loud here with that construction they're doing next door."

YOU: "By the way, does M______ have a kid in the Little League? My son has a friend named

Note that for maximum benefit, credibility questions should be worked in before asking about login procedures.

Tuesday, 29 November 2011

Other Hints

If it's possible to research the place, do so beforehand. Do as much as you can to find out about busy hours and what kinds of problems they might experience with the system. If it's a public place like a library, for example, then try to figure out which people working there know nothing about computers. Try to get those people on the phone. Also, make sure you identify yourself as so-and-so from the computer department (or computer division, or section; if the person answers the phone, "Hello, registration office," then use the same terminology - computer office). And when you do so, use a common, everyday first name, and also a familiar last. If you can't get the login information the first time, try again at a different time, on a different day. Don't speak to the same person, however.

A friend of mine, Bill, told me this story. One summer day he called up a mail order place to buy some electronics equipment. As the woman was taking his order, she casually mentioned that she was doing everything by hand because the computers were down. Bill asked if she knew why they were down. She said she didn't know, but she was pissed about it because computers in other parts of the building were working fine. Well, as soon as Bill got off the phone, he called back and hearing a different operator on the line, proceeded to have this conversation:

OPERATOR: "Shark's Radio Supplies, Pam speaking. May I help you?"
BILL: "Yes, but actually I called to help you. This is Bill Robinson, in the computer department. Are you still having problems with the computers?"
OPERATOR: "We sure are!"
BILL: "Oh, okay. What's the computer showing right now?"
OPERATOR: "Nothing, we have them all turned off."
BILL: "Oh I see. I thought you were having problems with it, but I guess you're in the part of the building where they're not working at all."
OPERATOR: "Yeah."
BILL: "Well, have you tried turning them on lately?"
OPERATOR: "No - oh, are they back on again?"
BILL: "I think they might be. Now would be a good time to try."
OPERATOR: "Okay.... Nothing came on the screen."
BILL: "Can you type in anything?"
OPERATOR: "Lemme see.... No."
BILL: "Sometimes, even if it doesn't look like the letters are going to the screen, they still go there. Try typing in all the stuff you usually type in when you first turn on the computer."
OPERATOR: "Okay."

The operator went on to give Bill all the information he needed to know. When the operator was finished "logging on," Bill gave a resigned sigh and said, "Oh well, it was worth a shot. I'll go back and tinker around some more. Thanks anyway." Of course, he still didn't have a phone number to call. He didn't even know if the computer system was connected to outside lines - after all, this all happened on account of a freak accident, his finding out about the downed computers. But now he knew how to go about logging in to Shark's Radio Supplies' computer system, and he had made a friend on the inside. The login information was important in case he did find a phone number, or if another hacker needed the information.

Having an inside friend was important because now Bill could use her as a further information source, if the need ever arose.

Peak Hours

Don't use the above mentioned sort of ploy around lunch time or early in the morning. It'll be harder to work effectively. Let the pressures of the work day start to pile up before you call.

If the system you're breaking into is a place you have access to, such as a library, dentist's office, bank or school, you should do a little research and figure out when the best time is to make your call.

At one of the libraries I belong to, the computer system has a "3 o'clock slow down." At around 3 o'clock every afternoon, the computers suddenly slow down to half their usual speed. This leads to various other computer problems and, ultimately, very frustrated library workers. I don't know why the computers slow down; maybe the system gets the most use at 3 o'clock, or maybe at that time information is forced to travel through an alternate route to get from the library's terminals to the mainframe located at a college on the other side of town. If I were to try some social engineering on the library, I would do it during the 3 o'clock slow down, when most problems occur.

I've noticed another thing: The library patrons who don't realize that there's nothing wrong with computers (who don't know that they always slow down around that time) call up the "computer room" at the college and ask why their computers are down. Don't you think it would be a pleasant surprise, if one day they got a call from the "computer room" (i.e., me or you), asking if there's anything we could do to help? Surely they'd be more than willing to tell you the logon procedures they use, if only you'd speed up the system for them!

Computers tend to be at their slowest toward the middle to end of the day, when the most people are on the network. Especially in university settings, this is true. Frequently students and faculty will log on in the morning, then stay connected throughout the day, regardless of whether they're using the system. On the other hand, some systems will actually get faster as the day proceeds, so research is always a must. For example, the Prodigy service is proud of the fact that toward the end of the day and into the night, as usage increases, system speed also increases. This is because data is stored on a dual-tier basis. There are the mainframes situated in Prodigy headquarters somewhere on the globe, and various minicomputers scattered about the country. Users connect to the semi-local minicomputers, called Local Site Controllers, and as they use the system, data is copied from the far away mainframes, to the local minis. By the end of the day, most of the data a user would request to view will have already been transferred to the closer computer, making for less waiting time.

It's good to be aware of pace trends in the places you intend to social engineer. If you can find a noticeable difference in pace (like a 3 o'clock slow down) naturally you will want to work your magic around that time. Good times don't have to just be when the computer changes pace; if the workload, noise-level, number of customers, or some other aggravating condition worsens during a particular time, that is generally a nice time to social engineer. To find these times, try to visit your target's office at various times throughout the day. Find out when the office is busiest. If it's something like a library or travel agency, go visit the building or make some phone calls. Ask a question about something, and if they seem to be having trouble when they look it up in the computer, call back as the guy from the computer department. Remember, offices will be at their most hectic after being closed one or two days, so Monday morning is always a good shot. Just make sure they're not so busy that they don't have time to schmooze on the phone with you.

Social engineering will work with any computer system, of course, but you will naturally find it a lot more difficult to fool a system administrator at the community college, than a teenage bank teller. Social engineering has been successfully used to gain access to corporate networks, schools, government offices, and other systems. Social engineering is a powerful tool, but you have to be a good actor to use it properly.

Hacker As Helper

This type of role playing is like reverse social engineering without the sabotage (see next chapter). Here you pretend that something has gone wrong with a place's computers, and you are the technician who is calling to fix it.

Let's say you want to break into the computers at the mayor's office. You call up his secretary, and you say something like this:
"Hello, this is Jake McConnel from Computers. We were wondering, have you been having any problems with the computer system?"
Of course she's been having some sort of problem with it - there's always some problem with computers!
The secretary answers: "Why yes! First this was happening, then blah blah blah..."
You say, "Yes! That's exactly it! That wasn't your fault - there's something wrong with the computers, and we're having trouble fixing it. When you first turn on the computer, what do you type in to get it started? One of the other guys here was screwing things around last night and we think that has something to do with it."
The secretary will not be suspicious; after all, you've identified yourself. Even if you hadn't, what harm could possibly come from telling someone a password over the phone? You see, the secretary, or any other underpaid, overworked, menial user of the system, is a very weak link in the chain of security. The secretary doesn't understand computers and doesn't want to. All she knows is something's going wrong and you're going to fix it for her. This is a very effective ploy.

Hacker In Power

If appealing to a technician's sense of godliness won't work in your situation, perhaps it's time to become a god. In a military setting, pretending to be a high ranking officer can put fear into the hearts of any lowly receptionist. Just call up, saying either that you are the general, or you're the general's personal secretary. In either case, both of you are pissed off that your computer isn't starting up the way it should. Demand to know why your account isn't being accepted as valid.

Don't whine or complain; just make angry demands. You will get results. In a corporate milieu, pretend to be the CEO or the president, or secretary of a CEO or president, especially in organizations where it is well known that the leader is a hothead. No one wants to get fired or demoted. The anger routine is useful because the person who picks up will want to be rid of you as fast as possible, and will do anything to get you off his or her back.

Presidents, leaders, military officers, CEOs and the like, don't have to be angry, however. Just the mention that you are whoever you say you are will work wonders for your credibility (who else would possibly dare to proclaim themselves General So-And-So?). But if you act as a high-up without being angry, make sure you've done your research beforehand and know what your name is.

This is a sample encounter:
PERSON ON OTHER END: "Good afternoo-"
YOU: "THIS IS GENERAL FROBBS. I AM APPALLED BY THE CAVALIER WAY IN WHICH THIS PLACE IS BEING RUN! I WENT AWAY FOR TWO DAYS AND WHEN I RETURN I FIND I HAVE BEEN ERASED FROM THE COMPUTER! WHO'S IN CHARGE OF THESE COMPUTERS? I'M APPALLED! I DEMAND YOU RESTORE MY ACCOUNT. I HAD MANY IMPORTANT DOCUMENTS SAVED THERE!"

PERSON ON OTHER END: "Did you try typing 'GROUP-1,' 'SEC'? That still works."
YOU: "THAT'S THE DAMNED GROUP CODES! I NEED MY OWN PERSONAL ACCOUNT BACK! I AM APPALLED!"
PERSON ON OTHER END: "I'm sorry, I can't help you with your own codes. Would you like me to find someone who can?"

Notice in this example conversation you have managed to procure a username/password combination which, while not too powerful, at least will gain you access. Even if the person on the other end never does manage to find the general's password, at least you've ended up with not just one, but several accesses to the system. After all, if there's a GROUP-1, there must be a GROUP-2, right?

Hacker As Neophyte

Here you play the role of a new user. Let's say you're trying to get into a company's computer system. The time is 8:55 in the morning. You call up the computer department (from your home or wherever) and this is the conversation that follows:

PERSON ON OTHER END: "Hello; Jack Chipper, Computing Department."
YOU: "Hello, Jack, this is Gary Harris from the Researching Department. Maybe you could help me with a problem?"
JACK: "Maybe... What is it?"
YOU: "Well I'm the first one here, and I can't seem to get things started up. Will you talk me through it?"
JACK: "Sure. You by your computer?"
YOU: "Yes."
JACK: "Okay. Turn on the red switch on the floor. You see it there?"
YOU: "Yes, okay. I see it... Okay."
JACK: "It'll take a few minutes for everything to boot up."
YOU: "To what?"
JACK: "Uh, boot up. I mean, it'll take a minute or two for the computer to set itself, to get ready to use."
YOU: "Okay, it stopped."
JACK: "What do you see?"
YOU: "Just what you always see. It worked up to here fine before, but after this, it didn't work. What do I do when it doesn't work here?"
JACK: "What do you usually type?"
YOU: "I don't know. This is my first day here. I'm just a temp - they said someone would tell me!"
JACK: "Okay, press Enter."
YOU: "Enter... Okay."
JACK: "Now type 'TEMP' spacebar 'PUPPY.'"
YOU: "Okay... Oh!"
JACK: "See?"
YOU: "Thank you, Jack - I don't know what went wrong before!"

Now I want to run through this conversation again, this time pointing out some of the essential components of all successful social engineers.

PERSON ON OTHER END: "Hello; Jack Chipper, Computing Department."
YOU: "Hello, Jack, this is Gary Harris from the Researching Department."

Notice here how you begin your conversation by mimicking the technician's words, introducing yourself in a way similar to the way the technician introduced him or herself. This is done to make the person on the other end feel more comfortable talking to you, and to show that you're not afraid to reveal who you are or what business you do for the company. If Jack had said he was from the Computer Room, then you would say you were from the Research Room. Unless you have a company directory as reference, you won't know the exact names insiders use for each of the various segments of the corporation. Thus, it's usually a safe bet to talk like the insider, in this case, the technician. Even if you say "department" when you should have said "committee" or "room," the fact that the technician used that term will make you sound, in his ears, like an employee.

YOU: "Maybe you could help me with a problem?"

This appeals to the technician's sense of computer godliness. It also piques his curiosity as to what could be wrong with his system, or your use of his system. Saying "maybe" will get the technician somewhat flustered - you should know better than to question his ability to handle computers. He will then go overboard to show you how smart he is. Knowledgeable users love to show off their computing skills (I know I do, don't you?), especially technicians whose job it is to help the multitude of non-experts get through the day.

Also, notice the mention of the word "problem." Computer people love solving problems. Mention in a vague way that there's a problem with his system, and he'll go crazy: just open your ears and let the passwords roll right in!

YOU: "Well I'm the first one here..."

Notice at the beginning I mentioned that the time was 8:55 in the morning. It won't always be possible to call before the workday begins, but it sure does help if you can. Doing so gives you a valid excuse to call a technician for help; after all, if you're the first one there, there's nobody else to ask. But technicians won't always be available before anyone else at the office, so this won't always work.

Consequently, you may want to try making a phone call at the end of the workday. Then you'll be able to say that the other people in the office shut off the computers and went home before you had a chance to finish your work.

YOU: "...and I can't seem to get things started up. Will you talk me through it?"

Now that he knows he's the superhero, you immediately identify the problem, while still being vague enough to not alert suspicion if your assumptions about the login procedures are wrong. After all, dialing into the company's computer system from your house could look very different from actually being there, using it in person.

You're better off staying with general questions, and allowing the technician to mentally picture the specifics of your trouble. The "Will you talk me through it?" request begs him to do something he does by rote every day.

Again, it is important to request that he do something specific (such as talk you through the setup procedures) but not so specific that you blow your cover by making yourself seem suspiciously knowledgeable. For example, if you had simply said, "Can you help me?" he might want to walk over to your office to help you out.

Since you are not actually in an office, this will definitely tip him off to your deceit.

JACK: "Okay. Turn on the red switch on the floor. You see it there?"
YOU: "Yes, okay. I see it... Okay."

You have to pretend to be doing what the technician asks you to do, because remember you're not actually in the office, and perhaps the reason you are social engineering is because you don't even have a dial-in number. It's good to have an actual computer next to you, so he or she can hear the power being turned on and you clicking away at the keyboard.

JACK: "It'll take a few minutes for everything to boot up."
YOU: "To what?"
JACK: "Uh, boot up. I mean, it'll take a minute or two for the computer to set itself, to get ready to use."
YOU: "Okay, it stopped."

"To what?" shows your complete helplessness when it comes to computers. You don't want to pretend you've been living in a cave the last three decades, however. Saying, "What's a keyboard?" will only provoke utter disbelief, not sympathy for your naiveté.

Don't forget that the conversation has a plan to it - you're trying to steer the conversation to your benefit, so make sure you stay in control of where it's heading. "Okay, it stopped," reassures the technician that the computer is working fine, and that his or her ability to give instructions over the phone has not faltered. But above all, it keeps you on track so the conversation can continue toward its ultimate reward.

JACK: "What do you see?"
YOU: "Just what you always see. It worked up to here fine before, but after this, it didn't work. What do I do when it doesn't work here?"
JACK: "What do you usually type?"
YOU: "I don't know. This is my first day here. I'm just a temp - they said someone would tell me!"

Boy! This guy isn't letting up! You could try for another generic answer ("Usually I type my password here..."), but what if you guess wrong? What if at this point an office worker is placed at the DOS prompt or Macintosh Desktop? You see, it could be that dial-in lines are password protected while in-house computers are not. In-house computers might be protected by trust, physical keys, or biometric devices.

In this instance, you've used the "new person" ploy. It's usually a good bet to pretend you're a new person, unless it's widely known that the company is actively firing employees, or is ready to go bankrupt. Saying you're from a temporary agency may or may not be a good idea. Temps will generally have a site contact or local supervisor to whom they report and ask questions. The technician might not know that, however, and in any case you can always say that your supervisor is in a meeting and told you to call the computer department for advice.

JACK: "Okay, press Enter."
YOU: "Enter... Okay."
JACK: "Now type 'TEMP' spacebar 'PUPPY.'"
YOU: "Okay... Oh!"
JACK: "See?"
YOU: "Thank you, Jack - I don't know what went wrong before!"

The "Okay..." is said as if you've tried this same thing a million times, but it's never worked. Thank the technician profusely for his help, and reassure him that you are a genuinely naive but responsible member of the company (in this case, by saying you don't understand what went wrong before).

I based this sample script on hundreds of real-life conversations that technicians have with legitimate users who have similar problems. I can recall dozens of times when I personally have been asked how to do something that the user has already done before, without getting it to work. Usually all it takes is a run-through and everything works fine. My experience has been that these calls usually end with the person who has been helped grouchily saying, "But I tried that before! It didn't work before!" So make sure that you are nice to your technician - you may be needing help from him or her again and it will certainly boost his or her ego to know you appreciate the help you have received.

Here's another example of how a hacker can pretend to be helpless when it comes to computers, but still make off with vital information. When a new computer system has been installed in an office, there will often be business cards or phone numbers taped near the terminals which are used to contact someone from the technical department of the company which supplied the computers, to deal with bugs that haven't yet been worked out.

The business cards (or you may just find a phone number on a slip of paper) may also be taped to a section of wall devoted to important messages, or they may also be hidden someplace behind a clerk's desk or counter. Crane your neck if you must to get the name and number off the card (or simply ask the person, we don't always have to do everything on the sly!).

Let's say you managed to get Frank Smith's number at Corny Computing while you were doing some business at a branch of an insurance company. Call the number and say, "Hi, this is Lauren from Booboo Insurance. There was some weird stuff going on with the computers and I had to shut them off, and now I'm stuck..." And let them lead the way.

One time I saw such a business card taped to a public access terminal at a library. I copied off the information, then called up, saying, "This is Jack [a guy named Jack really worked at the library] from Whoopie Library. I'm having trouble getting into the circulation system from public access mode. The computer's behind the counter, so I don't know what it was doing in PA mode to begin with, but..."

The Noble Form

To those hackers whose sense of ethics does not allow them to use trickery in an attempt to ascertain passwords, one form of social engineering still might be used without straying from one's sense of morality: the gentle art of asking, "Please ... ?" I think I've never heard of a verifiable instance where this has worked, though there are rumors that hackers have simply requested - and received - passwords from system users. Usually, the story goes, the system operator is either asked over the telephone, or e-mailed a letter which says something like: "I am a hacker. Give me a low access account and I will use my skills to show you what your system's weaknesses are. That way you can correct them and won't be troubled by malicious crackers in the future."

The other way to do this is to call up someone - anyone - a secretary in an office for instance - and just ask, "What do you type in to start the computer in the morning?" Will this work? Well, you would have to be lucky enough to call someone who's fed up with his or her job, and who doesn't know any better about security procedures.

Social engineering minus the deceit is not likely to work, and could make it harder for you to get in, in the future. More likely you will want to bone up on your acting skills and try some telephone shenanigans.

Social Engineering

It is somehow shocking the first time one hears about "social engineering." At least it was shocking for me. Hacking is thought of as an activity pursued solely, nocturnally, relentlessly, for hour after midnight hour, by some dazed and nerdish character banging away at a computer keyboard in feverish pursuit of that single golden word which will grant access to the technological secrets of the universe.

That is how it was at some point in the past, until it became impractical. Those brute force methods are certainly valid, and they are the bread and butter of any well-stocked hacker's arsenal. But there are other ways to learn passwords; social engineering is one of them.

"Social engineering" is the attempt to talk a lawful user of the system into revealing all that is necessary to break through the security barriers. The alternate term for this is "bullshitting the operator."

Social Engineering (SE) appears in a variety of forms and disguises. Here I will list many of them. As you will surely discover for yourself, there is a cornucopia of clever twists and variations to be made on each of these examples. Some twists I will examine, others will be left for you to creatively imagine.