
Excuse me, but we are offering a pen in exchange for your passwords

Author:      Prothis
Submitted:      31-Dec-2003 12:14:54
Imported From:      zZine (original author: Prothis)


Excuse me, but we are offering a pen in exchange for your passwords.
These people actually traded important personal information for a brand-new Parker-like pen. The passwords ranged from e-mail passwords to dial-up login passwords and other account passwords, any of which could be used to harm someone or to have fun at that person's expense, not to mention all the other possibilities.

Now one would ask himself: were the passwords real? Well, I'm certain many wouldn't work if they had tried them out, but I'm pretty sure some would really work. But just the single fact that someone would be willing to even say they had a password is troubling. Not only would the inquirer know that person had a password, but that given password could give a small hint of what the other passwords (of the same person) could possibly look like.

A way of asking for things, a way of tricking people in order to get things, is what has been troubling the internet and some companies for some time now. What should one do when the flaw is not the machine but the person who runs it?

Nowadays social engineering is growing to enormous proportions and is taking the place of real hacking tactics, even though many still don't consider social engineering a threat compared to hacking techniques. To hack a company's computer (and I mean this literally) one would simply (well, not that simply) have to find a flaw in one of the employees of the company. Secretaries and phone operators, for example, usually have large quantities of information about the company in their hands and don't usually know when they are being hit by social engineering. From them you could get information such as the phone numbers of all the offices in the company, the building layouts, the employee list, the employees' shifts and salaries, and much more.

People complain about security holes in programs meant to protect, when the very presence of these programs can be eliminated by a security hole in a person. Remember: errare humanum est (to err is human).

These so-called social engineering techniques are finding new and improved ways of spreading their effect and tricking people. E-mail worms, spam and viruses, for example, are among the most common places to find social engineering at work, and it is there that social engineering has seen its biggest evolution. Social engineering in e-mails is now used to trick not only people but also filters. Take spam messages, for example. In the old days spam messages were direct and straight to the point: just by looking at the subject and the From address we could tell whether it was an important e-mail or just junk. Nowadays spam messages have evolved in a stunning manner by making the From addresses and the subjects much more convincing.

For example, imagine a spam message from the address loan@loanoffice.org with the subject "Re: Loan Proposal". Someone desperate for a loan (and there are a lot of such people) would take a look at it, and in that split second social engineering would have worked. Even if the spam message was of no interest (and none of them are) or didn't result in anything, social engineering's mission had been fulfilled. Here is another example of social engineering in spam messages: imagine you received an e-mail from the address offer@zone-alarm.net with the subject "Free Zone Alarm Update to Pro". Since many people use Zone Alarm as their firewall, they would be intrigued to know what that e-mail had to offer them, and social engineering would triumph once again. These examples are getting more common as I write, but one specific case where quantity is overruled by quality is viruses and worms.

You all remember the "I love you" e-mail, don't you? Yes, that old e-mail that spread fear and chaos over the internet. Well, a portion of the virus's success was due to social engineering techniques. People would receive the e-mail from someone in their address book, which is one step towards not getting suspicious. Furthermore, the subject strongly encouraged opening the attachment: with that subject and such a romantic text, innocent users would want to see what their beloved friend had sent them. But that e-mail is old, and that means today's e-mail viruses using social engineering are much, much more dangerous and convincing, if not even appealing.

Let's take the example of a little bug that came out not long ago, which consisted of an e-mail supposedly from Microsoft, alerting users to the existence of a dangerous virus roaming the net and announcing that a security patch had been released to avoid it (included as an attachment). This is incredibly stunning, because the e-mail had the shape, size, form and vocabulary of what a Microsoft e-mail would look like. The e-mail even carried pictures of the Microsoft logo to convince people of its authenticity. Later on, a modified version of the e-mail appeared which directed users to a supposed Microsoft patch download site that looked impressively like the real Microsoft site; the author even updated the news and dates to make it more authentic.

The whole system and the architecture of both the e-mail and the webpage were similar or equal to the ones used by Microsoft.

This is one of the finest examples of mass social engineering in the world, one that sometimes even experienced users can't predict or avoid. But what can be used for harmful ends can also be used for fun, as a very recent e-mail showed.

Some weeks ago, I got word of an e-mail circling around Hotmail which consisted of an e-mail simulating (if not imitating, due to its perfect details) a Hotmail Staff e-mail alerting to the amount of unused accounts on the Hotmail servers, and that because of it everyone who got that e-mail should send it to at least 15 people to keep their account active. This e-mail said, in a very formal way much like people are used to from the Hotmail staff, that it contained a little program (notice it had no attachment whatsoever) that had the ability to detect if the e-mail hadn't been sent to 15 Hotmail e-mails, and that in that case it had the ability to delete the Hotmail account. Now people would get these e-mails from other Hotmail accounts and not from the Hotmail Staff (which was, I think, the only flaw in that e-mail, along with the non-existence of the program). This e-mail used the same type and size of lettering, the same format, the same images and logos and even the same signatures as the Hotmail Staff e-mails, which would very much convince people of its veracity. But what I find most troubling in this e-mail is that it was done for fun.

This only demonstrates that social engineering can be used in such a way that people don't even know about it.
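A defensive counterpart to the e-mail tricks above, as an added example that is not from the original article: a small Python triage function that scores an incoming message for the cues the article describes (a brand-like sender domain that is not the brand's real domain, a "Re:" subject with no reply header, an executable "patch" attachment, a request to send username and password, and a chain-letter forwarding demand). The brand allowlist, the assumed zonelabs.com vendor domain and the sample messages are constructed for the demo; the portugalmail case shows that a genuine domain alone proves nothing, which is why the credential-request check exists.

```python
import re
from difflib import SequenceMatcher

# Constructed allowlist for the demo: brand -> domains that legitimately send for it.
LEGIT_DOMAINS = {
    "microsoft": {"microsoft.com"},
    "hotmail": {"hotmail.com"},
    "zonealarm": {"zonelabs.com"},  # assumed vendor domain, demo only
    "portugalmail": {"portugalmail.pt"},
}
EXEC_EXTS = (".exe", ".pif", ".scr", ".bat", ".vbs")
# "username ... password" within a short window, as in the portugalmail pretext.
ASK_CRED = re.compile(r"\b(user ?name|login)\b.{0,60}\bpassword\b", re.I | re.S)
# "send/forward ... to N people/accounts", as in the Hotmail chain letter.
CHAIN = re.compile(r"\b(send|forward)\b.{0,40}\b\d+\s+(people|accounts|e-?mails)", re.I)


def sender_domain(from_addr):
    # "Name <user@host>" or "user@host" -> "host"
    return from_addr.rsplit("@", 1)[-1].strip("> ").lower()


def score_message(headers, body, attachments=()):
    """Return (score, reasons); each reason is one social-engineering cue found."""
    reasons = []
    domain = sender_domain(headers.get("From", ""))
    label = domain.split(".")[0].replace("-", "")  # zone-alarm.net -> zonealarm
    for brand, domains in LEGIT_DOMAINS.items():
        # Sender looks like a brand but is not one of that brand's real domains.
        if domain not in domains and (
            brand in label or SequenceMatcher(None, label, brand).ratio() > 0.8
        ):
            reasons.append(f"lookalike sender {domain} for {brand}")
    subject = headers.get("Subject", "")
    if subject.lower().startswith("re:") and not headers.get("In-Reply-To"):
        reasons.append("'Re:' subject but no In-Reply-To header")
    if any(a.lower().endswith(EXEC_EXTS) for a in attachments) and re.search(
        r"\b(patch|update|fix)\b", subject + " " + body, re.I
    ):
        reasons.append("executable attachment presented as a patch")
    if ASK_CRED.search(body):
        reasons.append("asks for username and password by e-mail")
    if CHAIN.search(body):
        reasons.append("chain-letter forwarding demand")
    return len(reasons), reasons
```

A score of zero does not mean a message is safe; the function only surfaces the specific cues named in the article so that a reader or filter can look twice.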

Let's give 2 successful examples I tested on 2 victims:

1- What I did to my friend (a.k.a. victim n1) was first find out that she had an e-mail account @portugalmail.pt and then simply create an account much like security-services@portugalmail.pt. Then I sent her an e-mail explaining that, for security reasons and maintenance of the servers, this e-mail had been sent to everyone who had a portugalmail.pt account and that they should temporarily change their passwords. This would be done by sending an e-mail with the following information: username:password:newpassword. In the e-mail I also explained that it didn't matter whether the old and the new passwords were the same, as long as you provided enough information for the staff to temporarily change it. The e-mail was written in a formal way, simulating a staff e-mail with images and signatures.

I was a bit surprised when I received an e-mail from her containing the exact information I had requested. As you can see, this wasn't as impressively done as the Microsoft fake, but it worked. To do this you just need 2 things: to be slick and cunning, and to have a believable plot.

2- This second example exploits people's vulnerabilities relating to security questions. All I had to do was find out that my friend (a.k.a. victim n2) had an e-mail account @portugalmail.pt and then go to the password recovery pages and answer the question imposed by the account server and the secret question she had set when she registered. The problem with this is that most people forget what the question was, and so when we ask them they tend to answer with no reluctance. So, the password recovery page had three stages: one where I would state the username and the date of birth, one where the security question would be asked, and one where I could choose either to make a new password or to continue with the same password. Naturally I didn't know the date of birth (I just knew the username), so I went to have a little chat with her and then, mixed among other routine questions, I asked "Hey, when's your birthday?" and very quickly she answered me without even asking why. So step one had been completed; now all I had to do was answer the secret question.

The only difficulty I had was that it could be a very specific question like "How much did I weigh when I was born?", where I had to pull the conversation towards babies and then make a reference to how thin I was back then, followed by the question "Do you remember how much you weighed when you were born?". Luckily it was an easy question, so I moved on to step 3, where I was given the option to change or keep the password. If you want to keep unnoticed and perhaps come back later to take another peek at the e-mails, then don't change the password; but if you want to piss off the victim or just tease her, then change the password to the old one and, with the security-services@portugalmail.pt account, send an e-mail to the victim's e-mail address saying that they had successfully completed the password recovery test and that their new password was reset. Then when the victim went to check her e-mails she would find the actual staff e-mail saying the password had been reset and your e-mail saying the password had been reset (that is what I did to victim n2).

The problem with social engineering is that, unlike hacking techniques, everyone can use it efficiently if they just put a little work into it.

It's much easier to trick a person than to trick a computer, and remember that tricking a person, unlike tricking a computer, isn't a crime.

This article was written by: PaPaParleone

This article was originally published by CyberArmy.net in the CyberArmy Library.
