December 09, 2006
Is social engineering always used to commit fraud?

When I was describing social engineering to my latest VoIP class this week, one of the students asked the very relevant question, "Isn't that just another name for fraud?"
Yes, Virginia, in most cases social engineering is used to commit some type of misrepresentation or fraud. That was especially so in the context I was using it in, where I described how Kevin Mitnick used the 'art' of social engineering to find out whether the FBI was bugging his phone (that and numerous other tricks) back in the day.
I was also describing the use of the 2600Hz tone to get free long distance when in-band signalling was still used by telephone companies. Draper was famous for his Captain Crunch escapades as well, and while this wasn't technically part of the social engineering discussion, it did act as a segue into how people are socially engineered all the time, even today. Case in point is the latest HP scandal where social engineering was used and for some reason is now called 'pretexting'.
What's the remedy for social engineering, you ask? Education.
Education of your employees is paramount to stop social engineering attacks.
Education in your tech support department is especially important, where an outsider acting as an employee can sometimes gain corporate access by gaming an unknowing (or overly trusting) tech support person.
In other words, when it comes to your support department - trust, but verify.
During class I couldn't think of a use for social engineering which didn't end in some type of fraud.
Let me know if you can think of any way that social engineering can be used for non-nefarious purposes. Right now I can't seem to think of any...
Posted by Victor R. Garza on December 9, 2006 03:56 PM
COMMENTS
Education and well defined processes. If a company has very well defined processes for what kinds of things can be communicated over the phone, email, and chat then the company is a lot safer. The book goes into great detail in explaining that if many of those people simply knew what they could and could not say over the phone the scam would never have happened.
Posted by: Bob Balfe at December 10, 2006 04:22 PM
Assessment as well as security education. Companies should conduct tests on their staff to check the level of security awareness, before an attacker does so. The objectives of these tests should be to raise awareness and not make an example of some poor person who has just been scammed.
When it comes to education, too often companies carry out a once-off workshop, the essence of which gets lost on the ordinary employee a few months later. This, too, needs to be an ongoing practice. Agreed, well defined processes are an absolute must.
> Let me know if you can think of any way that social engineering can be used for
> non-nefarious purposes. Right now I can't seem to think of any...
I would say it depends both on your definition of "social engineering" and "nefarious purpose".
For example, pretending to be someone who you are not is a common social engineering technique. It's also valuable for salesmen and job-hunters trying to gather information about who are the decision makers.
Shmoozing the secretary or receptionist is also a time tested technique for salesmen and for job-hunters, and is used by the fraudster.
Just as reverse-engineering publicly visible code and communications protocols is useful for both fraudsters and those trying to extend the life of old, crufty applications.
Certainly using these techniques to glean passwords, etc. is nefarious; what about using these techniques to try to determine if a prospect is really planning to purchase a product, or just window-shopping? Or if the job is really going to go to the person with "proven C++ skills" or the friend of the CEO's nephew with no skills and a large supply of BS?
Ah, the difference between a white lie and true deception. I would follow along with the common consensus (maybe not common, but general feeling) that as long as the lie doesn't hurt anyone, then it's still not true deception. I don't subscribe to that definition personally, and I'm sure that others would agree that honesty is the best policy, but then again, I'm not in any profession that may require deception as a means to an end.
Posted by: Victor R. Garza at December 16, 2006 10:14 AM
"Education of your employees is paramount to stop se attacks" That is definitely true, but defence must start from company security policy.
Posted by: AZOR at December 28, 2006 10:20 AM
If you were honest with yourself and your students, you would have brought up the "pretexts" that investigators used to out an HP board member... at which point you should have reminded the students that state/authority committed fraud is, well, in its own Machiavellian way OK... life is full of little contradictions and hypocrisies like that.
Posted by: anonymoustroll at January 14, 2007 05:14 AM
Actually, I did point this out and I also referenced this post...
http://weblog.infoworld.com/zeroday/archives/2006/09/hp_made_me_do_i.html