Mitnick advocates the introduction of red and yellow "flags" to help staff determine when they're being suckered in. "If you're talking to someone and they're over-flattering you... they tell you you're the only one smart enough to do what they say, that may be a red flag," he explains.
It's the human tendency to automatically trust rather than distrust strangers that gives social engineers their influence. How many times have you held a door open for a stranger in your building, letting them into the building without swiping their card? People want to be liked, even by strangers, so they do favours for them. And of course it's polite to return a favour where possible. That human tendency is a big loophole for sophisticated attackers, Mitnick says. Exploiting this trait was one of his most successful techniques.
"When somebody does you a favour it is the rule of every human society that you reply in like kind. That's ingrained in every society, especially in the US," he says. "An attacker will purport to be helping you to solve a problem. Or they'll make up a problem and pretend they're helping you."
An attacker may ring a helpdesk and ask the staff about trouble tickets, pretending they're doing a management survey. Once they have the details of a trouble ticket, the social engineer can pose as a helpdesk operator and call the user experiencing problems and help them solve it. Why? So when the attacker calls them back a few hours later and says: "Hi, this is Bob from the helpdesk, I helped you with your e-mail before. If I send you a diagnostic tool by e-mail could you run it for me? It would really help me out a lot," the user will naturally cooperate. It's a fairly simple ruse, but one that could sucker in many intelligent, but unsuspecting, users.
Another psychological technique used by social engineers is called "reciprocal concession". "This is where the attacker asks for a favour that will take too much time or is too sensitive... they'll ask for an unreasonable request," Mitnick explains. Then the attacker will move on to an "if you can't help me do this, can you help me with this?" type of approach. "They will feel it necessary to compromise," Mitnick says.
The master social engineer says tricking someone into disclosing information or performing an action on behalf of the attackers is similar to good salesmanship.
"It's using sales and marketing tactics and applying them in a negative way," he says. "You want to have a set of red flags or yellow flags that are indicative of people using these tactics."
Train your people, Mitnick says, and audit them. The risks can't be eliminated, but they can be minimised. The proof? The master himself was recently taken in. A reporter told Mitnick his publisher had authorised him to discuss details of his new book. Mitnick believed him without verifying the request. "I was socially engineered," he admits.
Hello,
This is part of my research. I would like to write a thesis in computer security, specializing in Social Engineering. Could you provide me with some examples of good titles?
Thanks in advance,
Christian