"Social Engineering" just a new twist on an old con game

Editor's Note: This article was adapted from one that appeared in the July 5, 1994 issue of the U.S. Department of Energy's Computer Incident Advisory Capability (CIAC) Information Bulletin.

In today's world of computer crime, all perpetrators don't have to come in over the Internet; they may just as easily get information simply by asking. Beware of the friendly insider or the official sounding outsider; they may be playing on your good will or naiveté to get what they need. A few examples should help...

A department secretary answers the telephone, "Josie Bass. May I help you?"

"Hello. This is Martin White with the computing center. We think someone may have broken into the file server. Can I talk to the technical person in charge?"

"It's Friday afternoon. I'm the only one here," Josie says.

"How're you doing, Josie?"

"Good. And you?"

A deep breath. "Not too bad, except that it's Friday afternoon and I think we're going to have to wade through a mountain of paper. Anyway, as I was saying, we think your file server has been compromised."

"What makes you think so?"

"Your account name is jbass, isn't it?"

"Yeah."

"We've been seeing unusual traffic coming and going on your server."

"Well, can't you tell for certain what's going on?" Josie asks.

"Sure, I'm searching now, but it's so much paper." The sound of a page being flipped. "What scares me is that while I'm doing this, the bad guys could be downloading or changing information on your server. Maybe you ought to take your server off the network or change your system password."

"Jeez, I don't know how to do that."

Martin sighs. "That's too bad. The intruders may not have even entirely cracked your system." The sound of another page being flipped and then fingers snapping. "Josie, I just thought of something. I have all this on line. It would just take a minute to check if I had your password." A heavy sigh. "Why didn't I think of this before? It's been a long week - too many hours looking at numbers." A pause. "Okay, what's your password?"

"I...er," Josie hesitates.

"Oh, yeah, you shouldn't give it out. I understand." The sound of another page being flipped. "It was such a good idea, too." Pause. "These guys sure tried a lot of different ways to break in..." Another page.

"Hey," Josie says, "we could be here all night. Forget I told you this: my password is Jb2cats."

"Thanks. Great. Hold on." The sound of keys being typed. "Okay. Let me double check." More typing. "That's it. Good news, they never got in to your system." Pause. "Thanks a lot, Josie. We would have been here half the night for a non-event. By the way, once they pass you by, it's very rare that they'd come back. You're in good shape. "

"Thanks. You have a good weekend," a relieved Josie responds.

"You too."

"Martin White" and his confederates will have a good weekend changing the grades of students who are taking classes from that department - for a fee, of course.

This is one (fictionalized but only too realistic) example of what's called "social engineering," an ironic characterization of the nontechnical aspect of Information Technology (IT) crime. In other human interactions it's called a "con (or confidence) game" where Martin is the "con artist." The underlying idea is simple: deceive the victim into revealing secret information or taking inappropriate action for the attacker's benefit.

Most of us are helpful and trusting - it's human nature. We want to be good neighbors and have good neighbors. Social engineers exploit this cooperative inclination. They also employ intimidation and impersonation as well as plain old fashioned snooping and eavesdropping.

As the theft of information increases, we need to increase our awareness of the indirect methods used by information pirates.

For example:

Unlike the technology it targets, social engineering is an old profession with a new name. It succeeds frequently because our culture has not caught up with its own technology. A social engineer would have a much more difficult time getting the combination to a safe than getting a password, or even the combination to a locker at the health club. The best defense is simple: it's education, training, and awareness.

Remember: A password is like a toothbrush. Change it every three months and never, never let anyone else use it (not even someone claiming to be from CERT).