6/28/2006
Phishing as an Art - The Art of Social Engineering
Spotted this interesting story on CMPnet
Hook, line and sinker
Kelly Jackson Higgins, 28-Jun-2006
The receptionist lets the “consultant” into the conference room, where he hacks the network. Just another social engineering ruse that companies are falling for.
Here’s a new phish: An attacker recently created a fake phishing message and, posing as a bank customer, forwarded it to the bank’s security officer. When the security manager clicked the link to find the alleged phishing site, the message secretly launched malware that hijacked his workstation for a month.
Walk-in phishing and hacking is actually pretty common. It’s even easier when the company has an insecure WiFi network. When I was doing a lot of direct security consulting with companies, I asked them to let me have their conference room for one hour and I’d tell them ten things they didn’t know about their network. And if I couldn’t, I’d go away and never take any more of their time. Nine times out of ten, I got a contract with that company. Only once did I actually encounter a company that had the wall jacks disabled when not in use. Once.
Crafting a pseudo-phishing message, posing as a customer, and using it to lure the bank staff is a creative approach. Phishers, hackers, those who would gain information, are nothing if not creative.
Social engineering isn’t new. It’s based on simple psychological realities. People want to be liked. Because of this, they are generally helpful when they can be. Present a plausible situation, and most people will try to be helpful. Simple trust in human nature. Perhaps just in nature. There are other species that act wounded to draw in prey. Or use bait. It’s baiting, just like real world fishing.
The story, like most, fails to emphasize enough that the weakest point in any security solution is people. Real security involves a corporate culture of ownership or stewardship of every company asset and resource, physical and digital. Companies that have that kind of culture also don’t let people “shoulder surf” through security doors on someone else’s badge. Security is a people problem and can’t be solved by technology alone. You cannot write a check for security and buy it. It’s learned, socialized and ingrained over time. Otherwise, security is an illusion.
Technorati Tags: phishing, hacking, Infosec
Filed by Ken at 4:10 pm under InfoSec
Yup - one of the most interesting non-fiction books I’ve read in the last few years was Mitnick’s “The Art of Deception” - a little tedious and repetitive but the information on social engineering was a real eye opener.
Yeah, I agree. I find Mitnick harder than hell to read because his ego is always in the forefront and he repeats himself constantly. But the point of the book is that people are the weakest link. He does make that point well and repeatedly. And at least some of the stories are interesting.