Social Engineering

One method of attack is decidedly low tech: Manipulate users into revealing passwords or other information that can be used to compromise a computer. This approach is known as social engineering. On the surface, it seems unlikely to succeed; but social engineers use deception to trick users into divulging their passwords or otherwise performing actions that aid the social engineer. Sometimes they need only look on as users perform some common activity. Ultimately, social engineering relies on misplaced trust. Some specific examples of social engineering include:

Impersonating a Sysadmin: Social engineers sometimes pose as system administrators. The social engineer telephones, sends e-mail to, or otherwise contacts a user and claims to be a system administrator. The social engineer may ask for the user's password using some pretext, such as a need to re-initialize a password database. If successful, the social engineer may collect quite a few passwords in this way. The social engineer might use a similar ploy to get users to run software designed to compromise the computer.

Impersonating a User: Users aren't the only ones who can be scammed by social engineers. Social engineers can pretend to be users who've forgotten their passwords. System administrators and help desk personnel may then let the social engineer change a user's password. Unless you know all your users by sight, you should implement a policy requiring the presentation of photo IDs before you allow people to change the passwords on "their" accounts.

Dumpster Diving: Sometimes people throw away paper that contains passwords or other sensitive data. Social engineers may paw through the trash to find such scraps of paper, which may be worth many times their weight in gold to the cracker. Even less sensitive documents, such as organizational charts, can be used by social engineers in designing more elaborate attacks. Crackers may also obtain sensitive data from used hard disks or even floppies, so you should be cautious when discarding these items or sending them to others.

Shoulder Surfing: This technique involves peering over a user's shoulder as the user types a password or other sensitive data. This type of attack is particularly likely to occur in public settings such as university computer labs. A higher-tech variant of this approach uses devices that record information that users type on their keyboards. Some of these devices are small enough that they can be mistaken for keyboard adapters, such as those used to plug older keyboards into modern PS/2 keyboard sockets.

Trojan Horse Programs: Some programs claim to do one thing but in fact do another. For instance, a program might claim to be a tool to help you clean up unused files, but in fact e-mail your password or other sensitive data to the social engineer. An Internet-specific variant of this theme is a website that requires a password but that's run by a cracker. Because many users employ the same password on many websites, a social engineer can use the information gleaned from a fake website to gain access to users' accounts on more sensitive websites.

Fake Login Screens: In public computing centers, one specific type of program combines the features of a Trojan horse and shoulder surfing: a program that presents a fake login screen. Such a program looks like an ordinary login screen but in fact does nothing but record the username and password, present a fake error message, and then call the normal login routine. A miscreant can leave such a program running on a public terminal, and victims believe they've mistyped their passwords. A variant on this theme is a network-enabled popup window that requires a password. For instance, if your X server's security is lax, a miscreant can display such a window on your X terminal, making it look like a password request from a web page or user program.

Borrowed Accounts: A social engineer may befriend a legitimate user of a computer system and then ask to "borrow" the account, say, to browse the Web. In reality, the social engineer uses the account for a more sinister purpose, such as exploiting a local vulnerability or installing a fake login screen.

E-mail Viruses and Worms: In the past few years, a large number of viruses and worms have spread across the Internet via e-mail. Many spread by relying on users to run attached programs, which may be disguised as something else. This type of attack has almost always targeted Microsoft Windows systems, but in theory such an attack could target Linux users.
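One practical way to catch an attachment that is "disguised as something else" is to compare what its name claims with what its first bytes say. The script below is an added example, not code from the original chapter: the extension table, the function names and the sample attachments are constructed for illustration, while the magic values it matches (ELF, MZ, "#!", ID3) are the standard ones.

```shell
#!/bin/sh
# Added example, not from the original text: decide from the leading bytes of an
# e-mail attachment whether it really is what its extension claims, so that a
# shell script or executable renamed to look like a song is flagged before anyone
# runs it. Extension table, function names and sample files are constructed for
# this example.

# content_kind FILE : classify FILE by its first four bytes, read with od so no
# external "file" command is required
content_kind() {
    hex=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    case "$hex" in
        7f454c46) echo executable ;;   # ELF binary
        4d5a*)    echo executable ;;   # MZ header: DOS/Windows executable
        2321*)    echo script ;;       # "#!" interpreter line
        494433*)  echo audio ;;        # "ID3" tag at the start of an MP3
        *)        echo unknown ;;
    esac
}

# claimed_kind FILE : what the extension in the file name claims the content is
claimed_kind() {
    case "$1" in
        *.mp3|*.MP3) echo audio ;;
        *.sh)        echo script ;;
        *.exe|*.bin) echo executable ;;
        *)           echo unknown ;;
    esac
}

# check_attachment FILE : returns 0 when content and extension agree, 1 when the
# content is recognised but does not match the extension (quarantine it), and 2
# when the content could not be classified and a human should look at it
check_attachment() {
    actual=$(content_kind "$1")
    [ "$actual" = unknown ] && return 2
    [ "$actual" = "$(claimed_kind "$1")" ] && return 0
    return 1
}

# make_samples DIR : write constructed sample attachments into DIR
make_samples() {
    # looks like a real MP3: begins with an ID3v2 tag
    printf 'ID3\004\001\001\001\001\001\012' > "$1/song.mp3"
    # a shell script wearing a song's name
    printf '#!/bin/sh\necho "not a song"\n' > "$1/greatest_hits.mp3"
    # an ELF binary renamed as an MP3
    printf '\177ELF\002\001\001' > "$1/remix.mp3"
    # plain text with no recognised magic
    printf 'see you at lunch\n' > "$1/note.txt"
}

# Usage: make_samples /tmp/att; for f in /tmp/att/*; do
#   check_attachment "$f" && echo "ok: $f" || echo "suspect (rc=$?): $f"; done
```

The check is deliberately conservative: an unrecognised content type is reported separately (return code 2) rather than passed, because a classifier that only knows a few magic values should not be read as a clean bill of health for everything else.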

Social engineering is a very broad field, and the key to defending against such attacks is skepticism. Don't trust that the person on the other end of the phone is who he or she claims to be; don't trust that the e-mail attachment really is a great new song from your favorite band; don't trust that you mistyped your password when you see a login failure message. Buy a paper shredder to destroy paper documents with even slightly sensitive information. Do a low-level format on floppy disks (using fdformat) before sending them off-site, and wipe hard disks clean by using dd to copy zeroes to all sectors before discarding them. (Even more drastic measures may be in order when handling extremely sensitive data; for instance, some government agencies crush used hard disks to protect the data they once stored.)
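The dd wipe recommended above, written out as a small script with a read-back check so you know the zeroing actually reached every sector. This is an added example, not code from the original chapter; the device name /dev/sdX is a placeholder for the disk being discarded, the function names are the example's own, and it assumes the dd, head, tr and wc found on GNU and BSD systems. Pointing wipe_zero at a regular file instead of a device wipes that file's contents in place, which is how it can be tried without touching real hardware.

```shell
#!/bin/sh
# Added example, not from the original text: zero-fill a disk with dd and then
# read it back to confirm that every byte is zero. TARGET is normally a block
# device (placeholder /dev/sdX); a regular file is accepted for dry runs.

# wipe_zero TARGET : overwrite all of TARGET with zeroes
wipe_zero() {
    target=$1
    [ -e "$target" ] || { echo "wipe_zero: no such target: $target" >&2; return 1; }
    if [ -b "$target" ]; then
        # dd finishes with "No space left on device" when it reaches the end of
        # the disk; that is the expected way to stop, so its exit status is
        # ignored here and verify_zeroed below decides whether the wipe worked
        dd if=/dev/zero of="$target" bs=1048576 2>/dev/null || true
        sync
    else
        # regular file: write exactly its current size so it is neither
        # truncated nor extended
        size=$(wc -c < "$target" | tr -d ' ')
        head -c "$size" /dev/zero | dd of="$target" conv=notrunc 2>/dev/null
    fi
}

# verify_zeroed TARGET : succeed only if every byte of TARGET reads back as zero
# (this reads the whole target, so on a large disk it takes about as long as
# the wipe itself)
verify_zeroed() {
    nonzero=$(tr -d '\000' < "$1" | wc -c | tr -d ' ')
    [ "$nonzero" -eq 0 ]
}

# Usage on a real disk, as root, after double-checking the device name:
#   wipe_zero /dev/sdX && verify_zeroed /dev/sdX && echo "disk is zeroed"
```

Two caveats a practitioner will want: a single pass of zeroes is only as good as what the drive lets dd reach, so sectors the drive has remapped as bad, and on flash-based drives the over-provisioned area managed by wear levelling, are not overwritten by this method; and the read-back only proves that the addressable sectors are zero. For data sensitive enough to matter, that is exactly why the chapter mentions physical destruction as the more drastic option.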

Many social engineering techniques can be used to steal sensitive data unrelated to your Linux system. For instance, shoulder surfing for automatic teller machine (ATM) passwords is common, and dumpster diving is a popular means of obtaining social security numbers, credit card applications, and other data needed for identity theft.
