Proceedings magazine is a communication tool for the Coast Guard's Marine Safety & Security Council. Each quarterly magazine focuses on a specific theme of interest to the marine industry.
Issue link: http://uscgproceedings.epubxp.com/i/436751
26 Proceedings Winter 2014 – 2015 www.uscg.mil/proceedings

Social Engineering

Social engineering is an extremely successful attack vector in the private sector. Companies spend millions of dollars securing their technology infrastructure with firewalls, the strongest encryption possible, and passwords that are so complicated that they would be nearly impossible to crack. But all of this means nothing if a clerical worker does the bidding of a stranger. My hacker friend once said to me, "Why try to hack through someone's security when you can get someone to open the door?"

Sometimes, in high-security applications relating to government or extraordinarily high-valued assets, there are strict processes and procedures in place to deal with personnel authentication. But an expert social engineer knows how to cause a person to toss all training aside by employing two common techniques: urgency and fear.

Urgency and Fear

When a target receives a telephone call that is purported to be urgent, there is a natural desire to shortcut things. For example: "Hello, this is Dr. Carter at New York Hospital. Mr. James has been in a horrible accident and we need access to some of his records immediately! Kim James is here with me now, and she says that those records are on his computer, but she doesn't have the password. Can you please change it to something for us?"

Assuming Mr. James is the CEO of the company, this lowly worker on the phone faces the dilemma of following security protocol and potentially challenging the boss's wife, or being a hero and saving the boss's life. Another call might involve masquerading as a huge client, who is threatening to go to a competitor if he can't get access to his account immediately, and there are millions of dollars on the line. You can imagine that, in these scenarios, a low-level employee or call center worker does not want to be the person to cause irreversible damage to a company or organization.
Lingo

Successful attacks like the TSPS Engineering example show the value of lingo. Urgency and fear are effective, but when combined with lingo, attacks become that much more successful. I am fascinated with lingo, and my thirst for it never ends. Not because I perform social engineering exploits, but because people feel like they can be closer to you when you speak their language. I call myself a "lingoist," which is a term I invented for someone who studies lingo. When I am near specialists of any kind and they are using any sort of lingo, my ears perk up, and I take mental notes. Later, when I meet the same type of specialist, I throw in the same lingo and watch how it works.

However, this can be dangerous. For example, when a relative was in the hospital recently, I liberally used lingo in front of the nurses, asking about "sats" (oxygen saturation), certain heart rhythms, and even asking whether a chest tube happened to be a "32-French." After several minutes of this chatter, the nurse eventually asked me whether she should give the patient 50mg or 100mg of a medication. She assumed that I was a doctor. One would think (as she did) that someone would have to have gone to medical school or at least nursing school to know that lingo. In reality, I learned it all from the television show ER. Many television shows have producers or consultants who ensure that the lingo and technical aspects of the show are correct. Law enforcement has been plagued by the "CSI effect" for years, because the show is so realistic.

There are many other sources of lingo, including overheard conversations, radio scanners, and vocational training. All of these methods (including television) have the advantage of being able to hear how words are pronounced. Although the Internet, books, certification tests, and training materials are a rich source of lingo, pronunciation is usually not a part of those materials.
If a social engineer is attempting an attack and mispronounces some lingo, the attack will surely fail more quickly than if lingo had not been used at all.

Social engineering: "The practical application of sociological principles to particular social problems." — American Heritage dictionary

"Any act that influences a person to take an action that may or may not be in their best interest." — www.social-engineer.org

Photo: Hlib Shabashnyi / iStock / Thinkstock