In the movie Jumpin’ Jack Flash, Whoopi Goldberg’s character dons a blue sequined formal gown and high heels, charms her way into the computer room at the British Consulate, and punches up an exit code for a spy stranded in the former Soviet Union. That’s “social engineering” in high style. It’s less stylish when someone walks away with your customer database, prints checks on your company’s bank account, or copies patients’ confidential records. Social engineers can do all that and more without much technical skill. They manipulate people to get into tech systems: the janitor who lets someone back in for a forgotten coat, the receptionist who will show any repair person to the network closet, or the boss who complains about program XYZ causing so many problems.
Social engineering happens more often than you think.
Security engineer Justinn Washington, who heads Rockville, Maryland-based ELS Global Inc. (www.elsgolbal.com), knows how easy it is to crack a company’s network. In 1999, he took over management of a network operations center (NOC) for a company with a high turnover rate, little or no maintenance documentation, and lots of fires to put out. Soon after Washington arrived, the NOC got a call from someone requesting the IP address for a Hewlett-Packard printer. “He presented himself to one of our engineers as a contractor providing service,” says Washington. “The NOC engineer knew there was a history of maintenance and repair with the printers, so she followed his instructions to print out a statistics page, [which gave him the] IP address, machine name, etc.”
But this wasn’t about printing. On the network, the print server doubled as a backup domain controller. Bottom line: The impostor could use the statistics supplied to scan for more information, then masquerade as an internal user on the network and potentially gain access to the company’s database of customer phone numbers, social security numbers, and credit card information. Washington monitored the IP address and brought in a forensics analyst to track down the impostor. “He hopped from three other companies to a university, which was the last place he could be traced,” says Washington.
To prevent this from happening again, Washington instructed all employees to direct questions regarding hardware and software to the IT director. “If you don’t know the potential consequences of giving out that information, then you could be socially engineered,” he says.
BUT, ALL I SAID WAS….
“Employees often reveal information without realizing it. If someone riding home on the bus says, ‘Our Exchange Server was acting up today,’ you’re letting others know that your operating system is Windows and you use Exchange Server,” says Washington. “That information can be used to plan attacks and to [help crackers] make calls for further information.” From there it’s just a matter of using known exploits against that piece of software when the administrator hasn’t patched it or doesn’t yet know about them.
But businesses aren’t the only ones that are vulnerable; government agencies also fall victim to such practices. “In many agencies, employees are trained