Social engineering

We have all heard about social engineering in some context. According to the Collins Dictionary, social engineering is

“n. the manipulation of the social position and function of individuals in order to manage change in a society”

The information security hype about social engineering was originally started by Kevin Mitnick and was further fuelled by Hollywood in a movie about Kevin Mitnick called Takedown, based on a book of the same name.

Isn’t this all old news? We all know how to manage and mitigate our social engineering risk these days, don’t we? Well, apparently we don’t.

Most of us are on Facebook, LinkedIn, Plaxo, etc. and don’t think twice about publishing confidential information about ourselves on these sites; even our CV is out there for the world to see. Some of these documents include a lot of “juicy” and private information about us. We provide our name, date of birth, address, phone numbers, favourite pet’s name, etc. Some of these can be used to recover your password, for example which secondary school you went to. Remember what happened to Sarah Palin’s Yahoo account.

Well, I’m on LinkedIn and recently forgot the password. My attempt to recover it was thwarted because I had changed ISP and hadn’t updated my LinkedIn account with my new email address. I asked LinkedIn to change it for me, but for my own privacy they won’t help me recover the page! Don’t you just hate having so many passwords? Thank heavens for the GLS! Anyhow, back to the point at hand.

So, with Kevin Mitnick’s arrest everything went quiet again around social engineering, right? Well no, not really. We all became a bit more aware of what we say and to whom we say it, especially around passwords and other confidential information. But have you ever wanted to talk to a politician or a movie star but just can’t get access to them through your own social circle? Well, apparently it’s quite easy to remedy: just open up a Facebook account, claim the identity of someone else, and Bob’s your aunty! (Please don’t do this; it’s against the End User License Agreement (EULA) of all of these sites and you may just land in hot water.)

While attending the Black Hat (that’s geek speak for bad hackers) conference in Japan recently, one of the briefings was on the topic of social engineering and how today’s social media networks can be exploited to gain the trust of individuals, using these social networks as a contact point. The presentation in question was titled Satan is on My Friends List: SNS Survey. In it, the presenters demonstrated how they established a fake identity for a well-known security expert, and how they managed to get the security expert’s sister (this was a side issue; their main target was other security experts) to believe the page to be legitimate: she contacted them via the Facebook page and congratulated him for finally joining Facebook.

This briefing clearly shows the security risk and implications these social media sites have. Even though it’s against the EULA of all of these sites to establish a fake identity, there is nothing out there other than your conscience preventing it. This made me think about the implications of someone establishing a fake identity on a social media site and going after specific individuals that they may wish to contact for whatever reason and normally would not be able to reach. Using these sites, it would be possible to introduce new “private” email addresses that enable further communication with a targeted individual at a later stage, as the Facebook page would be used to legitimise the email address; coming from there, it has to be real, right?

Should people in a high-profile position within government consider creating a Facebook page? Is it prudent to do it on all social networking sites? Might this proactively prevent someone else from creating a fake page as part of a social engineering attack and using it as an attack vector against one of our government colleagues who is less aware of these security risks?

These questions could spark some discussion, but in the meantime I need to follow my own advice, recreate my LinkedIn page and try to remember the password in future. Maybe I should write my passwords down, umm… Then again, maybe not!


One Comment

  1. if you need social engineering services in Nz check out this website (still ongoing)

    Posted November 4, 2009 at 8:33 pm
