CALL US
405-627-3168

The Psychology of Social Engineering

May 26, 2017 by John

Introduction

Good security exists to maintain a network’s confidentiality, integrity, and availability. IT service providers work around the clock to identify and head off vulnerabilities and threats before they are exploited, and when that isn’t enough, to contain the damage before it becomes catastrophic. One of those threats is social engineering. Technology alone does little to prevent it, because the attack targets people rather than the network: your employees, and you. A successful social engineering attack hands over the keys to the kingdom and walks straight past hardware firewalls, passwords, and most other controls. (Technical controls still matter after the fact: multi-factor authentication, least-privilege accounts, and good logging limit how much a tricked employee can hand over, and help you notice when it happens.) I’ll be summarizing this paper, which discusses the psychology involved.

First, some background.

Social engineering is very similar to traditional fraud: it deceives people into giving out information or access. A lot of the tools are the same, and you can read about them below. Without a good security policy in place, the tools your organization uses to run smoothly (authority, a chain of command, uniforms or badges) can be turned inside out to trick people. I’ve written about good policy, and the paper linked above has its own prescriptions. Here are seven tools social engineering uses, and why psychology says they work.

1. Strong Affect

Affect is what psychologists call emotion. A strong affect can be used to override people’s logical centers – hence the phrase “blinded by rage” and the numerous people you’ve encountered who are too afraid or excited to act rationally. A hacker can call someone on the phone and tell them, “you have won a million dollars, give me your credit card number and I’ll wire you the money”, or “I am with Microsoft, and we have detected your PC is infected with a virus.” The second example also uses authority, which comes up at point number 6.

Having a strong affect interferes with the logical brain. You can’t make rational counterarguments or evaluate claims properly if you’re affected like that. Hackers are also fond of catching you by surprise, by calling very early or very late, or by using emotionally charged material.

2. Overloading

Have you ever been the victim of fast talk? A salesman can trick you into signing on the dotted line by presenting you with a lot of information very quickly, and a hacker will do the same. You don’t have the time or the presence of mind to challenge a premise if it’s presented quickly and sandwiched between truisms. Effectively, people can be forced to mentally shut down if you make them process too much. Analysis paralysis is another name for this phenomenon. If you have too many options, you can’t decide on any of them. That’s why restaurant menus have been shrinking over time, except for some places like The Cheesecake Factory and other places that put emphasis on quantity and options.

Arguing from an unexpected perspective can also cause one to feel overloaded. You’re spending so much time trying to understand the new perspective that you can’t interact logically with the argument itself. The principle of overloading is based on limiting your ability to scrutinize and process information. If you’ve ever seen a professional debate, there’s a chance you’ve seen a “Gish Gallop” take place. One contestant keeps throwing arguments out without regard for their opponent and the opponent inevitably misses something, and that’s used as a “gotcha”.

3. Reciprocation

It’s only polite to give back when people provide you with a gift. Hackers take advantage of this principle, giving you some small tidbit and expecting to be paid back. The tidbit could even be a promise of giving you something, and that’s how they get you. This works even if you didn’t request anything from them. They promise you something, so you promise something in return. The problem is, you were making that promise in good faith, and they weren’t.

One insidious tactic, known as reverse social engineering, means that a hacker harms your system in some way, and then calls you up wondering if you need help with your computers. This tactic takes advantage of reciprocity, even though you never asked for their help, and they’re the ones who caused the problem. You don’t know that, of course, so they are elevated in your eyes. You’re indebted to them, because they came in your hour of need. This is obviously an ideal situation for the attacker.

Behavioral experiments have shown that when two people disagree and one yields on a point, no matter how small, the other feels compelled to yield on something too. So a hacker makes more than one request, gives way on one, and the target gives way on another. This works in corporate environments, too! There is an unwritten bartering system between employees and departments that an attacker can tap into. That system is invaluable to an employee who wants to succeed, and just as valuable to an attacker who takes part in bad faith.

4. Deceptive Relationships

Everyone likes having friends. But sometimes a person wants you to think you’re friends when they only want to take advantage of you. For example, well-known hacker Kevin Mitnick conned a target by sharing information and technology with him while bad-mouthing “Kevin Mitnick”; the target, of course, didn’t know who he was really talking to. Another example is an attack on AOL. Someone called in and talked to technical support for over an hour. Over that time, the caller mentioned that their car was for sale. The tech handed over his email address, and when he opened the email from the caller, his system was compromised and a backdoor installed.

Another way a hacker can quickly form a relationship is by making it seem that they have a lot in common with their target. Believing that someone is similar to you provides a strong incentive to treat them favorably. People use commonality all the time when forming relationships; consider how easy it is to make friends at church, or at your workplace, compared to strangers off the street.

5. Diffusion of Responsibility and Moral Duty

If someone believes they will be held accountable, it will make them more conscious of what they are doing. So, a hacker makes targets feel like it won’t be their fault for giving out information. Moral duty is a common trigger, too: the target is made to feel like they are doing something to save another employee or help the company. In effect, the target is forced to believe it is their moral duty to perform the requested action, and that they won’t be held personally responsible for anything bad happening.

6. Authority

People respond to authority. In one study, nurses were instructed over the phone to give incredibly high doses of a medication the patients weren’t supposed to be getting in the first place. The orders were said to come from a physician the nurses had, of course, never met. These orders should not have been carried out: they broke hospital policy and endangered the patients. 95% of the nurses went ahead anyway and had to be stopped before they administered the dose. In a lot of cases, all a hacker has to do is tell the target they are calling on behalf of the boss.

An environment where authority can’t be questioned is a security risk, but that doesn’t mean employees should be allowed to do whatever they want. What you want is an environment where orders from above are verified before they’re acted on. A call-back procedure, as detailed in Anatomy of a Social Engineering Attack (also linked above), is instrumental: the employee hangs up and calls the requester back on a number from the company directory, never on a number the caller supplied. Unusual requests, like wire transfers, password resets, or sending data outside the company, should also need a second person to approve them.

7. Integrity and Consistency

Everyone wants to have integrity. We want to follow through on what we’ve promised, even when the commitment wasn’t entirely wise. The tendency is so strong that we’ll follow through on behalf of coworkers we may not even like. A related feature is that people judge how honest others are by how honest they are themselves. If a hacker got hold of a vacation schedule, they could impersonate a coworker who’s away and have a target fulfill a “request” that never existed, one the real coworker can’t be asked about until they’re back.

Conclusion

I hope you enjoyed this writeup. If you’d like to learn about defending against these things, please read “Multi-Level Defense Against Social Engineering“. It is not a very long read, but its second half is very useful if you are concerned about your vulnerability to social engineering attacks, and you should be.

Filed Under: Uncategorized


3 Tools that Hackers Use to Assault Your Computer

May 19, 2017 by John

The best defense is a good offense. Security experts are expected to not only know how to keep your computers safe, but how a computer could be unsafe. It’s really the only way to keep up with vulnerabilities and threats. Here are three tools that can be used to break into your computer.

Fuzzers

A fuzzer is a program that feeds another program huge numbers of slightly broken inputs (a file, a network packet, a form field) and watches for crashes, hangs, and memory errors. Think of it in terms of a sweater: it starts with a smooth, valid input and, with every mutation, gets fuzzier. Each crash points at a bug, and a good share of those bugs turn out to be exploitable. Fuzzers have legitimate uses, too: like many other tools hackers use, security auditors run them to discover vulnerabilities and get patches issued before anyone else finds the same thing. There’s a very technical blog article which talks about using a fuzzer to create valid images from scratch. For fun, here’s an animation that shows a fuzzer trying to generate its own logo.

[Animation: time lapse of fuzzed input; american fuzzy lop’s logo stitched together from fuzzed input.]
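To make the idea concrete, here is a small mutation fuzzer. This is an added example written for this article; it is not code from the post or from american fuzzy lop. The target, parse_records(), is a hypothetical length-prefixed record format with one deliberate bug, constructed here so the whole thing runs offline; the mutation strategies (bit flip, “interesting” byte, insert, truncate) are the same basic moves a native fuzzer makes. In Python the “crash” is any exception the parser was not designed to raise.

```python
"""Mutation fuzzer against a toy parser (added example, not the post's code).

parse_records() is a hypothetical parser for <length:u16><payload><checksum:u8>
records. ValueError is its intended way of rejecting bad input; anything else
escaping it is a bug, which is what the fuzzer hunts for.
"""
import random
import struct


def make_record(payload: bytes) -> bytes:
    """Encode one record: 2-byte big-endian length, payload, 1-byte checksum."""
    return struct.pack(">H", len(payload)) + payload + bytes([sum(payload) & 0xFF])


def parse_records(data: bytes) -> list:
    """Decode a sequence of records. ValueError is the parser's clean rejection."""
    records = []
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated length field")
        (length,) = struct.unpack(">H", data[pos:pos + 2])
        pos += 2
        payload = data[pos:pos + length]
        # BUG (deliberate): the declared length is trusted, so a length larger than
        # what is left in `data` makes this read run off the end -> IndexError.
        checksum = data[pos + length]
        if sum(payload) & 0xFF != checksum:
            raise ValueError("bad checksum")
        records.append(payload)
        pos += length + 1
    return records


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one random mutation: bit flip, interesting byte, insert, or truncate."""
    buf = bytearray(data)
    op = rng.randrange(4)
    if op == 0 and buf:
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif op == 1 and buf:
        buf[rng.randrange(len(buf))] = rng.choice([0x00, 0x01, 0x7F, 0x80, 0xFF])
    elif op == 2:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif buf:
        del buf[rng.randrange(len(buf)):]
    return bytes(buf)


def fuzz(target, seed: bytes, iterations: int = 2000, rng_seed: int = 0):
    """Mutate the seed repeatedly; return the first input that makes `target` crash."""
    rng = random.Random(rng_seed)      # fixed seed so a run is reproducible
    corpus = [seed]
    for _ in range(iterations):
        candidate = mutate(rng.choice(corpus), rng)
        try:
            target(candidate)
        except ValueError:
            continue                    # clean rejection: the parser handled it
        except Exception as exc:        # anything else is a "crash"
            return {"input": candidate, "error": type(exc).__name__}
        if candidate not in corpus:
            corpus.append(candidate)    # accepted inputs are good parents for more mutation
    return None


if __name__ == "__main__":
    seed = make_record(b"abc") + make_record(b"hello")   # constructed valid input
    print(fuzz(parse_records, seed, rng_seed=1))
```

Run it and the fuzzer reports an input that trips the IndexError within a few hundred iterations; that crashing input is exactly what a developer needs to reproduce and fix the bug. The fix, for the record, is to reject the record when `pos + length` is past the end of the data before reading the checksum.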

Rainbow Tables

If you’re doing good security, then your passwords aren’t stored at all. What’s stored is a hash: a one-way scrambled version that the site can check your typed password against but can’t run backwards. (Encrypted storage, which the site can reverse, is the wrong tool here.) So an attacker who makes off with a user database has a pile of hashes, and the hashes alone aren’t good enough; they need to find the passwords that produce them. The slow way is a wordlist: hash each candidate and compare. A rainbow table is the precomputed version. Someone has already hashed an enormous number of candidates and arranged them into chains so that only the first and last entry of each chain needs storing, which is why a table covering billions of passwords fits in a few gigabytes instead of terabytes. Looking up a hash then takes seconds of recomputation per password rather than hours of guessing. If you have a whole user database, you’ll get plenty of hits on anything short or common. Two things defeat this: a salt (a random value stored next to each hash and mixed in before hashing, so the same password hashes differently for every user and no precomputed table applies) and a deliberately slow hash such as bcrypt, scrypt, Argon2, or PBKDF2, which makes each guess expensive. A site still storing plain, unsalted MD5 or SHA-1 hashes is exactly what rainbow tables were built for.
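Here is a working, miniature rainbow table so you can see the chain trick and why a salt kills it. This is an added example for this article, not code from the post or from any real cracking tool. Assumptions: passwords are exactly four digits (10,000 possibilities) so the table builds in under a second, the hash is unsalted MD5, and chains are 50 steps long; the multiplier used to spread the chain starts out is an arbitrary choice.

```python
"""Rainbow table for unsalted MD5 over a tiny password space (added example).

Only chain endpoints are stored. That time/memory trade-off is what separates
a rainbow table from a plain wordlist of precomputed hashes.
"""
import hashlib
import os

CHARSET = "0123456789"        # assumption: 4-digit numeric passwords
PW_LEN = 4
KEYSPACE = len(CHARSET) ** PW_LEN
CHAIN_LEN = 50


def pw_hash(password: str) -> bytes:
    return hashlib.md5(password.encode()).digest()   # the classic rainbow-table target


def index_to_password(n: int) -> str:
    """Map an integer in [0, KEYSPACE) to a password string."""
    out = []
    for _ in range(PW_LEN):
        n, r = divmod(n, len(CHARSET))
        out.append(CHARSET[r])
    return "".join(out)


def reduce_fn(digest: bytes, column: int) -> str:
    """Squash a hash back into the password space. Using a different function per
    column (here: add the column number) is what makes it a *rainbow* table and
    stops two chains from merging the moment they happen to collide."""
    return index_to_password((int.from_bytes(digest[:8], "big") + column) % KEYSPACE)


def build_table(num_chains: int) -> dict:
    """Precompute chains; store endpoint -> start only."""
    table = {}
    for n in range(num_chains):
        start = index_to_password((n * 7919) % KEYSPACE)   # 7919: just spreads starts out
        pw = start
        for column in range(CHAIN_LEN):
            pw = reduce_fn(pw_hash(pw), column)
        table.setdefault(pw, start)
    return table


def lookup(table: dict, target: bytes):
    """Recover the password behind `target` if any stored chain passed through it."""
    for column in range(CHAIN_LEN - 1, -1, -1):
        # Assume the target hash sits in this column and walk to the chain's end.
        pw = reduce_fn(target, column)
        for later in range(column + 1, CHAIN_LEN):
            pw = reduce_fn(pw_hash(pw), later)
        start = table.get(pw)
        if start is None:
            continue
        # Endpoint matched: regenerate that chain and confirm (it may be a false alarm).
        pw = start
        for col in range(CHAIN_LEN):
            if pw_hash(pw) == target:
                return pw
            pw = reduce_fn(pw_hash(pw), col)
    return None


def coverage(table: dict) -> float:
    """Fraction of the password space some stored chain actually passes through."""
    seen = set()
    for start in table.values():
        pw = start
        for column in range(CHAIN_LEN):
            seen.add(pw)
            pw = reduce_fn(pw_hash(pw), column)
    return len(seen) / KEYSPACE


def stored_hash(password: str, salt: bytes = None) -> tuple:
    """What a site should store instead: a per-user random salt plus a slow hash."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


if __name__ == "__main__":
    table = build_table(400)
    print(f"{len(table)} chains stored, covering {coverage(table):.0%} of the keyspace")
    print("recovered:", lookup(table, pw_hash("4821")))
    salt, digest = stored_hash("4821")
    print("salted lookup:", lookup(table, digest))   # None: the table doesn't apply
```

Notice that 400 stored entries cover a large slice of a 10,000-password space: that ratio is the whole point. The salted lookup returns None because the table was built for MD5 of the bare password; with a per-user salt an attacker would need a fresh table per user, at which point they are back to guessing, and PBKDF2’s 100,000 iterations make every guess cost accordingly.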

If you are concerned that your password has been leaked, I invite you to check out this tool, which compiles publicly-leaked information and tells you if your email address or user name is in it. My email address is out there, as a result of leaks from Adobe, Yahoo, and a video game forum.

Buffer Overflow

This is a very common vector. A program sets aside a fixed chunk of memory, a buffer, to hold a piece of input such as a file name or a field from a web page. If the program copies input into that buffer without checking the input’s length, anything longer than the buffer spills over into whatever sits next to it in memory: other variables, a flag that says whether you’re logged in, or the address the program will jump to when the current function finishes. A crash is the mild outcome. The serious one is that an attacker who controls the overflowing input chooses what gets overwritten, and can redirect the program into code of their own, running with whatever permissions that program has. Modern operating systems keep each program’s memory separate, so an overflow in one program doesn’t reach into Firefox’s memory directly; the damage comes from the vulnerable program being made to do the attacker’s bidding (open files, install malware, talk to the network) as if it were you. That’s the expectation it breaks: a program is only supposed to do its own thing.
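To show the spill-over on a real memory layout without writing C, here is the same bug reproduced through Python’s ctypes. This is an added example for this article, not code from the post. LoginRecord is a hypothetical C-style struct: a 16-byte name buffer followed immediately by an is_admin flag. copy_unchecked() behaves like a C program that copies input with strcpy/memcpy and no length check; copy_checked() is the fixed version.

```python
"""Buffer overflow against a real memory layout, via ctypes (added example)."""
import ctypes


class LoginRecord(ctypes.Structure):
    _fields_ = [
        ("name", ctypes.c_char * 16),   # fixed-size buffer
        ("is_admin", ctypes.c_int),     # lives in the bytes right after `name`
    ]


def copy_unchecked(rec: LoginRecord, data: bytes) -> None:
    # BUG: copies len(data) bytes into a 16-byte buffer. Byte 17 onward lands in is_admin.
    ctypes.memmove(ctypes.addressof(rec) + LoginRecord.name.offset, data, len(data))


def copy_checked(rec: LoginRecord, data: bytes) -> None:
    # Fix: refuse anything that does not fit, before touching memory.
    limit = LoginRecord.name.size
    if len(data) > limit:
        raise ValueError(f"input is {len(data)} bytes, buffer holds {limit}")
    ctypes.memmove(ctypes.addressof(rec) + LoginRecord.name.offset, data, len(data))


def attacker_input() -> bytes:
    """16 filler bytes to fill the buffer, then a native-endian int 1 aimed at is_admin."""
    return b"A" * 16 + bytes(ctypes.c_int(1))


def overflow_demo() -> int:
    """Return is_admin after the unchecked copy: the attacker's extra bytes set the flag."""
    rec = LoginRecord()
    copy_unchecked(rec, attacker_input())
    return rec.is_admin


def checked_demo() -> tuple:
    """Same input through the fixed copy: (was it rejected?, is_admin afterwards)."""
    rec = LoginRecord()
    try:
        copy_checked(rec, attacker_input())
        rejected = False
    except ValueError:
        rejected = True
    return rejected, rec.is_admin


if __name__ == "__main__":
    print("is_admin sits at byte offset", LoginRecord.is_admin.offset)  # 16: right after name
    print("unchecked copy -> is_admin =", overflow_demo())
    print("checked copy   -> (rejected, is_admin) =", checked_demo())
```

Twenty bytes of input turn a user into an administrator without the program ever “deciding” to do that. In a real C program the bytes past the struct would be other variables and, eventually, the function’s saved return address, which is where the jump into attacker-controlled code comes from. Compilers and operating systems add mitigations (stack canaries, non-executable memory, address randomization) that make that last step harder, but the length check is the fix.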

Buffer overflows get patched all the time, which only helps if the patches actually get installed. We can manage your updates with our Premium tier of remote management software: $5 a month and you don’t have to worry about out-of-date software leaving your computer open.

Filed Under: Internet Security


Decrypt0r? I hardly knew ‘er! WannaCry and the Importance of Updates

May 15, 2017 by John

Three years ago, Microsoft declared that Windows XP was finally, finally “end of life”. That means no more updates, no new features, no new security patches, nothing. And yet one in 20 machines is still running it. The web hasn’t gotten safer.

Filed Under: Internet Security Tagged With: ransomware, wannacrypt


Anatomy of a Social Engineering Attack

May 12, 2017 by John

Social engineering can be difficult to deal with. People inherently want to give out information, especially to Human Resources or the executives. Ira Winkler and Brian Dealy have written an excellent paper, available here. In this article, I want to unpack some of the security implications, and reiterate the “lessons learned” for my readers.


Filed Under: Case Study Tagged With: penetration test, social engineering


How to End the Threat of Social Engineering

May 5, 2017 by John

Ok, so what is social engineering? Social engineering is a special kind of cyberattack where the attacker doesn’t have to gain access to your systems first. Instead, they pretend to be someone trustworthy in your organization and just ask employees for the information they need to hurt you. They can spoof email or gain access to the phone systems, but at the end of the day the attack vector is not through technology, but through people. Great, so how do you stop them? The short answer is education. The longer answer is below.


Filed Under: Internet Security Tagged With: prevention, social engineering, tips


Should I Use Credit Monitoring Services?

April 21, 2017 by John

Short answer: if you can get them free, yes. They do no harm. But, please read on to find out what you can do to actually reduce your risk of identity theft.


Filed Under: Internet Security Tagged With: credit monitoring, general security, identity theft


Why Do Hackers Want MY PC???

April 14, 2017 by John

A hacked computer can be worth a lot. Think about it: under your desk, on your lap, or even in your pocket, there’s as much computing power as there used to be in an entire room full of hot, heavy machinery. You use your devices to connect to the internet, perform calculations, store information, and a thousand other things that you probably don’t even realize. If you are familiar with the inner workings of modern computers, then it may not be as big of a surprise as this is to other people. But any general purpose computer is a powerful piece of hardware, and if you can make it work for you, the return on investment can be thousands of times the risk you take as a hacker.

The simplest reason someone would want your computer is for your data. If you use the internet for anything important (and what’s important to a hacker might not be that important to you), then it has probably got a lot of stored passwords. Or they can install a keylogger to capture the passwords as you type them in. It doesn’t matter who you are. They can use your Facebook or other social media accounts to extract money from people you know, like the case of a fellow whose account was hacked and the hacker told his grandmother he needed money for bail in a foreign country. Naturally, he was still at home, and answered the phone when she called to see if it was true. Banking passwords are obviously valuable, since a hacker can take your money directly with those. But any password or file could be used to gather personally identifying information and start identity theft. With that out of the way, we can talk about some of the more esoteric things that can be done with access to your machine.

You have an internet connection, right? How much more valuable is your computer to you having access to the internet? It’s an insane amount of value. To the point that you are legitimately and justifiably upset if you don’t have internet access. Simply put, anything you can do, a hacker can do, and anything you don’t know you can do a hacker can still do. They can use your machine to route internet traffic and obfuscate criminal activity. They can do this, sometimes, even without full access to your machine. They can hack a web page, again without full access, to tell your computer what to do. This isn’t necessarily dangerous in the sense that losing data is, but it still feels gross to be used in this way. You might never know they’re doing this, either, because the computer may still be usable with little change in performance. If they have full access to your machine, they can do more – use it as a personal vault for stolen data, or take its computing power and use it with a number of other hacked machines to carry out destructive acts and harm businesses with your processing power.

Maybe your reputation is worth something. You might own a business in a competitive market, you might be a Fortune 500 CEO, you might be a community leader. A hacker with control of your PC can get your social media passwords and say things in your name that you would never say. Maybe you’re just a regular person, with no special access to anything, but a hundred or so friends. A bad actor could use your page to share a link to a web site that just so happens to be full of viruses. Part of your internet security plan should be not clicking on weird links posted by your friends: if you don’t know where a link came from, it could do you some harm. Or a hacker might have your account follow a fake page, again with the intent of spreading other sorts of malware.

Lastly, maybe your reputation, social media, computing power, and data aren’t worth anything to a particular hacker. They just want to extort you. With access to your machine, they can encrypt your hard drive (usually a good thing, when you have the password to decrypt it) and hold your files hostage. They can do the same with your email or any other sort of account. No access, they’ll say, unless you pay up. This is called ransomware. It’s become very popular, and people need to be educated on it. You can avoid it, though. You might have The Computer Specialist keep your data safe and just restore your machine to before the infection. This is why crisis plans are so important. Sometimes you take files for granted, which is forgivable for a home user. A business losing customer data? That’s pretty bad. It doesn’t matter who you are, ransomware can strike. They’ve attacked colleges, individuals, politicians, and even hospitals.

Contact us today to learn what you can do to prevent this from happening to you! You can also book an appointment or view our services.

Filed Under: Internet Security Tagged With: antivirus, ransomware, risk management


Cyber Risk for Small Businesses

April 7, 2017 by John

Cyber risk is the risk of damage due to failure in your information technology systems. It covers finances, reputation, and disruption of any kind. It’s not a new concept, but it seems to be regarded by many as something for big businesses to worry about. Just think: how would your customers and employees feel if some or all of your confidential information was leaked? It’s a nightmare scenario, but so many small businesses don’t think it concerns them. I’m not a big target, they think. I don’t need to worry that much about cyber security. That’s the wrong way to think about it.


Filed Under: Internet Security Tagged With: antivirus, bitcoin, ransomware, risk management, virus


Case Study: What Is a Virus?

April 3, 2017 by John

Last Friday, 3/31/2017, a client reported that their antivirus had picked up a worm (a kind of malware that spreads itself from machine to machine) detected as Bluber.A. The problem had arisen after a routine software update, so we told the client our tech would roll back that update and try to figure out where the worm had come from. After that succeeded, we pushed the update out again, and the worm did not return. What happened?


Filed Under: Case Study Tagged With: antivirus, bluber, case study, virus, worm




Testimonials

  • Over the last twenty years I have served both small and large business clients as a contract accountant. When there has been a need for computer technical assistance in these offices or in my own business office, I have used John Williams, dba The Computer Specialist. I have found that he makes himself available to... Read More
    Kathy F
  • John spent several hours setting up my new home computer system. He took out the hard drive and installed a 500GB SSD. He needed some special installation pieces and went to a local source without billing me for his travel time there and back. He did a great job and I have his number in... Read More
    Dr. Robert G
  • We've been very impressed with the whole process of top to bottom site system security monitoring of our computers as well as the installation, maintenance, and upgrades done with our surveillance platform for our commercial property. From consulting to quote to execution and beyond we have been very pleased with every aspect of the business!... Read More
    Andrew R.
  • very nice man to deal with, came a day earlier than he said he would. gave me a call to let me know. he did a great job and it looks very nice as well. I now have internet in my shop as fast as in my house. thanks John for a job well done Read More
    Gary H.
  • You recommended them. They picked up my computer and determined the hard drive crashed. They replaced it and were able to save all my docs and photos. Extremely pleased. Read More
    Larry C.


The Computer Specialist

405-627-3168
218 1/2 East Main St. Suite "B"
Norman, OK 73069


Copyright © 2021 · The Computer Specialist · 218 1/2 East Main St. Suite "B", Norman, OK 73069 · Powered by Tech Site Builder