Comp-U-News from Comp-U-Talk
August 2013

Human beings make life so interesting. Do you know, that in a universe so full of wonders, they have managed to invent boredom. - Terry Pratchett

This newsletter is the second of a two-part series on the dangers of social engineering. The original article can be found here: My smaller "chunk size" versions can be found here: Read. Learn. Practice.

You may not be aware that there is a scale of seven deadly vices connected to social engineering. The deadliest social engineering attacks are the ones with the highest success rates, often approaching 100%. What is the secret of these attacks? Why do they succeed so well?

Your own observations show you that people are very different. Some are always enthusiastic and willing to learn something new. Others are more conservative but courteous to their co-workers. A bit further down this scale are people who always look bored with life, and at the bottom are those who just don't care and are basically apathetic about everything.

Successful social engineers first determine where their target sits on this scale, and then select the attack that will have the highest chance of success with that person, closely matching the target's outlook on life.

This scale of vices can be approached from either a negative or positive side. You can either call it gullibility or you can call it trust, call it greed or self-interest, but since we're talking vices here we'll stick to the negative labels.

Here are seven social engineering attacks that I hope are a good example of each of the deadly vices, but note that there is always overlap and things are not that clear-cut. We are dealing with humans, after all!

Thoughtlessness: The combined U.S. and Israeli intelligence arms created the Stuxnet malware which sabotaged Iran's Natanz uranium enrichment centrifuges. It was carried in via a simple USB attack on one of their scientists. The Mossad slipped a USB drive to the scientist, who plugged the stick into his laptop at home, went to work, and there connected the laptop to the internal Natanz network. Social engineering jumped the air gap thanks to a scientist who should have known better.

Shyness: A Brad Pitt look-alike walks up to the internal reception of the Human Resources Department of a French multinational's Boston office. He profusely apologizes for being a few minutes late and shows a piece of paper with coffee stains. He explains that he spilled coffee over his resume and asks if the receptionist, "pretty please with sugar," can print a fresh copy for his interview. He hands over a USB drive; the shy receptionist does not confront him with the company policy that no foreign devices are allowed on the network, quickly prints a new copy, and hands him the stick back. The young man disappears to the rest rooms and the network is so owned.

Apathy: Q: Which is the most useful to a social engineer? Ignorance or apathy? A: I don’t know and I don’t care

The three employees of the shipping department all got the same generic phishing email from "UPS" popping into their inboxes at more or less the same time. None of them took the time to hover their mouse over the link and see that it really went to a Slovak site with '.cz' at the end. Furthermore, not one of them 'prairie-dogged' up from their cubicle to warn the others. Two of the three clicked on the link and got their workstations infected with nasty malware that required a wipe-and-rebuild of their machines.

