Social Engineering
Overview
In a social engineering attack the attacker persuades users who hold rights on
the system that the attacker does not have to exercise those rights on the
attacker's behalf, or to hand those rights over (for example by divulging a
password). The attacker may use this to gain access to user accounts or
administrative accounts, or to perform a wide range of malicious actions.
What makes a site vulnerable?
Social engineering attacks are, by definition, a consequence of using humans
as part of the system. The vulnerability arises wherever a person is in a
position to take an action that would harm the security of the system, and can
be persuaded by someone else to take it. Unlike a software flaw it cannot be
patched away; it can only be reduced by limiting what people are able to do and
by making the persuasion harder.
Impact of the attack
At worst, a social engineering attack results in a user either fully
exercising their rights on the attacker's behalf or handing the attacker the
ability to use those rights directly. If the user has administrative rights to
the website, the attacker may gain full control of it.
Preventing the attack
Social engineering attacks can be reduced by educating your staff and users
about the risk of such attacks, and by putting procedures in place which make
the attacks harder to carry out. For example, if you allow users to phone up
and request a password reset, an attacker may be able to convince your
help-desk operator to reset some other user's account and to read the new
password out over the phone. This can be reduced by a policy which requires
the operator to hang up and call the user back on the phone number stored on
file (and only that number) before completing the reset. The attacker then
cannot succeed from any phone other than the user's own. Two details matter
for this to work: the operator must not be able to change the number on file
during the same call, or the attacker simply asks for that first; and what is
given out on the call-back should be a short-lived, single-use reset token
rather than the password itself, so that nothing of lasting value is ever
spoken aloud. Social engineering attacks can also be defended against by
removing unnecessary rights held by users, so that a persuaded user cannot do
as much damage.
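The help-desk procedure above, modelled in code as an added example (this is not code from the original article). It encodes the policy as checks the system enforces rather than steps the operator must remember: a phone request is never fulfilled on the inbound call, the call-back can only go to the number already on file, and what is delivered is a short-lived single-use token, never the password. The user record layout, the token lifetime and the phone numbers are assumptions made for illustration.

```python
"""Help-desk password reset with out-of-band call-back verification.

Added example, not part of the original article. The user record layout,
TOKEN_TTL_SECONDS and the sample phone numbers are assumptions.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional

TOKEN_TTL_SECONDS = 600  # assumed lifetime of a reset token (10 minutes)


class PolicyViolation(Exception):
    """Raised when the workflow is used in a way the policy forbids."""


@dataclass
class UserRecord:
    username: str
    phone_on_file: str            # the only number the operator may dial
    password_hash: str = ""       # never disclosed by this workflow


@dataclass
class ResetRequest:
    username: str
    caller_number: str            # what the caller claimed; informational only
    created_at: float
    token: Optional[str] = None
    token_expires_at: float = 0.0
    consumed: bool = False


class HelpDesk:
    def __init__(self, users: Dict[str, UserRecord]):
        self._users = users
        self._requests: Dict[str, ResetRequest] = {}
        self.audit_log: List[str] = []

    def take_call(self, username: str, caller_number: str,
                  now: Optional[float] = None) -> str:
        """Step 1: record the request. Nothing is reset or disclosed here."""
        now = time.time() if now is None else now
        if username in self._users:
            self._requests[username] = ResetRequest(username, caller_number, now)
        # Same reply whether or not the account exists, so the help desk
        # cannot be used to enumerate valid usernames.
        self.audit_log.append(f"reset requested for {username!r} by {caller_number}")
        return "We will call you back on the number we have on file."

    def call_back(self, username: str, dial_number: str,
                  now: Optional[float] = None) -> str:
        """Step 2: operator hangs up and dials the number on file.

        dial_number is explicit so the check is visible: the operator cannot
        'helpfully' call the number the caller supplied. Returns the
        single-use token that is read out on that call.
        """
        now = time.time() if now is None else now
        user = self._users.get(username)
        req = self._requests.get(username)
        if user is None or req is None:
            raise PolicyViolation("no open reset request for this account")
        if not hmac.compare_digest(dial_number.encode(), user.phone_on_file.encode()):
            self.audit_log.append(f"BLOCKED call-back to {dial_number} for {username}")
            raise PolicyViolation("call-back must go to the number on file")
        req.token = secrets.token_urlsafe(16)
        req.token_expires_at = now + TOKEN_TTL_SECONDS
        self.audit_log.append(f"call-back to number on file for {username}")
        return req.token

    def redeem(self, username: str, token: str, new_password: str,
               now: Optional[float] = None) -> bool:
        """Step 3: the user sets a new password with the token. One use, time-limited."""
        now = time.time() if now is None else now
        req = self._requests.get(username)
        if req is None or req.token is None or req.consumed:
            return False
        if now > req.token_expires_at:
            return False
        if not hmac.compare_digest(req.token.encode(), token.encode()):
            return False
        req.consumed = True
        # Placeholder hash; use a real password hash (argon2/bcrypt) in production.
        self._users[username].password_hash = hashlib.sha256(new_password.encode()).hexdigest()
        self.audit_log.append(f"password reset completed for {username}")
        return True


def demo() -> dict:
    """Runs an attacker's attempt and the legitimate flow; returns what happened."""
    desk = HelpDesk({"alice": UserRecord("alice", "+61-2-5550-0100")})
    t0 = 1_000_000.0
    desk.take_call("alice", "+61-4-5550-9999", now=t0)  # attacker claims to be alice
    attacker_blocked = False
    try:
        desk.call_back("alice", "+61-4-5550-9999", now=t0 + 30)  # operator tempted to dial caller
    except PolicyViolation:
        attacker_blocked = True
    token = desk.call_back("alice", "+61-2-5550-0100", now=t0 + 60)  # only alice answers this
    reset_ok = desk.redeem("alice", token, "correct horse battery staple", now=t0 + 120)
    replay_ok = desk.redeem("alice", token, "attacker-chosen", now=t0 + 130)
    desk.take_call("alice", "+61-2-5550-0100", now=t0 + 1000)
    stale = desk.call_back("alice", "+61-2-5550-0100", now=t0 + 1000)
    expired_ok = desk.redeem("alice", stale, "late", now=t0 + 1000 + TOKEN_TTL_SECONDS + 1)
    return {"attacker_blocked": attacker_blocked, "reset_ok": reset_ok,
            "replay_ok": replay_ok, "expired_ok": expired_ok, "log": desk.audit_log}
```

Note that the number on file is deliberately not writable from this workflow; if the same help desk can also update contact details on request, the call-back check is only as strong as that second procedure.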
The attack in the real world
In September 2007 the tight security cordon around the APEC conference in
Sydney was breached by a group of comedians posing as a Canadian motorcade.
Their convoy of cars flying Canadian flags, with suited "security" men
alongside, was waved through checkpoints because it looked like what the
guards expected to see; nobody verified the credentials. The system was
defeated not by any technical weakness but by the people operating it.