Social Engineering xxxi
Introduction
In a recent case [16], conviction was upheld against violators of 18
U.S.C. § 1832 in an appeal of Mr. Pin-Yen Yang and his daughter Hwei
Chen Yang (Sally) for industrial espionage, among other crimes. Mr. Yang
owned the Four Pillars Enterprise Company, Ltd., based in Taiwan. This
company specialized in the manufacture of adhesives. Mr. Yang and his
daughter conspired to illegally obtain trade secrets from their chief U.S.
competitor, Avery Dennison Corporation, by hiring an ex-employee of
Avery Dennison, a Dr. Lee. Lee was retained as a consultant by Yang and
the group conspired to pass confidential trade secrets from Avery to Four
Pillars. When the FBI confronted Lee on the matter, he agreed to be video-
taped in a meeting with Mr. Yang and his daughter. During the meeting,
enough evidence was gathered to effect a conviction [17].
Measures against industrial espionage consist of the same measures that
are taken by companies to counter hackers, with added security obtained
by using data encryption technology. Where this is not possible due to
government regulations (France, for example), proprietary compression or
hashing algorithms can be used, which results in the same effect as encryp-
tion but with a higher chance of being broken by a determined adversary.
Legal protections exist, of course, but were once very difficult to dissect
from the vast amount of legislation in Title 18 of the U.S. Code. Congress
amended the many laws dotted throughout Title 18 code into a compre-
hensive set of laws known as the 1996 National Information Infrastructure
Protection Act.
Social Engineering
The weakest link in security will always be people, and the easiest way to
break into a system is to engineer your way in through the human interface.
Most every hacker group has engaged in some form of social engineering, in
combination with other activities, over the years and they have been able to
break into many corporations as a result. In this type of attack, the attacker
chooses a mark, whom they can scam to gain a password, user ID, or other
usable information. Because most administrators and employees of compa-
nies are concerned with providing efficiency and helping users, they may be
unaware the person they are speaking to is not a legitimate user. And
because there are no formal procedures for establishing whether an end-user
is legitimate, the attacker often gains a tremendous amount of information
in a very short amount of time, often with no way to trace the information
leak back to the attacker.
xxxii Social Engineering
Social engineering begins with the goal of obtaining information about
a person or business and can range in activities from Dumpster™-diving
to cold-calls or impersonations. As acknowledged in the movies, many
hackers and criminals have realized that a wealth of valuable information
is often laying in trash bins, waiting to be emptied by a disposal company.
Most corporations do not adequately dispose of information, and trash
bins often contain information that may identify employees or customers.
This information is not secured and is available to anyone willing to dive
into the Dumpster™ at night and look for it—hence, the term Dump-
ster™-diving.
Other information is readily available via deception. Most corporations
do not contain security measures that adequately address deception. What
happens when the protocol is followed properly, but the person being
admitted is not whom they say they are? Many groups utilize members of
their group in a fashion that would violate protocols, so as to gather infor-
mation about what a corporation’s admittance policy is. Often the multi-
person attack will result in gaining admittance to the company and,
ultimately, the information desired. Using the bathroom or going for a
drink of water is always a great excuse for exiting from a meeting, often
one during which you will not have an escort. Most corporations do not
have terminal locking policies, and this is another way an attacker can gain
access or load software that could pierce the company’s firewall. So long as
the person entering the corporation looks the part, and can act according
to the role the company has defined for access, it is unlikely that person
will be detected.
Remotely, social engineering actually becomes less challenging. There
are no visual expectations to meet, and people are very willing to participate
with a little coaxing. As is often the case, giving away something free can
always be a method for entry. Many social engineering situations involve
sending along a piece of software or something of value for free. Embedded
within the free software, Trojans, viruses, and worms can go undetected,
bypassing system and network security. Since most security that protects
the local machine has a hard time differentiating between real and fake soft-
ware, it is often not risky for the attacker to deliver a keylogger or Trojan to
the victim machine. Equally effective, the customer support or employee
support personnel can be duped into aiding a needy user with their pass-
words and with access to information they do not necessarily know about.
..................Content has been hidden....................
You can't read the all page of ebook, please click here login for view all page.