Comp327: Introduction to Computer Security
Blog and homepage for Rice's Comp327
 

Security Topics: Social Engineering – Practical Applications

Tuesday, February 15th, 2011

Currently in the course we are dabbling in social engineering. This topic is usually the least technical, yet it is among the hardest to execute successfully because of the amount of homework the attacker has to do on the target before acting. It is a combination of psychology, sociology, and a little of “The Art of War”, mixed together with some dumpster diving. There are degrees of success after execution; most of the time this attack is used for intelligence gathering in order to defeat a physical or technical defense. Recently this kind of attack has produced significant gains for attackers.

Proof of how much you can get with this type of attack is the recent attack that has affected one company. To keep search engines off this blog and to keep the discussion educational, the players will be called Actor, Corp X, and Attacker Y.

The story starts with Actor, who works for Corp X, doing research on Attacker Y using social networking sites. One day a news outlet interviews Actor. During this interview Actor states that he has identified the leaders of Attacker Y and that later on he will be turning those people over to a three-letter agency. Attacker Y finds out and is not too happy. They gain access to Actor’s personal web site through social engineering: an e-mail requesting that the password to the system be reset and that a port be opened. Granting that request broke the policy of the company hosting the web site. As for Corp X’s own web site, it looks as though there was an XSS issue in it. Using that issue together with the password taken from Actor’s personal web site, which he had reused, Attacker Y gained access into the company.

Right now the biggest takeaway, one that needs to be taught to anyone who holds accounts across multiple computer systems, is the danger of password reuse. This was once thought to be a small problem; after this massive data breach it is clearly a bigger one.
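As an added illustration of why reuse is so costly (example code written for this page, not part of the original post or of any real system involved): each site below stores its own independently salted PBKDF2 hash, so an administrator comparing stored hashes across systems sees no duplicates at all, yet once one plaintext is recovered from a single site, trying it against every other account immediately shows where it was reused. The system names and passwords are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed sample: one user holds accounts on three systems.  Each
# system stores its own independently salted PBKDF2 hash, so the stored
# values differ even where the underlying password is identical.

ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256, as a typical per-system stored hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_record(password: str) -> dict:
    """Create a stored credential record with a fresh random salt."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


def verify(password: str, record: dict) -> bool:
    """Constant-time check of a candidate password against one record."""
    candidate = hash_password(password, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


# Constructed credential stores for the same user across three systems
# (hypothetical names; passwords are illustrative only).
STORES = {
    "personal-site": make_record("Summer2011!"),
    "corp-webmail": make_record("Summer2011!"),   # same password reused
    "corp-vpn": make_record("h7&Qp9!zLw2#"),      # distinct password
}


def hashes_collide_across_systems(stores: dict) -> bool:
    """What an administrator comparing stored hashes would see.

    Because every system salts independently, identical passwords do
    not produce identical hashes, so reuse is invisible at this level.
    """
    digests = [record["hash"] for record in stores.values()]
    return len(digests) != len(set(digests))


def accounts_accepting(leaked_password: str, stores: dict) -> list:
    """What an attacker does once one plaintext is known: try it everywhere.

    Returns the sorted names of the systems that accept the password.
    """
    return sorted(
        name for name, record in stores.items() if verify(leaked_password, record)
    )


if __name__ == "__main__":
    leaked = "Summer2011!"   # recovered from the weakest of the three sites
    print("hash comparison reveals reuse:", hashes_collide_across_systems(STORES))
    print("systems accepting leaked password:", accounts_accepting(leaked, STORES))
```

The point of the two functions is the asymmetry: the defender's view (comparing stored hashes) cannot detect reuse, while the attacker's view (one recovered plaintext tried against every login) finds it in a single pass. The only effective controls are at the user end (unique passwords, a password manager) and at the login end (a second factor, so a reused password alone is not enough).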

The other issue arising from this will be how the law of the land handles Attacker Y and Actor for their actions. This is a good topic for debate and learning, though it is not yet settled.

Now to read up on the story:
The beginning  
Act 1  
Act 2
The biography
The Conversation
The list of pawns