Social Engineering: Exploiting Human Nature
Posted: 2005-09-16 11:27:42
Summary: Not all hackers are masters of technology. Social engineers manipulate people as a means to nefarious ends.
Social engineers attack the weakest link

Recently the IT Security office received a call from a software developer on campus. The developer had been asked to create a temporary account in the campus wireless system for a visiting administrator from another university who was giving a presentation on campus. The urgent request hadn't come through normal channels because the people who would normally handle the request were unavailable.

Should the developer have given the requestor access? Obviously more information was needed to make the right decision. Did the request come from an authorized individual on the visiting administrator's behalf? Was this authorized requestor available for a call back at his desk? For how long would the access be needed?

This instance may not have been an attempt to gain illicit access to the campus wireless network, but it is a typical tactic used in social engineering attacks.

Hackers are stereotyped as caffeine-fueled misfits with poor social skills who spend hours hunched over keyboards, staring into computer screens, finding ways to overcome their target's technological defenses.

However, some hackers manipulate people in order to bypass those defenses. Using a technique known as social engineering, the attackers appeal to a person's desire to be a part of a solution. A social engineer's tool of choice is not found on any computer, but rather in the willingness of others to help. It is the soft science of getting people to divulge information or grant access to systems the hacker doesn't rightfully have.

Commonly the attacker will claim to be someone further up in the organization's ranks who has an urgent need for help. Another common guise is a vendor or service provider needing access to fix a problem, upgrade a system, or check email or voice mail. Some of these requests come over the phone, or the attacker may make a personal appearance dressed appropriately: in a suit as an administrator from another department, or in a logo-embossed polo as a visiting vendor or service technician.

Common targets for social engineers are Help Desks or support staff with the ability to grant access or give out information. Because most people are good-natured and want to help others, they are all too willing to comply.

Social engineers are committed

Social engineering practitioners may soften up their targets via a series of pleasant interactions over an extended period of time. These exchanges build trust between the target and the attacker. Social engineers may study the structure of the organization so they can drop names in an effort to gain credibility.

Dirty hands

Another technique used by social engineers is dumpster diving. Hackers using this technique will dig through trash looking for paper containing passwords, discarded computer systems, CDROMs, manuals, or anything else that may help them gain access to or damage the organization.

Virtual social engineering

Other forms of social engineering can come via email or through pop-up windows on desktop computers. Typically these email messages will take on the familiar phishing techniques, claiming that a problem has occurred with the user's account and that they need to go to a particular web site and provide sensitive information such as a username and password. The message may claim that the user has won something, etc.

In the case of desktop pop-ups, a poorly configured system may present the user with a pop-up dialog box, claiming they've been disconnected and that they need to re-authenticate by providing their username and password.

Signs of social engineering

  • Attacker is unwilling to show ID, or unwilling to be called back.
  • Attacker requests sensitive information or unusual access.
  • Attacker's need is urgent.
  • Attacker attempts to intimidate by claiming to be in a position of authority.
  • Attacker drops names of others in the organization.

Defending against social engineering

If someone comes to your desk or dorm room claiming to be from a campus support organization or a vendor, and says they need to upgrade your computer system, use the phone, check their email, and so on, ask for ID and call the organization or company they claim to represent to confirm that the request is legitimate before granting access.

If you receive a request for access, make sure it is coming from a person authorized to make such a request. For campus systems, such requests should come from the Technical Liaison for the department where the requestor is located. NTS, LSS and other campus service organizations typically provide advance notice to affected users prior to showing up on site.

Papers containing sensitive or confidential information should be shredded before being discarded. Computer hard drives should be securely erased using a utility like sdelete (available at sysinternals.com). CDROMs containing confidential or sensitive information should be destroyed before being discarded.

In general, Help Desk and Information Services support staff should not ask users for passwords in order to troubleshoot problems. If you receive a call from someone claiming to be from the Help Desk, LSS, Resnet or other support staff and they request your password, ask if you can call them back at their office. Verify that the phone number they give you is the real phone number for that office.

Before replying to email messages claiming to need sensitive information, verify that they came from a legitimate source. If you're not sure, forward the message to itsec@ku.edu and have it checked out.

If an unusual pop-up window appears on your desktop claiming to need your username and password, report it to your IT support staff.

Source
Dave "DP" Hull
KU IT Security Office
http://www.security.ku.edu