Lesson Plan: Social Engineering
What is Social Engineering?
In [d0x3d!], players adopt the role of white-hat hackers working to reclaim valuable digital assets that have been stolen from them. Players can choose one of several hacker roles. The “social engineer” role has a special ability, “As one action, [move] to any compromised node.” While a traditional hacker moves through a network by compromising devices as they travel, a social engineer does not necessarily need to use technical skills to gain access to a system. Instead, they rely on their cunning personality and the cognitive biases of their victims to gain access. The Social Engineer role was inspired by the real-life practice of social engineering, in which hackers fool others into helping them by:
This lesson is intended to be taught over four 50-minute class periods and will explore the social engineer’s role in computer security today. Students will learn how a social engineer operates and why they can be so effective despite requiring little technical skill.
Students will learn about social engineering and relate it to their lives and the real world.
This lesson assumes that students have experience using the Internet for personal and academic purposes, and have some experience or knowledge of authentication or password use online.
BACKGROUND FOR TEACHER
You may have read a news article related to social engineering, but may not have recognized it as a trend or as a class of attacks. Attackers, however, know that it is easier to fool someone into revealing valuable information than it is to directly attack a well-guarded system.
Social engineers use a variety of techniques: some require technical abilities, while others simply abuse the trust of others. For example, a user can be tricked into thinking they are interacting with a legitimate entity (person, company, etc.), and thus be willing to give up confidential information in a “phishing” attack. This may occur when a user receives an e-mail appearing to be from Facebook. In the e-mail, “Facebook” asks to confirm a friend request and includes a link that will lead to an authentic-looking (but fake) login screen run by the attacker. If the user enters their credentials, the attacker now has their username and password!
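The phishing e-mail described above works because the link a user sees and the place the link actually goes are two different things. The following added example (it is not part of the lesson plan or of [d0x3d!]) parses a constructed sample e-mail body and flags links whose real destination is not the trusted host or does not match the address shown in the link text. The sample message, the attacker host name and the `TRUSTED_HOSTS` set are all assumptions made for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a phishing e-mail body (not a real message): the first
# link *looks* like Facebook, but its href points at an attacker-run host that
# merely starts with "facebook.com". The second link is genuine.
SAMPLE_EMAIL_HTML = """
<p>Someone sent you a friend request.</p>
<a href="http://facebook.com.confirm-request.example/login">
  https://www.facebook.com/friends/requests
</a>
<a href="https://www.facebook.com/help">Help Center</a>
"""

# Hosts the legitimate sender would actually link to (assumed for this example).
TRUSTED_HOSTS = {"facebook.com"}


def registrable_host(url):
    """Return the last two labels of a URL's hostname, e.g. 'facebook.com'.

    Good enough for the example; real deployments should consult the Public
    Suffix List because of hosts such as 'example.co.uk'.
    """
    host = (urlparse(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the mail."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).strip()))
            self._href = None


def suspicious_links(html):
    """Return a list of (href, [reasons]) for links that look like lures."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reasons = []
        full_host = (urlparse(href).hostname or "").lower()
        real = registrable_host(href)
        if real not in TRUSTED_HOSTS:
            # A trusted name buried inside a longer hostname is the classic trick:
            # "facebook.com.confirm-request.example" is owned by ".example".
            if any(t in full_host for t in TRUSTED_HOSTS):
                reasons.append(f"trusted name used as a subdomain of {real}")
            else:
                reasons.append(f"destination {real} is not a trusted host")
        # If the visible text is itself a URL, it should agree with the href.
        if text.lower().startswith(("http://", "https://")):
            shown = registrable_host(text)
            if shown != real:
                reasons.append(f"link text shows {shown} but the link goes to {real}")
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_EMAIL_HTML):
        print(href)
        for r in reasons:
            print("  -", r)
```

Running the block prints only the first link, with both reasons; the genuine Help Center link passes. In class, the point to draw out is that neither check requires any technical attack: the defence is simply to compare where a link says it goes with where it really goes before typing a password.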
In another example, a social engineer may collect enough relevant information about a victim to access their online accounts. The engineer may impersonate someone who is typically trusted with sensitive information and thus the victim may be willing to give them the knowledge they need in order to carry out their attack.
A social engineer may not even need to interact with the victim in order to be successful. Online access to public information can make social engineering a victim much easier. A quick Google search on a person’s name can reveal enough information to bypass password reset questions, such as “Where were you born?”, “What high school did you attend?”, or “What is your mother’s maiden name?” The more well-known a person is, the more readily information about them can be found.
Another practice social engineers may use is “dumpster diving,” or “trashing,” a method of collecting information from a victim’s refuse. A discarded letter from the electric company could contain valuable information about an individual, useful to an attacker.
In this lesson, students will explore the types of online information useful for social engineering and learn how easy it can be for hackers to use non-technical techniques to gain access to others’ personal data and computer systems. Students will learn some techniques to protect themselves and their data from social engineering.
These activities are intended to help students connect with the core materials and questions, before any independent work or activities.
In 2008, vice-presidential candidate Sarah Palin was the victim of a social engineering attack. The “hacker” did not infiltrate any GOP governmental database or even steal any of her personal digital devices. Hacker David Kernell simply looked up readily available information about Sarah Palin to reset her Yahoo e-mail password: her birthday, home zip code, and information about where she met her spouse. Kernell allegedly took no more than 45 minutes to research the information needed to reset the password and gain access to Palin’s e-mail account. The class may choose to read the following article for more information [Telegraph, 2010].
As homework, or as an in-class activity, run the following hacking simulation where students get to research and deploy a social engineering attack. Their goal is to recover the password to a faux e-mail account of a historical figure based on readily available information. Each student will receive a historical figure with a corresponding e-mail. Students must research background information using the Password Reset Handout. When students have correctly answered six (6) of the eight (8) questions, they will have gained access to the password reset function, and thus to the e-mail account!
Consider the following quote from former social engineer Kevin Mitnick:
What's important here is to consider the big picture: People use insecure methods to verify security measures. The public's confidence in the telephone system as secure is misplaced, and the example I just described demonstrates the reason why. The human side of computer security is easily exploited and constantly overlooked. Companies spend millions of dollars on firewalls, encryption, and secure access devices and it's money wasted because none of these measures address the weakest link in the security chain: the people who use, administer, operate and account for computer systems that contain protected information...
From “The Testimony of an Ex-Hacker,” PBS Frontline
Summarize Mitnick’s position. Why are the people “who use, administer, operate and account for computer systems” the weakest part of the security chain? Do you agree or disagree? Why?
Play the game [d0x3d!] in groups of three or four. Afterwards, write a short response to the following question:
In the game, each hacker has a unique special ability. The social engineer’s special ability is “As one action, [move] to any compromised node.” Why might the social engineer be able to move so freely throughout the network, while the other hackers require a path through the network?
Have students revisit the password reset question activity. Ask them to consider the following questions:
Have students pretend to be administrators of a system supporting password reset questions. Ask students to create eight password reset questions for a historical figure, with the answers. Then, have students trade password reset questions (without the answer) with each other, and try to hack the historical figure’s account.
Afterwards, have students reflect on the exercise using the following questions:
Students will find a news article related to a social engineering attack and provide a brief summary of why it was a social engineering attack, what it resulted in, and how it could have been avoided.
Teachers may tailor the historical figures and the Password Reset Question Bank questions based on thematic goals for the class.
Students will come up with a new/diverse social engineering scenario and act out how it could take place. They can make a movie, write a short story, or even act out a short play about it.