Humans are the Variable

The safest and most secure network on the planet can still be hacked or penetrated as long as humans are involved.  I will cite several examples from the field and from my own research in this, my second installment on social engineering.

Wikipedia defines Social engineering as "the art of manipulating people into performing actions or divulging confidential information.  While similar to a confidence trick or simple fraud, the term typically applies to trickery for information gathering or computer system access and in most cases the attacker never comes face-to-face with the victim."

I have shown some videos of Kevin Mitnick using the phone for a form of social engineering called pretexting to acquire personal information from employees without their knowledge.  Today I would like to focus on baiting.  As Wikipedia defines it, baiting is the real-world Trojan horse: it uses physical media and relies on the curiosity or greed of the victim.

With that in mind, I would like to share a story I originally heard from my good friend Vince Sechrest, Senior Engineer at SSE, Inc.; I have since read of several other instances of this baiting technique.

A financial institution decided to spend a huge amount of money on building a system that was to be impenetrable.  The hardware was purchased and installed, the procedures were implemented and followed, and with the system completely locked down, the IT firm hired to test it tried to find a vulnerability.  Finding none, the firm wanted to try one more thing: baiting the employees.

The firm purchased a few USB flash drives (also called key drives or thumb drives) and loaded each with a program that would launch automatically as soon as the drive was inserted into a system.  The testers then dropped the drives in the parking lot, and the employees' arrival went exactly as planned.  Limited knowledge and curiosity got the best of them: they not only picked up the drives but carried them inside and plugged them directly into their machines, wondering what was on them and probably hoping to keep them for personal use.  That innocent act was enough to give the IT firm the keys to the kingdom, and the institution failed its hack-proof test because of the human variable.  The system was technically impenetrable, but once an employee carried the attackers in with them, its fate was sealed.  Note that nothing in this attack exploited a flaw in the hardened system: the payload simply ran with the privileges of whichever user plugged the drive in, which is why removable-media and AutoRun controls belong in the baseline alongside the perimeter hardening.

Baiting involves the attacker leaving malware-infected media, such as a floppy disk, CD-ROM, or USB flash drive, in a location where it is sure to be found.  Bathrooms, elevators, sidewalks, and parking lots are high-yield locations, and with a legitimate-looking, curiosity-piquing label the media simply waits for the victim to use it.

For example, an attacker might create a disk bearing the corporate logo, readily available from the target's web site, and write "Executive Salary Summary Q2 2008" on the front. The attacker would then leave the disk on the floor of an elevator or somewhere in the lobby of the targeted company. An unknowing employee might find it and insert it into a computer to satisfy their curiosity, or a Good Samaritan might find it and turn it in to the company.

In either case, merely inserting the disk to see its contents would install the malware, likely giving the attacker unfettered access to the victim's PC and perhaps to the targeted company's internal network.

Unless controls block it, a PC set to auto-run inserted media may be compromised the moment a rogue disk goes in. The AutoRun setting is the first thing to check: on Windows it is governed by the NoDriveTypeAutoRun value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer (0xFF disables it for every drive type), and it should be enforced by Group Policy rather than left to defaults. Disabling AutoRun is necessary but not sufficient: a user who opens the drive and double-clicks a file named to look like a document runs the payload just the same, and a device that presents itself to the host as a keyboard and types commands never needs autorun.inf at all.
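As an added example (this is not code from the original post or from Vince's engagement), here is a small Python script that parses an autorun.inf of the kind the bait drives in the story above, and the "Executive Salary Summary" disk, would carry, and reports which entries would launch code or disguise the drive. The sample file embedded in it is constructed for illustration; the directive names it checks (open, shellexecute, shell\<verb>\command, shell, icon, label, action) are the standard autorun.inf keys. It is the check to run on a found drive from a non-Windows or isolated machine before anyone double-clicks anything.

```python
"""Triage an autorun.inf from suspect removable media.

Added example, not part of the original article. The SAMPLE_BAIT text below
is constructed to resemble what a bait drive might carry.
"""
import re

# autorun.inf keys are case-insensitive on Windows. These two launch a
# program directly when AutoRun is honoured.
EXEC_KEYS = ("open", "shellexecute")
# These only change what the user sees (icon, volume label, AutoPlay text),
# which is how a drive is made to look like a folder or a trusted device.
DECOY_KEYS = ("icon", "label", "action")
# shell\<verb>\command=... adds an Explorer verb; shell=<verb> makes that
# verb the default double-click action for the drive.
SHELL_CMD_RE = re.compile(r"^shell\\([^\\]+)\\command$")


def parse_ini(text):
    """Minimal INI parser: {section: {key: value}} with section names and
    keys lower-cased. Handles ';' comment lines and blank lines."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def analyze_autorun(text):
    """Return a list of (severity, message) findings for an autorun.inf."""
    findings = []
    autorun = parse_ini(text).get("autorun")
    if autorun is None:
        return [("info", "no [autorun] section; nothing would be launched")]

    for key in EXEC_KEYS:
        if key in autorun:
            findings.append(("high", f"{key}= runs '{autorun[key]}' when AutoRun is honoured"))

    verbs = {}
    for key, value in autorun.items():
        m = SHELL_CMD_RE.match(key)
        if m:
            verbs[m.group(1).lower()] = value
    default_verb = autorun.get("shell", "").lower()
    for verb, cmd in verbs.items():
        is_default = verb == default_verb
        what = "default double-click action" if is_default else "context-menu verb"
        findings.append(("high" if is_default else "medium",
                         f"shell\\{verb}\\command runs '{cmd}' as {what}"))

    decoys = [k for k in DECOY_KEYS if k in autorun]
    if decoys:
        findings.append(("low", "decoy presentation keys present: " + ", ".join(decoys)))
    return findings


def launches_code(text):
    """True if inserting or double-clicking the drive would execute something."""
    return any(sev == "high" for sev, _ in analyze_autorun(text))


# Constructed sample: a bait drive disguised as the salary spreadsheet.
SAMPLE_BAIT = """[autorun]
; looks like a folder, opens a dropper whether the user double-clicks or not
open=setup\\update.exe /s
icon=%SystemRoot%\\system32\\shell32.dll,4
label=Executive Salary Summary Q2 2008
shell\\explore\\command=setup\\update.exe /s
shell=explore
action=Open folder to view files
"""

if __name__ == "__main__":
    for sev, msg in analyze_autorun(SAMPLE_BAIT):
        print(f"[{sev}] {msg}")
```

Mount the found drive read-only (or image it first) and run the script against the autorun.inf in its root; a high finding means the drive was built to execute something, regardless of what the label promises. Remember that since Microsoft's 2011 AutoRun update Windows ignores autorun.inf on USB mass storage and honours it only on optical media, so a drive with no autorun.inf at all is not evidence of innocence: the payload may simply be a file named to invite a double-click.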


Seems almost too easy, doesn't it?  Here is a link to a scenario very similar to Vince's:
http://www.darkreading.com/document.asp?doc_id=95556&WT.svl=column1_1


References:

SirRoss. January 20, 2005. "A Guide to Social Engineering, Volume 1" and "A Guide to Social Engineering, Volume 2". Astalavista.

Kevin Mitnick, William L. Simon, Steve Wozniak. 2002. "The Art of Deception: Controlling the Human Element of Security". John Wiley & Sons.
