More About Social Engineering
Did you know the most common tool used by scam artists and
hackers attempting to gain access to your system or credit
card data has nothing to do with a computer? In fact, it has
nothing to do with the internet, and it is actually older than
civilization.
This technique goes by the glamorous name of Social
Engineering. What this means is someone will attempt to gain
your trust in some way in order to get you to perform an
action for them. Generally, this method is used to bypass
security systems, encryption schemes and passwords. Sounds
very powerful, doesn't it? Must be pretty complex?
Actually it's incredibly simple. One of my co-workers is in
charge of the phone system. It's his job to examine the phone
bills. One day he was looking through a bill which seemed
unusually large and found some very suspicious charges. He
investigated and determined that someone had called the
receptionist saying, "I am from the phone company and we are
testing some equipment. Can you please press ...". The
receptionist obediently did so, which gave the caller access
to outgoing phone lines; he was able to rack up over $50,000
in a month in free international calls.
Another example involved America Online. One day my kid
came up to me and asked if I could enter my credit card
information for him. I asked why, and he told me he had
received an email from AOL asking him to visit a website to
"validate his identity" so his account would not be canceled.
Naturally my kid did exactly what was asked, and if he had had
his own credit card I'm sure the entire remaining balance
would have disappeared. This is a very common way to
fraudulently obtain credit card numbers, passwords and account numbers.
I've been told by some friends of mine that they recently
found a hole in their company security. What had happened was
someone called an accounting clerk, claiming to be from MIS.
This guy called just before the Year 2000, and claimed he was
making sure the computer would work properly after the new
year. He wanted to send a floppy disk to the clerk overnight.
Would the clerk be so kind as to insert it immediately upon
receipt so his hardware would be tested? Naturally the clerk
agreed and actually did as he was instructed. The result? A
hacker gained access to the entire network at this company,
requiring a full security audit to determine exactly what was
done.
I even heard of a security manager who discovered that
someone had left business cards with all of the users at his
company (hundreds of them). These cards claimed to be from a
warranty group and left a phone number to call for support.
Each time a machine broke down a user obediently called the
phone number on the card, and each time someone dialed into
his system and fixed the problem. While the person was dialed
in, he installed a set of tools to allow him to gain access to
normally secure databases, including payroll, legal and
accounting information.
As you can see the concept is very simple. A person
contacts you somehow (via email, in person, on the phone) and
talks you into doing something for him. There is no reason not
to assume the person is legitimate, so naturally you just do
what he says. He always sounds very friendly and helpful.
Sometimes he will sound like he's in a hurry or asks for your
help to complete some task. The main thing is he is normally
someone you would trust, because he seems to be doing the
correct tasks.
So what can you do about it? What I've done in the past is
given short classes to groups of people where I work. In these
classes I demonstrate exactly how social engineering works and
why it is often successful. Education does wonders for
preventing these kinds of things from happening.
I've also run "fire drills", where I (or one of my
co-workers) will call our own company and attempt some social
engineering of our own. If we can get the person on the other
end of the phone to do something, we make sure he spends some
time in training to learn what not to do next time.
You must be aware that social engineering exists, is very
common, and often works very well. When you receive a
communication asking you to do something look it over and
determine if it "feels right". Look over phone numbers,
addresses and website URLs. Are they actually the company's or
a clever modification? A good example was the America Online
scam which I mentioned earlier. In this scam, we were told to
go to a website which had nothing to do with AOL although it
did include the word AOL in the URL. It was pretty obvious to
me that AOL didn't need me to enter my credit card data at a
GeoCities site, since AOL has its own servers and its own
domain.
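The URL check described above can be made mechanical. The following is an added example, not code from the original article: it decides whether a link's host really sits under a domain the company owns, and flags the pattern from the AOL scam, where the brand name appears somewhere in the URL (in the path, in a subdomain label, or in the user@ part before the real host) while the actual host belongs to someone else. The TRUSTED_DOMAINS set, the function names and the sample URLs are assumptions constructed for the example.

```python
from urllib.parse import urlparse

# Domains the organisation actually owns. Constructed for this example; a real
# deployment would load the list from configuration rather than hard-code it.
TRUSTED_DOMAINS = {"aol.com"}


def normalize_url(url):
    """Split a URL into (host, everything_else) the way a cautious reader should:
    tolerate a missing scheme, strip the port, and lower-case the host.
    The user@ part is returned with the rest, because 'aol.com@203.0.113.5'
    shows 'aol.com' to the eye while the browser connects to 203.0.113.5."""
    if "://" not in url:
        url = "http://" + url
    parsed = urlparse(url)
    host = (parsed.hostname or "").rstrip(".")  # .hostname is already lower-cased
    rest = " ".join(
        part for part in (parsed.username, parsed.path, parsed.query, parsed.fragment) if part
    ).lower()
    return host, rest


def is_trusted_host(host, trusted=TRUSTED_DOMAINS):
    """True only when the host is a trusted domain or a subdomain of one.
    'aol.com.example.net' is NOT a subdomain of aol.com and fails here."""
    return any(host == d or host.endswith("." + d) for d in trusted)


def brand_labels(trusted=TRUSTED_DOMAINS):
    """The recognisable label of each trusted domain ('aol' from 'aol.com')."""
    return {d.split(".")[0] for d in trusted}


def classify_url(url, trusted=TRUSTED_DOMAINS):
    """Return 'trusted', 'lookalike' or 'unrelated'.

    'lookalike' means the brand name is present somewhere in the URL but the
    host is not under a trusted domain: the AOL-name-on-a-GeoCities-site pattern.
    """
    host, rest = normalize_url(url)
    if is_trusted_host(host, trusted):
        return "trusted"
    if any(label in host or label in rest for label in brand_labels(trusted)):
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample links, not the ones from the original article.
    samples = [
        "https://www.aol.com/billing",
        "https://AOL.COM:443/",
        "http://www.geocities.com/members/aol_billing/verify.html",
        "aol.com.evil.example/login",
        "http://aol.com@203.0.113.5/verify",
        "https://example.org/",
    ]
    for link in samples:
        print(f"{classify_url(link):10s} {link}")
```

The check deliberately matches on the whole host, not on "does the URL contain the company name": containing the name is exactly what makes a lookalike convincing. The trusted list still has to come from somewhere you already trust (the company's published domain, not the message you are checking), which is the same third-party validation the text recommends.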
Something I've found useful is to validate it with a third
party. For example, one day I received a notice from my ISP
asking me to proceed to a web site and change my password.
This is a classic tactic used by social engineers all over the
internet. It seemed legitimate, but I wanted to be absolutely
sure. So I called my ISP directly and asked their technical
support people to help me with the instructions (playing
stupid, like I need help). As it turned out, the letter was
fake and did not come from my ISP.
If someone comes to your door or desk and asks to get
access to your computer, check it out. I always ask for (and
keep) business cards and identification. I may even call their
company asking about them (but be sure NOT to use their
business card for the phone number - get it from someone else
that you do trust.)
The important point here is simply to validate the
credentials of anyone who is attempting to get you to do
something or to gain access to your computer system. You don't
need to be paranoid, just cautious. You wouldn't hand your car
keys to someone you don't know, so why would you open up your
computer to a complete stranger without checking him out
first?
Themestream Comments
Ace article, Richard. I hope everyone reads it and takes
notes. - bethaustin
This is excellent Richard. More people have to be aware of
this. Jean Levack - jlevack
Top notch. Connie McClellan - connies
Thanks for the alert! I'm probably one of the people that
could have been had. Judith McIntosh - jinx