

	Security Information

Social Engineering: You Have Been A Victim

Monday morning, 6am; the electric rooster is telling you it's time to start a new work week. A shower, some coffee, and you're in the car and off. On the way to work you're thinking of all you need to accomplished this week. Then, on top of that there's the recent merger between your company and a competitor. One of your associates told you, you better be on your toes because rumors of layoffs are floating around.

You arrive at the office and stop by the restroom to make sure you look your best. You straighten your tie, and turn to head to your cube when you notice, sitting on the back of the sink, is a CD-ROM. Someone must have left this behind by accident. You pick it up and notice there is a label on it. The label reads "2005 Financials & Layoff's". You get a sinking feeling in your stomach and hurry to your desk. It looks like your associate has good reasons for concern, and you're about to find out for your self.

And The "Social Engineering" Game Is In Play:

People Are The Easiest Target
--------------------------------------------
You make it to your desk and insert the CD-ROM. You find several files on the CD, including a spreadsheet which you quickly open. The spreadsheet contains a list of employee names, start dates, salaries, and a note field that says "Release" or "Retain". You quickly search for your name but cannot find it. In fact, many of the names don't seem familiar. Why would they, this is pretty large company, you don't know everyone. Since your name is not on the list you feel a bit of relief. It's time to turn this over to your boss. Your boss thanks you and you head back to your desk. You have just become a victim of social engineering.

When Did I Become a Victim of Social Engineering?
--------------------------------------------
Ok, let's take a step back in time. The CD you found in the restroom, it was not left there by accident. It was strategically placed there by me, or one of my employees. You see, my firm has been hired to perform a Network Security Assessment on your company. In reality, we've been contracted to hack into your company from the Internet and have been authorized to utilize social engineering techniques.

The spreadsheet you opened was not the only thing executing on your computer. The moment you open that file you caused a script to execute which installed a few files on your computer. Those files were designed to call home and make a connection to one of our servers on the Internet. Once the connection was made the software on our servers responded by pushing (or downloading) several software tools to your computer. Tools designed to give us complete control of your computer. Now we have a platform, inside your company's network, where we can continue to hack the network. And, we can do it from inside without even being there.

This is what we call a 180 degree attack. Meaning, we did not have to defeat the security measures of your company's firewall from the Internet. You took care of that for us. Many organizations give their employees unfettered access (or impose limited control) to the Internet. Given this fact, we devised a method for attacking the network from within with the explicit purpose of gaining control of a computer on the private network. All we had to do is get someone inside to do it for us - Social Engineering! What would you have done if you found a CD with this type of information on it?

What Does It Mean to Be "Human"
--------------------------------------------
As human beings we are pretty bad at evaluating risk. Self preservation, whether it be from physical danger or any other event that could cause harm, like the loss of a job or income, is a pretty strong human trait. The odd thing is, we tend to worry about things that are not likely to happen. Many people think nothing of climbing a 12 foot ladder to replace an old ceiling fan (sometimes doing so with the electricity still on), but fear getting on a plane. You have a better chance severely inuring yourself climbing a ladder than you do taking a plane ride.

This knowledge gives the social engineer the tools needed to entice another person to take a certain course of action. Because of human weaknesses, inability to properly assess certain risk, and need to believe most people are good, we are an easy target.

In fact, chances are you have been a victim of social engineering many times during the course of your life. For instance, it is my opinion that peer pressure is a form of social engineering. Some of the best sales people I've known are very effective social engineers. Direct marketing can be considered a form of social engineering. How many times have you purchased something only to find out you really did not need it? Why did you purchase it? Because you were lead to believe you must.

Conclusion
--------------------------------------------
Defining The Term "Social Engineering": In the world of computers and technology, social engineering is a technique used to obtain or attempt to obtain secure information by tricking an individual into revealing the information. Social engineering is normally quite successful because most targets (or victims) want to trust people and provide as much help as possible. Victims of social engineering typically have no idea they have been conned out of useful information or have been tricked into performing a particular task.

The main thing to remember is to rely on common sense. If some one calls you asking for your login and password information and states they are from the technical department, do not give them the information. Even if the number on your phone display seems to be from within your company. I can't tell you how many times we have successfully used that technique. A good way of reducing your risk of becoming a victim of social engineering is to ask questions. Most hackers don't have time for this and will not consider someone who asks questions an easy target.

About The Author
----------------
Darren Miller is an Industry leading computer and internet security consultant. At the website - http://www.defendingthenet.com you will find information about computer security specifically design to assist home, home office, and small business computer users. Sign up for defending the nets newsletter and become empoweredto stay safe on the Internet. You can reach Darren atdarren.miller@paralogic.net or at defendthenet@paralogic.net

MORE RESOURCES:
Unable to open RSS Feed $XMLfilename with error HTTP ERROR: 404, exiting

RELATED ARTICLES

Hacking the Body Via PDA Wireless Device
First I would like to stress I am condoning the art of hacking. Nor am I condoning the control and manipulation of the human race by way of frequencies interacting with the biological systems, which run the human body.

Another Fine Mess!
I'm in the Anti-Spyware business, and I'm doing a lot of advertising to promote my website, but here I am online and on the phone, giving my personal information to..

Parental Control - Dangers To Your Child Online & Internet Child Safety Tips
Did you know..

Virus and Adware - Fix them Both!
We all get the odd virus now and then, but sometimes that one virus could cause so many problems. In this article I shall be going though just some of the problems that these virus software programs can do, and how to fix them.

Protecting Your Home Both Inside and Out
If you are a parent, you have probably wondered at one time or another, what more you can do to protect your children and yourself, not only physically but emotionally, mentally, spiritually etc. Today many parents and families are discouraged.

Email Hoaxes, Urban Legends, Scams, Spams, And Other CyberJunk
The trash folder in my main inbox hit 4000 today. Since I never throw anything out, I know that what's in there is courtesy of my email filter which is set to automatically delete anything that is forwarded from my work account from a certain person.

IPv6 - Next Step In IP Security
IPv6, IntroductionThe high rate at wich the internet continualy evolves forced the Internet Engineering Task Force(IETF) to find IP solutions to handle the grouth. Designed to handle the fast paced growth of the Internet, the IPv6 (Internet Protocol version 6) is the new version that will replace the widely used IPv4(Internet Protocol version 4) which is already obsolete.

Phishing: A Scary Way of Life
The Federal Bureau of Investigation has identified "phishing" as the "hottest and most troubling new scam on the Internet."What is Phishing?Phishing is a scam initiated via e-mail.

Online Shopping: 10 Tips For Safe Online Shopping
Have you ever bought a product or service from the internet?Yes? Me too. You're not alone?Some of the reasons why most people are shopping online are: they can buy anything at anytime because Internet shopping is available 24 hours, all the time.

How To Clean the Spies In Your Computer?
Manual Spy Bot Removal > BookedSpaceBookedSpace is an Internet Explorer Browser Helper Object used to show advertising.Free PC Health Check - find bad files fast! How many corrupt and redundant files are lurking inside your PC ready to cause harmful errors? Find these harmful "time-bomb" files instantly and keep your computer ERROR FREE 24 hours a day!VariantsBookedSpace/Remanent : early variant (around July 2003) with filename rem00001.

From Spyware with Love!
It's late. You've been scouring the web for that perfect present for your Aunt Bess in Idaho.

Phishing - Its Signs and Your Options
Phishing is the act of some individual sending an email to a user in an attempt to scam the user to release personal information. Is it easy to determine if it's a scam? Sometimes - but not always.

Computer-Virus Writers: A Few Bats In The Belfry?
"Male. Obsessed with computers.

Watch Out For That Scam
The IFCC (Internet Fraud Complaint Center) received over 200,000 complaint submissions for 2004, an increase of 66.6% from 2003.

Is My PC Vulnerable on the Internet?
No longer are viruses the only threat on the internet. In recent years other threats have evolved which include spyware, adware, hacking, identity theft, information theft, pop-ups and the loss of information.

Don't Become An Identity Fraud Statistic!
"You've just won a fabulous vacation or prize package! Now, if you'll kindly give me your credit card information and social security number for verification purposes, you will receive this awesome gift!"Now why would they need my credit card or social security number to send me a freebie? Can you say, "identity theft?"Although there are legitimate reasons for people to need that information, such as a purchase or job application, thieves need it to steal your life and money from you!Crime officials are reporting that this kind of theft is becoming quite common. Don't be a victim! Follow a few common-sense suggestions to avoid finding out someone else has taken over your life-along with your bank account!-Do not allow anyone to borrow your credit cards! Your best friend may be trustworthy, but her boyfriend may not be!-Don't provide personal information such as date of birth, credit card numbers, your pin number, mom's maiden name, or social security number over the telephone unless you initiate the call.

How To Avoid Hackers From Destroying Your Site?
Recently, my site and other internet accounts ( http://www.nabaza.

Protection for Your PC - Painless and Free!
Viruses, Bugs, Worms, Dataminers, Spybots, and Trojan horses. The Internet is a veritable minefield of things that can invade your PC and affect it's Security and Performance.

Is Your Email Private? Part 1 of 3
In a word, no - an email message has always been nothing more than a simple text message sent unencrypted to a recipient we choose. So all the email that we so blithely send all over the Internet everyday is neither private nor secure.

Its War I Tell You!
There are ways to insure security though. You can get the Windows Update CD from Microsoft and install that before you get online, You can also get most Antivirus Definitions downloaded and save them to disk, then install those before you go online, (of course you have to be using that Product in the first place), and you can get Anti-Spyware on a disk and do the same.

home | site map | contact us