Tutorials: How to outsmart the silver-tongued hacker
Hackers will try to trick your users into revealing their passwords. They call it "social engineering", we call it a security risk. Here's how to fight it.
Brien M Posey
April 28, 2003
While security officers focus on firewalls and intrusion detection systems, a far more dangerous avenue often lies open to hackers. In most cases, it is far easier to trick innocent users into giving up their passwords by phoning them up. Most people would refer to this as "lying", "trickery", or "deception", but security people prefer to use the term "social engineering".
In the past, social engineering schemes have traditionally revolved around a hacker posing as someone from the support department and either trying to assist the user with a problem or getting the user to help the hacker run a "test". These have been frighteningly effective, and are getting increasing publicity: former practitioners such as Kevin Mitnick have argued that social engineering is more worrying than technology-based attacks.
Hackers like to break with tradition, and current social engineering methods are all about defying expectations. To help you understand the new face of deception, here are some of the new ways that hackers are manipulating expectations to get what they want -- access to your data. By reading through these new schemes, you can better educate yourself and your staff about the techniques being used, which in turn will help everyone in your company avoid falling prey to these security breaches.
Relationship social engineering
I had the chance to watch first-hand a social engineering stunt using common conversation to obtain password information. This particular job wasn't an illegal hack, but rather a situation in which a client paid a security company, Relevant Technologies, to see if its employees would fall victim to a trick. The company felt it better to find out its security holes under controlled conditions than to be exploited by someone who really did have malicious intentions. Unfortunately, the scheme went off without a hitch, and the company's owner realised that he needed to place a greater emphasis on employee training.
For this particular scheme, the security company hired a woman with a sexy voice to call sales representatives at the company and pretend to be interested in buying the company's product. Part of the conversation went something like this:
Social Engineer: "My kids will love this product. I have a two-year-old named Fred and an eight-year-old named Beth. Do you have any kids?"
User: "Yes, I have a four-year-old son named Shawn."
This is seemingly innocent chitchat, but in organisations that don't enforce strict password policies, employees often use their kids' names as passwords. In this particular case, the employee used his son's name, Shawn, as his password. Of course, that was a lucky guess, but the security company's social engineer was able to worm other personal information out of the employee as well.
For this particular job, the woman never asked for a password -- or anything else related to the computer system. What she did do was to build a relationship with the victim. Even if nothing on the password list had matched, she had built the guy's trust enough that on a future call she would be able to get something more useful out of him.
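The weak point in the story above is a password policy that lets a user pick a name he would happily mention on the phone. As an added illustration (not code from the original article or from Relevant Technologies), here is a password-acceptance check from the defender's side: it rejects candidate passwords derived from names in the user's profile, including the leetspeak and digit-suffix tweaks people apply to them. The `PERSONAL_TOKENS_EXAMPLE` list and the `check_password` function are constructed for this example.

```python
import re

# Constructed sample of the kind of personal detail a caller could draw
# out in chit-chat (the article's case: a son named Shawn). In practice
# these tokens would come from profile/HR data the user consented to use
# for password screening, never from an inbound call.
PERSONAL_TOKENS_EXAMPLE = ["Shawn", "Beth", "Fred"]

# Common letter-for-symbol substitutions, mapped back to plain letters so
# that 'Sh4wn' or '$hawn' is treated the same as 'shawn'.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s"})


def normalise(password: str) -> str:
    """Lower-case the password and undo leetspeak substitutions.

    Prefixes and suffixes such as 'Shawn1!' or '2003shawn' are left in
    place; the caller does a substring match, so they do not hide the name.
    """
    return password.lower().translate(_LEET)


def check_password(password: str, personal_tokens, min_length: int = 12):
    """Return a list of policy violations; an empty list means acceptable.

    A token is only matched if it is at least three characters long, so
    that very short names (e.g. 'Al') do not reject every password
    containing those two letters.
    """
    reasons = []
    if len(password) < min_length:
        reasons.append("too short")
    core = normalise(password)
    for token in personal_tokens:
        t = token.lower()
        if len(t) >= 3 and t in core:
            reasons.append(f"derived from personal name '{token}'")
    return reasons


if __name__ == "__main__":
    for candidate in ["Shawn", "$h4wn2003!!!!", "correct horse battery staple"]:
        print(repr(candidate), "->", check_password(candidate, PERSONAL_TOKENS_EXAMPLE) or "ok")
```

The same check can be run against a list of widely used first names as well, since a guesser who learns nothing specific about the victim will still try the most common ones.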
Article source: ZDNet - TechUpdate