It’s Easier To Hack You Than Your Computer
There are two aspects to using a computer:
- The computer
- You
That means there are two ways to get data off of your computer, either by hacking the computer … or hacking you. It’s often easier to hack you than your computer.
Don’t worry – nobody is going to come along and chop off bits of you or try to plug a keyboard into an available port on your body. What I’m talking about is referred to as social engineering: getting information out of you by giving you a false impression of the situation, or by flat out lying to you, so that you hand it over willingly.
A common technique is called phishing. A typical example is an email that looks like it came from your bank, saying their records show a foreign address tried to access your account and that you should verify your activity. It provides a link to the bank site so you can log in. The trick is that the link doesn’t go to your bank’s website but to a fake site that merely looks like it. When you enter your ID and password, they are recorded, and you have just handed your bank login credentials to someone else.
Luckily, newer browsers like Firefox 2+ and Internet Explorer 7+ help detect some phishing attempts, but they can only do so much; it’s up to you to watch out for these things. Pay attention to the details: the URL of the site you arrive at (the domain name itself, not just whether the page looks right or shows a padlock), and how the page looks compared to when you normally go to your bank’s site. Safer still, don’t follow the link at all; type the bank’s address yourself or use a bookmark you made earlier.
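To make the “look at the URL” advice concrete, here is a small added checker (example code written for this page, not from the original post) that pulls the links out of an HTML email and flags the usual tricks: a look-alike or near-miss domain, the real domain used as a subdomain of an attacker’s host, link text that shows one address while the href goes to another, a raw IP address, and a punycode (IDN) host. The bank domain examplebank.com, the sample message and every host in it are constructed for the illustration.

```python
import difflib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed for this example: the bank's real registrable domain.
TRUSTED_DOMAINS = {"examplebank.com"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a host name. Adequate for the .com/.net names used here;
    production code should consult the public suffix list instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_of(value):
    """Host name of a URL, or of bare text such as 'www.examplebank.com'."""
    if "://" not in value:
        value = "http://" + value
    return urlparse(value).hostname or ""


def link_warnings(href, text, trusted=TRUSTED_DOMAINS):
    """Return the reasons a link is suspicious; an empty list means it checks out."""
    parsed = urlparse(href)
    host = parsed.hostname or ""          # urlparse drops any user@ prefix for us
    reasons = []

    if parsed.scheme != "https":
        reasons.append("not https")
    is_ip = host != "" and host.replace(".", "").isdigit()
    if is_ip:
        reasons.append("raw IP address instead of a host name")
    if "xn--" in host:
        reasons.append("punycode (IDN) host, possible look-alike letters")

    domain = host if is_ip else registrable_domain(host)
    if domain not in trusted:
        reasons.append(f"destination domain {domain!r} is not the bank's")
        # The real name buried inside the host (examplebank.com.verify-login.net)
        # or a near-miss spelling (examp1ebank.com) is the classic look-alike.
        for good in trusted:
            if good in host or difflib.SequenceMatcher(None, good, domain).ratio() >= 0.8:
                reasons.append(f"host {host!r} imitates {good!r}")
                break

    # Visible text that itself looks like an address pointing somewhere other
    # than where the href really goes. Heuristic: one token containing a dot.
    if "." in text and " " not in text:
        shown = host_of(text)
        if shown and registrable_domain(shown) != domain:
            reasons.append(f"link text shows {shown!r} but goes to {host!r}")
    return reasons


def scan_email(html, trusted=TRUSTED_DOMAINS):
    """Map each link's href to its list of warnings."""
    extractor = LinkExtractor()
    extractor.feed(html)
    return {href: link_warnings(href, text, trusted) for href, text in extractor.links}


# Constructed sample message: one genuine link followed by four phishing patterns.
SAMPLE_EMAIL = """
<p>Dear customer, a foreign address accessed your account.</p>
<a href="https://www.examplebank.com/login">Log in to Example Bank</a>
<a href="https://examplebank.com.verify-login.net/">https://www.examplebank.com/</a>
<a href="http://examp1ebank.com/secure">Verify your activity</a>
<a href="https://www.examplebank.com@203.0.113.7/">www.examplebank.com</a>
<a href="https://xn--exmplebank-r5a.com/">Example Bank</a>
"""

if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL).items():
        print(("OK      " if not reasons else "SUSPECT ") + href)
        for reason in reasons:
            print("    -", reason)
```

The whole point of the checker is that it never trusts what the page or the link text looks like; every decision is made on the parsed host name. That is exactly the habit the paragraph above asks of a human reader.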
So phishing uses technology to fake you out, but what about person to person fake outs?
Here is a simple example of how I could use social engineering to get access to your work computer. I go to your company website and collect some basic information (usually bigwig names, partner or subsidiary companies, etc.), then call the receptionist and ask to speak to someone in accounting to help with an invoice; dropping a name from the website or saying “in so-and-so’s department” usually helps. Once I reach that person, I ask for some basic information such as a billing address, and also for an email address in case I have another question. I then wait a day or two and call that person directly, saying I am from the Help Desk and need to confirm some information because of a network issue. I walk them through confirming their email address and then ask them to confirm that they use the first part of the email address as their logon name. Whether they say yes or no, I say “Oh, that may be it then” and ask them to confirm their login ID (if it’s different) and then their password. Once they do, I just say “Yup, that took care of it. Thanks!” I now have their ID and password with no computer hacking at all.
That’s a really simple example, but sometimes that’s all it takes. There are all sorts of levels to this kind of trickery, and some are harder to detect than others. One thing to always remember is that almost nobody official will ever require your password. Ever. There are times in a company when it may be easier for someone else to know it, but it should never be necessary. If a caller claims to be from the Help Desk or your bank, hang up and call back on a number you already know (the internal directory, the number on the back of your card), not one the caller gives you. Also be careful of surveys or questions about common password hint or validation information such as mother’s maiden name, first pet or birthday.
So how do you get informed or protect yourself? Here are a few links to some helpful information:
- Article from Security Focus – dated but still good information
- Mitnick Security – security consulting and workshops from the security company founded by one of the most well known hackers (offers CSEPS)
- The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders & Deceivers by Kevin Mitnick does an excellent job of explaining different types of social engineering and how to prevent them.
- AntiPhishing.org – details of current scams running and a place to report phishing you find
If you have any other questions about social engineering please contact me via comments or email. This can be a rather dry topic but hopefully it was more informative than boring.
The government puts out training called Lethal Keystrokes as part of its opsec (operational security) which we have to follow at work as well.
Good article. I typically have users give me their password when I remote desktop into their machine so I can be logged into their PC under their profile; most settings I have found to be profile specific, so it requires getting logged in under the user’s ID… unless there is another way.
How do you connect to users machines remotely?
Yeah. The profile-specific stuff is where it gets tricky. For remoting in, using a screen sharing program instead of an RDP client can make it easier (NetMeeting is built into Windows XP/2000, so that one works pretty easily). Plus, one of the main reasons IT doesn’t usually ask for a password is that we can usually change it ourselves. If necessary we can change a user’s password, work on the machine, and then have the user pick a new password. It all just depends on the situation really.
That’s a good example though of how security is really not about making something impregnable but making it too much of a hassle to break into it.
I wish someone were interested in my stuff at work… I hate my life.