Social Engineering: You Have Been A Victim
Submitted: 2007-01-17 13:46:44
Monday morning, 6am; the electric rooster is telling you it's time to start a new work week. A shower, some coffee, and you're in the car and off. On the way to work you're thinking of all you need to accomplish this week. Then, on top of that, there's the recent merger between your company and a competitor. One of your associates told you that you'd better be on your toes because rumors of layoffs are floating around.
You arrive at the office and stop by the restroom to make sure you look your best. You straighten your tie, and turn to head to your cube when you notice, sitting on the back of the sink, a CD-ROM. Someone must have left this behind by accident. You pick it up and notice there is a label on it. The label reads "2005 Financials & Layoff's". You get a sinking feeling in your stomach and hurry to your desk. It looks like your associate has good reasons for concern, and you're about to find out for yourself.
And The "Social Engineering" Game Is In Play: People Are The Easiest Target
--------------------------------------------
You make it to your desk and insert the CD-ROM. You find
several files on the CD, including a spreadsheet which you
quickly open. The spreadsheet contains a list of employee
names, start dates, salaries, and a note field that says
"Release" or "Retain". You quickly search for your name but
cannot find it. In fact, many of the names don't seem
familiar. Why would they? This is a pretty large company; you
don't know everyone. Since your name is not on the list you
feel a bit of relief. It's time to turn this over to your
boss. Your boss thanks you and you head back to your desk.
You have just become a victim of social engineering.
When Did I Become a Victim of Social Engineering?
--------------------------------------------
Ok, let's take a step back in time. The CD you found in the
restroom, it was not left there by accident. It was
strategically placed there by me, or one of my employees.
You see, my firm has been hired to perform a Network
Security Assessment on your company. In reality, we've been
contracted to hack into your company from the Internet and
have been authorized to utilize social engineering
techniques.
The spreadsheet you opened was not the only thing executing on your computer. The moment you opened that file, you caused a script to execute which installed a few files on your computer. Those files were designed to call home and make a connection to one of our servers on the Internet. Once the connection was made, the software on our servers responded by pushing (or downloading) several software tools to your computer, tools designed to give us complete control of your computer. Now we have a platform, inside your company's network, where we can continue to hack the network. And, we can do it from inside without even being there.
This is what we call a 180 degree attack. Meaning, we did not have to defeat the security measures of your company's firewall from the Internet. You took care of that for us. Many organizations give their employees unfettered access (or impose limited control) to the Internet. Given this fact, we devised a method for attacking the network from within with the explicit purpose of gaining control of a computer on the private network. All we had to do is get someone inside to do it for us - Social Engineering! What would you have done if you found a CD with this type of information on it?
What Does It Mean to Be "Human"
--------------------------------------------
As human beings we are pretty bad at evaluating risk. Self
preservation, whether it be from physical danger or any
other event that could cause harm, like the loss of a job or
income, is a pretty strong human trait. The odd thing is,
we tend to worry about things that are not likely to happen.
Many people think nothing of climbing a 12 foot ladder to
replace an old ceiling fan (sometimes doing so with the
electricity still on), but fear getting on a plane. You have
a better chance of severely injuring yourself climbing a ladder
than you do taking a plane ride.
This knowledge gives the social engineer the tools needed to entice another person to take a certain course of action. Because of human weaknesses, an inability to properly assess certain risks, and a need to believe most people are good, we are an easy target.
In fact, chances are you have been a victim of social engineering many times during the course of your life. For instance, it is my opinion that peer pressure is a form of social engineering. Some of the best sales people I've known are very effective social engineers. Direct marketing can be considered a form of social engineering. How many times have you purchased something only to find out you really did not need it? Why did you purchase it? Because you were led to believe you must.
Conclusion
--------------------------------------------
Defining The Term "Social Engineering": In the world of
computers and technology, social engineering is a technique
used to obtain or attempt to obtain secure information by
tricking an individual into revealing the information.
Social engineering is normally quite successful because most
targets (or victims) want to trust people and provide as
much help as possible. Victims of social engineering
typically have no idea they have been conned out of useful
information or have been tricked into performing a
particular task.
The main thing to remember is to rely on common sense. If someone calls you asking for your login and password information and states they are from the technical department, do not give them the information, even if the number on your phone display seems to be from within your company. I can't tell you how many times we have successfully used that technique. A good way of reducing your risk of becoming a victim of social engineering is to ask questions. Most hackers don't have time for this and will not consider someone who asks questions an easy target.
About The Author
----------------
Darren Miller is an industry-leading computer and internet
security consultant. At the website -
http://www.defendingthenet.com you will find information about
computer security specifically designed to assist home, home
office, and small business computer users. Sign up for
Defending The Net's newsletter and become empowered
to stay safe on the Internet. You can reach Darren at
darren.miller@paralogic.net or at
defendthenet@paralogic.net
Article source: Expert Articles
