The Security Pub

Random Thoughts About Security

GSM Code isn't as Secure as they thought…

Cryptographers have moved closer to their goal of eavesdropping on cellphone conversations after cracking the secret code used to prevent the interception of radio signals as they travel between handsets and mobile operators’ base stations.

The code is designed to prevent the interception of phone calls by forcing mobile phones and base stations to rapidly change radio frequencies over a spectrum of 80 channels. Without knowing the precise sequence, would-be eavesdroppers can assemble only tiny fragments of a conversation.

Check out the article - [The Register]

Social Engineering – Are You At Risk? Part 2

The term “social engineering” can be defined in various ways, relating to both physical and cyber aspects of that activity. For the purposes of this article, social engineering is referred to as an approach to gain access to information, primarily through misrepresentation, and often relies on the trusting nature of most individuals. It involves the conscious manipulation of people to obtain information without the individual realizing that a security breach is occurring. Most users are familiar with email phishing scams (a form of social engineering) and have been taught not to open attachments from unknown or un-trusted sources or to visit un-trusted web sites. There are other ways that a perpetrator may prey on the trusting human nature to gain access to information or systems.

Below are just a few examples of social engineering methods, many of which rely on direct contact with an individual, along with suggestions to minimize the likelihood that such methods will be successful.

IMPERSONATION

In this situation, the perpetrator pretends to be someone else (e.g., a senior official or someone from the Help Desk). The impersonation may occur over the telephone, in person, or via email. The perpetrator may try to make you feel obligated to assist, or under pressure to follow their directions. They may use intimidation or a false sense of urgency to seek your cooperation – prompting you to react before you’ve fully thought through the consequences.

PIGGYBACKING or TAILGATING

All too often, people will hold the door open for someone entering a secure area or the building without even knowing who the individual is or asking where they are going. The unauthorized individual may pretend to be a delivery person, a visitor, or even a fellow employee. This is referred to as “piggybacking” or “tailgating.”

Be cautious if an unknown or unauthorized individual is trying to follow you through access doors.

SHOULDER SURFING

This scenario refers to the ability of an attacker to gain access to information by simply watching what you are typing or seeing what is on your computer screen. This is known as “shoulder surfing,” and can also be done by looking through a window, doorway, or simply listening in on conversations. Be aware of your work environment and who is around you when you are working with confidential information, or even when you are typing in your password. Do not let others see you type your password, and protect your computer screen from unauthorized viewing. Computers in public areas should not have the monitors facing outward.

Putting It All Together

The scenarios above represent just a few types of social engineering attempts you may encounter. By following some common sense rules and using your best judgment, you can defend against these attacks and better protect yourself and your information:

  1. Before releasing any information to anyone, it is essential to at least establish:
    • the sensitivity of the information
    • your authority to exchange or release the information
    • the real identity of the third party (positive identification)
    • the purpose of the exchange
  2. Be aware of your surroundings. Make sure you know who is in range of hearing your conversation or seeing your work.

DDoS Attack Takes Down Amazon, Wal-Mart

If you’ve been doing some last-minute Amazon holiday shopping on Wednesday evening, you’ve probably noticed that Amazon’s website was sluggish and, at times, completely down. The same fate greeted Wal-Mart, Expedia and a number of smaller sites. The reason? A severe DDoS (Distributed Denial of Service) attack on the servers of Neustar, the company that offers DNS services to many major companies under the name UltraDNS.

Check out the article - [Mashable]

What is Social Engineering? Part 1 of 2

Like fraudsters generally, social engineers take advantage of human gullibility.

Social Engineering is a collection of techniques used to manipulate people into performing actions or divulging confidential information. – Wikipedia

Social engineers manipulate people into revealing or allowing access to information assets by taking advantage of psychological traits (e.g., trust). Social engineering attacks play directly on the most vulnerable part of our information security framework: you and me. We are the weakest link in information security’s chain mail.

In a corporate context, social engineering is a factor in many information security incidents, including (perhaps especially) those perpetrated by insiders. Users have plenty of opportunities to use social engineering on each other, whether under the guise of casual inquiries or even jokes. An example might be: “Oh go on – I bet your password is something easy to guess like your cat’s name…” They have the perfect cover story and plenty of opportunities to exploit their co-workers if desired.

Social Engineering Impacts

Social engineering techniques give unauthorized access to information.

[1] Pretext calls by users can be particularly convincing, as they have ready access to vast amounts of internal information to build their credibility. They can browse the email address book for telephone numbers and job titles to pick out suitable targets. Picking up the names of sensitive systems and projects is a breeze for insiders as well.

Finally, we come to the personal impacts of social engineering. Identity theft, for instance, is a fact of modern life. Some identity thieves use social engineering methods such as pretexting as part of their repertoire and [2] phishing methods to actively exploit our gullibility through social engineering.

Pretext — An effort or strategy to conceal something.

Phishing — An attempt to criminally and fraudulently acquire sensitive information, such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication. Phishing is typically carried out by email or instant messaging, and often directs users to enter details at a website, although phone contact has also been used.

Example of Social Engineering

Two security consultants walk into an office wearing “Computer Doctors” jumpsuits. They tell the administrative assistant that they have an order to fix the system. The assistant says, “Mr. Smith did not tell me about this, and he’s on vacation today and can’t be reached.” They reply, “We’re booked for the next two weeks. The system is overheating and could melt down at any moment. If it burns up because we were not allowed to work on it, somebody’s going to get fired. Are you sure you didn’t forget the order?” The assistant nervously lets them in.

- Dr. John Orlando

Network World

In part two of this series, we will wrap up social engineering by discussing the risks, threats, and what we can do to help detect and avoid social engineering.

Recognizing Fraudulent Web Addresses

We all know that we should never click on links that are received in e-mails that we were not expecting or that come from someone we do not know. The same rule applies to links we encounter on blogs, discussion boards or social networking sites. However, sometimes we may want extra assurance about whether a link is legitimate. Understanding the anatomy of a web address can help you spot fraudulent links. Imagine the address below is your bank’s web address that you see printed on the top of each monthly statement:

http://www.yourfavoritebank.com/lgo

Look between the http:// or https:// and the next / to determine the actual web address (the host name); that part alone decides which site you are really visiting, and everything after the next / is chosen by whoever runs that site.

Phishers and scammers may try tricks such as:

  • Misspelling the web address.

For example, they may create a web site with the address http://www.yourfavoritbank.com/ hoping that you won’t notice the missing “e” at the end of “favorite.”

  • Creating a long address that includes the real web address.

For example, they may create a web site with the address http://www.mnopq.com/yourfavoritebank.com hoping that you won’t notice that you are visiting the site mnopq.com.

  • Using a plausible, but not legitimate web address.

For example, they may create a web site with the address http://www.yourfavoritebank-securitycenter.net/ hoping that you won’t verify the actual address of Your Favorite Bank.

When in doubt – don’t click that link. When accessing sites that are commonly spoofed in phishing messages, like bank or social networking sites, access the site by typing in the address from memory or from the address you’ve received on official correspondence (e.g., your monthly statement), or use your “Favorites” list.
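As an added example (not code from the original post), here is a small Python check that applies the rule above: it pulls out the host name between the scheme and the next /, accepts only the bank’s own domain, and labels each of the three tricks listed. The domain yourfavoritebank.com comes from the post; the labels and the 0.9 similarity threshold for a “near-miss” spelling are my own assumptions.

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# The domain printed on the bank's statements (taken from the post above).
TRUSTED_DOMAIN = "yourfavoritebank.com"
BRAND = TRUSTED_DOMAIN.split(".")[0]  # "yourfavoritebank"


def host_of(url: str) -> str:
    """The part between 'http(s)://' and the next '/'.

    This is the only part of a link that decides which server you reach;
    everything after that slash is chosen by the server's owner.
    """
    return (urlsplit(url).hostname or "").lower()


def classify(url: str) -> str:
    """Return 'trusted' for the bank's own site, otherwise name the trick."""
    host = host_of(url)
    if not host:
        return "invalid"  # no scheme, so no host could be found
    # Genuine: the bank's domain itself or a real subdomain such as www.
    if host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN):
        return "trusted"
    # Trick 2: the real name appears only after the host (path or query).
    parts = urlsplit(url)
    if TRUSTED_DOMAIN in parts.path + parts.query:
        return "real-name-in-path"
    # Trick 3: a plausible domain built around the brand name.
    if BRAND in host:
        return "plausible-lookalike"
    # Trick 1: a near-miss spelling of the real domain ("www." stripped first).
    bare = host[4:] if host.startswith("www.") else host
    if SequenceMatcher(None, bare, TRUSTED_DOMAIN).ratio() >= 0.9:  # assumed threshold
        return "misspelled-domain"
    return "unrelated"


if __name__ == "__main__":
    for link in ("http://www.yourfavoritebank.com/lgo",
                 "http://www.yourfavoritbank.com/",
                 "http://www.mnopq.com/yourfavoritebank.com",
                 "http://www.yourfavoritebank-securitycenter.net/"):
        print(f"{classify(link):20} {link}")
```

A real mail or proxy filter would also need to handle the many encoding and display tricks this short check ignores; the point here is only that the host name, not the rest of the link, is what to compare.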