Social Engineering – How Hacking is Really Done

Posted by: Rea Maor In: Security and Prevention - Friday, October 5th, 2007

The movies and even TV media have misled us countless times; somebody is trying to hack into a system. They have a screen of scrolling, indecipherable code going by. The hacker types in some mystical incantation and a big, dumb box pops up on the screen: “access grated”. The crafty hacker cackles at his own cleverness.

They never show the hacker making phone calls pretending to be a service tech, or digging through a smelly trash dumpster behind the target office, or waiting around the door of the facility with a nervous look waiting for someone to buy their story and let them in. That just wouldn’t be glamorous enough for them! But in real life, that’s actually more like what happens.

“Social engineering” is the term used amongst hackers to mean ‘hacking people’ instead of hacking machines. The Jargon File has this definition, as well as links to some interesting stories – check out the “tiger team” story there. Here was this IBM security system that they couldn’t penetrate, so what do they do? Write their own penetration program and fool some managers into installing them. Their chief weapon in this plan? Some stolen IBM stationary, used so it would look official.

The modern incarnation of this attack is the “phishing scam”. If you’ve ever dealt with eBay or PayPal, you’ve probably gotten a phishing email which arrives telling you there’s some kind of problem with your account at the site and you need to log in and fix it. The link in the email, however, goes to a fake site with stolen graphics to make it look “official” – kind of like you’d use IBM stationary to pretend that your patch came from IBM!

A recent ARS Technica article reports on the “PEBKAC” problem of security – the “Problem Exists Between Keyboard And Chair”! In other words, it doesn’t do a lick of good to have maximum firewall, encryption protection, and super-strong passwords if Marge, the receptionist, sticks a post-it note with her log-in and password on the monitor in plain view of the window and tosses print-outs of sensitive data in the trash without shredding them first.

The various forms of social engineering are covered in good detail in the Wikipedia article. You might want to browse the list and ask yourself how many of these your company is vulnerable to?

Related Posts:

3 Responses to “Social Engineering – How Hacking is Really Done”

  1. David Major Says:

    Reminds me of the security at my school. We are all required to login with moderately secure passwords, but this is all nullified by the fact that there is an un-protected account called “test.test”.

  2. Bull3t Says:

    Haha, school computer systems are funny – I am able to erase my browser history at school even though they think that they have blocked you from doing so. All you have to do is download any file archive you wish (such as ZIP).

  3. Sambed Pattanaik Says:

    In my school level when i know that this type of job is there the i first choose my administration computer then i delete the accounting software(may tally).

Leave a Reply