The movies and even TV news have misled us countless times: somebody is trying to hack into a system. They have a screen of scrolling, indecipherable code going by. The hacker types in some mystical incantation and a big, dumb box pops up on the screen: “access granted”. The crafty hacker cackles at his own cleverness.
They never show the hacker making phone calls pretending to be a service tech, or digging through a smelly trash dumpster behind the target office, or waiting around the door of the facility with a nervous look waiting for someone to buy their story and let them in. That just wouldn’t be glamorous enough for them! But in real life, that’s actually more like what happens.
“Social engineering” is the term used amongst hackers to mean ‘hacking people’ instead of hacking machines. The Jargon File has this definition, as well as links to some interesting stories – check out the “tiger team” story there. Here was this IBM security system that they couldn’t penetrate, so what did they do? Write their own penetration program and fool some managers into installing it. Their chief weapon in this plan? Some stolen IBM stationery, used so it would look official.
The modern incarnation of this attack is the “phishing scam”. If you’ve ever dealt with eBay or PayPal, you’ve probably gotten a phishing email telling you there’s some kind of problem with your account at the site and you need to log in and fix it. The link in the email, however, goes to a fake site with stolen graphics to make it look “official” – kind of like you’d use IBM stationery to pretend that your patch came from IBM!
A recent Ars Technica article reports on the “PEBKAC” problem of security – the “Problem Exists Between Keyboard And Chair”! In other words, it doesn’t do a lick of good to have maximum firewall and encryption protection and super-strong passwords if Marge, the receptionist, sticks a post-it note with her login and password on the monitor in plain view of the window and tosses print-outs of sensitive data in the trash without shredding them first.
The various forms of social engineering are covered in good detail in the Wikipedia article. You might want to browse the list and ask yourself how many of these your company is vulnerable to.