Social Engineering: The Dangers of Human Hacking – D.K. Stepanko
This is part 2 of a 3-part post about Social Engineering. In this post I will discuss what, exactly, Social Engineering is and why it can be so easy for hackers to leverage it to obtain information.
Part I can be found here.
Social Engineering is a topic that has been getting a lot of attention in the IT world. The amount of information that is available on the internet to would-be hackers is astonishing. Most of the time, Social Engineering targets the good-will of an unsuspecting victim, whose only fault is wanting to help.
Social Engineering, by definition, is considered to be the art of manipulating people into performing actions or divulging confidential information.
Social Engineering can come in many forms:
- Baiting – Leaving a USB/CD somewhere with the intention of it being found by a curious party who then inserts it into their computer and unintentionally installs malicious software. This is not as common anymore, as Phishing emails have taken over as the leader.
- Phishing – Fraudulent email disguised as a legitimate email, usually trying to trick the recipient into installing software or sharing information. Phishing isn’t limited to email; it can also be done over the phone or in person just by striking up what seems to be a casual conversation. One thing to note: a Phishing email isn’t necessarily spam. While it is unwanted email, spam, by definition, is merely unsolicited; Phishing emails have a purpose that is far worse than spam.
- Pretexting – Outright lying to gain access to privileged data. You see a lot of this as e-mails or phone calls alleging to be from Microsoft Support. They need to “confirm” your identity via billing information before they can help you. Sound familiar?
- Quid Pro Quo – Asking for information in exchange for something else. Maybe a favorite chocolate of yours? The information may seem meaningless to you, but it is helpful to the attacker. Examples include your date of birth or your mother’s maiden name.
- Spear Phishing – As mentioned in the first part of this series, this is a far more focused attack than a Phishing attack. Hackers have specifically targeted the company, or a person, and have done their research. Social Media, job postings and even competitor knowledge of the industry can all help an attacker to gain trust. Once they know enough about the company environment, they can impersonate key players and extract valuable information or money.
- Tailgating – This can come in a few forms. The most basic is following right behind someone to get through a secured door. We’ve all done this at a mall, and most people are polite enough to hold the door open for us. Do they have a keycard? Are they supposed to be there? A related physical technique is Shoulder Surfing: watching someone type in a password/passcode.
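To make the Phishing and Pretexting entries above concrete, here is a small added example (my own code, not from the original post) that checks the headers and body of an e-mail for the signs that a message is "disguised as legitimate": a display name that invokes a brand while the address belongs to some other domain, a Reply-To that redirects replies elsewhere, and the "confirm your details or else" pretext language. The two sample messages, the brand table and the domain `example.com` are all constructed for this example.

```python
"""Added example: header- and body-level phishing indicators.

The messages, brand list and domains below are constructed for illustration;
none of them come from the original post.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed for this example: brands the organisation expects mail from, and
# the domains those brands legitimately send from.
KNOWN_SENDERS = {
    "microsoft": {"microsoft.com", "microsoftonline.com"},
    "payroll": {"example.com"},  # hypothetical internal domain
}

# Phrases typical of the "confirm your identity before we can help" pretext.
PRETEXT_PHRASES = (
    "immediately",
    "within 24 hours",
    "account will be suspended",
    "confirm your",
    "verify your",
)

# Constructed sample: brand in the display name, look-alike sender domain,
# replies diverted to a third domain, urgent request for billing details.
PHISH = """From: "Microsoft Support" <support@micros0ft-help.com>
Reply-To: billing@mail-drop.example.net
To: you@example.com
Subject: Action required

Your account will be suspended unless you confirm your billing details within 24 hours.
"""

# Constructed sample: an ordinary internal message with no indicators.
LEGIT = """From: Payroll <hr@example.com>
To: you@example.com
Subject: Pay stubs for March

Your pay stub is available on the HR portal as usual.
"""


def domain_of(addr: str) -> str:
    """Return the lower-cased domain of an e-mail address, or '' if there is none."""
    _, address = parseaddr(addr)
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def phishing_indicators(raw: str) -> list[str]:
    """Return human-readable reasons the message looks like phishing.

    An empty list means no indicator fired; that is not proof the mail is safe,
    only that these particular tells are absent.
    """
    msg = message_from_string(raw)
    display, address = parseaddr(msg.get("From", ""))
    from_domain = domain_of(address)
    reasons = []

    # 1. Display name claims a known brand, but the address is not that brand's domain.
    for brand, domains in KNOWN_SENDERS.items():
        claims_brand = brand in display.lower()
        legit_domain = any(
            from_domain == d or from_domain.endswith("." + d) for d in domains
        )
        if claims_brand and not legit_domain:
            reasons.append(
                f"display name claims '{brand}' but sender domain is {from_domain!r}"
            )

    # 2. Reply-To points at a different domain than From: replies are diverted.
    reply_domain = domain_of(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        reasons.append(
            f"Reply-To domain {reply_domain!r} differs from From domain {from_domain!r}"
        )

    # 3. Pretext language: urgency plus a request to confirm or verify details.
    body = "" if msg.is_multipart() else str(msg.get_payload())
    hits = [p for p in PRETEXT_PHRASES if p in body.lower()]
    if hits:
        reasons.append("pretext language in body: " + ", ".join(hits))

    return reasons


if __name__ == "__main__":
    for label, sample in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(label, phishing_indicators(sample) or ["no indicators"])
```

Run as a script it prints three reasons for the constructed phishing sample and none for the legitimate one. The checks are deliberately simple; a real mail gateway would also evaluate SPF/DKIM results and link targets, but even these three header tells catch the pretexting pattern the post describes.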
Social Engineers rely on the fact that people are not aware of the value of the information they possess and are careless about protecting it.
Something to consider: How many of your password recovery questions can be answered by someone looking at your Facebook Profile? Your first car? Childhood friend? Street you grew up on? How about your e-mail address that is also your login for other sites?
Something I personally learned while researching for these posts is that Social Engineers also look at current job postings for their target company. We list the technologies we use since we want people skilled in their use to be applying for positions with us. Depending on the software we listed, we may have just tipped our hand on things that might give would-be hackers an advantage.
In my next post, I will write about ways that you can go about protecting yourself. The answer, if you haven’t guessed yet, involves much more than top-of-the-line anti-virus software.