Data Backup | Online Backup | Online Data Storage Backup

Social Engineering

Written by Richard Lowe Jr. and Claudia Arevalo-Lowe
Monday, 17 October 2005
Click here for a free trial of our Online Data Backup software! New Page 1 Copyright (C) Richard Lowe Jr. and Claudia Arevalo-Lowe, 1999-2001. Permission is granted to reprint the following article as long as no changes are made and the byline, copyright information, and the resource box is included. Article Title: Social Engineering Author: Richard Lowe, Jr. Social Engineering is the attempt to gain access to sensitive data (such as password, usernames and credit card numbers) by gaining trust. This method of gaining access to a system is very popular among hackers. It is often surprisingly easy and even more often successful. THIS IS PROBABLY THE MOST SUCCESSFUL AND MOST USED METHOD OF GAINING ENTRY TO ACCOUNTS! Here's how it works. You might receive a phone call from a representative of your computer company claiming there is a problem which requires immediate attention. He may offer to come right over and fix it (or, in a variation, he might send you a disk in the mail). Of course, while he is there, he reboots your system with a "diagnostic" floppy inserted into the drive. When the "tests" are done you will be relieved to find out from him that nothing is wrong with your system. Naturally, you were just infected with a Trojan house which gives this stranger complete access to your system and all of your data files. A more common social engineering scheme (especially on America Online) is to send out an email which says there is a problem with your account. Would you please send your username and password by return email so it can be fixed? Or perhaps you are asked to visit a web site, which naturally requires you to log in with your username and password. You might be asked to call a phone number, where the very official sounding person on the other end will just want to verify that your account is yours by getting your credit card data. An example of a standard social engineering attack is shown below. Subject: Account Compromised We have detected a major security breach to several accounts on our network. While we do not believe that your account was among those compromised by hackers, we recommend that you check your account data immediately. To verify your account, just visit the following URL: http://www.yourISP.Com/security/view.htm Login to your account and check your data. Make special note of the last login data and time. If anything appears to be incorrect, please send an email to security using the link at the bottom of the page. Thanks for your immediate attention. YourISP security When you visit the site it shows a username and password prompt. You enter your username and password, which sends you to an "incorrect password - try again" screen. You hit the "continue" button, which places you on the REAL ISP site. Now when you enter your username and password, you are, of course, logged in. You are greatly relieved to find that your account data has not been changed and think nothing else of the issue. Of course, you just gave your username and password to a hacker! And that's all that social engineering is about - gaining your trust, getting your vital data, and abusing that data. How do you protect against this? Be aware that it exists and don't respond to these kind of things. If someone asks you for your password, then tell them to buzz off. Nobody needs to know your password for any reason. Let me repeat: DO NOT GIVE OUT YOUR PASSWORD TO ANYONE FOR ANY REASON. THERE IS NOT A VALID REASON FOR ANYONE TO NEED IT. If the person who asked really works where he says he works, then believe he, he can ALREADY get to your account. Why on earth would he be asking you for your username and password? If you think the email or whatever might be accurate, then call the ISP or navigate to their site yourself (don't use anything from the email or letter that your received - use the menu's and screens provided by the ISP). For example, say you get a letter from your ISP saying to change your password immediately. It has a phone number and URL. Throw the letter away without reading either. Now, find your ISP phone number and URL yourself - perhaps in your browser help menu or in the manual or letter that arrived when you signed on. This bypasses anything that might be wrong in the letter or email that you received. If you do suspect that you've received a social engineering attack, be sure that you notify your ISP, MIS department or whoever needs to know. The only way this kind of criminal can be caught is if the crime is reported quickly and accurately. NOTE: The following information must be included if you reprint this article: ---------------------------------------------------------------------- Richard Lowe Jr. is the webmaster of Internet Tips And Secrets. This website includes over 1,000 free articles to improve your internet profits, enjoyment and knowledge. For all your Online Backup, Data backup, Computer backup, Data storage and Data restore needs go to SaveAndSecure.com
Last Updated ( Monday, 19 December 2005 )

Is your data secure? Think again. Securing data is unlike any other corporate asset, and is likely the biggest challenge your company faces today. You may not see it, but almost all of your company's information is in digital form somewhere in the system. These assets are critical because they describe everything about you; your products, customers, strategies, finances, and your future. They might be in a database, protected by data-center security controls, but more often than not, these assets reside on desktops, laptops, home computers, and more importantly in email or on some form of mobile computing device. We have been counting on our firewall to provide protection, but it has been estimated that at least fifty percent of any given organization's information is in email, traveling through the insecure cyberspace of the Internet. Digital Assets are Unique Digital assets are unlike any other asset your company has. Their value exceeds just about any other asset your company owns. In their integral state they are worth everything to your company; however, with a few "tweaks" of the bits they are reduced to garbage. They fill volumes in your data center, yet can be stolen on a keychain or captured in the air. Unlike any other asset, they can be taken tonight, and you will still have them tomorrow. They are being created every day, yet they are almost impossible to dispose of, and you can erase them and they are still there. How can you be sure that your assets are really safe? Understanding Physical Security Architectures Physical assets have been secured for thousands of years, teaching us some important lessons. An effective security architecture uses three basic security control areas. Let's assume you want to create a secure home for your family; what would you do? Most of us started with the basics; doors, windows, locks, and perhaps a fence. Second, we rely on insurance, police protection, and we may have even purchased an attack dog or a personal firearm. Given these controls, you may have taken one more step to provide some type of alarm. Not trusting your ears to detect an intrusion, you might have installed door and window alarms, glass break sensors, or motion detection. You may have even joined the neighborhood watch program in your area. These are the controls everyone uses, and they are similar to the controls that have been used since the beginning of mankind. Which is most important? Looking at the three categories of security controls used, the first consists of protective devices that keep people out; doors, windows, locks, and fences. Secondly, alarms notify us of a break-in. Finally we have a planned response control; the police, use of a firearm, or recovery through insurance. At first glance it may appear that the protective controls are the most important set of controls, but a closer look reveals that detection and response are actually more important. Consider your bank; every day the doors are open for business. This is true of just about every business, home, or transportation vehicle. Even the bank safe is generally open throughout the day. You can see it from the bank teller counter, but step over the line and you will find out how good their detection-response plan is. Evaluating your Company's Approach Now look at your digital assets; how are they protected? If you are like most organizations, your entire security strategy is built on protection controls. Almost every organization in America today has a firewall, but does not have the ability to detect and respond to unauthorized users. Here is a simple test; run a Spyware removal program on your system and see what comes up. In almost every case you will find software installed on your system that was not installed by an authorized user. In the past this has been an irritation; in the future, this will become the program that links uninvited guests to your data. Bruce Schneier, a well known security author and expert writes in his book, Secrets and Lies, "Most attacks and vulnerabilities are the result of bypassing prevention mechanisms". Threats are changing. The biggest threats likely to invade your systems will bypass traditional security measures. Phishing, spyware, remote access Trojans (RATS), and other malicious code attacks are not prevented by your firewall. Given this reality, a detection response strategy is essential. It's time to review your security strategy. Start by asking three questions. First, which assets are critical to your business, where are they located, and who has access to them? Second, what threats exist? Determine who would want your data, how they might gain access, and where the possible weaknesses in your security architecture lie. Finally, how comfortable are you with your company's ability to detect and respond to unauthorized access. If someone wants access to your data, preventative measures alone won't stop them. Begin planning a balanced security architecture. Start by adding detection controls to your prevention architecture. This does not mean simply adding intrusion prevention software (IPS), but rather creating a system to proactively monitor activity. Intruders make noise, just like in the physical world, and with proper event management, combined with zero-day defense technologies of IPS, network administrators can begin to understand what normal activity looks like and what anomalies might be signs of an attack. In a recent interview with Scott Paly, President and CEO of Global Data Guard, a Managed Services Security Provider (MSSP), Scott said, "Threats such as worms and new hacker techniques constantly morph, so the most viable model for optimum security is a blend of preventive and predictive controls based on analysis of network behavior over time". By balancing prevention, detection, and response, companies can defeat most of the latest hacker attempts.

David Stelzl, CISSP is the owner and founder of Stelzl Visionary Learning Concepts, Inc. providing keynotes, workshops, and professional coaching to technology resellers. David works with executive managers, sales people, and practice managers who are seeking to become market leaders in technology areas that include Information Security, Managed Services, Storage and Systems solutions, and Networking. Contact us at mailto: or visit http://www.stelzl.us to find out more.