 |
Social Engineering: You Have Been A Victim
Monday morning, 6am; the electric rooster is telling you
it's time to start a new work week. A shower, some coffee,
and you're in the car and off. On the way to work you're
thinking of all you need to accomplished this week. Then,
on top of that there's the recent merger between your
company and a competitor. One of your associates told you,
you better be on your toes because rumors of layoffs are
floating around. You arrive at the office and stop by the restroom to make
sure you look your best. You straighten your tie, and turn
to head to your cube when you notice, sitting on the back of
the sink, is a CD-ROM. Someone must have left this behind by
accident. You pick it up and notice there is a label on it.
The label reads "2005 Financials & Layoff's". You get a
sinking feeling in your stomach and hurry to your desk. It
looks like your associate has good reasons for concern, and
you're about to find out for your self. And The "Social Engineering" Game Is In Play: People Are The Easiest Target
--------------------------------------------
You make it to your desk and insert the CD-ROM. You find
several files on the CD, including a spreadsheet which you
quickly open. The spreadsheet contains a list of employee
names, start dates, salaries, and a note field that says
"Release" or "Retain". You quickly search for your name but
cannot find it. In fact, many of the names don't seem
familiar. Why would they, this is pretty large company, you
don't know everyone. Since your name is not on the list you
feel a bit of relief. It's time to turn this over to your
boss. Your boss thanks you and you head back to your desk.
You have just become a victim of social engineering. When Did I Become a Victim of Social Engineering?
--------------------------------------------
Ok, let's take a step back in time. The CD you found in the
restroom, it was not left there by accident. It was
strategically placed there by me, or one of my employees.
You see, my firm has been hired to perform a Network
Security Assessment on your company. In reality, we've been
contracted to hack into your company from the Internet and
have been authorized to utilize social engineering
techniques. The spreadsheet you opened was not the only thing executing
on your computer. The moment you open that file you caused a
script to execute which installed a few files on your
computer. Those files were designed to call home and make a
connection to one of our servers on the Internet. Once the
connection was made the software on our servers responded by
pushing (or downloading) several software tools to your
computer. Tools designed to give us complete control of
your computer. Now we have a platform, inside your
company's network, where we can continue to hack the
network. And, we can do it from inside without even being
there. This is what we call a 180 degree attack. Meaning, we did
not have to defeat the security measures of your company's
firewall from the Internet. You took care of that for us.
Many organizations give their employees unfettered access
(or impose limited control) to the Internet. Given this
fact, we devised a method for attacking the network from
within with the explicit purpose of gaining control of a
computer on the private network. All we had to do is get
someone inside to do it for us - Social Engineering!
What would you have done if you found a CD with this type of
information on it? What Does It Mean to Be "Human"
--------------------------------------------
As human beings we are pretty bad at evaluating risk. Self
preservation, whether it be from physical danger or any
other event that could cause harm, like the loss of a job or
income, is a pretty strong human trait. The odd thing is,
we tend to worry about things that are not likely to happen.
Many people think nothing of climbing a 12 foot ladder to
replace an old ceiling fan (sometimes doing so with the
electricity still on), but fear getting on a plane. You have
a better chance severely inuring yourself climbing a ladder
than you do taking a plane ride. This knowledge gives the social engineer the tools needed to
entice another person to take a certain course of action.
Because of human weaknesses, inability to properly assess
certain risk, and need to believe most people are good, we
are an easy target. In fact, chances are you have been a victim of social
engineering many times during the course of your life. For
instance, it is my opinion that peer pressure is a form of
social engineering. Some of the best sales people I've
known are very effective social engineers. Direct marketing
can be considered a form of social engineering. How many
times have you purchased something only to find out you
really did not need it? Why did you purchase it? Because
you were lead to believe you must. Conclusion
--------------------------------------------
Defining The Term "Social Engineering": In the world of
computers and technology, social engineering is a technique
used to obtain or attempt to obtain secure information by
tricking an individual into revealing the information.
Social engineering is normally quite successful because most
targets (or victims) want to trust people and provide as
much help as possible. Victims of social engineering
typically have no idea they have been conned out of useful
information or have been tricked into performing a
particular task. The main thing to remember is to rely on common sense. If
some one calls you asking for your login and password
information and states they are from the technical
department, do not give them the information. Even if the
number on your phone display seems to be from within your
company. I can't tell you how many times we have
successfully used that technique. A good way of reducing
your risk of becoming a victim of social engineering is to
ask questions. Most hackers don't have time for this and
will not consider someone who asks questions an easy
target. About The Author
----------------
Darren Miller is an Industry leading computer and internet
security consultant. At the website -
http://www.defendingthenet.com you will find information about
computer security specifically design to assist home, home
office, and small business computer users. Sign up for
defending the nets newsletter and become empowered
to stay safe on the Internet. You can reach Darren at
darren.miller@paralogic.net or at
defendthenet@paralogic.net
|
|
|
|
RELATED ARTICLES
3 Things You Must Know About Spyware
1)Spyware is on your system. Like it or not, statistically speaking, you probably have spyware on your machine right now. There are so many malicious programs floating around out there that one or two have bound to have gotten past all of your security settings. McAfee and Norton Anti Virus are both excellent programs, but even they can be beaten by the determined spyware makers and distributors. One recent computer repair man said, close to 80% of the machines that he services have spyware on them. I believe it. Spyware can be sneaky and it can install quietly without your knowledge. Your system probably has spyware on it; make sure it doesn't corrupt your data files or worse.
Phishing
Recently I have received email from my bank/credit Card Company, eBay & pay pal saying that my account has possibly been compromised and I need to confirm my details and password in order to get continued access.
Internet Identity Theft - How You Can Shield Yourself
With the advent of the World Wide Web, a whole new breed of criminals have surfaced, posing threats to more than just our material assets, but also to our very identities. Although there are a number of effective methods for protecting yourself from internet identity theft, not everyone takes the necessary steps to initiate such a plan. By tightening up your own personal security measures, you'll be far safer when you go online, and much less likely to become just another victim in the world of cyber-theft.
How to Protect Yourself from Viruses, Spyware, Adware, and Other Nuisances
Spyware/adware is a new major concern for PC users everywhere. Infecting your computer silently (usually installed with programs that seem harmless), spyware and adware can collect personal information about you, as well as cause pop up ads to come up all of the time, changing your browsers home page, sometimes even completely disabling your computer's usability.
Just Whos Computer is this Anyway?
Well, this is an article I never thought I would have to write. Computer ownership was just not something I thought people would get confused over but, after overhearing a number of conversations last week from my co-workers, I realized that quite a few people just don't know how cut and dry this topic is.
Three-pronged Trojan Attack Threatens Security on the Internet
Glieder (Win32.Glieder.AK), Fantibag (Win32.Fantibag.A) and Mitglieder (Win32.Mitglieder.CT) are not names of a modern day version of The Three Musketeers. These are Trojans engineered for a hacker attack that will infect computers and open them for use in further attacks.
Are You Surfing Safe?
Ok, you've got a computer, and you get online. You surf your favorite sites, Sports, Shopping, Cowchip Tossing Blogs, and so on. Your kids download songs and IM their friends. But are you being tracked? Is your personal information stored safe on your computer or is it being mined to a geeky looking guy sitting in the dark half a continent away? Do you know for sure you are secure? Many people don't.
Eliminate Adware and Spyware
Everyone should eliminate spyware and adware from your hard drive for your computer privacy protection. Spyware and adware programs also slow down the speed of your computer by cluttering your hard drive with annoying programs. Once you eliminate adware and spyware, your computer speed will improve immediately.
Secure Your PC From Hackers, Viruses, and Trojans
Viruses, Trojans and Spyware: Protecting yourself.
Phishing - Identity Theft & Credit Card Fraud
What is Phishing?
Phishing is a relatively newly coined term for a kind of method for harvesting information for identity theft. Phishing is quite simply providing a person with false information or credentials to trick them in to giving you their personal information. This is done by a form of social engineering, by posing as a different person or organization that you already trust.
Spyware ? Your Web Browser is the Culprit!
My first experience with a spyware BHO based infection was several months ago. I had gone through all of the usual steps with the client's machine to clean it. Ad-Aware was run, Spybot: Search and Destroy was as well. Nothing looked suspicious in the system's startup. All appeared well, but it wasn't.
Is Adware - Spyware Putting Your Privacy at Risk
Do you sometimes notice your computer running slower. Is your computer acting strange almost like its possessed? Well, it just may be plagued with Spyware. Spyware is a common term for files that are installed on your system without your knowledge. It allows companies to monitor your Internet activity. Believe it or not, Spyware is now the leading threat to our computers, and our online privacy. It's ahead of viruses.
How to Fight Spyware
If you are wondering how to fight spyware for safe web surfing, this Internet privacy article will answer some of your questions. By now you have probably heard about the dangers of spyware.
Desktop Security Software Risks - Part 1
This is the second in a series of articles highlighting reasons why we need a new model for anti-virus and security solutions.
Delete Cookies: New-Age Diet or Common Sense Internet Security?
No, this article isn't about some new, lose-20-pounds-in-a-week, certified-by-some-tan-Southern-California-doctor diet. It's about cookies on your computer - what they are, why they are there, and what to do about them. Computer cookies actually have quite a bit in common with their baked counterparts - some are good, some are bad, and they have expiration dates.
Spyware Attacks! Windows Safe Mode is No Longer Safe
Many of us have run into an annoying and time-consuming error. With your machine running goofey you decide to run a scan for trojans and spyware. Following the scan, which usually takes fourty minutes or longer if you scan the entire system, you are hit with the "access denied" error. Frustrating, for sure, but being the savvy computer user that you are you decide to boot to safe mode to take care of the issue. No spyware can load when booted to safe mode, right?
Be Aware of Phishing Scams!
If you use emails actively in your communication, you must have received various messages claiming to be from Ebay, Paypal and a number of banks. A recent email as if from U.S. Bank Corporation that I received contains the subject "U.S. Bank Fraud Verification Process" and in the body of the mail it says "We recently reviewed your account, and suspect that your U.S. Bank Internet Banking account may have been accessed by an unauthorized third party. Protecting the security of your account and of the U.S. Bank network is our primary concern. Therefore, as a preventative measure, we have temporarily limited access to sensitive account features. To restore your account access, please take the following steps to ensure that your account has not been compromised:". It continues with a link to a webpage, which looks very similar to original web page of the bank.
Wells Fargo Report Phishing Scam
First off I should explain what phishing is. Phishing is basically the act of tricking a victim into divulging information. It involves the receiving of an email message with a link to a website where the victim would enter personal information. In this particular scam, you get an email from "Personal Banking: personalbanking@wellsfargo.com" stating that there may have been some unauthorized access to your account and that you should click the link and enter your account and verify some information. When you click the link you are taken to a site which looks identical to the Wells Fargo site.
3 Pervasive Phishing Scams
Scams involving email continue to plague consumers across America, indeed the world. These so called "phishing" scams involve "spoofed" emails meant to draw the unwary to bogus internet sites masquerading as legitimate sites. These scam artists -- phishers -- attempt to hook visitors in by having them divulge certain critical and personal bits of information. Once the information has been divulged the phishers start their dirty work and you have been conned. Several phishing scams continue to persist, the following are three of the most pervasive ones.
3 Simple Steps to Stay Safe from Spyware
There are several basic concepts to keep in mind when deciding to stay spyware free for good. This article will outline a spyware checklist for you to keep in mind when getting tough on spyware and taking back control of your computer using two popular free applications, Ad-Aware,and Spybot - S&D. Using these two programs in conjunction will eliminate a vast majority of spyware problems from your computer. For the purposes of this article, "spyware" refers also to adware, malware, and other not-so-nice "features" of today's computing reality.
|
