Social Engineering: You Have Been A Victim

Monday morning, 6am; the electric rooster is telling you it's time to start a new work week. A shower, some coffee, and you're in the car and off. On the way to work you're thinking of all you need to accomplished this week. Then, on top of that there's the recent merger between your company and a competitor. One of your associates told you, you better be on your toes because rumors of layoffs are floating around.

You arrive at the office and stop by the restroom to make sure you look your best. You straighten your tie, and turn to head to your cube when you notice, sitting on the back of the sink, is a CD-ROM. Someone must have left this behind by accident. You pick it up and notice there is a label on it. The label reads "2005 Financials & Layoff's". You get a sinking feeling in your stomach and hurry to your desk. It looks like your associate has good reasons for concern, and you're about to find out for your self.

And The "Social Engineering" Game Is In Play:

People Are The Easiest Target
--------------------------------------------
You make it to your desk and insert the CD-ROM. You find several files on the CD, including a spreadsheet which you quickly open. The spreadsheet contains a list of employee names, start dates, salaries, and a note field that says "Release" or "Retain". You quickly search for your name but cannot find it. In fact, many of the names don't seem familiar. Why would they, this is pretty large company, you don't know everyone. Since your name is not on the list you feel a bit of relief. It's time to turn this over to your boss. Your boss thanks you and you head back to your desk. You have just become a victim of social engineering.

When Did I Become a Victim of Social Engineering?
--------------------------------------------
Ok, let's take a step back in time. The CD you found in the restroom, it was not left there by accident. It was strategically placed there by me, or one of my employees. You see, my firm has been hired to perform a Network Security Assessment on your company. In reality, we've been contracted to hack into your company from the Internet and have been authorized to utilize social engineering techniques.

The spreadsheet you opened was not the only thing executing on your computer. The moment you open that file you caused a script to execute which installed a few files on your computer. Those files were designed to call home and make a connection to one of our servers on the Internet. Once the connection was made the software on our servers responded by pushing (or downloading) several software tools to your computer. Tools designed to give us complete control of your computer. Now we have a platform, inside your company's network, where we can continue to hack the network. And, we can do it from inside without even being there.

This is what we call a 180 degree attack. Meaning, we did not have to defeat the security measures of your company's firewall from the Internet. You took care of that for us. Many organizations give their employees unfettered access (or impose limited control) to the Internet. Given this fact, we devised a method for attacking the network from within with the explicit purpose of gaining control of a computer on the private network. All we had to do is get someone inside to do it for us - Social Engineering! What would you have done if you found a CD with this type of information on it?

What Does It Mean to Be "Human"
--------------------------------------------
As human beings we are pretty bad at evaluating risk. Self preservation, whether it be from physical danger or any other event that could cause harm, like the loss of a job or income, is a pretty strong human trait. The odd thing is, we tend to worry about things that are not likely to happen. Many people think nothing of climbing a 12 foot ladder to replace an old ceiling fan (sometimes doing so with the electricity still on), but fear getting on a plane. You have a better chance severely inuring yourself climbing a ladder than you do taking a plane ride.

This knowledge gives the social engineer the tools needed to entice another person to take a certain course of action. Because of human weaknesses, inability to properly assess certain risk, and need to believe most people are good, we are an easy target.

In fact, chances are you have been a victim of social engineering many times during the course of your life. For instance, it is my opinion that peer pressure is a form of social engineering. Some of the best sales people I've known are very effective social engineers. Direct marketing can be considered a form of social engineering. How many times have you purchased something only to find out you really did not need it? Why did you purchase it? Because you were lead to believe you must.

Conclusion
--------------------------------------------
Defining The Term "Social Engineering": In the world of computers and technology, social engineering is a technique used to obtain or attempt to obtain secure information by tricking an individual into revealing the information. Social engineering is normally quite successful because most targets (or victims) want to trust people and provide as much help as possible. Victims of social engineering typically have no idea they have been conned out of useful information or have been tricked into performing a particular task.

The main thing to remember is to rely on common sense. If some one calls you asking for your login and password information and states they are from the technical department, do not give them the information. Even if the number on your phone display seems to be from within your company. I can't tell you how many times we have successfully used that technique. A good way of reducing your risk of becoming a victim of social engineering is to ask questions. Most hackers don't have time for this and will not consider someone who asks questions an easy target.

About The Author
----------------
Darren Miller is an Industry leading computer and internet security consultant. At the website - http://www.defendingthenet.com you will find information about computer security specifically design to assist home, home office, and small business computer users. Sign up for defending the nets newsletter and become empowered to stay safe on the Internet. You can reach Darren at [email protected] or at [email protected]

In The News:

This RSS feed URL is deprecated, please update. New URLs can be found in the footers at https://news.google.com/news

Forbes

Brexit Chaos: Why It Is A Major Terrorism And Security Risk
Forbes
In Berlin earlier this year, the Director General of MI5, Andrew Parker, addressed a symposium organized by BfV, Germany's domestic security agency. “Europe faces an intense, unrelenting and multidimensional international terrorist threat,” he said.


Washington Post

The White House bickering endangers national security
Washington Post
This week's spat between the “Office of the First Lady” and the National Security Council took the Trump team's endless infighting to a new and dangerous level. The public shaming of deputy national security adviser Mira Ricardel by her own White House ...
Deputy National Security Adviser Leaves Post After Criticism From Melania TrumpNPR
National Security Aide Is Out After Feud With First LadyWall Street Journal
President Trump reassigns Mira Ricardel, the deputy national security adviser the first lady wanted firedUSA TODAY
CNN -ABC News -Wall Street Journal -CNN
all 2,328 news articles »

Chicago Tribune

Witness to shooting of security guard Jemel Roberson: Officer opened fire 'not even 5 seconds' after warning
Chicago Tribune
Jemel Roberson was wearing a cap and sweatshirt that had the word “Security” on them when he was fatally shot by a Midlothian police officer while Roberson was trying to subdue a suspect early Sunday at a Robbins bar, a man who said he was working ...
'Hero' security guard killed by police was working extra shifts for his son's ChristmasCNN
Police Suggest Security Guard Jemel Roberson Was To Blame For His Own DeathHuffPost
'Hero' security guard killed by cops was working extra shifts for son's Christmas presentsWLWT Cincinnati

all 74 news articles »

BBC News

Japan's cyber-security minister has 'never used a computer'
BBC News
Japan's new cyber-security minister has dumbfounded his country by saying he has never used a computer. Yoshitaka Sakurada made the admission to a committee of lawmakers. "Since I was 25 years old and independent I have instructed my staff and ...
Japan's cyber security minister admits he has never used a computerTelegraph.co.uk
Japanese cyber security minister 'doesn't know what a USB stick is'The Register
Japan's Cyber Security Minister Has Never Used a Computer, Doesn't Know What a USB Drive isNews18
The Guardian -The Japan Times
all 365 news articles »

Axios

One small step for a decade-long security "moonshot"
Axios
What they're saying: "A lot of cybersecurity today is how can we patch this problem in the next five days or months, or legislate a solution before the next election," says Altabef, co-chair of the National Security Telecommunications Advisory ...

and more »

fox2now.com

Metro security study bemoans lack of police, coordination
fox2now.com
ST. LOUIS – Some of the recommendations from the $375,000 security study of Metro Transit were released Thursday. Representatives of transit agencies from four other cities (Portland, Sacramento, Minneapolis-St. Paul, and Washington DC) came to St.

and more »

ZDNet

DOD disables file sharing service due to 'security risks'
ZDNet
"The AMRDEC SAFE site was disabled as a preventative measure after agencies outside of AMRDEC identified potential security risks," said a statement posted on the SAFE portal. "At this point, we are uncertain if the site will be reinstated." ...


KWCH

QuikTrip to add full-time security officers
KWCH
What is true is that the company is looking for people with law-enforcement experience or veterans to help add security to its stores. QuikTrip has already tested having the in-store security and sees already sees positive results in Wichita. For years ...


WIRED

Mozilla Makes a Naughty List of Gifts That Aren't Secure
WIRED
Among the important signifiers of a trustworthy stocking stuffer, according to Mozilla's rubric: the use of encryption, pushing automatic software security updates, strong password hygiene, a way to deal with vulnerabilities should they arise, and a ...
Mozilla ranks dozens of popular 'smart' gift ideas on creepiness and securityTechCrunch
Mozilla - *privacy not included - Mozilla AdvocacyMozilla Advocacy

all 26 news articles »

New York Times

Police Report in Killing of Black Security Guard Is Criticized as Rushed
New York Times
The Illinois State Police took steps on Tuesday to defend the actions of a suburban Chicago police officer who killed an armed security guard on Sunday, claiming that the guard was not wearing a uniform and ignored verbal commands to drop his weapon.
Police officer who shot armed black security guard is white: AuthoritiesABC News
Fatal shooting of Chicago-area security guard investigated as racially motivatedNBCNews.com
Officer Gave Security Guard 'Multiple Verbal Commands' To Drop Gun, Police Now SayNPR
WLS-TV -WGN-TV -Chicago Sun-Times -Associated Press
all 430 news articles »
Google News

Email Hoaxes, Urban Legends, Scams, Spams, And Other CyberJunk

The trash folder in my main inbox hit 4000 today.... Read More

HackAttack

P C. owners are constantly at risk from attacks by... Read More

Burning Bridges is Bad, But Firewalls are Good

When you signed up for that ultra-fast DSL or Cable... Read More

Computer Viruses, Worms, and Hoaxes

In recent days, I was one of the unfortunate persons... Read More

Road Warrior At Risk: The Dangers Of Ad-Hoc Wireless Networking

Airport Menace: The Wireless Peeping Tom ---------------------------------------- As a network... Read More

Beware of Imitations! Security, Internet Scams, and the African Real Estate Agenda

Fishing on the Internet has come a long way. However,... Read More

New CipherSend Online Security Service Thwarts Email Address Theft And Soothes Password Fatigue

In 1997, I decided after 15 years as a practicing... Read More

Delete Cookies: New-Age Diet or Common Sense Internet Security?

No, this article isn't about some new, lose-20-pounds-in-a-week, certified-by-some-tan-Southern-California-doctor diet.... Read More

Web Browsing - Collected Information

You may not realize it, but as you are surfing... Read More

Phishing - Learn To Identify It

Phishing: (fish'ing) (n.)This is when someone sends you an email... Read More

Phishing

Recently I have received email from my bank/credit Card Company,... Read More

Personal Firewalls for Home Users

What is a Firewall?The term "firewall" illustrates a system that... Read More

Criminals are Fishing For Your Identity

What is Phishing? In a typical Phishing attack, a criminal... Read More

Dont be a Dork ? Protect Yourself

There are folks out there who use their powers for... Read More

Reclaim Your PC from the Internet Spies

Viruses are, however, not the only malicious software programs out... Read More

Crack The Code - Thats A Direct Challenge

I Challenge You To Crack The Code ------------------------------------- I had... Read More

What is Hacking? Are You a Hacker?

WHAT IS HACKING?Hacking, sometimes known as "computer crime" has only... Read More

Consumers: Shop Online and Get Information Safely

Do you really have to know how feeds work? Not... Read More

Backup and Save your business!

There you are busily typing away on your PC or... Read More

Phishing: An Interesting Twist On A Common Scam

After Two Security Assessments I Must Be Secure, Right? ---------------------------------------... Read More

Whats All This I Hear About Firewalls?

At this point, if you've got the whole "turning the... Read More

The Move to a New Anti-Virus Model

This is the second in a series of articles highlighting... Read More

Remove Rogue Desktop Icons Created By Spyware

If you have used a Windows machine for a while,... Read More

What to Look for before You Purchase Spyware Software

Huge number of spyware software applications are available in the... Read More

Reporting Internet Scams

When it comes to reporting Internet scams most of us... Read More