Hacking outside the box

How do you protect yourself from the smooth-talking hacker whose only "tools" might be a floppy disk and a smile?

"Hey there. This is Dave in Tech. We're trying to patch our servers to protect them from the latest worm attack and I'm gonna need to ask everyone to change their network passwords. Would you mind doing that for me now? And just to make sure it conforms to our new standards, can you tell me what it is?"

OK, you wouldn't fall for a phone call like that, but would everyone else in your organisation be able to twig to the fact that there is a very good chance they were being hacked? Willing to bet the business on it?

The other week I had the pleasure of chairing a Security in Government conference in Canberra where I heard lots of horror stories. Of course there were discussions about the huge blackout in New York and surrounding areas. Although that's not being reported as the result of an attack (though subsequent blackouts in London and Sydney make one wonder), the event did illustrate how easily a baddie might wreak havoc with the right passwords instead of explosives.

And how do unscrupulous characters get access to these passwords? Well, they might have a way of hacking into password files, or even guessing obvious choices. Or they might just call up and ask.

In another horror story related at the conference, a stranger walked into a company and managed to convince the receptionist to take a floppy disk, go to the boss's PC, and install the "patch" that was on the floppy. Of course, the patch was a hidden program that captured keystrokes and sent them to a dead drop address in China.

The point is that corporations can often get carried away with spending on hardware and software solutions to protect their networks, and then forget to consider the "social engineering" side of the equation.

Social engineering has been defined as the art and science of getting people to comply with your wishes, and there are countless ways people can use it to get the information they are after. The telephone is one of the best tools of the social engineering trade.

What can an organisation do about it?

The only effective way to protect against these "attacks" is through education. Your employees must know the tricks that might be used to get them to cough up classified information. Just saying "Never give your password out" isn't enough.

Or perhaps it's a case of trying some fake social engineering techniques on your own staff, and seeing how they respond. Follow-up debriefing sessions would no doubt teach lessons that would leave an impression.

What other forms of "hacking outside the box" are there? Daniel Lewkovitz of Securelink, a presenter at the security conference, reminded attendees of "dumpster diving"--going through company rubbish in search of valuable information. Then came shredders, which rendered any useful information unreadable. Then, as Daniel points out, came "secure" waste paper removal bins (which would also help with recycling). Well, if this wasn't a situation dreamed up by the data spies, it should have been. The "security" on those bins is about as solid as the lock on those old "private" diaries (sorry, Sis... I didn't read anything, I swear!).

In fact--it's been said before--could it be that this huge focus on the technological aspect of security is making us forget some of the common-sense protection that was a way of life for most companies for many years? Good old Kevin Mitnick thought so, when he said "You could spend a fortune purchasing technology and services... and your network infrastructure could still remain vulnerable to old-fashioned manipulation."

Do you have any stories of successful or attempted social engineering attacks on your company? Let us know at edit@zdnet.com.au.

Brian Haverty is Editorial Director of ZDNet Australia.
