July 18, 2003 [Number 227]
Are You a Computer Hacker's Target?

Computer hackers don't need to resort to their bag of technical tricks if they can con you into giving up information in easier ways. Security specialists have adopted the term "social engineering" or "people hacking" to describe how hackers gain unauthorized access by manipulating people's innate tendency to trust. Once hackers have created a sense of legitimacy, they can exploit it for a variety of motives, including disruption, fraud, industrial espionage, network intrusion, identity theft and even entertainment.

Here's How It Can Work

Imagine that someone comes to your desk and claims to be from customer support. He says he needs access to your computer to check out a network problem. Would you give him your password? Maybe he'll ask you to enter it while he watches the keystrokes over your shoulder. Perhaps you'll get an e-mail message directing you to a Web site to install a free copy of a new action-packed video game. As promised, it's a great game, but unbeknownst to you, malicious software has also been downloaded. It's still your computer, but who controls it now?

This kind of "social engineering" presents a major threat to computer security because security is grounded in trust. Ironically, because hackers can easily prey on the human impulse to be kind and helpful, using social engineering to access a system is often easier than technical hacking. A local security analyst who performs risk assessments for corporate customers says, "It's a given that if [hackers] use social engineering, they'll be able to break in."

How Can You Recognize a Social Engineering Attempt?

Indications include the use of intimidation, name-dropping, refusal to give contact information, a sense of urgency, flattery or flirtation, small mistakes (misspellings, odd questions, misnomers), or a request for information you are not permitted to give out.

A hacker will pretend to be anyone you might trust: a network administrator, manager, phone technician, FBI agent, police officer or credit card company representative. Social engineering can be done in person, over the phone or online. People using instant messaging services might get a message notifying them of a virus infection. The message instructs them to download software (from a malicious URL) to "clean" their machine.

What Can You Do to Thwart Social Engineering?

In Summary

Sometimes it's okay to be a little suspicious. Don't be afraid to ask questions. Trust your intuition. If you have any doubts as to the authenticity of an inquiry or the actions you are being asked to take, hold on. Refer the request to your supervisor. If you think you have fallen prey to a social engineer's ploys, notify your supervisor and, if appropriate, immediately report the situation to your local IT help desk, ISSO or TASC at (301) 594-6248. If security has been compromised, swift action can help minimize damage.

By Cheryl Seaman
Published by Center for Information Technology, National Institutes of Health