Politeness will get you Hacked: Social Engineering

Posted by on Friday, August 10th, 2012

Just because someone asks you something, doesn’t mean you have to answer. Hackers and criminals know how to play nice to get the information they need to walk into your company, take over your computer and access your data. Private Investigators aren’t the only ones who use social engineering to obtain information.

Social Engineering Diagram

Image source: Techrepublic.com

Social engineering is the art of manipulating people into giving up confidential information or performing an action that grants the social engineer access to a secure area or system. A skilled hacker isn’t just a tech whiz; they know how to talk to people.

At this year’s DefCon hacker conference, IT security specialist Shane MacDougall won the social engineering “capture the flag” contest by talking a Wal-Mart store manager out of critical company information over the phone. He did this live in front of the DefCon audience.

MacDougall wasn’t out to commit any crime against Wal-Mart. He was showing how vulnerable companies are to social engineering. MacDougall runs an IT security company, Tactical Intelligence, in Nova Scotia. Read the entire article on CNN.

Defcon Social Engineering Capture the Flag

Image source: Buzzpatrol.com

Last year I had a number of calls from an “IT Security Company” that claimed to be working on behalf of Microsoft. The caller wanted me to provide information and allow access to my computer remotely to fix some issues. When I said I was reporting this call to the authorities, and that I knew what they were up to, one of the men who called me started making sexual remarks and became downright nasty. A friend of mine received the same call and walked in just in time to find her elderly father about to give these scammers the information to get into their computer.

Social engineers use pretexting (calling with a made-up identity and a plausible cover story) over the phone to obtain information about your business, your computer systems, or usernames and passwords. They then use that information to break into your systems later.

Phishing and other Internet scams are also forms of social engineering. The attacker sends email that appears to come from a legitimate organization, usually carrying a link to a look-alike site, and tricks you into entering your information there. This is how they obtain credit card numbers and bank account credentials.
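As an added illustration (my own code, not something from the original post or from the CNN and CSO articles it cites), here is a small Python script that mechanically checks two of the tells that give away mail which merely “appears to be from a legitimate organization”: the sender’s address is not on the organization’s domain, and a link’s visible text names one site while its real destination is another. Both sample messages, the sender names and the domain examplebank.com are constructed for the example; a real mail filter does far more than this.

```python
"""Two cheap tells of a phishing email, checked mechanically.

Added illustration, not code from the original post. The two sample
messages below are constructed; examplebank.com is a placeholder domain.
"""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the display name says "Example Bank", but the address
# and the link's real destination are on a look-alike domain.
PHISH_EMAIL = """From: "Example Bank Security" <alerts@examp1e-bank-login.net>
To: victim@example.com
Subject: Urgent: verify your account
Content-Type: text/html

<html><body>
<p>Please confirm your details at
<a href="http://examp1e-bank-login.net/verify">https://www.examplebank.com/login</a></p>
</body></html>
"""

# Constructed sample: everything actually lives on examplebank.com.
LEGIT_EMAIL = """From: "Example Bank" <alerts@examplebank.com>
To: customer@example.com
Subject: Your monthly statement is ready
Content-Type: text/html

<html><body><p>Your statement is available when you
<a href="https://www.examplebank.com/login">log in</a>.</p></body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> we are currently inside, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Hostname from a URL or a bare hostname ('' if there is none)."""
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def registrable_domain(host):
    """Last two labels of a hostname. A crude stand-in for a public-suffix
    lookup: fine for .com/.net samples, wrong for e.g. example.co.uk."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def looks_like_url(text):
    """Does the visible link text itself name a site (e.g. 'www.bank.com/x')?"""
    return "." in text and " " not in text


def html_parts(msg):
    """Yield the decoded text of every text/html part (the message itself if not multipart)."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            raw = part.get_payload(decode=True) or b""
            yield raw.decode(part.get_content_charset() or "utf-8", "replace")


def phishing_indicators(raw_message, expected_domain):
    """Return human-readable findings; an empty list means neither tell fired."""
    msg = message_from_string(raw_message)
    findings = []

    # Tell 1: the display name is free text; only the address after '@' counts.
    _display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    if registrable_domain(sender_domain) != expected_domain:
        findings.append(f"From address {addr!r} is not on {expected_domain}")

    # Tell 2: where each link really goes, versus where it claims to go.
    for html in html_parts(msg):
        collector = LinkCollector()
        collector.feed(html)
        for href, text in collector.links:
            href_host = host_of(href)
            if registrable_domain(href_host) != expected_domain:
                findings.append(f"link goes to {href_host}, not {expected_domain}")
            if looks_like_url(text) and registrable_domain(host_of(text)) != registrable_domain(href_host):
                findings.append(f"link text shows {host_of(text)} but href goes to {href_host}")
    return findings


if __name__ == "__main__":
    for name, raw in (("phish", PHISH_EMAIL), ("legit", LEGIT_EMAIL)):
        print(name, phishing_indicators(raw, "examplebank.com") or "no indicators")
```

The point of the script is the same as the post’s advice about phone calls: ignore what the message says about itself (the display name, the link text) and check where it actually comes from and where it actually leads.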

Some social engineers conduct their business in person. In an article on CSO Online, security consultant Chris Nickerson, founder of Colorado-based Lares Consulting, showed how easy it is to gain access to a company using public information, news articles and a Cisco shirt bought at a thrift store. This was a penetration test the company had hired him for, so he was not doing anything illegal. Reception let Nickerson in because he said he was there on a technical support visit. That is not all he did: Nickerson got his team members inside as well and broke into the company’s computer network in full view of employees. Read more at CSO – Social Engineering: The Basics.

Kevin Mitnick helped popularize the term social engineering. Mitnick is a convicted hacker who went on to become an author and, like many hackers who turn their lives around, an IT security specialist. Mitnick was once one of the most wanted computer criminals in the U.S.

Kevin Mitnick

Image source: Tomshardware.com

At the age of 12, Mitnick social engineered his way into a free ride on the Los Angeles bus system by obtaining information from a bus driver on how to punch unused transfer slips that he had found.

He went on to much greater feats of criminal behavior, such as breaking into the systems of Nokia, Motorola, NEC, Sun Microsystems and Fujitsu Siemens. That is why you need to steer children who have computer skills in the right direction. As I wrote in a post about DefCon, kids who are computer savvy enough to hack should learn to use their skills for good causes.

Mitnick has gone straight and now runs Mitnick Security Consulting.

Part of the problem, and I know this from gaining access to places and obtaining information as an investigator, is that people are too polite and trusting. They don’t ask questions. You must train your staff to be more assertive when someone asks for information.

Remember, whether at work or in your personal life, you don’t have to tell anyone anything. If someone pressures you over the phone, ask to call them back, then reach the organization through a number you look up yourself rather than one the caller gives you, and speak with a manager. Check out the provided phone number and email address. If someone shows up at your place of work and requests entry, don’t grant it because of the way they are dressed or how familiar they seem. A name tag, a shirt or a uniform does not prove that someone works for that company. Call the company, again on a number you look up, to confirm that they have an employee by that name with an appointment to work at your location.

CSO provides a lot of relevant information on social engineering and how to avoid becoming a victim. Read CSO’s Ultimate Guide to Social Engineering. (You must register with the site to obtain this guide, however registration is free.)

Former FBI Assistant Director Tom Sheer has recruited the best from the FBI, DEA, IRS and Secret Service to build a formidable team at Sheer Investigations. Our private investigators have the sensitivity and experience to handle the most delicate investigations.
