WyzGuys Tech Talk

One way that cyber criminals use to get personal information, such as user IDs and passwords, from unsuspecting computer users is to trick them out of it.  These sorts of methods are called “social engineering” in the computer security trade.  Social engineering is using trickery, deceit, or fraud to get the victim to help the cyber criminal in their exploit, and relies on the natural human tendency to help, cooperate, or comply with authoritative sounding requests.  Unfortunately, the weakest link in the security chain is the human computer user.  Below are six ways that a criminal may use to gain access to your computer systems or network.

Requests for your password

Reformed criminal hacker and security consultant Kevin Mitnick says that is much easier to ask someone for their password than to crack it.  You should turn down any request for your user name and password.  These requests sometimes arrive by email (“there is a problem with your account, click here to sign in.”), and sometimes over the phone by someone claiming to be from IT, tech support, Microsoft, or your ISP.  In these cases, just say no.  Sometimes an attacker will stand near enough to a person entering their credentials to see the password as it is typed, which is known as “shoulder surfing.”

Pretexting

This involves creating a story or a “pretext” for doing something on your computer or network.  It may be someone on the phone impersonating a coworker or person of authority.  It may be someone in person in a uniform shirt with the logo of the local phone or Internet company.  There will always be a story and dire consequences for failing to comply.

Phishing

Phishing is a sophisticated multi step exploit that usually starts with an email (“just click on the link”), a fake, cloned, or compromised legitimate web site, and a form on that web page where you enter your user name, password,  credit card number, and other personal information.  Avoid clicking on links in emails without confirming the destination in advance.

Baiting

Baiting involves leaving physical media such as CDs, DVDs, or better yet, flash drives around for the curious to pick up and inspect by inserting them into their PC.  Once inserted it is a trivial matter to automatically install a Trojan horse, back door, or keylogger from the flash drive.

Quid Pro Quo

This is offering something for something.  In several documented cases, people willingly gave up their logon credentials in exchange for a cheap gift or candy bar.  Or an attacker may call numbers in a company randomly, pretending to be from tech support (see Pretexting) until finding someone with an actual computer problem, and then while fixing the problem the attacker can install remote access software to get back into the computer system later.

Tailgating

This is a method used by an attacker to gain access to secured areas by walking in behind another person who has the proper access token or card key.  They may even act as if they are logging themselves in with a fake key. Another version of this ploy is when the attacker intentionally has their hands full in order to get the victim to courteously hold the door open for them.

Countermeasures

• Identifying sensitive information in your organization.
• Informing employees about what constitutes secure information.
• Establishing security protocols and policies.
• Making sure that sensitive paper information is shredded and/or disposed of in locked dumpsters.
• Make sure hard drives are wiped or destroyed before disposal.
• Training your staff about computer security and your company’s policies.
• Performing unannounced tests of your company’s security.
• Periodic review of the above steps, and modifications based on experience and changes in the threat environment.

Really, the only countermeasure that matters is a healthy skepticism that is the result of training.  Your staff needs to be trained on how to recognize and avoid these types of exploits. They need to be comfortable challenging perceived interlopers and refusing to provide useful information or cooperation without first confirming the legitimacy of the request.  This can be a good start to an overall review of your security posture in the face of today’s sophisticated exploits.