(Security is as strong as the weakest link which is usually the human. As Kevin Mitnick said most of the time he got access just by using this technique. More awareness campaigns are needed to address this issue.
It is just too easy to trick someone, especially if they are not aware of it and worst of it most of the time they won't even realise that they were a victim/target as some people are just too good to be caught. For example, someone who is really at good 'human source development' will put the important questions in the middle of the conversation as humans generally remember far better the beginning and the end of it than the middle bit. WEN) Social engineering: Hackers exploit human weakness by Laurie G. Knepper Joint STARS Test Force senior computer systems manager 12/6/2002 - MELBOURNE, Fla. (AFPN) -- Are you familiar with the term "social engineering"? If not, you probably don't know the potential impact of social engineering on the Air Force and national security. And that means you could be an unwitting participant. Social engineering means computer-security cracking techniques that rely on weakness in human nature rather than weaknesses in hardware, software or network design. The goal of social engineering is to trick people into revealing passwords, network vulnerabilities or other information that will help the hacker get access to important data. Using social engineering, even someone with lousy computer skills can find his or her way into a supposedly secure computer system and access, modify or destroy the data on it. How are your social engineering defenses? -- Do you lock your work station before leaving your desk, or do you leave it up to a screensaver to kick in a little while later? -- Would you decline to give your password to someone who said, over the phone or in an e-mail, that he or she was debugging a problem with your account, and then contact your computer security representatives immediately, or would you comply with the password request? -- Do you challenge strangers in the hall who don't display a proper badge, or do you assume because they are in nice suits that they are probably too important to be questioned? -- Would you stop a clean-cut uniformed delivery person carrying packages who flashes a smile and asks where the mailroom is as he attempts to tailgate into a secure building with you, or would you politely hold the door open for him and point him toward the mailroom? -- Do you shred old phone lists, or do you simply dump them in the trash or recycle bin? -- Would you decline to participate in a phone survey that asks a bunch of questions about your organization's computer systems, or would you participate to get the "free gift"? -- Do you leave work discussions at work, or do you discuss Air Force business over meals at local restaurants? In case you have any doubt, the first action in each of these examples reflects proper security practices, while the second action reflects poor security or outright security violations. Here are a few interesting and educational articles on the Web that deal with social engineering. Please take some time to read them. There may be a test. It may be given by someone official. Or it may be given by someone who is not official, not authorized, and not supposed to be getting the information or access that you are inadvertently giving them. Think about it. Physical Security - Technical Security's Biggest Hole lists some everyday "easy access" methods that have proven effective. http://www.scmagazine.com/scmagazine/2001_11/feature.html -- Social Engineering Fundamentals, Part I: Hacker Tactics http://online.securityfocus.com/infocus/1527 -- Social Engineering Fundamentals, Part II: Combat Strategies http://online.securityfocus.com/infocus/1533 Social Engineering Attacks via IRC and Instant Messaging http://www.cert.org/incident_notes/IN-2002-03.html IWS INFOCON Mailing List @ IWS - The Information Warfare Site http://www.iwar.org.uk
