(Security is as strong as the weakest link, which is usually the human.
As Kevin Mitnick said, most of the time he got access just by using this
technique. More awareness campaigns are needed to address this issue.
It is just too easy to trick someone, especially if they are not aware
of it, and worst of all, most of the time they won't even realise that they
were a victim/target, as some people are just too good to be caught. For
example, someone who is really good at 'human source development' will
put the important questions in the middle of the conversation, as humans
generally remember the beginning and the end of it far better than the
middle bit. WEN)
Social engineering: Hackers exploit human weakness
by Laurie G. Knepper
Joint STARS Test Force senior computer systems manager
12/6/2002 - MELBOURNE, Fla. (AFPN) -- Are you familiar with the term
"social engineering"? If not, you probably don't know the potential
impact of social engineering on the Air Force and national security. And
that means you could be an unwitting participant.
Social engineering refers to computer-security cracking techniques that rely
on weaknesses in human nature rather than weaknesses in hardware, software
or network design.
The goal of social engineering is to trick people into revealing
passwords, network vulnerabilities or other information that will help
the hacker get access to important data. Using social engineering, even
someone with lousy computer skills can find his or her way into a
supposedly secure computer system and access, modify or destroy the data.
How are your social engineering defenses?
-- Do you lock your work station before leaving your desk, or do you
leave it up to a screensaver to kick in a little while later?
-- Would you decline to give your password to someone who said, over the
phone or in an e-mail, that he or she was debugging a problem with your
account, and then contact your computer security representatives
immediately, or would you comply with the password request?
-- Do you challenge strangers in the hall who don't display a proper
badge, or do you assume because they are in nice suits that they are
probably too important to be questioned?
-- Would you stop a clean-cut uniformed delivery person carrying
packages who flashes a smile and asks where the mailroom is as he
attempts to tailgate into a secure building with you, or would you
politely hold the door open for him and point him toward the mailroom?
-- Do you shred old phone lists, or do you simply dump them in the trash
or recycle bin?
-- Would you decline to participate in a phone survey that asks a bunch
of questions about your organization's computer systems, or would you
participate to get the "free gift"?
-- Do you leave work discussions at work, or do you discuss Air Force
business over meals at local restaurants?
In case you have any doubt, the first action in each of these examples
reflects proper security practices, while the second action reflects
poor security or outright security violations.
Here are a few interesting and educational articles on the Web that deal
with social engineering. Please take some time to read them. There may
be a test. It may be given by someone official. Or it may be given by
someone who is not official, not authorized, and not supposed to be
getting the information or access that you are inadvertently giving
them. Think about it.
-- Physical Security - Technical Security's Biggest Hole: lists some
everyday "easy access" methods that have proven effective.
-- Social Engineering Fundamentals, Part I: Hacker Tactics
-- Social Engineering Fundamentals, Part II: Combat Strategies
-- Social Engineering Attacks via IRC and Instant Messaging
IWS INFOCON Mailing List
@ IWS - The Information Warfare Site