Tales of a Professional Social Engineer

When Jim Stickley robs banks, government offices, and other allegedly secure locations, he doesn't go in like Edward G. Robinson with a Tommy gun. Instead, he gets you to trust him while he steals your confidential information and other assets. His specialty is what's known as social engineering.

Stickley's firm, Trace Security Inc., is hired by organizations to test the security of their offices by challenging it. Faceless National Bank will hire him to see if the Podunk branch is paying attention to security policy. The bank may even say, "Go in and try to steal these specific corporate account records."

If you got an e-mail that seemed to be from your boss or from headquarters telling you to expect a visitor—an exterminator, for example—you'd let the visitor in the door, right? But that introductory e-mail isn't hard to fake. Consider one way it might be done:

The names of the branch's employees may be available on the Internet, or you could walk in and look at the names on the desks and badges. Names at headquarters are often posted online. The social engineering team sends innocuous probe e-mails to some of these people in a variety of styles, like [email protected] or [email protected], to determine what everyone's address is.

Then the team registers a one-off domain name like facelessnationa1.com (notice the "1" at the end instead of an "l"). When an e-mail from the regional VP @facelessnationa1.com says that an exterminator is coming, people are likely not to notice. In fact, the "from" address of the message can actually say facelessnational.com with an "l," since that's easy to spoof, and it probably wouldn't be caught.

Once the team's inside, saying that they must "set traps," the proper procedure should be to escort them everywhere they go. When they crouch down near the back of a computer, look at what they are doing, because if it's Stickley he's probably installing a data-thieving dongle that he'll retrieve when he comes back to "check the traps." Other favorite scams involve posing as an air-conditioning tech or a fire marshal.

Stickley does leave glue traps, but he installs more pests than he'll ever take away. And don't leave him alone in the computer center, because he'll take the server backup tapes, the grand prize of such expeditions, since they contain much sensitive data—and it's likely to be unencrypted.

This scheme is reminiscent of Ocean's Eleven and requires the attacker to be a great liar and cool under pressure. And such attackers always carry an authorization letter from someone in charge, for the rare cases when they arouse suspicion. That usually happens because someone is assiduous at following procedure, a trait often unappreciated or ridiculed. If you were in charge, would you have someone follow the exterminator around?

Large financial institutions like banks usually have internal security groups that stage situations like this, but they don't often get as creative as Trace Security.

Stickley also uses the more common remote forms of social engineering of the Kevin Mitnick variety. Your firm's "development group" might call to ask you, for test purposes, to sign in to their new Web site at dev-facelessnational.com. If you do, they'll have your log-in info. (Two-factor authentication is useful in such cases, but it's still not universal.)
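The two domain tricks described above, the confusable-character domain (facelessnationa1.com) and the plausible-sounding sibling domain (dev-facelessnational.com), can both be caught by a simple sender check. The following Python is an added example, not code from the article or from Trace Security; the trusted-domain set, the confusable-character mapping and the sample From: headers are all constructed for illustration.

```python
from email.utils import parseaddr

# Constructed for this example: the fictional bank's legitimate domain(s).
TRUSTED_DOMAINS = {"facelessnational.com"}

# Constructed mapping of characters attackers swap for look-alikes,
# such as the digit "1" standing in for a lowercase "l".
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e", "8": "b"})


def skeleton(domain: str) -> str:
    """Collapse confusable characters so look-alike domains compare equal."""
    return domain.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def classify_sender(from_header: str) -> str:
    """Classify a From: header value as 'trusted', 'lookalike' or 'external'.

    'lookalike' covers a domain whose skeleton matches a trusted domain
    (facelessnationa1.com) and a different registrable domain that embeds the
    brand name (dev-facelessnational.com). Because a forged From: can show the
    real domain, this is a heuristic to run alongside sender authentication.
    """
    _, addr = parseaddr(from_header)
    _, sep, domain = addr.rpartition("@")
    if not sep or not domain:
        return "external"
    domain = domain.lower()
    for trusted in TRUSTED_DOMAINS:
        # Exact match or a genuine subdomain of the trusted domain.
        if domain == trusted or domain.endswith("." + trusted):
            return "trusted"
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if skeleton(domain) == skeleton(trusted) or brand in skeleton(domain):
            return "lookalike"
    return "external"


def flag_lookalikes(headers):
    """Return the (address, verdict) pairs that are not trusted."""
    results = []
    for header in headers:
        verdict = classify_sender(header)
        if verdict != "trusted":
            results.append((parseaddr(header)[1], verdict))
    return results
```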

Stickley also sends users e-greeting cards that attempt to use Microsoft Windows vulnerabilities to install malware that gives him a back door to the system.

You don't want to worry about threats like Stickley while you're trying to get your job done, but alas, human failings are at the heart of most security breaches. The moral is that it can happen to you. Don't be complacent because you're in a big company that has policies and even a budget for security. Don't think that because you're in a small company you can fly under the radar. The Internet has made it too easy to attack anyone, and even small banks have money in them.

Larry Seltzer, a frequent contributor to PC Magazine, writes the Security Watch newsletter for pcmag.com.
