What is Social Engineering?
Instead of attacking a computer, social engineering is the act of interacting with and manipulating people to obtain important or sensitive information, or to get them to perform an act that is harmful without appearing so. Basically, it is hacking a person instead of a computer. A social engineer can use the phone, the internet, or even show up in person to carry out the malicious act. They may be after information such as ID numbers, usernames, passwords, server names, machine names, remote connection settings, schedules, credit card numbers, etc. They may also try to get someone to install malicious software, visit an unscrupulous website, or grant access to unauthorized locations.
What can I do?
Be educated, aware, and a little bit paranoid.
Never give out:
- Usernames – Administrators should know them or can find out themselves
- Passwords – Administrators can ask you to enter them into the computer, but do not tell anyone.
- ID numbers
- PIN numbers
- Server names
- System information
- Credit card numbers
- Sensitive Data
Be aware of what is being asked:
- Via the phone:
  - Ask for the full and correct spelling of their name, a call-back number, and the reason they need the information.
  - Have them contact the source directly if they ask for information managed by someone else.
  - When in doubt, put the caller on hold or tell them you will call them back. This gives you time to log any strange calls and verify whether it is okay to give out the information.
- Via the internet:
  - Watch for any suspicious attachments that someone wants you to download from an e-mail.
  - Avoid any links in e-mails that request you enter account information for verification (this is known as phishing).
  - Administrators will never tell you or ask for passwords over e-mail.
  - E-mails from SEASnet will be in plain text without attachments, unless you requested the attachment.
  - SEASnet may give you password guidelines, but we will never tell you to change it to something specific like “abcde”.
  - When in doubt, you can also contact the e-mail sender by phone or in a new e-mail and ask whether their e-mail with the subject <copy the subject> was valid.
- In person:
  - Never be pressured to comply when someone says “Do you know who I am?”
  - Ask a contact to verify the person’s need for the information.
  - Have anyone asking configuration or access questions contact the source directly.
  - Someone from SEASnet should only ask you to enter your username/password on the computer, never have you write it down or say it aloud.
  - Always be aware of people around you when entering your username/password.
  - When in doubt, contact SEASnet or your supervisor.
  - Shred and secure any documents that someone could obtain by looking through your trash.
IMPORTANT: When in doubt, ask the person to wait while you verify (a) their identity, (b) the need to know, and (c) if you are the rightful/authorized source of the information.
Examples of Social Engineering
Recent e-mails have been sent stating that your account has been compromised or that the account needs to be confirmed. They are false!
> From: FCU <firstname.lastname@example.org>
> Subject: FEDERAL CREDIT UNION
>
> [ The following text is in the "Windows-1251" character set. ]
> [ Your display is set for the "ISO-8859-1" character set. ]
> [ Some special characters may be displayed incorrectly. ]
>
> NCUA Seal
> Dear FCU client,
>
> As part of our security measures, we regularly screen activity in Federal Credit Unions (FCU) network. We recently noticed the following issue on your account: A recent review of your transaction history determined that we require some additional information from you in order to provide you with secure service. Case ID Number: PP-065-617-349 For your protection, we have limited your access, until additional security measures can be completed. We apologize for any inconvenience this may cause. Please log and restore your access as soon as possible.
>
> You must click the link below and fill in the form on the following page to complete the verification process.
>
> Click here to update your account
>
> Please do not reply to this e-mail. Mail sent to this address cannot be answered.
>
> NCUA Share Insurance Logo
E-mail pretending to be from tech support:
> From: email@example.com [mailto:firstname.lastname@example.org]
> Sent: Monday, June 06, 2005 1:17 PM
> Subject: IMPORTANT NOTIFICATION
>
> Dear Valued Member,
>
> According to our site policy you will have to confirm your account by the following link or else your account will be suspended within 24 hours for security reasons.
>
> http://email@example.com
>
> Thank you fr your attention to this question. We apologize for any inconvenience.
>
> Sincerely, Seas Security Department Assistant.
The link above actually pointed to http://firstname.lastname@example.org, a malicious web server set up to harvest the information entered into it. The address shown in an e-mail and the address a link really opens are not necessarily the same.
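The two warning signs above, a displayed link that opens a different host and wording that urges you to "confirm" or "update" an account through a link, can be checked mechanically before anyone clicks. The following Python is an added example, not code from the SEASnet page; the phrase list and both sample messages are constructed, and the hostnames are placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed list of phrases the page's two samples rely on to create urgency.
PHISH_PHRASES = ("confirm your account", "update your account", "account will be suspended",
                 "limited your access", "verification process")

class LinkCollector(HTMLParser):
    # Collect (visible text, href) for every <a> in an HTML mail body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def host_of(url):
    # Hostname only; a "user@" prefix (a common disguise) is dropped by urlparse.
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()

def phishing_indicators(html):
    """Return human-readable reasons the message matches the page's warning signs."""
    parser = LinkCollector()
    parser.feed(html)
    reasons = []
    for text, href in parser.links:
        # Link text that looks like an address but resolves to another host.
        if re.match(r"(https?://|www\.)", text, re.I) and host_of(text) != host_of(href):
            reasons.append(f"link shows {host_of(text)!r} but goes to {host_of(href)!r}")
    body = re.sub(r"<[^>]+>", " ", html).lower()
    hits = [p for p in PHISH_PHRASES if p in body]
    if hits and parser.links:
        reasons.append("asks you to act on your account through a link: " + ", ".join(hits))
    return reasons

# Constructed samples; both hosts are placeholders, not real sites.
PHISH = ('<p>Dear Valued Member, confirm your account by the following link or your '
         'account will be suspended within 24 hours.</p>'
         '<a href="http://login.attacker-placeholder.example/x">http://www.seasnet.example/account</a>')
LEGIT = '<p>Reminder: choose a password of at least 8 characters. No action required.</p>'
```

Running `phishing_indicators(PHISH)` yields two reasons (the hidden target host and the urgency wording), while the plain-text reminder with no links yields none, matching the page's note that SEASnet mail is plain text.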