By Rodney Johnson
President of Prescient Consulting Inc.

“You could spend a fortune purchasing technology and services... and your network infrastructure could still remain vulnerable to old-fashioned manipulation.” - Kevin Mitnick, most successful and infamous hacker in American digital history

We've all learned to ignore emails from Sani Abacha or anyone else purporting to have come into large sums of Nigerian cash. If this were the worst that online or email threats aimed at separating unwary computer users from their money could offer, the internet would be a comparatively friendly place. It is not, however. New, more virulent threats are constantly emerging. New or old, the one common denominator of all highly successful attacks is that they focus on the weakest link in the security chain - people. Hackers have dubbed this method of attacking a system "social engineering". Social engineering succeeds because it works so well: no matter what the attacker's goal, it is simply the easiest way to gain access to a computer system or confidential information.
Security systems made to protect computers and networks from assault are designed by PhDs, coded by security experts with master’s degrees, and integrated into business computing environments by skilled technicians trained specifically for that purpose. In this specialized security process the users are often forgotten at the end. The simple, sad fact is that the chances of breaking a code built by a math professor are worse than the chances of talking the boss's secretary into revealing her password. If you were an attacker, where would you put your energy? Predictably, the bad guys put their energy into attacking people. Technologically attacking a computer or network user requires special skills, knowledge, brains, time, and perseverance. Psychologically attacking the same user requires just a little fancy footwork.

We've all installed virus checkers, firewalls, and other security software aimed at protecting against technological attacks. No firewall available, indeed no software available, can protect against a people attack. There is no magic bullet. Rather, training and awareness are the only real ways to harden the weakest link. "Amateurs hack systems. Professionals hack people."

A computer security industry joke has it that the definition of an insecure computer is one that is turned on. We might as well give up on a technological solution that turns cyberspace into a Utopia where the unsuspecting computer user can roam freely without fear of assault - it will never come. Technology itself wears neither a white hat nor a black hat. The advances that serve the good guys are just as easily employed by those with bad intentions. The technological race between those who would attack and those who would protect is a never-ending one, with one side's advance often met with a reply from the other side within hours. Too many organizations, scared off by the scope of the problem, have delegated authority and responsibility to the propeller-heads.
They then sit back in the false belief that they've done all that can be done. In reality, no one can depend on technology to batten down the hatches. No software 'solution' can solve all the computer security problems that haunt us, no matter what the software salesman may say. We can only depend on ourselves. At the end of the day, a computer is only as secure as its user is aware of, and ready to meet, the dangers facing him or her.

This One's For All the Marbles

There are many types of attackers in the computer security area, ranging from light to very heavy in the seriousness of the threat they pose to computer users and organizations. The purpose of the attacks also varies, from simply accepting the challenge of gaining access to a supposedly 'locked' system, to disruption and destruction of systems, to theft of money and intellectual property. Just as technological advances are made, advances in social engineering schemes are also being made through trial and error. Even in the web's short life, many schemes have had time to go through several generations and evolve into serious strains. Two recent, particularly damaging schemes, phishing and email blackmail, have become very effective at luring in unsuspecting computer users. By definition, phishing involves "the act of sending an e-mail to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft." In this case there are two potential victims - the recipient of the email and the company the attacker claims to represent. Email blackmail involves sending an email to a target claiming to already have control of that user's computer and threatening to place child pornography or other incriminating material on the computer and then alert the authorities unless a payment is made to the attacker.
Even if the threat is not entirely believed, the requested payment is usually small enough to be seen as less of a burden than the potential search and seizure of a person's computer by police. Email blackmail inside companies creatively turns organizational security policies on their heads, using a person's fear of being caught and fired for corporate internet and computer usage infractions to extort money. It is usually easier to pay the blackmailer than to become the object of suspicion and rumors among management and colleagues - even if the computer is found to be clean.

Delivering the Attack

Among computer schemes, phishing and email blackmail have been uncommonly successful. The success of the two schemes is directly correlated with their skill in psychologically pushing the right buttons on their targets. Both use the medium of email, but social engineering attacks can be executed using all kinds of media, from physically showing up at an organization, to using the telephone, online methods, and even dumpster diving. Phone attacks are the most popular form of non-computer-related method of gaining unauthorized access or information. For phone attacks, the chances of success grow the more legitimate the caller can appear. There are many ways to gain the information needed to make the crucial phone call, some simple and legal, like reading a company's website for names, titles, and phone numbers, and some illegal, like dumpster diving or calling other people in the company in a circle to learn progressively more. Even the smallest bit of information may give an attacker enough 'clout' to pull off a successful phone attack. Once confident that a call can be made, there is no limit to how creative an attacker can be on the phone, and even senior people who should know better are often taken in.
An online example of social engineering would be sending an offer form to the target person requesting they visit a website and sign up to receive a free gift. On the site, the user is required to create a membership account and choose a password for it. Attackers know there is a good chance that the password created will be the same password the target uses for many other online accounts. If the attacker is lucky, and the user unlucky, the password the user chooses for the new account will be golden - it will be the same password used for their bank account, office computer, and various personal email accounts. Once access is gained to one person's systems, a flood of confidential information is released, potentially valuable for attacks on others.

Son, Let Me Show You How It's Done

Attackers have enormous patience. They will often take a long time to get close to the target so as to gain the target's confidence and, hopefully, become intimate. The attacker will use every psychological trick in the book to create the right mindset in the target to comply with later requests. Phone attacks may include:

Impersonation ("I'm from MIS and...")
Ingratiation ("I'm coming to you with this because everyone says how capable you are.")
Diffusion of responsibility ("Mr. Jones, SVP in engineering, is asking for this...")
Threatened ostracizing ("You're the only one whose info I don't seem to have..." or "You're the last person on my list.")
Seeming helplessness ("I've got to get this done and really need your help.")
Or just being very friendly.

Email phishing attacks, on the other hand, rely on the use of trademarks and images that the target is already familiar with or already trusts. This puts the phishing attack one step ahead of the game. In fact, people who have had their personal information compromised may never even know it.
Others may find out there has been a breach, but they may not be able to track it back to where it occurred, still believing the phishing interaction to have been legitimate. Attackers who thrive on social engineering thrive on understanding what people need, want, and will do. Some emails literally beg to be opened. The Love Bug virus was released by targeting the psychological need of its recipients to be loved.

Next Month – "Fighting Back"