December 7, 2007

How Hackers Get Your Data: (Part 3 of 3)

In Part One we talked about hackers being able to crack or steal your passwords and using those to get to your information; in Part Two we discussed hackers exploiting flaws in infrastructure and software to gain access to places they shouldn't be. In Part Three we will talk about one of the most common elements of security, and one of the most overlooked: the human element.

It doesn’t matter how much security you put in place or how great your password is if a hacker can trick you into telling them what they want to know. One of the fastest growing ways to gain information about people, and to steal information from them, is simply asking for it.

Social Engineering: When a hacker decides to contact a person to gather information rather than attacking a weakness in technology, it is called social engineering. How the attacker decides to contact you will vary depending on the situation, but one of the most common threats currently is called phishing. Phishing typically works like this: the attacker sends you an email that looks official (usually from a bank or large company you might do business with) and gives some almost believable reason why they need you to verify your personal information. Most people think nothing of it and just go ahead and verify the information, and without knowing it, they have given away everything the attacker needs to either steal their identity or get their password and reach the other data he wants. Another variant of this attack is sending you an email asking you to click on a link to go to their website and verify the information. They point the link to a website they have built to look very similar to the real business's website, but when you enter your information it just sends it to the attacker.

The best way to protect yourself against phishing is to educate yourself.

  • Banks and other large companies will NEVER ask you to send them your personal information via email. If they do, you should leave that bank and find one that cares about security.
  • When you click on links, pay attention to where they really go. At the top of your web browser, it gives you the address of the page you are on. If the link says it is going to Paypal, then the address should be www.paypal.com/someotherwebinformation and not paypal.imgoingtostealyourdata.com. Notice the placement of the word Paypal. Website names are called “domains”. Only one person can own a particular domain and have a website there. In the first example, Paypal is the domain; you can tell because it is the part directly before the .com. In the second example they are using what is called a sub-domain. The domain in the second example is Imgoingtostealyourdata (again, you can tell because it is right before the .com), so pay attention.
  • If you are ever concerned or suspicious, call the company that it says sent it and ask them. And if it’s a company you have never done business with, you can be sure it is indeed fake.
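The domain-versus-sub-domain rule from the bullets above, written out as a small check. This is an added example, not code from the original post; the sample links are constructed, and the "last two host labels" rule is the post's simplification (browsers use the Public Suffix List so that suffixes such as co.uk are handled correctly).

```python
from urllib.parse import urlparse

# Constructed sample links: the genuine PayPal form the post gives, the look-alike
# that only puts "paypal" in a sub-domain, and two more variants of the same trick.
SAMPLE_LINKS = [
    "https://www.paypal.com/someotherwebinformation",
    "http://paypal.imgoingtostealyourdata.com/verify",
    "https://www.paypal.com.account-check.example/login",
    "https://www.paypal.com@account-check.example/login",  # the real host is after '@'
]


def host_of(url: str) -> str:
    """Host name part of a link; a bare 'www.example.com/x' gets a scheme added first."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower().rstrip(".")


def registrable_domain(url: str) -> str:
    """The domain 'directly before the .com', as the post puts it: the last two host
    labels. This is the post's simplified rule (assumption); real browsers consult
    the Public Suffix List because suffixes such as 'co.uk' take two labels."""
    labels = host_of(url).split(".")
    return ".".join(labels[-2:])


def brand_misplaced(url: str, brand: str) -> bool:
    """The post's red flag: the brand name shows up somewhere in the host, but the
    domain that is actually owned (the label before the suffix) is something else."""
    host = host_of(url)
    owner_label = registrable_domain(url).split(".")[0]
    return brand.lower() in host and owner_label != brand.lower()


def classify(url: str, expected_domain: str = "paypal.com") -> str:
    """'genuine' when the link really belongs to the expected domain, otherwise
    'suspicious'; the verdict depends only on the host, never on the path text."""
    return "genuine" if registrable_domain(url) == expected_domain else "suspicious"


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{classify(link):10} {registrable_domain(link):28} {link}")
```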

Other techniques used in social engineering include calling and just pretending to be someone else (usually someone high in the company or another figure of authority like the police), or pretending to be a new employee who just needs some help (people almost always want to help the new guy). Some social engineers are so confident that they will walk right into an office and claim they are a “computer repair guy” or some other professional there to fix something.

To guard against attacks like that, you just need to be very careful who you give information to. If you have never seen a particular repair guy before, ask for some type of ID and ask who sent him, then verify that they sent him. When working with people on the phone, don’t just take their word for it when they say who they are; have them prove it, or verify with someone that they are allowed access to the data they are requesting. And under NO CIRCUMSTANCES should you be giving people your password, not even to your IT guys. NO ONE. The IT staff can reset your password if they need your account specifically, and then you can change it back to what you want later.

If you work in a company, be sure you have a way to verify who the people calling are. This is especially true if you are in a position where you are tasked with resetting passwords for people. Don’t just reset a password because “John Doe” called and said he needed his password reset. You need a way to verify who they are. Come up with a set of validating questions that your company has answers to so you can validate their identity. It might be personal information like date of birth or something business related like their supervisor's name. Or better yet, have them select the questions upon hire and fill out a form that you reference when they call.

If you haven't noticed, the trend throughout this series has been that "knowing" is the best protection. That is what Think Smarter is about. I want to share as much information as possible so everyone is aware of what can happen, and is on the lookout for things that shouldn't be happening. Knowing the weaknesses is the best way to fix them.

More information:
SonicWall's Phishing IQ Test (how well can you spot a phishing attempt)
The SEC has some tips on recognizing Phishing
List of current major phishing scams
