Wednesday, September 15, 2004

Social Engineering Attack

Do you know what a social engineering attack is? It has nothing to do with Microsoft, nothing to do with Linux, and nothing to do with any technology at all. It has everything to do with you and me and every other human being.

Social engineering is 'The art and science of getting people to comply to your wishes' (according to Steve Riley's presentation slide). It uses human intelligence to manipulate other humans into giving out their secret information.

If you think you are safe because you don't use a computer system for anything, you are DEAD WRONG! Social engineering has nothing to do with technology; what counts is how smart you are about protecting your information.

For example, someone might call you pretending to be from your ISP. They tell you there is a problem, that they need to reset your internet account, and ask for your user name and password. You give it to them without thinking twice. Boom!! The attacker can now log in to the ISP with the user name and password you just gave away.

Another example: someone might call you pretending to be from your credit card company. They ask for your credit card information so that they can "validate" the recent transactions you have made.

It is hard to combat this kind of attack because it takes advantage of human weakness and human mistakes. However, there are ways you can minimize your chance of being attacked.

First, be smart about how you share your personal information. Don't simply give your information to sources that you can't validate.

Second, be careful how you handle documents that include your personal information, such as a sales receipt that contains your credit card number. An attacker can pick it out of the waste basket and find out where you have spent your money recently. The attacker could be somewhere close to you, observing your behavior.

Third, try to counter-validate the person who contacts you. In the credit card example above, instead of telling them your credit card info, ask them to tell you what they think your credit card number is and you will tell them whether it is correct. Since they claim to be from the service provider, they should already have your info.

Fourth, this is one thing I started doing recently: never simply give out your contact details or business card. When you go to an exhibition or some business function, people will ask you to drop your business card so that you get a chance to win a lucky draw or the like. Don't do it, because you never know what they will do with that info. They could sell it to a third party to make money, or they could start calling you to solicit new business from you (a violation of your privacy).

Wow!! There is no end to this list. But the bottom line is: take extra care in how you handle personal information (not just yours, but also that of the people you know; an attacker can also learn about your friends if they manage to pick up your address book) and whenever you deal with a stranger.

Don't think you won't be fooled by this. In the presentation, Steve taught us what it takes to do an SE attack. You can never imagine how easy it is. I did it once with my friend before and it worked very well.

You can Google here for more info on this topic.
