Social engineering is probably the greatest security threat in 2011.
As attacks on networks grow more complex, security is being tightened and access becomes more difficult. Hackers always search for the easiest point of entry to a system and the human factor has become attractive once again.
Targeted phishing, also called spear phishing, attacks have become a simple way to lure employees into giving up network access authorisation details and the ready availability of personal information from social networks helps enormously.
Sites like LinkedIn have become marketplaces that highlight professional credentials and have become “dating” agencies for job headhunters and predatory employers. Here is an array of talented individuals flaunting their abilities, experience and contacts on a public network. Though the granular details of contacts may be hidden from the casual browser, there is plenty of freely available information to get a pretty good impression of a prospect.
The same goes for phishers looking for targets. A search for employees reveals numerous potential victims. Browsing through their public pages gives a history of their employment and recommendations offers the names of people who hold them in high regard. Human frailties imply that the feelings of respect will be reciprocated. Many participants in these networks also publish their contact emails.
From these details, a vast range of possibilities open up for the creative hacker.
A crude attempt could be a fake request to reveal your log-in details to the “IT department” for administrative purposes. A slightly more subtle approach would be to ask you to sign in to the system, giving a link to a fake registration site made to look realistic with company logos and other identifiers.
This is a long-winded method but, with so much to gain, the modern phisher is patient and persistent and will try every way to find information that could be useful. The initial target may only be used to get information on, and elicit an introduction to, a co-worker further up the corporate food chain.
A quicker way to get information is to pretend to be offering a job. Few employees will publicise the fact that they have been approached with an offer they can’t refuse and will give away surprising amounts of personal information in the hope of winning the job. The approach is similar to the Nigerian (usually) 419 advanced fee frauds that offer massive riches in exchange for a large investment to free-up the non-existent funds.
Social engineering is a powerful tool because it can be used in many more ways to open fairly secure systems. Reportedly, RSA Security was initially opened up by phishing and, once access was gained, other tools were applied to escalate permissions to access information about the SecurID system.
The conclusion that most security vendors have come to is that nobody is safe from social engineering attacks and that firewalls and other security measures alone cannot be counted on these days. With social engineering, the only defence is through training and a security policy warning of the techniques employed.
Where there is no protection is when an email arrives to the employee’s private email account offering a substantial bribe for log-in information.
Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…
Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…
Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…
Welcome to Silicon In Focus Podcast: Tech in 2025! Join Steven Webb, UK Chief Technology…
European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…
San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…