Staying Safe Online


What is Social Engineering?

Social engineering is the art of getting people to do what you want them to do.  In the hacking world it's a way of getting a person to give a criminal hacker the means of accessing a computer or network without realizing they are helping someone who doesn't belong there.  The cracker will employ various psychological tricks to manipulate a person's natural human tendency to trust others.  Strong technical and computer skills are not needed to pull off this sort of hack.  A social engineer's strongest feature is their social skills.  They know how to get along well with people, are good listeners, and are good at picking up on small clues that people unwittingly let on about themselves.

Social engineering is a painstaking process though.  It takes time to gather enough information before launching an attack.  Information is collected a little at a time - an email address here, some personal information there, then a little monitoring of when the system is active, etc.

Social Engineering in Chat Rooms, Message Boards and Blogs

Chat rooms, message boards and blogs provide a great opportunity for social engineers to pick up enough clues to make a stab at passwords and secret questions for online identities.  People leave all sorts of tidbits about themselves in such places.  For example, they'll leave their email addresses exposed and put their names on a birthday list.  Those are a couple of good pieces of information to have to establish an identity with some service providers.

Posting pictures of family and pets with names and birthdays also gives more information to a social engineer which can enable them to spoof your identity.  Genealogy sites are gold for them.  Many banks ask for mother's maiden name as proof of identity.  What a great piece of information for a criminal to have about you!

Are you spending a lot of time in a chat room telling your life story?  What schools did you attend, and which do your children attend?  Where have you lived, and where do you live now?  Does everyone in chat know your daily schedule - get up, go online for a bit; work eight hours, commute for two hours, come home, go online, make dinner, go back online, go to bed?  If you spend enough time in chat rooms and on message boards, at least one or two of the people there will be able to put enough information together to spoof your identity or even guess at your passwords.

Methods of Social Engineering

Often victims are unaware of social engineering attacks as they are happening (although when they look back they can see it).  An attacker usually won't ask for sensitive information right off the bat.  They'll take their time to get to know the victim and establish some common ground.  Then they'll extract what they want from the victim little by little.  The questions will start off innocently, often under the guise of friendliness or being helpful.  If the victim seems a little hesitant about answering a question, the attacker will back off and work to regain the victim's trust.

Another method of gaining a person's trust is to launch a small-scale attack against them.  The attacker then poses as a technical support person who is there to help the victim recover from the attack.  A victim will give a "technical support" person all sorts of information about their computer system.  Under the guise of helping the victim, the attacker is in fact gathering more information in order to launch a full-scale attack.

Intimidation is also used at times.  Most people are conditioned to respond to authority figures.  A social engineer can pose as an authority figure in order to obtain information.  Name dropping is one means of establishing authority.  They can also use their supposed "status" to browbeat, rush, or outright demand the information they desire from the victim.

How to Deal with Social Engineering Attacks

There are a few things that you can do to protect yourself against a social engineering attack.  As with most things in life, prevention is the best policy.

  • Make sure your passwords are secure.  Check out our page on Passwords for more information on how to do this.

  • Make sure the answers to your secret questions are something that no one can guess at.  In fact, use an answer that is not related to the question at all.  For example, if the question is "What's your father's middle name?" the answer you give could be something off the wall like "chocolate cake."

  • Be careful about how much and what kind of information you give out online about yourself.  The info might be used to reconstruct a secret question answer or your password, to show when you are not online to keep an eye on things, or to establish an identity in your name.

  • Be aware of some basic signals of a social engineering attack:
    • a refusal to give information that would confirm the cracker's claimed status as an authority figure
    • rushing the victim to provide information "right away"
    • name dropping
    • intimidation
    • misspellings of words and terms that are specific to your group
    • odd or invasive questions
    • directly asking for sensitive information

  • Be aware that a cracker or social engineer will try to establish a relationship of trust with you under the guise of helping you.
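The warning signals listed above tend to stack up in a single message, which is what makes them useful to watch for.  The following Python script is an added illustration (not code from this site): it checks a chat or e-mail message against those signals using constructed phrase patterns and only flags it when several signals co-occur, so that one ordinary mention of "password" is not enough.

```python
import re

# Signals from the list above, each mapped to constructed phrase patterns.
# Added illustration only; the patterns are assumptions, not a vetted ruleset.
SIGNALS = {
    "rushing": [r"\bright (?:away|now)\b", r"\bimmediately\b", r"\burgent(?:ly)?\b"],
    "name_dropping": [r"\b(?:director|manager|ceo|boss|supervisor) (?:said|told|asked)\b"],
    "intimidation": [r"\byou(?:'ll| will) be (?:locked out|fired|reported|suspended)\b",
                     r"\bor else\b"],
    "refuses_to_identify": [r"\b(?:don'?t|do not) need to (?:verify|check|know) who\b",
                            r"\bno time to (?:prove|verify)\b"],
    "sensitive_request": [r"\bpassword\b", r"\bsecret (?:question|answer)\b",
                          r"\bmother'?s maiden name\b", r"\bdate of birth\b"],
    "odd_question": [r"\bwhat (?:street|school|pet)\b", r"\bfirst car\b"],
}

COMPILED = {name: [re.compile(p, re.IGNORECASE) for p in pats]
            for name, pats in SIGNALS.items()}


def find_signals(text):
    """Return the sorted names of the signals whose patterns occur in text."""
    return sorted(name for name, pats in COMPILED.items()
                  if any(p.search(text) for p in pats))


def is_suspicious(text, threshold=2):
    """Flag a message when at least `threshold` distinct signals co-occur.

    A single hit (for example the word 'password' in a routine reminder) is
    not enough on its own; the point of the list is that the cues stack up.
    """
    return len(find_signals(text)) >= threshold


# Constructed sample messages (not taken from the page).
ATTACK_MSG = ("Hi, this is Dave from IT support. The director said you'd help. "
              "I need your password right away or you'll be locked out.")
BENIGN_MSG = "Hey, anyone know a good recipe for chocolate cake?"

if __name__ == "__main__":
    for msg in (ATTACK_MSG, BENIGN_MSG):
        print(is_suspicious(msg), find_signals(msg))
```

The pattern lists are deliberately short; in practice they would be tuned to the terms and names that are specific to your own group.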
© Copyright 2004 - 2008
All Rights Reserved.
Page last updated January 26, 2008