This month our Information and IT Security Officer, Graeme Wolfe, takes a look at the phenomenon of “social engineering”, which is behind the majority of successful hacking activities.
From the images promoted by television programmes and movies, many people think of hacking as hi-tech wizardry, cleverly designed software disguised in emails and geeky programmers. However, the reality is usually just an old-fashioned confidence trick, which uses an electronic medium to deliver or maintain the trick.
You could say ‘the con’ has been updated for the modern age where “phishing” and “smishing” are the modern terms used to describe the specific con tricks. All the cons rely upon a set of human characteristics which, with due respect to Hieronymus Bosch, you might think of as the “seven deadly sins” of social engineering.
We assume others “must” have taken the necessary steps to keep us secure, and so we fall for a confidence trick, or worse. Sadly this leads to a lack of awareness, and in the world of the hacker, that is gold dust.
This flaw was perfectly highlighted by the newspaper phone hacking scandals a few years ago, where certain people’s voicemails could be accessed using the default PIN codes issued by the network operators. If they had set up a PIN themselves to protect their sensitive information, then they would most likely not have been hacked. This scandal caused many of the mobile service providers to force you to change your PIN when you use their service for the first time.
Another example: if you stay in a hotel and programme your own random PIN into the room safe to keep your belongings secure, how many of us check to see whether the manufacturer’s override code has been left in the safe?
Default PIN codes are nearly always 0000 or 1234. Change your PIN codes, if you haven’t already.
Humans are curious by nature. However, naive and uninformed curiosity has caused many casualties. Criminals know we’re curious and they will try to lure us in. If we see an unfamiliar door in a building we frequent, we all wonder where it leads.
If it is unlocked and there are no signs telling us not to, we might be tempted to open it and find out, but in the online world that might just be a trap waiting for an innocent user to spring it. A researcher for an online security firm built a website that contained a button that said “Do Not Press”, and was astonished to find that the majority of people visiting the site actually clicked on it.
Be curious, but exercise a healthy degree of suspicion.
It is often thought of as a derogatory term, but we can all suffer from this sin. We make assumptions. We take others at face value, especially outside of our areas of expertise. Put a uniform (Imperial Storm trooper?!) on someone and we assume they have authority.
Give an email an official appearance by using the correct logo and apparently coming from the correct email address, and we might just assume it’s real, regardless of how silly its instructions might be.
All of this can be easily forged online, so make no assumptions.
We quite rightly all teach our children to be polite. However, politeness does not mean you should not discriminate between a genuine request and a suspicious one.
If you do not know something, or you feel something doesn’t feel quite right, then ask someone. This principle is truer than ever in the online world, where we are asked to interact with people and systems in ways with which we can be unfamiliar.
If someone phones you out of the blue and says they are from your bank, do you believe them? No. You would phone them back, on a number you obtained elsewhere, and check. By the way, it’s best to use a mobile, or a different phone, for this: landlines can remain connected to the person who made the call in the first place, so while you might think you’re phoning the bank on a valid number, you’re just talking to the person who called you.
This happened to me quite recently, when I received calls and texts that looked like they came from my bank. The person I spoke to from the fraud department of my bank said they wished that all their customers would take similar measures to ensure the identity of the person calling them.
Don’t be afraid to question someone who contacts you and appears to be legitimate. If they are they will understand that you are being cautious and won’t get offended.
Despite what we’d like to think, we can all be susceptible to greed; even though it might not feel like greed.
Since its inception, the very culture of the web has been to share items for free. Initially this was academic research and pictures of naked ladies! But as the internet was commercialised in the mid to late-1990s, we were left with the impression that we could still find something for nothing.
Nothing is ever truly free online. You have to remember that if you’re not the paying customer, you’re very likely to be the product. In the worst case, you might find that you have taken something onto your machine that is far from what you bargained for.
Many pieces of malware are actively downloaded by people unaware that the “free” product contains a nasty payload, even if it also appears to do what you expected of it.
Have you seen how much access to your personal data many ‘free apps’ require? Do you wonder why, as you click ‘allow’?
People are reluctant to ask strangers for ID, and in the online world it is more important than ever to establish the credentials of those whom you entrust with your personal or sensitive information.
Do not let circumstances lead you to make assumptions about ID.
For example, if someone from “IT support” calls you and asks for your password so they can help fix your problem, how do you know they haven’t called everyone else in the building first, until they found someone who really does have a problem?
This is a well-known form of attack. If someone has a problem with proving who they are, you should immediately be suspicious.
Thinking before you act is possibly the most effective means of protecting yourself online. It is all too easy to click that link.
How many of us, when reading an apparently valid link in an email, would bother to check whether the link is actually valid or whether instead it takes you to a malicious site?
It’s horribly easy to make links look valid, so try hovering your cursor over the link for a few seconds before clicking to see where it really goes; the true link pops up if you give it a moment.
Try to think again and check before clicking on a link.
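One way to make the “hover and check the real link” habit mechanical is to compare a link’s visible text with the address it actually points to. The following is an added example, not code from the original column: it flags anchors whose displayed text names one domain while the href points to another, using constructed sample anchors on reserved .example/.invalid names and a simplified base-domain rule (an assumption; production code would use a public-suffix list).

```javascript
// Added example (not from the original column): a defender's check for links
// whose visible text claims one destination while the href goes somewhere else.
// Runs under Node.js using only the built-in WHATWG URL class.

// Registrable-domain approximation: the last two labels of the host.
// Assumption: good enough for the demo; real code should use a public-suffix list.
function baseDomain(host) {
  const labels = host.toLowerCase().split('.').filter(Boolean);
  return labels.slice(-2).join('.');
}

// Parse text as a URL; bare domains such as "mybank.example" are accepted too.
function hostOf(text) {
  const candidate = /^[a-z][a-z0-9+.-]*:\/\//i.test(text) ? text : 'https://' + text;
  try {
    return new URL(candidate).hostname;
  } catch {
    return null; // not parseable as a URL at all
  }
}

// True when the anchor's visible text looks like a URL or domain whose
// base domain differs from the base domain of the real href.
function isMismatchedLink(visibleText, href) {
  const shown = visibleText.trim();
  // Plain words like "click here" make no claim about the destination.
  if (!/^(?:[a-z][a-z0-9+.-]*:\/\/)?[a-z0-9-]+(?:\.[a-z0-9-]+)+(?:[\/?#]|$)/i.test(shown)) {
    return false;
  }
  const shownHost = hostOf(shown);
  const realHost = hostOf(href);
  if (!shownHost || !realHost) return false;
  return baseDomain(shownHost) !== baseDomain(realHost);
}

// Constructed sample anchors, as they might appear in an email body.
const sampleAnchors = [
  { text: 'https://www.mybank.example/login', href: 'http://198.51.100.7/login' },
  { text: 'www.mybank.example', href: 'https://secure.mybank.example/login' },
  { text: 'Click here to verify', href: 'https://mybank-example.invalid/verify' },
];

// Returns the real hrefs of every anchor whose displayed text disagrees with it.
function flagSuspicious(anchors) {
  return anchors.filter(a => isMismatchedLink(a.text, a.href)).map(a => a.href);
}

console.log(flagSuspicious(sampleAnchors));
```

Only the first sample anchor is flagged: its text names mybank.example but the href goes to a bare IP address, which is exactly what the hover check would reveal. The third anchor is not flagged because “Click here” makes no claim about where it leads, so that one still needs the human check.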
As cynical as it may sound, the only answer is to practise your A-B-C:
- Assume nothing
- Believe no-one
- Check everything
With more transactions (shopping, banking, etc.) being done online than ever before, you should watch out for those that would exploit the deadly sins.
Don’t give criminals the chance to ruin your online experience, and remember that a little bit of paranoia goes a long way online.
Graeme Wolfe, Information and IT Security Officer, 21/07/2016