Tags: just ask gemalto
Social engineering is a fancier, more technical form of lying. An alternative to traditional hacking, it is the act of manipulating others into performing certain actions or divulging confidential information. Social engineering or “social penetration” techniques are used to bypass sophisticated and expensive hardware and software in a corporate network. Smart organizations train their employees to identify and resist the more common attempts to trick them into letting down their guard. Criminal hackers use social engineering as a very effective tool and as part of their strategy when gathering information to piece together the parts of their scams. They often target company executives via phone and email. Once they have extracted some data from the top, accessing networks or whatever end game they had in mind is much easier.
Social engineering has always been a “person to person” confidence crime. Once the con man gains the mark’s trust, the victim begins to provide all kinds of information, or to fork over cash and credit. Trust seems to be an inherent trait we all have from birth. I suppose we would need to be able to trust one another in order to survive as an interdependent communal species, otherwise fear would prevent us from relying on others to nurture us until we are tossed out of the nest.
Defcon is a conference for hackers of all breeds. There are good guys, bad guys, and those who are somewhere in between, plus law enforcement and government agents. All kinds of inventive people with an intuition for technology decend on Las Vegas to learn, explore, and hack. InfoWorld reports, “This year’s Defcon gathering in Las Vegas will feature a contest in which participants will compete to gather nuggets of information from unsuspecting target companies — over the telephone instead of the Internet.”
Defcon is known for its antics but it’s also an event where hackers of all flavors improve their skills. The game they are playing this year is a social engineering fun-o-rama called Social Engineering CTF, referencing the game “Capture the Flag.” “This contest will borrow elements from the convention’s traditional computer-based CTF tournaments, but with a few variations. Prior to the conference, participants will receive an email with the name and URL of a target company. Participants will be permitted to gather preliminary information about the company using Google searches and other passive techniques. Contestants are banned from contacting their target directly via email or phone, and they get points for information gathered. Competitors then use that data during the actual tournament to fuel their social engineering attack. They have twenty minutes to call unsuspecting employees at their target companies and obtain specific bits of (nonsensitive) information about the business for additional points. Participants aren’t allowed to make the target company feel at risk by pretending to represent a law enforcement agency.”
Recognize that online predators use these tactics to get what they want. They consider you, the innocent computer user, their natural prey.
So always question authority, or the appearance of authority. Don’t automatically trust or give the benefit of the doubt. When you are contacted via phone or email, or approached in person, proceed with caution. Always be suspect of external or internal communications, and consider that you could be the target of a phishing scam. Never click on links in the body of an email, and if an email prompts you to divulge a username and password, pick up the phone to verify the legitimacy of the request. The best defense is effective policies coupled with ongoing awareness training.
ROBERT SICILIANO, CEO of IDTheftSecurity.com is fiercely committed to informing, educating, and empowering Americans so they can be protected from violence and crime in the physical and virtual worlds. His "tell it like it is" style is sought after by major media outlets, executives in the C-Suite of leading corporations, meeting planners, and community leaders to get the straight talk they need to stay safe in a world in which physical and virtual crime is commonplace. Siciliano is accessible, real, professional, and ready to weigh in and comment at a moment's notice on breaking news.
- Women Proved “Securest” in the Defcon Social Engineering Game
In a recent post (Hackers Play “Social Engineering Capture The Flag” At Defcon), I pointed to a game in which contestants used the telephone to convince company employees to voluntarily cough up information they probably shouldn’t have. Of 135 “targets” of the social engineering “game,” 130 blurted out too much information. All five holdouts were women
- Stealing Secrets: Telling Lies Over the Phone
In a recent post (Hackers Play “Social Engineering Capture The Flag” At Defcon) I pointed to a game in which contestants used the telephone to convince company employees to voluntarily cough up information they probably shouldn’t have. At the recent Defcon event, social engineers proved that it doesn’t take much more than asking to get
- 5 Signs You Are About to be Scammed
Smart people are scammed every day because they think it can’t happen to them or they just aren’t aware of the scams. And the scammers have gotten very good at disguising their scams, so it’s often hard to recognize them. Scamming generally involves a form of social engineering. Social engineering is the act of manipulating people
- Seven Social Media Landmines to Watch Out For
In the early days of the web, cybersquatting was a concern among corporations who were late to the game in getting their domain names. I had a little battle with LedZeppelin.com that I regret, but that’s another story. Today that same battle is being played out in social media. Anyone can register any brand or likeness
- Protect Yourself from Social Engineering
Robert Siciliano Identity Theft Expert Social engineering is the act of manipulating people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face
Leave a Comment
You must be logged in to post a comment.