Social Engineering: Hackers and Social Networks

Written by:  • Edited by: Rebecca Scudder
Updated May 25, 2011

Social engineering is another tool used by hackers to extract valuable information from people. Social engineering can be performed through pretexting, phishing, baiting and even social networks. Learn how to protect yourself from being hacked through social engineering.

What is Social Engineering?

You may have heard the term social engineering in passing, but have you ever thought about what exactly it is? Maybe you've been a victim of it, or currently are a victim and don't know it yet. Social engineering at its core is manipulating a person into knowingly or unknowingly giving up information; essentially 'hacking' into a person to steal valuable information.

Various tactics come into play with social engineering, the best known being phishing. In addition to phishing there are other tactics such as diversion, social networking and pretexting. At times, social engineering may be used to extract what people feel is useless information, but in the right hands, that useless information can easily become critical information for a hacker to break into a person's account. The end goal of a social engineer is to extract information out of a person, like a computer virus extracts information out of a hard drive.

Protecting Yourself

Think of yourself as a walking computer, full of valuable information about yourself. You've got a name, address, and valuables. Now categorize those items like a business does: personally identifiable data, financial information, cardholder data, health insurance data, credit reporting data, and so on. There are currently 47 state-level laws, along with several compliance regulations and standards such as Sarbanes-Oxley (SOX), the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), and the list goes on: rules that were designed and communicated to businesses to protect this type of information.

But what about at the individual level? What are you doing to protect your valuable data? A business would put 'controls' in place to mitigate the risk of compromise, but what 'controls' do you have in place for your information? What type of information is out on the World Wide Web for social engineers to target? In addition, how easy is it to find this information? Does it require extensive research, or is it relatively easy to find information about you simply by going to Google, Facebook, LinkedIn, or any number of other websites currently out on the Internet? Personal blogs should not be forgotten either, as plenty of personal information can be found on blogs.

Remember, your idea of what is important may not be broad enough. Social engineers use their tactics to extract any and all information they can out of you. Even simple information such as your pet's name, where you're from, and the places you've visited, information that you'd give out freely to your friends, is information social engineers want. Unfortunately, unlike passwords, which are understood to be important, other types of personal information aren't kept as safe. There are tons of personal information freely available on the Internet, especially due to the rise of social networks.

Social Networking Dangers

There are many social engineering methods out there, but the one I'd like to focus on for this article is social networking. With the rise of social networking, everyone seems to have a profile on Facebook, MySpace, LinkedIn, Twitter, Google Buzz, Xanga and so on. A lot of the information being placed on these sites may seem harmless: profile information, pictures, little life updates, pet updates and so forth. But in the hands of a social engineer, these are all tidbits of information they can use to hack into your various accounts.

Take a close look at some of the 'secure' sites you log into. Some have a 'secret question' you have to answer if you cannot remember your username or password. The questions seem pretty tough for an outsider trying to hack into your account. What's the name of your first pet? What is your maiden name? When was your mother/father born? Where were you born? Do these sound familiar?

As a social engineer, a hacker will look into your social networking sites to see if they can extract the answer to your 'secret question.' The name of your pet? It's on your Dogbook account. Your maiden name? Your mother has a Facebook account and she's listed as a friend on your profile with her full name displayed. When was your mother/father born? Your Twitter account has an update notifying the world that your father just celebrated his fifty-fifth birthday. Where were you born? Your MySpace account lists your hometown.

All this information is out in the wild, ready for the hacker to pick up and use to hack into accounts. What were originally thought of as harmless and useless tidbits of information have now become tools for hackers to use.

How to Protect Yourself

How do you protect your information from getting into the wrong hands?

You need to be diligent. Many social networking sites have privacy settings that you can set, but remember that the default settings aren't always the best settings.

  • Look through each setting option and ask yourself: is this information that I really want people to know?
  • The 'secret question' answers for the secure sites you visit: is the answer staring back at you in your profiles or pictures?
  • Are you reviewing each request to befriend you on your social networking site, or are you blindly accepting invites?

Try to keep an open mind about the information that's out there about you. Before placing information online, imagine a TV or radio commercial containing this information, and ask whether you're comfortable with that type of information being announced to the public. Look at what your secret questions are and see if it's easy to find the answers; check if the information you're putting online answers your secret questions.
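The check described above can be run against your own accounts. The following Python script is an added example, not part of the original article: it compares secret-question answers you supply with text copied from your own public profiles, and every question, answer and post in it is constructed sample data.

```python
import re
import unicodedata

def normalize(text):
    """Lower-case, strip accents and punctuation, and return word tokens."""
    decomposed = unicodedata.normalize("NFKD", text)
    no_marks = "".join(c for c in decomposed if not unicodedata.combining(c))
    return re.findall(r"[a-z0-9]+", no_marks.lower())

def contains_phrase(haystack, needle):
    """True if token list `needle` occurs as a contiguous run in `haystack`."""
    n = len(needle)
    return n > 0 and any(
        haystack[i:i + n] == needle for i in range(len(haystack) - n + 1)
    )

def audit(secret_answers, public_posts):
    """Map each secret question to the public sources that reveal its answer."""
    tokenized = {src: normalize(text) for src, text in public_posts.items()}
    findings = {}
    for question, answer in secret_answers.items():
        needle = normalize(answer)
        hits = sorted(s for s, toks in tokenized.items()
                      if contains_phrase(toks, needle))
        if hits:
            findings[question] = hits
    return findings

# Constructed sample data: replace with your own answers and profile text.
SECRET_ANSWERS = {
    "First pet's name": "Señor Fluff",
    "Mother's maiden name": "Alder",
    "City of birth": "Springfield",
}
PUBLIC_POSTS = {
    "pet profile": "Meet senor fluff, the laziest cat on the block!",
    "friends list": "Friends: Mary Alderman, J. Doe",   # whole-word match only
    "status update": "Back home in Springfield for the holidays.",
}

if __name__ == "__main__":
    for question, sources in audit(SECRET_ANSWERS, PUBLIC_POSTS).items():
        print(f"{question}: answer visible in {', '.join(sources)}")
```

Matching is done on whole words after accent and case folding, so "Alder" is not reported just because a friend is named "Alderman", while "senor fluff" still matches "Señor Fluff". Any question it reports is one whose answer should be changed or whose post should be made private.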

You are a database of information waiting to be tapped; both what you know to be important and what seems harmless could lead to important information. Avoid putting too many open items on the Internet for social engineers to use, and keep an eye out for suspicious requests. Remember, all it takes for a large dam to fall is one small crack. Don't let social engineers exploit and hack you using one small piece of information.


Comments

 
Robert Faustus Dec 1, 2011 5:46 AM
RE: Social Engineering: Hackers and Social Networks
That's really unfortunate and I'm sorry to hear!  Hackers are becoming more and more sneaky and skillful by the day.  The best thing to do is keep sharing these posts and educating people.  Thank you!
Diane Shrubshall Nov 23, 2011 5:30 AM
RE: Social Engineering: Hackers and Social Networks
I just wanted to share information about Social Engineering: Hackers and Social Networks. There are many "HACKERS" that get into cell phones and computers to steal personal or business information. Recently this happened to me and I am a victim. Regards, Diane Shrubshall
Diane Shrubshall Nov 23, 2011 5:17 AM
RE: Social Engineering: Hackers and Social Networks
I just wanted to share information about Social Engineering: Hackers and Social Networks. There are many "HACKERS" that get into our computers to steal personal information and business information. Recently this happened to me and I'm a victim.
 