Date: Late 1980s
You answer your phone talking to a person who identifies themselves as an agent of the phone company. He tells you that your phone card has been used fraudulently and they need some information to fix the problem, including your phone service name and the number on your card.
You go along with this until they ask for your phone service. You ask THEM for the name of your phone service since if they really are an agent of the phone company then THEY would know about your service. They start to falter, which gives you an excuse to hang up. You call for a trace on the phone call and find out that it came from a prison. The operator tells you prisoners that have access to a phone pick a random number and scam people out of their phone card to the tune of thousands of dollars. You breathe a sigh of relief that you were not one of those victims.
Date: Late 1990s
You walk into an office and speak to an executive of your company about changing his password more frequently. He replies that he does not see the reason to do that, since he feels his password is secure enough. You look around the office and tell him that you can guess his password in 3 attempts. He looks at you like you have 9 heads and says to give it a shot. You get to the second guess and he says that he will change his password immediately.
As you turn to leave the office, he asks you how you did it. You respond that the entire office had golf items and memorabilia. You took a wild guess that his password was based on golf. You were right.
What do these scenarios have in common?
Both of these scenarios are not fabricated. They both happened on my watch; the first one while an Air Force officer and the second one while working as an IT manager in private industry.
The similarity in both of these cases above is that someone used some simple profiling to attempt to get information about another person. In the first one, the attempt was unsuccessful; in the second one it was successful. This is the basic use of social engineering to gain information on someone else. My definition of social engineering is the ability to find out about another person by asking questions and compiling a profile. This, as we will discuss, is very effective at finding out computer passwords.
Are You Too Trusting?
In the United States we are pretty trustworthy. We pick up conversations with people standing in line. We talk about our football teams; we talk about where we grew up and maybe find an acquaintance in the process. We pride ourselves in being open and friendly. We want to help and feel badly when we cannot help someone else. Notable accomplishments as a country and a people, and things we should hold with pride. Unfortunately, the unscrupulous among us do not feel the same way.
I have seen as an IT professional how people lose their ability to keep secrets, and as a result, lose more than their passwords. For instance, let’s say that I want to get the password that “Sue" is using to get to her bank account.
My first piece of information about “Sue" is “Sue’s" friends. How would I find that out? Look at her social network, where people also list their work phone number and maybe even their home phone number. I would then call Sue at work and explain that I know one of her friends and that I work at Sue’s place as a member of the IT department. I slowly gain her trust to the point where I can either guess her password, or she may give it to me as part of our conversation. How would I do that?
Bad Guy: “Good morning Sue, I am George in IT. I noticed that you may have a virus and wanted to check your main screen for any problems. I talked with Karen down here who knows you and she said that you had those problems before."
Sue: “I don’t believe I know you George. How long have you worked at this location?"
Bad Guy: “Only a few weeks. Sam from HR hired me and he was pretty quick about it. I used to work at Company ‘X’ but left there because I wanted someplace more friendly to work. This is certainly the place."
Sue: “Well I am glad you like it."
Bad Guy: “Karen says that you are big ‘Slugs’ fan. I am a personal fan of the ‘Salt’ team myself."
Sue: “They are our biggest rivals!"
Bad Guy: “Sorry about that, but we must go where our hearts take us."
Sue: “Well, I guess I can forgive that as long as you work here. Now, what was it that you wanted?…"
And it goes on from there. The Bad Guy may not be able to get the password on the first shot, but he or she will continue with future phone calls at random times and days until they get what they want. What happens when they do get your password is pure chaos.
Improve Your Security
So, what does that mean? If you are a business owner you spend thousands if not millions on big company security software and hardware. You constantly tell people to make their passwords strong, and talk about security, but people are naturally trustworthy. How do you combat that? Further, why would you tell your employees to be unfriendly when you want a friendly company to reach out to customers?
Here are some tips for you to consider:
1. If you are an employee and someone asks for your password to do work on your computer, do NOT give it to them. I have been an IT professional for a while and can tell you that I did not need a password to get into someone’s computer in the company. I had administrative privilege so I could get into any computer I wanted. I would call first to let them know I would be getting into their system, but I did not need their password. If you are a private computer user and someone calls to get into your system, do NOT let them do that. There is no reason for any IT professional to get into your system unless you called them. Do NOT ever give passwords to anyone at any time.
2. For routine security questions (the type that helps you verify you are who you say you are), don’t EVER give out private information like your mother’s maiden name as the answer to a security question. Make up a name for that answer that you can remember. Why am I saying that? The mother’s maiden name is a major source of verifiability for other areas of your life, some that will have a great effect on your income. Giving out your parents’ information could develop an information source for others to get to your health and wealth.
3. Social networks are great ways to stay in touch, but there is no benefit to putting your birthday, middle name, or even full first name on your Facebook page. People that know you well will know your birthday. The desire of having strangers wish you a Happy Birthday should not dictate you giving out personal information. In other words, be cautiously friendly. Remember that any information you give can also give people hints to your passwords or pass phrases. Remember the second scenario? I was able to walk into that executive’s office and get that password quickly. Why? The individual based his password on his passion. I could tell what his passion was from the pictures, statues, and awards in his office, so I was able to guess his password. This is called in logic a hypothetical syllogism. In other words if A=B and B=C then A=C. It is that easy.
4. Base your passwords on uncommon patterns or long words. The longer the password, the more secure the passwords. And do NOT base your email address on any personal information. If you were born on 1 January and you put 0101 in your email name, it does not take much research to figure out your birthday, especially if you put your age in your social network profile. In other words, be unique, and be introverted when it comes to giving out your personal information.
If you are part of a company that pays through the nose for good computer security and it takes a hacker with bad intentions minutes to get through the computer security, then you as a company IT person have paid your gold to get nothing. How can you save money and get the most out of your computer security? Train your people through live simulations. Have a person from your company computer security department, or another detached company security location test your employees by calling and trying to get them to reveal their password. See if the computer training actually takes hold.
But, and this is important, do NOT punish the ones that fail the test the first time. Ensure that you re-train them as a warning. If they fail a second time, then you can talk some punitive action. A company employee that gives their password out is one that needs to be re-trained or reemployed at some other company.
If you get a phone call, or email, asking for permission to use your password, do not give them your password. No one that is in your IT department would ask for your password. They have administrative rights to computers and can get into your computer whenever they like – they do not need your password.
If you are home and someone calls or emails about getting access to your computer, then my recommendation is to not let them have that access. The only time when access like this might be necessary is if YOU made the call to your computer company through an approved support number. Even then, I would be careful. Granting access to your computer exposes you to possible theft of information and just because it is an approved support number does not mean that it is safe.
The more that you think through these types of social interaction, the more secure you make your interactions on your computer. You are ultimately responsible for keeping your personal information secure. Make your protection, and ultimately your security, personal.
About the Author:
Chris Greco has decades as an intelligence officer and computer security professional in the military and public service. He is a Certified Information Systems Security Professional (CISSP) as well as a Project Management Professional (PMP). He recently published a children’s book, “Granpappy Turtle Talks About Passwords," through www.lulu.com and as part of his company GRECTECH, which as one of its fundamental philosophy (Learn, Offer, Value, and Educate) is to Educate individuals on different aspects of project management and computer security. You can reach him at www.grectech.com or chris @ grectech.com