The firewalls are impenetrable—all the security holes have been patched. The network is secure. Your passwords are all unique, random-sequenced, long, and unbreakable without all the world’s supercomputers crunching beyond the life of the universe.

The phone rings. A friendly voice who says he’s calling from a vendor’s site asks for assistance. Or perhaps this caller has self-identified as a magazine journalist doing surveys, and the first questions concern only cafeteria quality and who hauls the refuse. Then he asks what browser types and versions you use. Then there’s a segue into questions about other software used by your coworkers.

It’s good to be helpful.

The problem is that this particular caller is a hacker who aims to tailor viruses to launch at your enterprise’s systems.

This is one simple, low-tech approach from an array of such activities called “social engineering.” Social engineering is not much different from market research, but unfortunately it can have a malignant purpose. It’s “social” because information is gathered from a human being rather than as the result of system cracking. It is the exploitation of the natural human tendency to trust and to be helpful. The goal is to gain information that allows unauthorized access to systems or to the information they contain.

At DefCon, the hackers’ conference held annually in Las Vegas, the ease and benefits of social engineering were demonstrated this last August through a contest in which participants had twenty-five minutes to gather as much information as possible from seventeen companies, among them Microsoft, Google, BP, Apple, and Procter & Gamble. Out of fifty people called at these firms, only five—all women, interestingly enough—refused to give up any information. Only one company failed to yield any information—no one answered the phones there.

The appeal of the approach is that little technical skill is required; only a talent for schmoozing is necessary. The term “social engineering” was popularized by consultant Kevin Mitnick, a former hacker who served five years in prison for his exploits. Mitnick understood that it was often far easier to trick someone into surrendering information about a system than to hack into the system directly.

Social engineering attacks can appear quite innocent on the surface, but given the powers of aggregation through data mining and compromises at other firms, a well-orchestrated attack can reveal a great deal about a company or an individual. This is not to say that every caller is suspicious, but it’s wise to be aware that sometimes casual inquiries are not as friendly as they appear.