Old-fashioned hacker deceit
- By Dan J. Ryan
- May 29, 2000
Information assurance isn't always a technology issue. Of course, the types
of attacks we're most familiar with and best prepared to defend against
range from password cracking to van Eck radiation intercepts, in which eavesdroppers
tap the electronic emanations from a computer to steal data.
But hackers use all sorts of methods to gain entry to systems and networks
or to obtain information that makes getting in easier. One powerful tool
they use is good old-fashioned fraud, or what the hacker community calls
It can be quite simple and very low-tech. For example, a hacker can
call the computer department help desk created to assist users who are having
problems with the network, including (often) users who are having trouble
accessing the network because of forgotten passwords, misplaced tokens or
The hacker says something like, "I can't log in today for some reason.
Can you help me?" The help-desk worker does what he or she was trained to
do — help. I know of one case in which a persuasive hacker was given a user
ID and password via the phone, and the help-desk worker sent an overnight
mail package to the hacker with the software needed to gain access.
Another type of attack has the hacker calling an employee and saying
something similar to this: "This is the security department. I'm sorry,
but your password has been compromised. Get a pencil and I'll give you the
new password we want you to change to immediately." Surprisingly, many users
will change their password as directed.
Social engineering attacks may take place over long periods of time,
not just a few phone calls. One hacker developed a phone friendship with
an employee of a target company that lasted for more than three years. The
unwitting employee provided informal access to a great deal of information
that the hacker could use to mount a successful attack.
Other social engineering attacks involve hackers posing as students
doing research or candidates seeking jobs.
In some cases, the hacker actually takes a job. Once inside the office,
the attacker may abuse the network access privileges or use the access
to information from within the organization to mount an attack from outside
The countermeasure for social engineering combines an identification
and authentication process with education and training. Help-desk
and systems operations personnel must be taught how social engineering attacks
work and be given a way to authenticate employees asking for assistance.
Employees throughout an organization should be taught to recognize and
report suspicious activities. A well-designed information security training
and awareness program for employees at all levels is one of the cheapest
and most effective methods available for protecting valuable information
assets and systems.
—Ryan is an attorney, businessman and member of the George Washington University