From:         Patrick Douglas Crispen 
Subject:      Tourbus - 10 June 04 - Social Engineering: Part One

TODAY'S TOURBUS TOPIC: SOCIAL ENGINEERING: PART ONE

The Internet Tourbus - U.S. Library of Congress ISSN #1094-2239
Copyright © Bob Rankin and Patrick Crispen - All rights reserved

Howdy, y'all, and greetings once again from deep behind the orange curtain in beautiful Irvine, California, home of the Stanley Cup-winning Tampa Bay Lightning. :P

Talking about cities that are nowhere near Tampa Bay, if you are going to be in Birmingham, Alabama, next week for the 10th annual Alabama Educational Technology Conference, feel free to stop by East Hall room A/B/C sometime and say howdy. I think I am scheduled to do about nine concurrent sessions in that room on Wednesday and Thursday. [Check out http://www.aetc.cc/ for more information.]

TOURBUS is made possible by the kind support of our sponsors. Please take a moment to visit today's sponsors and thank them for keeping our little bus of Internet happiness on the road week after week.

On with the show...

Social Engineering: Part One
Audience: Everyone

The Internet can be a scary place. In fact, it's hard for even the most experienced Internet veterans not to feel a little overwhelmed by the vast sea of Internet viruses [ http://tinyurl.com/klse ], unsolicited commercial emails [ http://tinyurl.com/99k2 ], computer hackers [ http://tinyurl.com/g6cb ], and, worst of all, badgers [ http://tinyurl.com/p2tm ] floating around the old information supercollider.

Fortunately, while there isn't much you can do about the badgers -- or, for that matter, the bananaphones [ http://tinyurl.com/3dx92 ] -- as you gain more experience on the Internet you learn how to practice "safe surf":

1. You use a good antivirus program like Norton or McAfee or AVG and you update your virus definitions at least once a week.

2. You run Windows Update or Apple Software Update at least once a week to make sure you've patched the latest security holes in your operating system. [Mac users: THIS INCLUDES YOU! Apple released a security patch for Panther and Jaguar earlier this week. Check out http://tinyurl.com/3bdkc for more information]

3. You never double-click on files attached to email messages, regardless of who the message is from, without first checking that file with your antivirus program.

4. Yadda yadda yadda.

We've talked about all of these "rules" before, and I even have a free PowerPoint presentation on this topic that you are free to steal. Just hop on over to

http://www.netsquirrel.com/classroom/

and click on the last link on the page: "Viruses, Cookies, and Spam ... Oh, My! How to Protect Your Computer from the Internet Nasties and How to Fix What's Bugging You on Your PC or Mac."

One thing we HAVEN'T talked about, however, is something called "social engineering," which is just a fancy way of saying "tricking you into giving a computer cracker the information he needs to break into your computer or steal your identity."

Why is social engineering important to you and me? Well, no matter how strong your firewall is, no matter how often you update your antivirus program, if a computer cracker can trick you into giving him your password or credit card number, all your time-consuming and expensive computer security precautions will be for naught.

But surely social engineering can't be a BIG problem, right? Wrong... and stop calling me Shirley.

According to our friends over at the beeb,

More than 70% of people would reveal their computer password in exchange for a bar of chocolate, a survey has found.

It also showed that 34% of respondents volunteered their password when asked without even needing to be bribed.

A second survey found that 79% of people unwittingly gave away information that could be used to steal their identity when questioned.

Frightening, isn't it? You can read the BBC's entire article online at

http://news.bbc.co.uk/2/hi/technology/3639679.stm

Obviously, if people are willing to give away the "keys" to their computers for a Zagnut bar, social engineering is a BIG problem. But how can you protect yourself? The first line of defense is education. Simply knowing that there are people out there actively trying to trick you into revealing personal information will [hopefully] cause you to be more careful with whom you choose to share that information.

One of the best resources to learn more about social engineering and some of the protections that you can take against it is Sarah Granger's "Social Engineering Fundamentals" articles at

http://www.securityfocus.com/infocus/1527

and

http://www.securityfocus.com/infocus/1533

Granger's focus is on workplace security, but a lot of what she writes can be applied to home use as well.

If you prefer your social engineering information in journal article format, check out Jonathan J. Rusch's "The 'Social Engineering' of Internet Fraud" article on the Internet Society's website at

http://www.isoc.org/isoc/conferences/inet/99/proceedings/3g/3g_2.htm

Rusch is with the United States Department of Justice, and his fifteen-ish page article provides a scholarly look at the psychology of social engineering and how social engineering has spread to the Internet.

Another decent resource is KPaul's "Give Me Your Password: A Social Engineering Intro" at

http://www.kuro5hin.org/story/2004/6/3/223758/2267

One word of warning: Kuro5hin is a threaded discussion board [a la Slashdot] and the language of a few of the posters can be a tad bit salty at times. If you are offended by foul language, skip this one.

Finally, no discussion of social engineering would be complete without mentioning Kevin Mitnick's book titled "The Art of Deception: Controlling the Human Element of Security" [ISBN: 0471237124.] Mitnick is perhaps the world's most infamous computer cracker--see http://tinyurl.com/2hpey to learn why--and his book is an inside look at the world of social engineering. You can find Mitnick's book in most bookstores for US$30 and in most libraries for US$0.

That's it for today. Next week we'll continue talking about this subject, focusing on a special subcategory of social engineering called "phishing."

           .~~~.  ))
 (\__/)  .'     )  ))       Patrick Douglas Crispen
 /o o  \/     .~
{o_,    \    {              crispen@netsquirrel.com
  / ,  , )    \            http://www.netsquirrel.com/ 
  `~  -' \    } ))    AOL Instant Messenger: Squirrel2K
 _(    (   )_.'
---..{____}                  Warning: squirrels.
