
Social Engineering/ Human Hacking

Also known as human hacking or pretexting, social engineering is one of the fastest growing threats in today’s social networking empire. Social engineering (in the security sense, not the social-science sense) is the act of manipulating people into performing actions or divulging confidential information, which often leads to fraud and identity theft. The term is sometimes confused with the art of deception or conning; however, it has grown to include social observation as it applies to social networking. To put it simply, social engineering is one person’s ability to convince or manipulate a victim into giving out personal, confidential information that can be harmful to the victim.

Pretexting is a form of social engineering that involves lying and fabricating invented scenarios to get a victim to give up information that is potentially harmful to them. Pretexting to obtain banking records has been illegal since 1999, and pretexting to obtain phone records since 2006, and in some cases it is a felony; however, this does not completely protect people from it.

Whether you know it or not, if you are reading this article you are already a victim, though in this case without consequence. In other words, somehow you were manipulated into reading this article. You probably saw the link on Facebook or in an email saying something like “learn how to avoid being a victim of social engineering.” That very sentence may have sparked your curiosity into clicking the link that led you here. Fear not! You are about to get a crash course on social engineering and how to avoid being duped into becoming a victim.

For starters, stop and think. When you post something on any social networking site along the lines of what Kelly on Facebook says, like “Such a great day planned out, going to Home Depot followed by brunch then straight to the theatre to see Avatar at noon with my wonderful hubby and the kiddies, I sure hope Fido doesn’t miss us too much- Hugs and Smooches to all — : )”, you are asking for trouble. Let’s say I’m Joe Badguy and I am skimming through people who live in my area (maybe some are my close friends) so that I can rob them blind. If I came across a post such as the one above, I know for sure I would have my target. This isn’t necessarily social engineering in the sense of manipulating someone into giving me essential information to cause harm; however, this victim has certainly volunteered herself for trouble by telling me that she will be away from home for most of the day, that the entire family is going, and that there is a dog at home I need to watch out for. I can click on the Info tab of this person’s profile and possibly find out where she lives (if I didn’t know already, since this victim could be one of my friends or a work acquaintance), how old her children are, and who she works for and where. I can also click on the Photos tab and get a great layout of the home and the size/intimidation factor of the dog. I can look at this victim’s recent wall postings, or postings from several weeks ago, and get a good idea of Kelly’s daily routine: what time the kids are off to school, when hubby is off to work and when she likes to go to her two-hour spin class. Two hours is pretty ample time for a break-in; half the day is even better. I may have even seen the two-week-old posting mentioning she got her hubby a new 50-inch plasma for his birthday, hmmmmm….

I may not know this person at all, but because my profile is so inviting and nice looking, the victim may have been too nice to ignore my friend request, which gives me access to most, if not all, of her personal info. Even with the social networking site’s privacy settings set at a moderate level, there is still a great chance I will have privileged access just because I’m Kelly’s friend. Either way, with just the simple wall posting you have read above, I have most of the information I will need. Let’s say I know Kelly. I could lie to her and send her a reply while she is still online, asking the exact time the show is playing because I may want to see the same one and take my kids. (This is known as a pretext: giving false information in order to get information, or to alter the circumstances, in order to victimize Kelly.) If she is truthful and replies with a time, it gives me an exact time frame for when she and her family will be out of the house. I have then committed a more textbook form of social engineering by manipulating her into giving me essential information that allows me to victimize her. You get the idea….

This issue goes far deeper than just making yourself vulnerable to home burglaries. For example, let’s say Brian (a mutual friend of Kelly) is an IT security specialist for a bank and posts on Facebook something like “Ahhhhh system crash at work!!! I hate my life : ( “. If I dug a little deeper and were a computer-savvy individual, I might easily be able to take advantage of this situation, which could affect the well-being of an entire business. Another horrifying example: Army Specialist Joe Shmo, currently stationed in Baghran, Afghanistan, has a few moments before his patrol briefing to post on Facebook “Love you Mom and Dad, about to roll through downtown for an escort, wish me luck– <3”. Don’t think that militias in Afghanistan don’t possess the ability to monitor the internet, more specifically anyone belonging to the Army’s 22nd Cavalry Division group on Facebook. Our military is well aware of this and does screen most outgoing info from computers belonging to a forward unit for reasons of operational security; however, their system is far from foolproof. Specialist Shmo may not have meant any harm, nor did Brian or Kelly, when they all broadcast their personal/daily business to over 500 million Facebook users; however, our complacency, carelessness and ignorance will always be an advantage to our adversaries, adversaries which you may not know exist.

The possible scenarios go on and on; we could play the “what if” game all day. This article is not meant to scare people away from social networking sites. I myself enjoy social networking sites and have been able to stay better connected with family and communicate with long-lost friends after decades of no communication. Facebook, as well as many other sites, can certainly be enjoyable. The point of this article is to highlight some of the mistakes we are making, in an effort to educate ourselves on how to avoid social engineering on the internet. The mistakes are simple: people are giving out too much information to the general population, and some information should not be divulged at all. Most of the time, people need to take a moment and think about what they are about to tell everyone before they hit that Share button.

Tips to a safer and more secure social networking experience:

  • Picture yourself saying what you are about to post online in front of people, as though they were standing right before you. This should be a real mental deterrent to posting something that people should not know, don’t care to know, or that could be flat-out inappropriate to say. (This could also save you from a lot of embarrassment.)

  • Be a part of your children’s online experience: make friends with them on social networking sites and monitor what they post. Always advise them not to post where they are headed right beforehand; if Joe Badguy were a stalker, kidnapper or pedophile, this type of information would be very helpful to him.

  • Don’t post things while intoxicated or under the influence of mind-altering drugs.

  • Use common sense and common decency. You can post some of the events of your day (after the fact); however, don’t get too juicy. For example, you can say “Dinner was wonderful last night,” but try to avoid saying things like “Headed for dinner at Applebees in 30 mins, strawberry daiquiris here I come, can’t wait to get hammered!!!” Not only could this be potentially embarrassing down the road, it can tell people like Joe Badguy where you will be and about how long you will be there.

  • Never allow people to become a part of your network if you don’t know them. (I would even go as far as saying don’t allow people in your network even if they’re an acquaintance.)

  • Most sites have privacy controls. USE THEM! (Don’t rely on the default settings.) Restrict what people outside your network can see, even random information that you don’t think could possibly harm you.

  • Don’t put confidential information on your profile AT ALL. This includes addresses, phone numbers, places of employment, banking/credit info, school locations and vehicle descriptions, to say the least.

  • Don’t post videos that give a detailed look at the inside of your home.

  • Be cautious when accepting event invitations or joining social interest groups.

  • Don’t instigate, intimidate or antagonize others; you may make enemies faster than you think.

  • Keep checking back and reading our newsletters for further advice on how to be safe and secure, as well as to stay up to date on the latest information and news about threats to Americans’ well-being.