Are You a Computer Hacker's Target?

By Cheryl Seaman

Computer hackers don't need to resort to their bag of technical tricks if they can con you into giving up information in easier ways. Security specialists have adopted the term "social engineering" or "people hacking" to describe how hackers gain unauthorized access by manipulating people's innate human tendency to trust. Once hackers create a sense of legitimacy, they can exploit it for a variety of motives including disruption, fraud, industrial espionage, network intrusion, identity theft and even entertainment.

Here's how it can work. Imagine that someone comes to your desk and claims to be from customer support. He says he needs access to your computer to check out a network problem. Would you give him your password? Maybe he'll ask you to enter it as he watches the keystrokes from over your shoulder. Perhaps you'll get an email message directing you to click on a web site to install a free copy of a new action-packed video game. As promised, it's a great game, but unbeknownst to you, malicious software has also been downloaded. It's still your computer, but who controls it now?

This kind of "social engineering" presents a major threat to computer security because security is grounded in trust. Ironically, because hackers can easily prey on the human impulse to be kind and helpful, using social engineering to access a system is often easier than technical hacking. A local security analyst who performs risk assessments for corporate customers says, "It's a given that if [hackers] use social engineering, they'll be able to break in."

How can you recognize a social engineering attempt? Indications include the use of intimidation, name-dropping, refusing to give contact information, a sense of urgency, flattery/flirtation, small mistakes (misspellings, odd questions, misnomers) or a request for forbidden information. A hacker will pretend to be anyone you might trust, for example a network administrator, manager, phone technician, FBI agent, police officer or credit card company. Social engineering can be done in person, over the phone or online. Folks using instant messaging services might get a message notifying them of a virus infection. The message instructs them to download software (from a malicious URL) to "clean" their machine.
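The warning signs listed above can be turned into a simple triage check. The following Python script is an added example, not part of the NIH Record article or any NIH tool: it scans a message for the article's indicator categories (urgency, a request for credentials, a claimed authority, an instruction to download or click, flattery) and rates the combination. The phrase patterns and the three sample messages are constructed for illustration; a real deployment would tune the patterns against its own mail or instant-messaging traffic.

```python
import re

# Warning signs from the article, each mapped to a few constructed phrase
# patterns. These are illustrative, not a vetted detection ruleset.
INDICATORS = {
    "urgency": [
        r"\bimmediately\b", r"\bright now\b", r"\burgent(ly)?\b",
        r"\bwithin \d+ (minutes|hours)\b",
        r"\bwill be (suspended|locked|deleted|disabled)\b",
    ],
    "credential_request": [
        r"\bpassword\b", r"\bpasscode\b", r"\bpin (number|code)\b",
        r"\blog[- ]?in (details|credentials)\b",
    ],
    "authority_claim": [
        r"\b(network|system) administrator\b", r"\bcustomer support\b",
        r"\bhelp ?desk\b", r"\bfbi\b", r"\bpolice\b", r"\bcredit card company\b",
    ],
    "download_instruction": [
        r"\bdownload\b", r"\binstall\b", r"\bclick (here|this link)\b",
        r"https?://\S+",
    ],
    "flattery": [
        r"\byou(?:'ve| have) been (selected|chosen)\b",
        r"\bvalued (customer|employee)\b", r"\bcongratulations\b",
    ],
}

COMPILED = {
    category: [re.compile(p, re.IGNORECASE) for p in patterns]
    for category, patterns in INDICATORS.items()
}


def find_indicators(text):
    """Return each triggered category mapped to the phrases that matched."""
    hits = {}
    for category, patterns in COMPILED.items():
        matched = []
        for pattern in patterns:
            m = pattern.search(text)
            if m:
                matched.append(m.group(0))
        if matched:
            hits[category] = matched
    return hits


def risk_level(hits):
    """Rate the combination of indicators.

    The classic social-engineering shape is an "ask" (hand over a credential,
    download something) paired with pressure (urgency) or a borrowed identity
    (a claimed authority, or flattery). Either half alone is weaker evidence.
    """
    ask = {"credential_request", "download_instruction"} & hits.keys()
    pressure = {"urgency", "authority_claim", "flattery"} & hits.keys()
    if ask and pressure:
        return "high"
    if ask or len(hits) >= 2:
        return "medium"
    if hits:
        return "low"
    return "none"


def assess(text):
    """Convenience wrapper: indicators found plus the resulting risk rating."""
    hits = find_indicators(text)
    return {"risk": risk_level(hits), "indicators": hits}


# Constructed sample messages modelled on the scenarios in the article.
SAMPLES = {
    "im_virus_notice": (
        "This is customer support. We detected a virus infection on your "
        "machine. Download the cleaner from http://example.invalid/clean "
        "immediately or your account will be suspended."
    ),
    "desk_visit": (
        "Hi, Dave here from the network administrator team. I need your "
        "password right now to check out a network problem."
    ),
    "benign_reminder": (
        "Reminder: the team meeting moves to 3pm Thursday. Agenda attached."
    ),
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        result = assess(text)
        print(f"{name}: {result['risk']} {sorted(result['indicators'])}")
```

The rating is deliberately coarse: its value is in flagging the pairing of a request with pressure or impersonation, which is exactly the pattern a recipient should pause on before acting. A message rated "none" is not proven safe; the check is a prompt for the human judgement the article asks for, not a replacement for it.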

What can you do to thwart social engineering? Never give out your passwords. Never disclose them over the phone or in an unencrypted email message. Reasonably question anyone in your work area who does not appear to belong there. Don't indiscriminately open the door for people who seemingly can't find their card key. If you don't see their NIH ID, refer them to the security guard.

Never give out confidential information about others without authorization. Be wary of opening unsolicited email attachments. If in doubt, check with the sender to see if an attachment was really sent.

Be cautious of downloading software such as games, programs or screen savers from untrusted Internet sources — you could be accessing an infected web site. Recall the adage, "beware of strangers bearing gifts," before installing any free software on your computer. If it seems too good to be true, it usually is.

Employees can review An Awareness Guide to Social Engineering, located at, or take the new NIH Computer Security Awareness course (see

In summary, sometimes it's okay to be a little suspicious. Don't be afraid to ask questions. Trust your intuition. If you have any doubts as to the authenticity of an inquiry or the actions you are being asked to take — hold on. Refer the request to your supervisor. If you think you have fallen prey to a social engineer's ploys, notify your supervisor and, if appropriate, immediately report the situation to your local IT help desk, ISSO (, or TASC (594-6248). If security has been compromised, swift action can help minimize damage.
