
Friday, April 6, 2007

Social Engineering & Privacy

If you received a phone call from your Internet Service Provider (ISP), announcing that they were now offering credit card payment, would you give them your credit card number so they could automatically bill your card? What if they offered to make it a sweet deal by cutting your monthly bill by $15? If you said 'yes', you could have just been socially engineered into giving your credit card number to some clever stranger!

Besides credit card scamming, another common social engineering tactic is to trick people into giving out their account passwords. OK, so imagine that your ISP asked for your Internet user name and password to validate your identity when you speak to them on the phone. I hope you would decline because this is something they would never ask you to do.

On your Messaging application, or social networking site, you might receive a message from someone who claims to be a support person: "Hello! I'm sorry to inform you that there has been an error in your account configuration in our database. The server's password information has been damaged. We need you to type in your password and hit reply. Thank you for your assistance". Survey says, 'Bzzzzzt!' No!

Statistics have shown that 20% or more of all successful security attacks were made possible through simple social engineering. It is perhaps the easiest way to gain access to computers, networks and their data, because it relies not on technical know-how but on knowledge of human nature and our inherent desire to trust one another. With phishing scams on the rise, banks and credit card companies are warning their customers to be wary of suspicious e-mail supposedly coming from them, especially if it links to a web site that asks for personal details. Identity thieves create authentic-looking web sites to fool people into providing account numbers, passwords and more. It used to be relatively easy to tell if you were at the real web site by paying close attention to the address field in your browser. But a recently discovered vulnerability makes it possible to spoof even the web site address. If you are sceptical about the actual address of a web site you are visiting, try the following:
Copy and paste the following into the address field of your browser and hit Enter:
javascript:alert("The real URL of this site is: " + location.protocol + "//" + location.hostname + "/");
It will tell you the real address of the site you are visiting.
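The same check, as an added example that is not part of the original post, written as a small set of functions so it can be run against any location-like object and not only typed into the address bar. It goes a step beyond the one-liner above: besides reporting the real protocol and hostname, it verifies that the hostname really is the site you meant to visit (or a subdomain of it) rather than a lookalike that merely contains the brand name. All hostnames below are constructed, hypothetical values.

```javascript
// Added example (not from the original post). `loc` is any object with
// `protocol` and `hostname` properties, e.g. window.location in a browser
// or a constructed object when testing offline.
function realAddress(loc) {
  return loc.protocol + "//" + loc.hostname + "/";
}

// True only if `hostname` IS `expectedDomain` or a subdomain of it.
// "secure.bank.example" matches "bank.example";
// "bank.example.login-verify.test" and "bank-example.test" do not,
// even though both contain the brand name the victim is looking for.
function isExpectedSite(hostname, expectedDomain) {
  const h = hostname.toLowerCase().replace(/\.$/, ""); // drop trailing dot
  const d = expectedDomain.toLowerCase().replace(/\.$/, "");
  return h === d || h.endsWith("." + d);
}

// Combined verdict: the real address, whether it belongs to the expected
// site, and whether the connection is encrypted (the "lock icon" check).
function checkSite(loc, expectedDomain) {
  return {
    realAddress: realAddress(loc),
    expectedSite: isExpectedSite(loc.hostname, expectedDomain),
    encrypted: loc.protocol === "https:",
  };
}

// Constructed sample locations (hypothetical hostnames) for a quick run.
const samples = [
  { protocol: "https:", hostname: "www.bank.example" },
  { protocol: "http:", hostname: "bank.example.login-verify.test" },
];
for (const loc of samples) {
  console.log(JSON.stringify(checkSite(loc, "bank.example")));
}
```

In a browser, `checkSite(window.location, "bank.example")` performs the same verification on the page currently open.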

Do you think you have what it takes to tell a legitimate email from a 'phishing scam'? Try this quiz.

A wise person once said, "There is no privacy on the Internet. Deal with it!". They weren't kidding. Do a Google search on your name. You may be surprised to see what comes up. Did you know that the content of email messages that are sent or received on a company's network is the property of that company? Be careful when using web-based email services at work or to discuss work-related subjects. Some people are surprised to discover that free e-mail services actually own the content of messages sent through their web service. Hotmail and Gmail are some of those services. There is a simple rule to live by when sending information of any kind onto a network, especially the Internet:

Imagine the content of your communications being posted on a public bulletin board.
This includes email but also includes web browsing, messaging, social networking, file transfers, etc. If the stuff you communicate with others is not suitable for public discovery, find a way to encrypt it or don't send it via these means. If your PC is not configured to prevent it, and your software's vulnerabilities haven't been patched, you may as well imagine all the files on your PC are being shared on the Internet. If you are using file sharing programs or torrent sites and you haven't limited what these share with the world, all of the files on your PC might be shared on the Internet. Look for the lock icon in your browser to see that your web connection is encrypted before entering personal information like credit card numbers.

Another hot topic with regards to privacy is spyware. Spyware was created in an effort to build a profile of your Internet habits. This data is useful to direct marketing companies, because it's cheaper to target marketing to specific people. Whenever you download a program for free, you may actually be downloading spyware as part of the product. Free software such as screen savers, download managers, FTP programs or peer-to-peer file sharing clients (like Kazaa) often contains spyware. Some would suggest that Facebook is a form of spyware due to what it does while you're on their site. In these cases the software itself actually IS useful. But the price for using these applications is having your net surfing habits reported to a marketer, perhaps without your awareness or permission, unless you read the End User License Agreement or EULA - but who does that? Do you read the fine print before using your software? What's even more devious about these applications is that even after you discover their true intent and remove the software from your PC, the spyware portion quite often remains on your computer, continuing to do its work. Programs such as OptOut, Ad-Aware and Spybot can be installed on your computer to check for the presence of spyware. There are also web sites that let you check in advance whether the program you're about to download contains spyware.

Before you get all up in arms, building a marketing profile on you is not a new practice. Those club cards that help you save money at the store are really just a method of electronically linking you to the purchases that you make in an effort to build an accurate marketing profile. In fact, I'll offer a controversial opinion here - the main reason spyware (along with adware, shareware, etc.) exists is because many small firms who develop software have a hard time getting paid for their efforts. Witness the sheer number of people who copy other people's programs. Small-time software developers often have few other choices (if they want to get paid) but to allow a marketing company to include spyware in their program.

People who value their anonymity while surfing the web can use a variety of methods to protect themselves. One way is to pay a fee to an "anonymizer", a company that enables you to surf the web through their "proxy", which makes it seem that the proxy is doing the surfing. The banks are also working on a way to make it possible to shop online anonymously with a form of electronic cash. For now, PayPal is your best bet, but Bitcoin is making a splash right now.

For more information on non-technical security, read my article The Weakest Link.
