Hacking into the mind of a hacker

You've got antivirus software and firewalls guarding your computers and routers. You religiously download security updates. You've done everything you can think of to stay secure. But your network is still at risk. Why? Because an employee could unwittingly give away the keys to the castle.

The biggest threat to a computer is not a hardware or software problem. It's social engineering. What it boils down to is this: someone will attempt to gain an employee's trust, then elicit information from that employee that puts everything at risk.

Social engineering relies on the fact that most people are nice. They want to be helpful. There's a natural inclination to lend a hand when someone has a problem. These attempts can be made over the telephone, via e-mail, or through instant messaging.

Larger organizations are especially at risk, because employees do not all know one another, and anonymity is important to the hacker. But small businesses can be victimized too; the little fish at a company can also be "gamed."

So let's look at four different social engineering situations -- and the ways to thwart them.

1. The caller isn't working on your network.

One of your newer employees gets a call from a computer repair technician. "My name is Joe Smith," says the technician. "Your company's network is having problems, and I'm working on it. I need you to type in some commands."

On the face of it, this is silly. Any legitimate repair tech is going to have access to the network, if that's what he needs. How else could he fix it? But the caller is playing on your employee's natural desire to be helpful. The employee is unlikely to understand the commands he is asked to enter. They may expose the structure of the network, or open a security hole.

The caller then asks the employee to enter commands that identify his desktop computer. "Aha," he says. "That's the machine that has been causing the problems. I'll need your username and password."
Once the caller has collected this information, you could have an identity theft problem. He has a route into your system, and he knows how your network is structured. If you have a database of customers and their credit card numbers, he may download it. Or he could get into your payroll system, where he'll find Social Security numbers. If your business is large enough, the caller could instead claim to be from the in-house IT department. Either way, the result is the same.

What to do? Train your employees never, ever to give out information to such callers. Computer repair personnel already have access to the network; if they don't, there's probably a good reason. And they should already have a password with system privileges, so they don't need an individual employee's password. At the very least, employees should check with a supervisor before disclosing sensitive information.

2. That e-mail isn't from Joe.

One of your employees gets an e-mail. It's from her friend Joe, and it has an attachment. Without giving it much thought, she opens the attachment. It's something unappealing, so she deletes the e-mail and forgets it.

Unfortunately, that attachment includes a Trojan horse. Your antivirus software should whack it. But maybe you haven't kept the antivirus software up to date. The Trojan could use a backdoor port in Windows to download more dangerous programs. These programs could find their way around your network, digging for credit card and Social Security numbers.

Employees should never open attachments they were not expecting. Legitimate return addresses are easily stolen by worms, so the fact that the e-mail bore Joe's return address is meaningless. If your employee wasn't expecting something from Joe, she should have checked with him before opening it.

3. When the hackers go "phishing," don't take the bait.

An employee gets an e-mail message saying that her eBay (or PayPal, Citibank, America Online, etc.) account has a problem.
She's told that she must go to a certain page for more information, and the spam includes a link. When she clicks the link, a page with the company's logo opens. It explains that her account will lapse unless she re-authorizes it, and then asks for her username and password. Or it may ask for a credit card number, or perhaps a Social Security number. Sometimes it requests her mother's maiden name (often used as a hint to get a password restored).

Your average crook isn't a Rhodes Scholar, so, early on, these schemes were unsophisticated. The "phishing" pages were poorly designed and often contained bad English, and their Web addresses clearly had nothing to do with the companies they supposedly represented. More recently, the pages have been much better designed. They often carry the logos of eBay or other companies, and you'll find links to the company's real pages. It's easy to be suckered.

So remember this: eBay isn't going to ask for a password. Neither will AOL or any other legitimate company. Delete all spam, including these pitches.

What, you may ask, does an eBay password have to do with my business? Just this: people often use the same password for everything. So the eBay password may also give access to your network, a bank account and other confidential areas.

4. You must protect your company.

A good security system will protect you technologically and socially. Your employees are there to do a job. They're probably overburdened, so they'll resist worrying about security. But you must train them never to give out sensitive information unless they are certain of the caller's identity, and never to open an attachment they were not expecting. (Do you think passwords are safe? In a London study, passersby were asked at random to give up their passwords in exchange for a candy bar. Seventy percent complied!)

But even the best-trained employees can be suckered. The desire to be helpful can lead them down the garden path.
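The phishing scenario above turns on one detail: the link's address belongs to someone other than the company the message claims to be from, even when the page carries the right logo and links back to the real site. As an added example (not part of the original article), here is a small Python check that flags every link in a message whose host is not the claimed company's domain or a subdomain of it; the message, the addresses and the ".test" name are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample of the kind of message scenario 3 describes.
# Every address is made up; ".test" is a reserved placeholder, not a real site.
SAMPLE_EMAIL = """Dear valued customer,
Your account will lapse unless you re-authorize it within 24 hours.
Please visit http://ebay.example-secure-login.test/verify?id=123
For help see https://www.ebay.com/help
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host: str) -> str:
    """Crude 'last two labels' rule (no public suffix list); enough for .com-style hosts."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def suspicious_links(text: str, claimed_domain: str) -> list[str]:
    """Return the URLs in text whose host is not claimed_domain or a subdomain of it.

    A lookalike host often *contains* the brand name (here 'ebay' as a
    subdomain) but is registered under a different domain, so the comparison
    is on the registrable domain, not on whether the brand string appears.
    """
    flagged = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        if registrable_domain(host) != claimed_domain.lower():
            flagged.append(url)
    return flagged


if __name__ == "__main__":
    for link in suspicious_links(SAMPLE_EMAIL, "ebay.com"):
        print("suspicious link:", link)
```

Mail filters apply the same idea to the sender's display name versus the real return address; the user-facing rule from the article still holds, since a link that passes this check can still lead to a page that asks for a password.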
Assume your system eventually will be invaded, and keep critical information walled off from most employees. Only those with a real need should have access to databases or payroll information.

Even if a worm gets into your system, it can be thwarted. If you religiously update your antivirus software and Windows, worms can be knocked out or blocked. Be sure the firewall in your router has been activated and properly configured.

Worm and virus technology is rapidly growing in sophistication. Coupled with social engineering, the threat to your company is very real. You must stay alert.