Saturday, February 05, 2005

Nontechnical threats 

Your Internet connection exposes you to bad guys all over the world, but after that you're in the most danger from the trash can and the phone.

The Internet's uniquely dangerous because attacks are automated and hundreds of millions of people can attack you. That's why you're a target of Internet attacks even if nobody's personally out to get you. Attackers can just twist every virtual doorknob in the virtual city.

Someone attacking you personally is less likely, but you can't overlook it. Ex-spouses? Stalkers? Investigators from a lawsuit? If you draw hostile attention from an actual human instead of from a computer program, that human's likely to try "social engineering".

"Social engineering" basically means taking advantage of people's trust. People trust that nobody will go through their trash cans looking for sensitive data. People trust that people on the phone are on the level. Con men violate both kinds of trust.

Feeling a little at sea? Here are some real-life examples of "social engineering" attacks, or you could rent the movie "Catch Me If You Can" about scamster Frank Abagnale. There's also a chilling but funny story about a loss prevention expert who showed a store manager that he could walk out with five computers he hadn't paid for and get the store personnel to help.

Kevin Mitnick, the well-known computer intruder, testified to the Senate that conning people worked so well he rarely had to resort to a technical attack. Mitnick's book, "The Art of Deception", gives many chilling accounts of plausible-sounding phone calls leading people to disastrous actions.

So, what can you do?

Keep a low enough profile that nobody takes a particular interest in you.

Buy a shredder. Use it for bank statements, phone lists, phone logs, or any information that could help someone bluff his way in.

Stay small enough that everyone in your company knows everyone else. If you get bigger than that, hire someone to train your people about resisting con jobs.
