"Hello, I'm Tom from the technical support department. We encountered a database server problem and data was lost. We have recovered most of the information, but we need to verify some details from you. Can you tell me your user account and password so that I can verify against my screen now?" A male voice echoes from the handset of Mary, the executive secretary of the marketing director at BigCorp. How would Mary react in this scenario?

Such cases are not uncommon. In fact, many conceptually parallel scenarios have happened consistently over the past few years around the world. Many of the affected organizations are very large, with thousands or tens of thousands of employees. It is often difficult to ascertain just who is really calling, writing, or e-mailing.

This is the threat of social engineering. And the threat is very real because social engineering does not even require technical skills, unlike true coders and crackers.

Parlor Trickery

Many tricks used by social engineering crooks are easily spotted, if you are prudent. Starting from the top, many employees fail to shred documents. Most people just crumble documents and fling them into the bin, allowing determined crooks to find sensitive information that can enable them to probe or even enter your network.

Another rather common trick crooks use involves passwords. It is not uncommon that network administrators design unwieldy passwords for users, only to find that users stick them on the monitors, and such.

When social engineering crooks, disguised as parcel delivery agents or technicians walk in, they simply hop from cubicle to cubicle to search for the infamous Post-It notes sticking on monitors. Nothing can be simpler than that! And if the network administrators allow the users to change the passwords, the passwords are often simplistic ones that brute-force cracking will easily circumvent.

Another trick crooks use is to pretend to be new users of the computer system. They would call up the technical support department and ask for help in "configuring their computers". Should a naïve engineer or help desk employee spill the beans, the crooks would walk away with administrative details of at least one workstation.

And if the impostor knows that there may be analogue modems connected to phone lines, and also knows the public telephone number of the company, he could set a war dialing software to call all phone numbers until a phone line answers with modem handshaking. Then the crook may use remote access software such as PCAnywhere and Timbuktu to gain access to workstations.

Spam can also be a tool some crooks use to gain user information. For example, by sending a sweepstakes or prize-winning competition e-mail to unsuspecting users, they may be able to get the users to key in their passwords at a Web site. Since many users use the same passwords for their computers as they would online, the crooks may use the passwords, combined with the default user account names and the domain name, to gain access into the network.

What Would You Do?

Being aware of these often overlooked vulnerabilities will allow you to formulate simple, but effective policies, such as making sure visitors and service personnel have visitor tags and are escorted. For network security, disable or remove internal or external modems associated with network PCs.

In addition, besides not allowing users to post passwords on their monitors, a security policy should also force users to validate passwords and change new passwords at specified periods. If possible, all phones should be upgraded to reflect the caller ID. This will reduce the possibility of outside callers pretending to be employees. This is not foolproof, but if you enforce the policy of denying physical access to outsiders, this technique will be complementary.

Last, but not least, ensure all sensitive documents are shredded. Desk-side shredders go for less than US$50 these days, and it should be no excuse not to buy one for every department.

Dr. Seamus Phan is a world-renowned authority on the technical security aspects of the Internet. Dr. Phan serves the BWW Society as Founder and Chairman of the Internet Security Committee, which is designed and conceived to gather and share information on the latest computer and Internet threats, to provide immediate information on technology’s newest developments in the prevention of Internet-related security problems, and to increase and enhance all forms of Internet Security.