Social Engineering

Anyone who has had their computer infected by a computer virus in the past will be wary of unexpected e-mails that may contain viruses. So why do computer users still open e-mail attachments or download files and software that can so easily damage their computer systems? The criminals who writecomputer viruses and malware have quickly realised that no matter what security software and systems are used to protect computers, human nature will always remain the weakest link in the chain.

In the field of computer security, social engineering is the practice of conning people into revealing sensitive data on a computer system, often on the Internet. With the profusion of poorly secured computers with known security holes connected to the Internet, the majority of security compromises are now done by exploiting such; however, social engineering attacks remain extremely common and are a way to attack systems protected against other methods – for instance, computers which are not connected to the Internet. It is an article of faith amongst experts in the field that “users are the weak link.”

A contemporary example of a social engineering attack is the use of e-mail attachments that contain malicious payloads (that, for instance, use the victim’s machine to send massive quantities of spam). After earlier malicious e-mails led software vendors to disable automatic execution of attachments, users now have to explicitly activate attachments for this to occur. Many users, however, will blindly click on any attachments they receive, thus allowing the attack to work.

Perhaps the simplest, but still effective attack is tricking a user into thinking one is an administrator and requesting a password for debugging purposes. Users of Internet systems frequently receive messages that request password or credit card information in order to “set up their account” or “reactivate settings” or some other benign operation in what are called phishing attacks. Users of these systems must be warned early and frequently to not to divulge sensitive information, passwords or otherwise, to people claiming to be administrators. In reality, administrators of computer systems rarely, if ever, need to know the user’s password to perform administrative tasks. However, even this might not be necessary – in an Infosecurity survey, 90% of office workers gave away their password in exchange for a cheap pen.

It is important to note, however, that its not always so direct. One of the biggest problems in Windows computers is spyware, which is malicious software in which the user runs executable code that promises to do something but does other tasks in the background. This typically happens by offering a downloadable program which does a task (Weatherbug, for example), or via the internet by secretly inserting code intended to exploit holes in the user’s system security.

“Social Engineering (Computer Security)” Wikipedia: The Free Encyclopedia.