It’s good to be an information miser
02.13.2007 - 5:00 PM
Why bad guys get paid more to socialize with a prospective victim
Kevin Mitnick, the famous computer criminal who is now a security consultant, has attributed many of his successes at breaking into systems to his ability to trick people into giving up their passwords. He popularized the term "social engineering" and noted that it is much easier to trick someone into giving up sensitive information than it is to break into a system with technical skills alone.
Hmm, let’s see. I could attack SHA-1 with roughly 2^69 (that’s 5.9029581035870 x 10^20) hash computations -- and that only buys me a collision, not your password -- or . . . I can just talk to you about beer and ice hockey while I stand over your shoulder and watch you type your password. Tough call.
The surge in popularity of "Web 2.0" websites has shown, among other things, that people place a higher value on cool new widgets and ease of use than on security (security is an afterthought -- oh yeah, it’d be nice to be safe too). The very definition of Web 2.0, from the person who coined the term (Tim O’Reilly), does not mention security at all.
Pretending to be someone else is popular
Here at Websense, we’re constantly on the lookout for emerging threats on the web -- a subset of which are Phishing attacks. The irony of the Web 2.0 trend is its increased emphasis on aesthetics, the look and feel of a site, when aesthetics is exactly why Phishing attacks are so lucrative and successful. Polished, easily copied page designs make pretexting (pretending to be someone else in order to gain something) of another’s online presence simple and convincing: the attacker needs only a convincing copy of the look, not of the backend.
Dude, I saw someone with your password. Err, what’s your password again?
StolenID Search is a search engine that, if given a credit card number or social security number, will tell you if the identity-theft black market has your personal information. The cause is one of good intent, giving many people the opportunity to learn if their credit card information is being traded freely on the underground marketplace, where identity thieves meet to talk business.
As more identity-theft search engines gain widespread acceptance, it is inevitable that identity thieves will set up Phishing sites that look exactly like these identity-theft search engines, to harvest -- you guessed it -- social security numbers and credit card numbers. A site whose whole purpose is to accept a full SSN or card number is a perfect pretext, because the victim expects to be asked for exactly that.
In our race for security on the web, it’s important to remember that the more forms of sensitive information we are willing to transmit over the web, the more variants of Phishing attacks we will have to watch out for.
Hypothetical question: Does the benefit (such as finding out if someone copied your DNA sequence for illegal use in human cloning) outweigh the risk (such as the risk of giving away your DNA sequence to a third party for verification in the first place, thus transmitting your information over an inherently insecure medium)?
The information pie: one piece at a time
It’s just what identity thieves ordered for lunch: your information. For less than the price of an iPod ($78-$294), a criminal can buy access to a person’s personal information. This could include your account number, mailing address, Social Security number, or birth date (Source: Trend Micro via InformationWeek). A great deal of your information is already out there, but "yeah, sure," you already knew that. But have you ever thought about meta-information, or information that subtly gives away more than one would think?
Did you know that:
- Using the first 3 digits of your Social Security number (the "area number"), one can tell which state the number was issued in (and so, quite possibly, where you live), because until the SSA randomized assignment the area number was allocated by the applicant’s mailing address?
- Using the first 6 digits of your credit card number (the Bank Identification Number, or BIN), one can tell which card network the card is on and which bank issued it, even when the rest of the number is masked?
There are many other examples of information from which you can logically infer additional information.
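To make the two inferences above concrete, here is an added example in Python. It is not part of the original post and not Websense code: it maps an SSN’s area number to the issuing state under the SSA’s pre-2011 allocation scheme, identifies a card’s network (and, for one hypothetical issuer entry, the bank) from its BIN, Luhn-checks the number, and shows that the common "first six, last four" receipt mask still exposes the BIN. The SSN table is a small subset of the published allocation; the issuer entry for BIN 411111 is invented for illustration, and the sample numbers are the standard test numbers and the well-known "Woolworth wallet" SSN, not real accounts.

```python
"""Inferring metadata from partial identifiers (added example, not from the post)."""
import re

# Pre-June-2011 SSA "area number" (first three SSN digits) -> issuing state.
# Small subset of the published allocation table, for illustration only.
SSN_AREA_TO_STATE = [
    ((1, 3), "New Hampshire"),
    ((4, 7), "Maine"),
    ((8, 9), "Vermont"),
    ((10, 34), "Massachusetts"),
    ((35, 39), "Rhode Island"),
    ((40, 49), "Connecticut"),
    ((50, 134), "New York"),
    ((135, 158), "New Jersey"),
    ((159, 211), "Pennsylvania"),
    ((545, 573), "California"),
]

# Card-network prefixes (real) plus one HYPOTHETICAL issuer-level BIN.
# A real BIN database has hundreds of thousands of issuer entries.
BIN_TABLE = [
    ("4", "Visa"),
    ("34", "American Express"),
    ("37", "American Express"),
    ("51", "Mastercard"),
    ("52", "Mastercard"),
    ("53", "Mastercard"),
    ("54", "Mastercard"),
    ("55", "Mastercard"),
    ("6011", "Discover"),
    ("411111", "Visa / Example Bank (hypothetical issuer BIN)"),
]


def _digits(s):
    """Strip everything that is not a digit (dashes, spaces, mask characters)."""
    return re.sub(r"\D", "", s)


def ssn_issuing_state(ssn):
    """Return the state an SSN was issued in, or None if the area is unknown."""
    d = _digits(ssn)
    if len(d) != 9:
        raise ValueError("an SSN has nine digits")
    area = int(d[:3])
    for (lo, hi), state in SSN_AREA_TO_STATE:
        if lo <= area <= hi:
            return state
    return None


def luhn_valid(pan):
    """Luhn check digit test: true for a structurally valid card number."""
    d = _digits(pan)
    if len(d) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(d)):
        n = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def card_issuer(pan_or_mask):
    """Longest-prefix BIN lookup. Works on a full PAN or on a mask such as
    '411111******1111', since only the leading digits are consulted."""
    lead = re.match(r"\d*", re.sub(r"[\s-]", "", pan_or_mask)).group(0)
    for prefix, name in sorted(BIN_TABLE, key=lambda t: -len(t[0])):
        if lead.startswith(prefix):
            return name
    return None


def mask_pan(pan):
    """The usual receipt mask: first six and last four digits kept."""
    d = _digits(pan)
    return d[:6] + "*" * (len(d) - 10) + d[-4:]


if __name__ == "__main__":
    # Constructed inputs: the famous Woolworth wallet SSN and standard test PANs.
    for ssn in ("078-05-1120", "001-01-0001"):
        print(ssn, "->", ssn_issuing_state(ssn))
    for pan in ("4111 1111 1111 1111", "378282246310005", "5555 5555 5555 4444"):
        masked = mask_pan(pan)
        print(pan, "luhn:", luhn_valid(pan), "issuer:", card_issuer(pan),
              "| masked:", masked, "still reveals:", card_issuer(masked))
```

The masked form gives away exactly as much about the issuer as the full number does, which is why "we only show the first six and last four" is not a privacy argument, only a fraud-limiting one.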
Hypothetical question: Many online merchants ask you to tell them your pet’s name for password retrieval purposes. If your pet’s name is enough to retrieve your password, then it is effectively a second password and should be guarded just as closely. Nobody (in his or her right mind) would reveal a personal password to strangers, but how many of us would hesitate to tell the world our pet’s name on a social-networking site like MySpace or Friendster?

Sorry, but my policy is based on "the need to know" (and you don’t)
The gym I frequent recently implemented a system where employees can verify my identity and membership by my fingerprints and a PIN, instead of my handing them a membership card for a barcode scan. I politely declined, citing privacy concerns over giving up my fingerprints. It wasn’t because I don’t trust the company, but because I applied the principle of least privilege. This really just means that I’ll give up my fingerprints "on a need-to-know basis" -- a principle practiced by all good system administrators. (A password can be changed after a breach; a fingerprint cannot.)
In summary, when running your errands on the web (or in real life, for that matter), always question the party requesting data about your identity. Don’t be generous when it comes to your identity information. Be an information miser.
If you find it difficult to say "NO!" to the common scam artist, keep in mind that the Websense anti-Phishing net is a wide one. We’ve got your back.