Hacker's polite approach works like a charm
The intruder first called the firm and found out what time the staff broke for lunch. When he turned up, he saw just one person manning three security desks. And by just being polite and charming, he got a visitor's pass. What's more, he said he had a medical condition that required him to use the restroom, and the security officer gave him an executive pass to use it - without checking his identity. He used the pass to enter the executive offices where highly classified information was stored.

The 'intruder' was Dr Ron Davis, 56, an American information technology and computer security consultant who had been hired by the firm to test its security effectiveness. He said what he had done at the firm four weeks ago was called social engineering, which he defined as subtly manipulating people into giving out information with or without their knowledge.

Dr Davis has more than 30 years' experience in IT and security, and his firm, Mile2, offers training and consultancy. He believes hackers can use such techniques to gather information for computer attacks. A lot of information about a firm's operations is easily available. And sometimes, all a hacker may need to do is to keep his ears open. Dr Davis says he has walked past tables in bars and pubs and overheard professionals carelessly reveal computer system passwords during happy hours.

Last year, he said, computer fraud, including cases in which some kind of 'social engineering' was used, cost US$8.9-10.9 billion ($15-18.4b) worldwide, largely from the loss of data like company expansion plans, secret drug formulas and corporate takeover strategies. There may also be attacks that are not reported as they might affect staff morale and cause share values to drop. He said: 'Many firms prefer to absorb the loss and keep the attack out of the news to save face. If a firm cannot be trusted to keep important information during a telephone conversation, who will work with it?'
'Sleepers'

Those who use such techniques can have political or religious aims and can be placed in sensitive positions as 'sleepers' for long periods to gain trust, Dr Davis said. When activated, they can pass on passwords and other sensitive information with which computer systems can be entered and destroyed.

Computer security is not taken lightly in Singapore. Mr Alex Siow, chairman of the National Infocomm Competency Centre, said the Infocomm Development Authority held a Security and Trust Month last year to promote the importance of Internet security, and an infocomm security seminar in February. The Singapore Computer Emergency Response Team has also organised seminars on online security. But Mr Siow said firms here should do more and have mock tests to assess vulnerability to social engineering techniques.
Reproduced from an article published by Asia1.com
© Asia1.com
The original article can be viewed here:
http://newpaper.asia1.com.sg/top/story/0,4136,74378,00.html