Social engineering is the attempt to gain access to sensitive data (such as passwords, usernames and credit card numbers) by gaining trust. This method of gaining access to a system is very popular among hackers. It is often surprisingly easy and even more often successful. THIS IS PROBABLY THE MOST SUCCESSFUL AND MOST USED METHOD OF GAINING ENTRY TO ACCOUNTS!

Here's how it works. You might receive a phone call from a representative of your computer company claiming there is a problem which requires immediate attention. He may offer to come right over and fix it (or, in a variation, he might send you a disk in the mail). Of course, while he is there, he reboots your system with a "diagnostic" floppy inserted into the drive. When the "tests" are done you will be relieved to find out from him that nothing is wrong with your system. Naturally, you were just infected with a Trojan horse which gives this stranger complete access to your system and all of your data files.

A more common social engineering scheme (especially on America Online) is to send out an email which says there is a problem with your account. Would you please send your username and password by return email so it can be fixed? Or perhaps you are asked to visit a web site, which naturally requires you to log in with your username and password. You might be asked to call a phone number, where the very official sounding person on the other end will just want to verify that your account is yours by getting your credit card data.

An example of a standard social engineering attack is shown below.

From: [email protected]
To: [email protected]
Subject: Account Compromised

We have detected a major security breach to several accounts on our network.
While we do not believe that your account was among those compromised by hackers, we recommend that you check your account data immediately. To verify your account, just visit the following URL: http://www.yourISP.Com/security/view.htm

Login to your account and check your data. Make special note of the last login data and time. If anything appears to be incorrect, please send an email to security using the link at the bottom of the page.

Thanks for your immediate attention.

YourISP security

When you visit the site it shows a username and password prompt. You enter your username and password, which sends you to an "incorrect password - try again" screen. You hit the "continue" button, which places you on the REAL ISP site. Now when you enter your username and password, you are, of course, logged in. You are greatly relieved to find that your account data has not been changed and think nothing else of the issue. Of course, you just gave your username and password to a hacker!

And that's all that social engineering is about - gaining your trust, getting your vital data, and abusing that data.

How do you protect against this? Be aware that it exists and don't respond to these kinds of things. If someone asks you for your password, then tell them to buzz off. Nobody needs to know your password for any reason. Let me repeat: DO NOT GIVE OUT YOUR PASSWORD TO ANYONE FOR ANY REASON. THERE IS NOT A VALID REASON FOR ANYONE TO NEED IT. If the person who asked really works where he says he works, then believe me, he can ALREADY get to your account. Why on earth would he be asking you for your username and password?

If you think the email or whatever might be accurate, then call the ISP or navigate to their site yourself (don't use anything from the email or letter that you received - use the menus and screens provided by the ISP). For example, say you get a letter from your ISP saying to change your password immediately. It has a phone number and URL. Throw the letter away without reading either.
Now, find your ISP's phone number and URL yourself - perhaps in your browser help menu or in the manual or letter that arrived when you signed on. This bypasses anything that might be wrong in the letter or email that you received.

If you do suspect that you've received a social engineering attack, be sure that you notify your ISP, MIS department or whoever needs to know. The only way this kind of criminal can be caught is if the crime is reported quickly and accurately.