You've probably seen the news items about “hacktivist” groups like Anonymous and LulzSec, breaking into police-related networks, stealing officers' personal information and posting it for all the world to see. Unfortunately, these are not isolated incidents. Activists of many stripes are unhappy with government, and police as government's enforcement arm are an easy scapegoat.
Certainly, those who build and maintain a law enforcement agency's website should know how to protect data. And agency leaders should be pushing to learn about, and reinforce, the importance of keeping their data secure.
But there's more to keeping your data safe than hardening your websites and networks. Hacking is only one form of stealing massive amounts of personal data. There are other forms, too—and those, you have much more control over.
How social engineering circumvents good online safety practices
Heard the terms “phishing,” “spear phishing,” “smishing,” and so on? Then you've heard of social engineering. But what do those terms actually describe, and how do they work?
Phishing is a technique criminal hackers use to obtain personal information, which they then use to guess passwords and security-question answers, or to break directly into bank and social networking accounts. Spear phishing is similar but targeted: the message is tailored to a specific person or organization, usually to obtain proprietary or confidential information. Both rely on email, social media, or instant messages that appear to come from trusted sources; smishing is phishing that uses mobile text (“short message”) services.
The key point: the messages appear to come from trusted sources. Social engineering is not like other forms of data theft such as dumpster diving, shoulder surfing, and covert surveillance (think ATM skimmer-camera combinations), which take information without the victim's participation. Instead it exploits human emotion (guilt, pleasure, indignation, joy, and so on) to get you to do the work yourself: click a malicious link, or give up information to whomever you're talking to. That's why it's one of the most reliably successful “hacks” cybercriminals use.
By now, most people know enough not to click the link in the email that professes to come from their bank, eBay, or African royalty. But in the years since those emails first became popular—and by the way, they do still work—phishers have become a lot savvier.
Consider the one that I myself almost fell for a couple of weeks ago, when a Facebook friend posted a message about 4 free Southwest airline tickets. The link used the Southwest logo, came from someone I trusted (I'm very particular about whom I allow into my network), and played on my deep desire for a real family vacation. The only clue that it was fake? The end of the URL. Rather than coming from Southwest.com, it came from a .cc.co domain—the country code for an Australian island territory.
My friend deleted the link after I alerted her, and I changed my Facebook password just to be on the safe side. But it was disquieting to realize how easy it is to fall for online scams, just because they're attached to a name and picture(s) you trust, and they don't look out of the ordinary for that person to post.
Protecting yourself from social engineering
Check link URLs. A link that should be a .com, but is instead .cn, .ru, .kr, or some other unusual combination, is one clue that something may be amiss. So are misspelled URLs (check carefully, including your own typing). What matters is the part of the address just before the first single slash, read from the right: southwest.com.example.net belongs to example.net, not Southwest, no matter how familiar the left-hand part looks. Hover over a link before clicking, because the text you see and the address it actually goes to need not match. And while a lot of businesses use different domains for particular microsites (Southwest.com also has SouthwestVacations.com, for instance), social engineers register lookalike domains of their own. This is called “cybersquatting” or, for misspellings, “typosquatting,” and although many companies are vigilant about protecting their trademarks, many others don't even know their names are being impersonated. That can leave you vulnerable to anything from having personal data stolen, to buying counterfeit products.
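The checks above, and the “look at the end of the URL” lesson from the Southwest story, can be turned into a small program. The following is an added example and is not code from the original column; it uses only the Python standard library. The brand allow-list, the stand-in for the public suffix list, and every sample link are constructed for illustration; only southwest.com and southwestvacations.com are named in the article.

```python
from __future__ import annotations

import re
from urllib.parse import urlparse

# Brands and the registrable domains they really use. southwest.com and
# southwestvacations.com are named in the article; anything else you add
# here is your own allow-list.
TRUSTED = {
    "southwest": {"southwest.com", "southwestvacations.com"},
}

# Assumption: a tiny stand-in for the Public Suffix List so that
# "example.co.uk" is split correctly. A real tool should load the full list.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.nz", "co.jp", "com.br"}


def registrable_domain(host: str) -> str:
    """Return the part of a hostname that a registrant actually controls.

    www.southwest.com          -> southwest.com
    southwest.com.evil.example -> evil.example  (the brand is only a subdomain)
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small value between names means a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(href: str, brand: str, display_text: str = "") -> tuple[str, str]:
    """Classify a link as 'ok', 'suspicious' or 'reject', with a reason.

    `brand` is the company the message claims to be from. `display_text` is
    the visible anchor text, if any, so that "shows one site, goes to another"
    can be caught.
    """
    parsed = urlparse(href.strip())
    if parsed.scheme not in ("http", "https"):
        return "reject", f"unexpected scheme {parsed.scheme!r}"
    host = parsed.hostname or ""          # strips userinfo, port and case
    if not host:
        return "reject", "no hostname in link"
    if parsed.username is not None:
        return "reject", f"text before '@' is decoration; the real host is {host}"
    if "xn--" in host or any(ord(ch) > 127 for ch in host):
        return "reject", "internationalised hostname; possible homograph of a brand"
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
        return "reject", "raw IP address instead of a domain name"

    domain = registrable_domain(host)

    # Visible text that looks like an address must agree with the destination.
    if display_text:
        shown = display_text.strip()
        shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname
        if shown_host and registrable_domain(shown_host) != domain:
            return "reject", f"text shows {shown_host} but link goes to {domain}"

    if domain in TRUSTED[brand]:
        return "ok", f"{domain} is a known {brand} domain"

    # Brand name present but somebody else owns the registrable domain:
    # southwest.cc, southwest-tickets.cc.co, southwest.com.evil.example.
    if brand in host:
        return "reject", f"{brand!r} appears in the name but {domain} is not theirs"

    # Close misspelling of a trusted name: southwset.com, sounthwest.com, ...
    first = domain.split(".")[0]
    for good in TRUSTED[brand]:
        if edit_distance(first, good.split(".")[0]) <= 2:
            return "reject", f"{domain} is a near-miss of {good}"

    return "suspicious", f"{domain} is unrelated to {brand}; verify before clicking"


if __name__ == "__main__":
    # Constructed sample links, including the shape of the one in the story.
    for href in ("https://www.southwest.com/flights",
                 "http://southwest-free-tickets.cc.co/claim",
                 "https://southwest.com.evil.example/login",
                 "https://southwset.com/login",
                 "https://southwest.com@evil.example/"):
        print(href, "->", classify_link(href, "southwest"))
```

The decisive test is `registrable_domain`: it throws away everything to the left of the name somebody had to register, which is why a brand name in a subdomain or in the text before an `@` earns no trust. The two-label suffix set is deliberately small; for production use, load the real Public Suffix List, and treat the `edit_distance` threshold as a tuning knob rather than a rule.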