You've probably seen the news items about “hacktivist” groups like Anonymous and LulzSec, breaking into police-related networks, stealing officers' personal information and posting it for all the world to see. Unfortunately, these are not isolated incidents. Activists of many stripes are unhappy with government, and police as government's enforcement arm are an easy scapegoat.
Certainly, those who build and maintain a law enforcement agency's website should know how to protect data. And agency leaders should be pushing to learn about, and reinforce, the importance of keeping their data secure.
But there's more to keeping your data safe than hardening your websites and networks. Hacking is only one form of stealing massive amounts of personal data. There are other forms, too—and those, you have much more control over.
How social engineering circumvents good online safety practices
Heard the terms “phishing,” “spear phishing,” “smishing,” and so on? You've heard of social engineering. But what do those terms actually describe, and how do they work?
Phishing is a technique criminal hackers use to obtain personal information, which they then use to guess passwords and security-question answers, or to break into bank and social networking accounts by other means. Spear phishing is similar, but aims at proprietary or confidential information from specific organizations. Both rely on email, social media, or instant messages that appear to come from trusted sources; smishing is phishing carried out over mobile text (“short message”) services.
The key point: the messages appear to come from trusted sources. Social engineering differs from other forms of data theft, such as dumpster diving, shoulder surfing and covert surveillance (think ATM skimmer-camera combinations), in that it exploits human emotion—guilt, pleasure, indignation, joy, and so on—to get you to click malicious links or hand over information to whomever you're talking to. That's why it's one of the most common successful “hacks” that cybercriminals use.
By now, most people know enough not to click the link in the email that professes to come from their bank, eBay, or African royalty. But in the years since those emails first became popular—and by the way, they do still work—phishers have become a lot savvier.
Consider the one that I myself almost fell for a couple of weeks ago, when a Facebook friend posted a message about 4 free Southwest airline tickets. The link used the Southwest logo, came from someone I trusted (I'm very particular about whom I allow into my network), and played on my deep desire for a real family vacation. The only clue that it was fake? The end of the URL. Rather than coming from Southwest.com, it came from a .cc.co domain—the country code for an Australian island territory.
My friend deleted the link after I alerted her, and I changed my Facebook password just to be on the safe side. But it was disquieting to realize how easy it is to fall for online scams, just because they're attached to a name and picture(s) you trust, and they don't look out of the ordinary for that person to post.
Protecting yourself from social engineering
Check link URLs. A link that should be a .com, but is instead .cn, .ru, .kr, or some other unusual combination, is one clue that something may be amiss. So are misspelled URLs (check carefully, including your own typing). And while a lot of businesses use different domains for particular microsites—Southwest.com also has SouthwestVacations.com, for instance—social engineers may register lookalike domains. This is called “domain squatting,” and although many companies are vigilant about protecting their trademarks, many others don't even know their sites are being hijacked. That can leave you vulnerable to anything from having personal data stolen, to buying counterfeit products.
Create strong passwords, one per site. At one time, I used a series of passwords that mashed up names and interests from my distant past. That made them harder to guess, but even so, I've taken to using a free software program, KeePass (recommended to me by a retired, security-conscious LEO friend), to randomize and store my passwords on my local hard drive. That way, not only is it easier for me to use the recommended long letter-number-character gibberish strings; it's also easier for me to use one password per site.
Limit the people you connect with, and know who they are. Many LEOs I know have strict “friends, family and close colleagues” rules on Facebook; some don't even connect with colleagues there, preferring LinkedIn or Twitter for that purpose. In any case, knowing whom you connect with—whether in person, or having interacted with them enough online to trust them—can help you recognize the times when something seems “off” about their communication.
Open networking can help you find new job opportunities, career paths and business partners. But it has its down sides, too. Google “Robin Sage” and you'll find information not just on the U.S. Army Special Forces training exercise, but also on a cyber threat experiment that exposed a worrisome trend among military and security personnel: if a friend request came from an attractive female who worked in a similar industry, they'd connect with her, even if they didn't know her personally.
Wisely, a few of them did try to verify “Robin's” identity by calling the phone number associated with her account, or seeking her out through the MIT alumni association she professed to be part of. And neither FBI nor CIA personnel ever friended her. But many others granted her (actually, security specialist Thomas Ryan) access to parts of their lives that were pretty sensitive.
- Continue to limit the amount of personal data you put online (even if you do lock down all your accounts to private).
- Turn geolocation off for every social networking and mobile phone application you have. Disable geotagging for the digital photos you take.
- Don't respond to, or click links in, email, text messages, or instant messages that ask you to provide personal information. Your financial institutions and service providers will not do this.
- Know whom you friend, and who your friends are.
- Notice when your friends just don't seem like themselves, especially when they send you links that don't seem typical for them, or if they ask you for something out of the ordinary.
- Be wary of all requests for connections, whether via instant messaging, LinkedIn, Facebook, or other sites. Verify that the person requesting is who they say they are.
It may seem like extra work. But just like training and practice can make you more observant and thus safer in the field, teaching yourself to practice information security can achieve the same result online—and offline too.
Got other tips on protecting yourself from social engineering attempts? Leave them in comments below!
About The Author:
Christa M. Miller is a freelance writer based in Greenville, S.C. She specializes in law enforcement and digital forensics and can be reached at firstname.lastname@example.org.