Hacking is painfully easy: Anybody can be you!
Having taken the day off, I was at home sound asleep. The phone rang around 10am. I did not bother to pick it up. It stopped ringing and I became half aware that it was received by our maid.
What completely took me by surprise and made me leap towards full consciousness was her conversation with the other person on the line. This is what I heard her saying:
"There is no one at home right now apart from chotay sahib. Choti bibi is in her room sleeping. Baray sahib left in the morning to drop chotay miyan and hasn't come back yet."
I approached the woman while this was taking place and asked who she was talking to. I was told that the caller “sounded like” one of my cousins, so she was telling him these things. I took the receiver from her and muttered a greeting. The person on the other end hung up.
With shivers down my spine, I contemplated who this individual (calling from an unidentifiable number) could have been. It could have been anyone - a marketer, a potential burglar - but one thing was for sure: this person was a "social engineer".
Social engineering is the art of using social means to manipulate people into performing certain actions or divulging information that one is not privy to. It is one of the most dangerous forms of hacking as it does not require any real technical skills. We all do it at some level in our lives for different reasons. When used by professionals, however, it becomes a different ball game altogether. In this case, the inner workings of my household were exposed as someone led our maid into thinking that he was part of the family.
Most of the major break-ins by Kevin Mitnick, dubbed the "most dangerous hacker in the world", were carried out through social engineering.
Let's study a case.
It can happen to anybody:
Shazia is a successful journalist. She is greatly fond of books. Her recent articles were not received well within the corridors of power. She goes to the Karachi Literature Festival and meets a lot of people. She exchanges the names of her favourite books and authors with someone.
She reaches home and realises that all her accounts are inaccessible. Her inbox rejects her login and password as incorrect. She has just been hacked.
What was compromised?
Her inbox was used to reset the passwords of all the services she was using, including Gmail, Twitter, Facebook and other email services.
Shazia had pictures of her family and herself on Picasa, some of them meant for her eyes only, along with video clips. She was helping a friend with filing a patent. She was communicating with her psychologist over email. Intimate conversations with her significant other could also be found in the chat section. All the places she visited, including the homes of her friends and relatives, were marked on her Google Maps. Since location history was also activated on her phone, her daily route could be charted. The locations of her home and workplace were compromised, down to the station where she bought fuel. Her mailbox also contained the articles she was working on, and the identities of the witnesses contributing to her work were revealed. Scans of her NIC, passport, property documentation and online-banking credentials were also uncovered.
So basically, it was Shazia’s life and career on the line. They got everything.
What happened and most importantly how:
The “secret question” to Shazia’s inbox was “What is the name of the third book on my shelf?”
When she casually exchanged the names of her favourite books and authors, little did she know the intentions of the person she was talking to. That person tried answering the question with the information acquired, and presto! He had just "socially engineered" his way into all of Shazia's secrets.
How can I save myself from what happened to Shazia?
Things to avoid:
- Posting personal information where it is publicly visible. Check your profiles on social networks, albums on Facebook, timeline on Twitter, and posts on public forums. Ensure that the information is either private or, if public, not personally compromising. Do a Google search about yourself and be amazed.
- Having the same password for all accounts.
- Linking all accounts to one email address for recovery purposes. If you must, enable two-factor authentication. You can also use your cell phone for password resets in some cases.
- Choosing guessable passwords. Most people choose passwords that include their aliases, the names of their children, or their date of birth. This makes them highly susceptible to social engineering. One needs to choose a password that is randomly generated and hard for a third party to grasp. Using a password generator is the best choice. You can try one here.
- Using public computers. Workstations at public places like hotels, airports, internet cafes, computer labs and the likes are swarming with malicious software that may steal information which could later be used to access your accounts.
- Writing down your password in or around the place you work, on a piece of paper, in a diary, wallet, or even your cell phone. Your password needs to be "up there" in your head.
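The list above, and the "secret question" that undid Shazia, come down to two habits: never derive a password (or a recovery answer) from facts other people can learn about you, and never reuse one across accounts. The following added example (not from the original article) shows both sides in working Python: generating passwords and passphrases from the operating system's random source, and checking a candidate password against the kind of personal facts the article warns about. The sample facts, the short wordlist and the account list are constructed for illustration; a real passphrase generator should use a full wordlist such as a diceware list.

```python
import secrets
import string
from datetime import date

# Constructed sample of the personal facts the article warns against using:
# names, children's names, date of birth, favourite books. Hypothetical data.
SAMPLE_FACTS = {
    "names": ["Shazia", "Ahmed", "Sara"],
    "birthdate": date(1985, 3, 14),
    "favourite_books": ["Moth Smoke", "The Reluctant Fundamentalist"],
}

# Deliberately short, constructed wordlist; use a full diceware-style list in practice.
WORDLIST = ["lantern", "orbit", "copper", "meadow", "velvet", "ember",
            "summit", "quartz", "harbour", "pebble", "cinder", "willow"]

MIN_FRAGMENT = 4  # fragments shorter than this ("the", "ali") would match almost anything


def personal_fragments(facts):
    """Expand personal facts into the lowercase substrings a guesser would try first."""
    frags = set()
    for name in facts.get("names", []):
        frags.add(name.lower())
    for title in facts.get("favourite_books", []):
        frags.add(title.lower().replace(" ", ""))   # whole title squashed together
        for word in title.split():                   # and each word on its own
            frags.add(word.lower())
    dob = facts.get("birthdate")
    if dob:
        frags.update({
            dob.strftime("%Y"),        # 1985
            dob.strftime("%d%m%Y"),    # 14031985
            dob.strftime("%d%m%y"),    # 140385
            dob.strftime("%d%m"),      # 1403
            dob.strftime("%m%d"),      # 0314
        })
    return {f for f in frags if len(f) >= MIN_FRAGMENT}


def personal_info_in_password(password, facts):
    """Return the personal fragments found in the password; an empty list means none."""
    lowered = password.lower()
    return sorted(f for f in personal_fragments(facts) if f in lowered)


def reused_passwords(account_passwords):
    """Group accounts that share a password; any group of two or more is a reuse problem."""
    by_password = {}
    for account, pw in account_passwords.items():
        by_password.setdefault(pw, []).append(account)
    return [sorted(accounts) for accounts in by_password.values() if len(accounts) > 1]


def generate_password(length=16):
    """Random password from the OS CSPRNG with at least one lower, upper, digit and symbol."""
    if length < 4:
        raise ValueError("length must be at least 4 to hold one of each character class")
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)):
            return pw


def generate_passphrase(words=5, wordlist=WORDLIST):
    """Random words joined by hyphens: easier to remember than a symbol soup."""
    return "-".join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    weak = "Shazia1985!"
    print("personal info in", weak, "->", personal_info_in_password(weak, SAMPLE_FACTS))
    # Constructed account list: the same password on the inbox and Twitter is the
    # exact situation that let one reset cascade into every other account.
    accounts = {"gmail": "Shazia1985!", "twitter": "Shazia1985!", "bank": "Tq7$vLm9#wXz"}
    print("reused across:", reused_passwords(accounts))
    print("generated password:", generate_password(16))
    print("generated passphrase:", generate_passphrase())
```

The personal-fact check is the same test a social engineer runs in reverse: if a password or a recovery answer contains anything that came up in casual conversation, it fails. The reuse check is what makes the "one inbox resets everything" chain visible before an attacker finds it.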
Your information with organisations:
This is an area where your voice matters.
Exchanging personal information to acquire products and services has become pervasive in our daily lives. As a customer, it is your right to ask whether your information is safe. Numerous organisations holding a wealth of private customer data deliver products and services over the phone and the internet, and some of these channels are susceptible to social engineering. Their call centre personnel are oblivious to the fact that they may be handing information to the wrong person.
Social engineers can glean information from such places. This link provides a hypothetical example of a social engineer extracting a target's details from a cab booking service by impersonation. All he started with was the target's cell number.
Try a similar drill on places which have your data and see if it is safe. This may include restaurants that deliver, hotels, online retail stores, travel agencies, or telecom companies.
You will be amazed to find how unsafe your privacy is.
Follow Ali on Twitter @enspec