Arun Marballi

The term "Social Engineering" is basically a euphemistic way of referring to exploitation of unwise behavior. Just the other day, I saw an e-mail in my Inbox that informed me that I had received an e-Greeting. Since I was not celebrating any special day, I was somewhat skeptical about the e-mail's authenticity. Compounding my skepticism was the fact that the email had landed in my Junk Mail Folder.

Normally, e-Greetings that I receive do not land in the Junk Mail Folder and the fact that this one did indicated to me that Hotmail had noticed something about this email that was not "kosher." When I opened it, I observed that there were spelling errors in the message informing me that I had a greeting waiting for me and that I should click on the link below to retrieve it. The spelling errors were the last indication I needed to confirm that it was indeed a phishing e-mail looking perhaps to download something malicious onto my machine - all I had to do to make it happen was to click on that link. Needless to say, I did not click on the link but instead deleted the e-mail. This goes to show that we cannot let our guard down ever and that threats will come at us in all forms and from many directions.

Now, this instance of Social Engineering was quite random and hence easily detectable. Consider how the same social engineering attempt could have been a lot more potent had the sender known my birthday (perhaps acquired from harvesting the information off the Web) or had known our anniversary. With the amount of personal information making its way onto the Internet in seemingly innocuous ways, this attempt could have been far more targeted and perhaps less suspicious. Hence, the importance of keeping even the smallest shred of personally identifiable information private and off the web.

On a different subject, do you remember the paranoia that spread among some sections of our population at the approach of the Year 2000 turn of the century milestone? A lot of it was driven by an irrational fear of a class of software called Supervisory Control and Data Acquisition (SCADA) Systems used for controlling a lot of infrastructure such as dams, electronic power plants, nuclear power plants, oil pipelines, public transit systems and water filtration and distribution systems.

Now, many of these systems did not use dates like most business software does and hence were not affected by the Y2K problem leading to the widespread public perception that the Y2K crisis was in fact a hoax. However, since the turn of the millennium, many of these devices have been enhanced and now use the Internet rather than proprietary networks for routing performance information from one station to another. Since many of these devices have a long life span (some as long as a few decades), they do not have protective layers such as firewalls and hence tend to be exposed to the Internet. Vendors of these devices have been known to be slow to install security patches.

The reason apparently is because these devices are low priced, operate on low margins and vendors are reluctant to increase their operating costs or reducing their performance. There are instances of hackers and disgruntled employers who have discovered these holes and attempted to disrupt the infrastructural systems that they control. Can you imagine the impact if terrorists or political antagonists infiltrated these systems? A scary scenario indeed!

The recent war between Russia and Georgia also became the first instance where physical military-based warfare was initiated in parallel with Internet cyber-warfare. Russia apparently launched a full-blown Distributed Denial of Service (DDoS) attack aimed at all government and infrastructure computing devices in Georgia rendering all Internet-based communications between Georgia and the NATO countries inactive just prior to the physical military attack. Although Russia could have dealt permanent damage to Georgia's electronic infrastructure, many of these outages were not permanent in nature, and communication was restored within a few hours.

Based on this, the conjecture is that the DDoS attack was the work of relative amateurs. If you will recall, at its inception hacking also was the work of amateurs and keeping in mind its evolution, one would expect cyber-warfare to gain professional sophistication in days to come. It is probably with this in mind that the Pentagon has established a Strategic Cyberspace Command within the United States Air Force.

Arun Marballi has worked in the Information Technology arena for more than 20 years with extensive experience in software development, process design and network/workstation management. For comments, questions, tips or suggestions, e-mail [email protected].

Home