Social Engineering

Social Engineering is hacker-speak for tricking a person into revealing their password, or otherwise handing over access to their account, rather than breaking in technically.

A classic social engineering trick is for a hacker to send email claiming to be a system administrator. The hacker will claim to need your password for some important system administration work, and ask you to email it to him/her. As we explain later, it's possible for a hacker to forge email, making it look as if it came from somebody you know to be a legitimate system administrator. Often the hacker will send this message to every user on a system, hoping that one or two users will fall for the trick. Keep in mind that a real system administrator never needs to know your password: an administrator who needs to get into your account can do so without it, and can reset your password if something is wrong with it.

A common variation is to do this by phone, over the talk program, or on IRC.

If you are ever approached this way, please contact one of us immediately, either in person or by email to problem.

Another common trick is known as ``shoulder surfing''. This simply means that somebody looks over your shoulder while you type in your password. Sometimes it's impossible to guarantee that nobody can see your keystrokes, for example in a crowded computer lab. But you should be on the lookout for people looking over your shoulder for no good reason.

If you're suspicious of somebody, don't type your password until they've gone. If you think somebody has seen your password, change it after they're gone (use the command passwd).

If you can, try to type your password quickly. With practice, you can learn to type your password pretty quickly, even if you're not a great typist to start with.

It's decidedly impolite to look when somebody is typing their password. If somebody is watching you when you type your password, you can ask them not to look while you log in.

Another form of social engineering is for somebody to ask you to let them use your account. The HSEAS computer use policy explicitly forbids sharing your account. If you let others use your account, you've lost control of your account. You're still responsible, but you can't be sure how this person is going to use your account, or whom else they might let use it.

Another form of social engineering goes back to guessing your password. People who can find out things about you can use that information to guess your password. For example, the names of your children, their birthdays or the license plate number on your car are all likely candidates for guessing as passwords, and so are simple variations on them (a name followed by a year, a name with capital letters changed, a birthday typed as digits). We point this out to reinforce the extremes to which hackers will go to guess your password.
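To show how little an attacker needs, here is an added example (not part of the original page) that takes a handful of personal facts and expands them into the kind of guess list a hacker would try, then checks whether a chosen password falls into it. The names, birthdays and license plate below are constructed for the example and do not describe any real person; the set of variations (case changes, digit-for-letter substitutions, dates in several formats, common suffixes) is a small sample of what real guessing tools generate.

```python
"""Expand a few personal facts into a password guess list, then test a
password against it.  Added example; the facts below are invented."""
import itertools
from datetime import date

# Constructed sample facts (invented for this example, not real data).
FACTS = {
    "names": ["Alice", "Bob"],                          # children's names
    "birthdays": [date(1989, 3, 14), date(1992, 11, 2)],  # their birthdays
    "plates": ["KXT 427"],                              # license plate
}

# Digit-for-letter substitutions people think make a word unguessable.
LEET = str.maketrans("aeios", "43105")


def date_forms(d):
    """Common ways a date gets typed: 031489, 14031989, 3/14/89, 1989, ..."""
    yy = f"{d.year % 100:02d}"
    yyyy = str(d.year)
    mm, dd = f"{d.month:02d}", f"{d.day:02d}"
    return {mm + dd + yy, mm + dd + yyyy, dd + mm + yy, dd + mm + yyyy,
            f"{d.month}/{d.day}/{yy}", yyyy, mm + dd, f"{d.month}{d.day}"}


def word_forms(w):
    """Case variants of a word, with and without digit substitutions."""
    w = w.replace(" ", "")
    base = {w, w.lower(), w.upper(), w.capitalize()}
    return base | {b.translate(LEET) for b in base}


def candidates(facts):
    """Every fact on its own, plus word+date combinations and common suffixes.

    This is the list a hacker would feed to a password guesser; a real
    guessing tool applies many more transformations than shown here."""
    words = set()
    for w in facts["names"] + facts["plates"]:
        words |= word_forms(w)
    dates = set()
    for d in facts["birthdays"]:
        dates |= date_forms(d)

    out = words | dates
    for w, d in itertools.product(words, dates):   # Alice1989, 031489bob, ...
        out.add(w + d)
        out.add(d + w)
    for w in words:
        for suffix in ("1", "12", "123", "!", "1!", "01"):
            out.add(w + suffix)                      # Bob12, 4l1c3!, ...
    return out


def is_guessable(password, facts=FACTS):
    """True if the password is one an attacker who knew these facts would try."""
    return password in candidates(facts)


if __name__ == "__main__":
    for pw in ("Alice1989", "4l1c3!", "KXT427", "Bob12", "wombat-tango-7q"):
        print(f"{pw:20s} guessable: {is_guessable(pw)}")
```

The point of the exercise is the size of the list: two names, two birthdays and one plate already yield several hundred guesses, and a computer tries all of them in well under a second, so a password built from facts about you is not a secret at all.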

Del Armstrong
Fri Oct 25 16:31:41 EDT 1996