Essays in the Category "Social Engineering"

Stop Trying to Fix the User

  • Bruce Schneier
  • IEEE Security & Privacy
  • September/October 2016

Every few years, a researcher replicates a security study by littering USB sticks around an organization’s grounds and waiting to see how many people pick them up and plug them in, causing the autorun function to install innocuous malware on their computers. These studies are great for making security professionals feel superior. The researchers get to demonstrate their security expertise and use the results as “teachable moments” for others. “If only everyone was more security aware and had more security training,” they say, “the Internet would be a much safer place.”…

What Are the Limits of Police Subterfuge?

A warrantless FBI search in Las Vegas sets a troubling precedent.

  • Bruce Schneier
  • The Atlantic
  • December 17, 2014

The next time you call for assistance because the Internet service in your home is not working, the ‘technician’ who comes to your door may actually be an undercover government agent. He will have secretly disconnected the service, knowing that you will naturally call for help and—when he shows up at your door, impersonating a technician—let him in. He will walk through each room of your house, claiming to diagnose the problem. Actually, he will be videotaping everything (and everyone) inside. He will have no reason to suspect you have broken the law, much less probable cause to obtain a search warrant. But that makes no difference, because by letting him in, you will have ‘consented’ to an intrusive search of your home…

Why Technology Won't Prevent Identity Theft

  • Bruce Schneier
  • The Wall Street Journal
  • January 9, 2009

Impersonation isn’t new. In 1556, a Frenchman was executed for impersonating Martin Guerre and this week hackers impersonated Barack Obama on Twitter. It’s not even unique to humans: mockingbirds, Viceroy butterflies, and the brown octopus all use impersonation as a survival strategy. For people, detecting impersonation is a hard problem for three reasons: we need to verify the identity of people we don’t know, we interact with people through “narrow” communications channels like the telephone and Internet, and we want computerized systems to do the verification for us…

A Real Remedy for Phishers

  • Bruce Schneier
  • Wired
  • October 6, 2005

Last week California became the first state to enact a law specifically addressing phishing. Phishing, for those of you who have been away from the internet for the past few years, is when an attacker sends you an e-mail falsely claiming to be a legitimate business in order to trick you into giving away your account info—passwords, mostly. When this is done by hacking DNS, it’s called pharming.

Financial companies have until now avoided taking on phishers in a serious way, because it’s cheaper and simpler to pay the costs of fraud. That’s unacceptable, however, because consumers who fall prey to these scams pay a price that goes beyond financial losses, in inconvenience, stress and, in some cases, blots on their credit reports that are hard to eradicate. As a result, lawmakers need to do more than create new punishments for wrongdoers—they need to create tough new incentives that will effectively force financial companies to change the status quo and improve the way they protect their customers’ assets. Unfortunately, the California …

Customers, Passwords, and Web Sites

  • Bruce Schneier
  • IEEE Security & Privacy
  • July/August 2004

Criminals follow money. Today, more and more money is on the Internet: millions of people manage their bank, PayPal, or other accounts—and even their stock portfolios—online. It’s a tempting target—if criminals can access one of these accounts, they can steal a lot of money.

And almost all these accounts are protected only by passwords.

You already know that passwords are insecure. In my book Secrets and Lies (published way back in 2000), I wrote: “…password crackers can now break anything that you can reasonably expect a user to memorize.”…

Are you sophisticated enough to recognize an Internet scam?

  • Bruce Schneier
  • The Mercury News
  • December 19, 2003

Recently I have been receiving e-mails from PayPal. At least, they look like they’re from PayPal. They send me to a Web site that looks like it’s from PayPal. And it asks for my password, just like PayPal. The problem is that it’s not from PayPal, and if I do what the Web site says, some criminal is going to siphon money out of my bank account.

Welcome to the third wave of network attacks, what I have named “semantic attacks.” They are much more serious and harder to defend against because they attack the user and not the computers. And they’re the future of fraud on the Internet…

The Third Wave of Network Attacks

  • ZDNet News
  • October 3, 2000

On Aug. 25, the press release-distribution service Internet Wire received a forged e-mail that appeared to come from Emulex Corp. and said that the CEO had resigned and the company’s earnings would be restated.

Internet Wire posted the press release, not bothering to verify either its origin or contents. Several financial news services and Web sites further distributed the false information, and the stock dropped 61 percent (from $113 to $43) before the hoax was exposed.

This is a devastating network attack. Despite its amateurish execution (the …