Socially engineered online threats; Be cautious, educated, hard target

  • Published
  • By Staff Sgt. Chad Thompson
  • 90th Missile Wing Public Affairs
F.E. WARREN AIR FORCE BASE, Wyo. --  Computer security is every Airman's responsibility, and combating online threats is part 
of that role. 

Tech. Sgt. Nicholas Cichon, 90th Missile Wing Information Assurance NCO in charge, said online threats are everywhere, and to continue day-to-day operations everyone needs to be cognizant of what cyber terrorists are doing, and be aware of potential threats. 

Phishing, spoofing and social engineering are some online threats Airmen might face.
Sergeant Cichon said social engineering uses trickery to fool someone in order to get account information. 

"Social engineering is the art of manipulating people to perform actions or divulge confidential information," he explained. "It is like dumpster diving, the cyber terrorist looks for something to attack the human element of an information system in order to manipulate that person into divulging some sort of critical information." 

Master Sgt. Chad Glazier, 90th Missile Wing antiterrorism office, said social Web sites, blogs and spoofed Web sites are the easiest ways a cyber terrorist can socially engineer someone. 

Information is everywhere, and cyber terrorists use search engines to learn what they can about people in order to pry critical information from them, Sergeant Glazier said. 

One form of social engineering is phishing, Sergeant Cichon said. 

Sergeant Cichon said phishing is a scam or deception where hackers or cyber terrorists try to coerce personal and financial information from unsuspecting victims in order to steal someone's identity or gain access to a secure computer system. 

"A lot of hackers get information about people through phishing, which then could be used to launch some attack on them by stealing information or getting trusted access to a network," he explained. "Login names and passwords are normally attained by using phishing scams." 

Sergeant Cichon said one way this is done is by spear phishing. 

Spear phishing is a targeted e-mail designed to look like something coming from an internal source, such as a supervisor or the 90th Communication Squadron's help desk.
He said the e-mail would say something like, "We lost your account paperwork and have incomplete information on file. We need your password and login name to verify your account. If you don't respond within 48 hours, your account will be closed." 

Some e-mails or phone calls like this are just tests conducted by the information assurance office but sometimes it is an actual threat he said. 

"No legitimate financial institution, bank, or [90th CS] help desk personnel will ever ask for personal information or passwords over an e-mail or phone," Sergeant Cichon said. 
"Don't ever give out any type or personal information, such as credit card numbers, mother's maiden name or computer account information. Our network administrators would never ask for that." 

Some common phrases to look for in a phishing e-mail scam are: 

--Verify your account
--You have won the lottery
--If you don't respond within 48 hours, your account will be closed
--Thank you for serving, click here for your free trip
--Click the link below to gain access to your account 

Lack of education is the biggest reason people fall victim to phishing, Sergeant Cichon said. 

"The majority of people that fall for any phishing scams or social engineering are either oblivious to the fact people are actually out there doing it, or they just aren't thinking it could happen to them," he explained. 

Sergeant Glazier agrees education and awareness are the keys to success when combating online threats. 

"Not only is it important to be aware yourself, but it is also important to teach your children and family on what information they can post on Web sites or give out over e-mail or phone," he explained. 

"How you protect your identity is the same way you should protect your unit's critical information," Sergeant Glazier said. "You don't want anyone getting your personal information and you shouldn't let critical information out to allow it to get into the wrong hands." 

Protecting critical information is important, and one of the biggest concerns is Web spoofing, Sergeant Cichon said. 

Spoofing is the act of making a Web site look like an accredited page when in actuality it is a site hosted by a hacker or cyber terrorist, he explained. 

Imagine going to an online banking Web page, where everything on the page looks exactly like it is supposed to, yet the only difference is a letter, number or some other character. 

Once there, someone logs on using a username and password, only to find a list of error messages. This person has just experienced a spoofed page, and the person who set up the page now has access to personal information. 

"The copycat Web site, or spoof Web site, looks like a legitimate site, where the person creating it uses graphics or fonts from the actual Web site," Sergeant Cichon said. "It is basically used to get personal information or account information from people." 

Cyber terrorists are upping the ante and it is getting more difficult to recognize spoofed Web sites and phishing scams, but that doesn't mean Airmen shouldn't be focused, Sergeant Cichon said. 

Airmen have to be focused on the mission but they need to keep in mind that computers are everywhere and people know how to use them. 

If someone suspects a phishing scam or social engineering forward the e-mail to 90cs.netsec@warren.af.mil or contact the information assurance office at 773-5139; to report phishing scams from home go to http://www.antiphishing.org and click on the "report phishing" link. 

"Stick to basic computer security principles, be mindful of what computers can do and what networks can do, and just know there are people out there that want critical information," Sergeant Cichon said. "Because if you give up some piece of information, even the smallest piece of information, and [cyber terrorists] get a little piece from you, and then a little piece from someone else, eventually they could put together the puzzle." 

(Editor's note: This is the second story in a series of articles highlighting Air Force computer security.)