I was listening to Talk of the Nation on National Public Radio this
afternoon. There was a good discussion going on sparked by the fiasco that
happened at HP the last few weeks. Since I cover lexicon, identity, and
security, I thought it would be a good idea to cover some of the
conversation.

What has emerged new to the general conversation is the term “pretexting”.
This is the practice that investigators–both private and internal–use to
pretend that they are someone else to obtain personal information from service
companies. This includes the phone company, cell phone companies, banks,
utilities, county ownership records, and other private and public agencies.

This is not a new term, but one that is getting public recognition as a
result of the HP fiasco.

According to the conversation that I heard, there is a synonymous term in
the hacker community for pretexting called “social engineering.” There are some
states that have made pretexting and social engineering illegal. California,
Tennessee and Florida are exceptions maybe. This is a gray area and is only
coming to light after these events.

The previous hacker turned consultant in the conversation is the author of
the book The Art of Deception.

Here is my take on this. The government and agencies are not going to be
able to cope with this problem. This means that it is your responsibility to
protect yourself. There are a few major areas that you can focus on that will
help you.

- Use InfoCards for login when you can. I admit this is new stuff, but it is
  fundamental in protecting your information from phishing and hijacking. InfoCard
  technology will change the future of hackers and thieves. You can support this
  by understanding it and using it.
- Stop using common methods of identification. Your social security number,
  your mother’s maiden name and your birth place are readily accessible to social
  engineering agents.
- Use encryption for your data and emails. There are several technologies that
  will help you with this. You can do it at work and for your personal emails
  where needed. Without encryption, you have to assume that your emails are
  totally accessible to anyone who wants them. The current email technology is
  hackable and in clear text that is readable by anyone.
- You have to assume that at work, there are people keeping track of what you
  do with your computer. This is an issue, but you can also understand that your
  employer probably doesn’t have the resources to look that closely at what you
  do.

However, they also had a guy on the program that was being offered a job–a
high profile and high paying job–that was revoked after the person had some
email conversations about the terms of employment with his attorney. The company
actually monitored his email conversations and gave him the choice of resigning
or being fired as a result of the interchange. Scary.

Ms. Dunn at HP has struck a deal with the HP board to resign as a result of
the press and fiasco. Did she know what the legal dept. was doing? Probably not.
My opinion is that she should have found out on an issue of this importance and
that she should probably step down now and not later.

Your comments are welcome.

tags: security, identity, pretexting, social+engineering, encryption