April 15, 2009, 10:56 AM — It's weirdly painful yet helpful when successful hackers step out from the shadows and tell us how stupid we are and how they so easily shred our security. The latest episode of this long-running show occurred last week when MafiaBoy, or Michael Calce in meatspace, reminded us once again that social engineering remains the hacker's sharpest tool. ComputerWorld called it “MafiaBoy Spills the Beans.”
Small businesses don't have the money to load up on expensive intrusion detection systems, but they can teach their employees to be a little more suspicious. You don't have to turn them into pit bulls, but you can request they become more protective.
Hackers call on the phone and pretend to be improving security by asking for your password to “verify” things. Don't ever tell anyone your password over the phone or via e-mail. If you're large enough to have an IT staff, train the techs to never take the lazy road and call, rather than visit, employees about security issues. Remote office employees must call the IT people themselves for any security updates, not respond to phone calls. Send them an e-mail or a text asking them to call the approved company phone number for IT support. Little details like that mean a huge security improvement.
Beware outside techs in uniforms as well. Hackers routinely dress as phone company employees by getting a shirt and hat, then waltz into businesses left and right. If you didn't call for service and a phone company employee appears, call the company and get confirmation. Don't believe the documentation he carries, because hackers fake those papers. Don't call the number the suspicious person suggests you call to check on them, because that call will be answered by another hacker.
Do you want to be safer? Allow your employees to be a little more rude to people asking questions and trying to get inside your business. Sometimes, outside service people are setting you up for an inside computer hack.