While security officers focus on firewalls and intrusion detection systems, a far more dangerous avenue often lies open to hackers. In most cases, it is far more easy to trick innocent users to give up their passwords by phoning them up. Most people would refer to this as "lying", "trickery", or "deception", but security people prefer to use the term "social engineering". In the past, social engineering schemes have traditionally revolved around a hacker posing as someone from the support department and either trying to assist the user with a problem or getting the user to help the hacker run a "test". These have been frighteningly effective, and are getting increasing publicity: former exponents such as Kevin Mitnick have argued that social engineering is more worrying than tech-based attacks. Hackers like to break with tradition, and current social engineering methods are all about defying expectations. To help you understand the new face of deception, here are some of the new ways that hackers are manipulating expectations to get what they want -- access to your data. By reading through these new schemes, you can better educate yourself and your staff about the techniques being used, which in turn will help everyone in your company avoid falling prey to these security breaches. Relationship social engineering I had the chance to watch first-hand a social engineering stunt using common conversation to obtain password information. This particular job wasn't an illegal hack, but rather a situation in which a client paid a security company, Relevant Technologies, to see if its employees would fall victim to a trick. The company felt it better to find out its security holes under controlled conditions than to be exploited by someone who really did have malicious intentions. Unfortunately, the scheme went off without a hitch, and the company's owner realised that he needed to place a greater emphasis on employee training. For this particular scheme, the security company hired a woman with a sexy voice to call sales representatives at the company and pretend to be interested in buying the company's product. Part of the conversation went something like this: Social Engineer: "My kids will love this product. I have a two-year-old named Fred and an eight-year-old named Beth. Do you have any kids?" User: "Yes, I have a four-year-old son named Shawn." This is seemingly innocent chitchat, but in organisations that don't enforce strict password policies, employees often use their kids' names as passwords. In this particular case, the employee used his son's name, Shawn as his password. Of course, that was a lucky guess, but the security company's social engineer was able to worm other personal information out of the employee as well. For this particular job, the woman never asked for a password -- or anything else related to the computer system. What she did do was to build a relationship with the victim. Even if nothing on the password list had matched, she had built the guy's trust enough that on a future call she would be able to get something more useful out of him. Password conundrum People have a lot more passwords to remember than they used to. With so many passwords to keep track of, it isn't uncommon for people to use the same password in more than one location to keep from having to remember several different passwords. For example, the person might use the same password at work as to log on to the Internet at home. There are cases in which hacker groups have set up Web sites advertising a bogus sweepstake. They then require anyone registering for the sweepstakes to supply a username and password for future access to the site. Soon a database of thousands of usernames and passwords is compiled. A "robot" then systematically attempts to log on to many popular Web sites using the supplied usernames and passwords. The hacker group can then use information from these sites to gain further information. For example, if a hacker is able to get into a person's Hotmail account, he might be able to figure out where the person works and then be able to try to break into that company's computers using the logon name and password that he has in his possession.