Rocky Mountain Law Enforcement Federal Credit Union
Where our local heroes bank with confidence.










Physical and programmed security do protect us from most attacks. However, human habit and interaction can ultimately be the weak link that causes all other security implementations to fail. All security systems depend on you. Becoming aware of the human variable and its security foul-ups can aid in the defense of these systems.

Hackers steal – Social Engineers convince you to give them what they want

It could happen to you
“Hackers” as portrayed in the movies are in reality few and far between. Most attacks on an individual, organization, or network are carried out with the intent of financial gain. If a hacker wants to get personal information on your PC, then there are two ways he might go about it. Most people would expect this hacker to somehow break into the computer, find the files they want, and download or copy them. A more realistic and proven method used by a Social Engineer might be to leave a flash drive lying around in a parking lot, a restaurant, on the sidewalk, or even a business’s lobby. The Social Engineer’s hope is that you would pick it up and plug it into a computer, giving them the information they want. After all, what’s the first thing you do when finding something like this? Plug the rogue flash drive into your PC to see what’s on it. Right? A program the Social Engineer put on the flash drive would then run, emailing him the details on the PC and any network it’s connected to. It looks for things like user names, passwords, and possibly even the sacred files you’ve just saved to the newly acquired flash drive. He could also have a program like an email sniffer on the flash drive, which would make a copy of every email that computer sends or receives and send a copy to him. Contrary to popular belief, emails are very insecure because they are sent in plain text. A sniffer program could easily read any content and attachments in the email, allowing it to be sent to a 3rd party without anyone being the wiser.

A simple solution to foil the rogue flash drive attack would be to simply throw it away or destroy it. Don’t be fooled: they could easily do the same thing with a floppy, CD, DVD, and even devices such as iPods. A stranger asks to plug their iPod into your laptop to charge it during a long flight. The bad part is that the iPod owner fails to tell you that the rogue device will automatically copy everything from your PC onto itself once it is plugged into your laptop.

Social Engineers exploit human flaws and habits to get the information they need. Sometimes it can be as easy as asking the person face to face, or just looking at what’s out in the open. Many people like to write their passwords down and put them under their keyboard, mouse pad, or in the desk drawer under the plastic organizer. It doesn’t take any special skill to look at someone else’s password that’s in plain sight and write it down. How many times do you use the same password for different things? Many people unwisely have only 1 password for their 4 different emails and 1 password for all 5 online bank and billing accounts. If that single password written in plain sight is used once, chances are most people will use it for something else too.

So what can you do?

Always be cautious and use common sense. If at work, follow the policies and procedures in place there. If there are none, then create them. If at home, create rules for computer use. It sounds boring and unnecessary, I know, but sticking with well-thought-out and planned rules, policies, and procedures will guide you into making safe decisions. The Social Engineer will do whatever possible to talk the target into giving away the information needed. They gamble that you will break from the rules, policies, and procedures, allowing them to do what they want to your system and with your information.

Be alert to Social Engineering. Know the ways to protect yourself and others, and understand how you can be exploited into giving away useful but seemingly useless information.

“Burn the Source.” This means to spread the word. The easiest way to stop an attack by a Social Engineer is to call them on it. Stop the interaction with them right away and let them know you won’t be giving them the information requested. Also tell those around you to be on the watch for similar activity from the same individual or others. The worst thing that can happen to a Social Engineer during an attack is to learn they’ve been caught and can’t use that avenue anymore.

Educate yourself and others. Like a neighborhood watch program, the more people that understand the dynamics of a threat and are aware, the safer everyone will be. One person can stop a single attack, but many can stop multiple.

Learn not only to recognize a possible attack but to foil it. Record everything about the interaction you had with the suspicious individual. If at work, post it for coworkers to see. If at home, notify your neighbors, friends, and family. Let the attacker know in no uncertain terms that you will not be surrendering any information they request.

Things to remember

“Useless Information” is still information that can be used against you - Think of the first part of your Miranda Rights

“Speak Easy” Security is False Security - Walk in like you own the place and you can walk out with the rug on the floor.
When Prohibition was the law in the US, a “speak easy” was a club where people could go and drink. It usually was in the basement of a building, didn’t have a sign, and didn’t look like a place you would go to drink and hang with friends. The idea was that if you were supposed to be there, you already knew where it was, when it was open, and what the pattern was to knock on the door.

College pranksters in the late 1960s were staying in a very nice hotel during an ROTC tournament. They walked into the lobby dressed in their formal uniforms, politely brushed aside people who were standing on the rug, rolled it up, and walked out with it under their arms. Nobody stopped or questioned them. The rug was found on the floor of a dorm room less than one week later. The following year the same individuals marched into the stadium and climbed the ladder to the center catwalk on the ceiling where the 50 foot flag was hanging. They ceremoniously folded the flag into the familiar triangle shape and walked out with it in front of the crowd exiting the stadium. Nobody stopped them. It was found in the same dorm room less than a month later.

In both college prankster situations, the individuals committing the act were not questioned because they looked like they belonged there and looked to have proper authorization to do what they were doing. If even one person who worked at these facilities had questioned them, the prank would have been foiled.

For more information on Social Engineering and how to protect yourself and others, pick up the book
“The Art of Deception – Controlling the Human Element of Security”
by Kevin D. Mitnick and William L. Simon.
