The Social Graph of Malware

Social Engineering – the early days

Social engineering, as a descriptive term, originally meant using social skills to uncover passwords or other secret information.

This might involve calling someone’s secretary and saying “your boss is here at a meeting and has forgotten his password, can you please tell me the password so we can get him online?” If you believe this, you lose control of your account.

You also see it in James Bond movies all the time.

This type of social engineering can exploit the fact that many people use their spouse’s name, a pet’s name, or some other easily-guessed word, as their email password. If you attempt to log into their email account using these names or words, you are likely to hack some high percentage of accounts. This technique was used recently when someone hacked into Facebook and commandeered the accounts of several famous people, including Britney Spears. Honest – it was that simple!

For this reason, many online systems used to require 1] that passwords be strings of random characters, and 2] that users change their passwords frequently. Using random characters is very effective[1], but people have trouble remembering random passwords, so they often revert to using the names of their pets. The second technique, requiring that passwords be changed frequently, is only effective if a hacker has already compromised your account – you change the password and they can no longer log in. But this technique also leads to people writing their passwords down (because they can’t remember what they changed to most recently), and if they write ’em down, then someone can just go to their desk, look at the pink sticky note on the monitor, and break into the accounts. So I don’t recommend that systems force users to change their passwords for this very reason.
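As an added example (not code from the original post), here is a check a system could run when a user sets a password, rejecting passwords built on the spouse, pet or other personal names described above. The profile values and all function names are assumptions constructed for illustration.

```python
import re

# Undo common character swaps. i, l, 1 and ! are folded into one class
# because "1" stands in for either letter in disguised words.
FOLD = str.maketrans({"0": "o", "1": "l", "!": "l", "i": "l", "3": "e",
                      "4": "a", "@": "a", "5": "s", "$": "s", "7": "t"})

# Constructed sample: personal details the system already holds for a user.
PROFILE = ["Alice Smith", "Fluffy", "Bob"]


def normalize(text: str) -> str:
    """Lowercase, fold look-alike characters, keep letters only."""
    return re.sub(r"[^a-z]", "", text.lower().translate(FOLD))


def personal_terms_in(password: str, personal_terms: list[str],
                      min_len: int = 3) -> list[str]:
    """Return the personal words (names, pets, ...) the password is built on."""
    candidate = normalize(password)
    hits = []
    for term in personal_terms:
        # A full name is checked word by word.
        for word in re.split(r"[\s._-]+", term):
            norm = normalize(word)
            if len(norm) >= min_len and norm in candidate:
                hits.append(word)
    return hits


def check_new_password(password: str,
                       personal_terms: list[str]) -> tuple[bool, str]:
    """Accept or reject a proposed password at set time."""
    hits = personal_terms_in(password, personal_terms)
    if hits:
        return False, "password is based on personal information: " + ", ".join(hits)
    return True, "ok"


if __name__ == "__main__":
    for pw in ["Fluffy2009!", "B0b&Al1ce", "q7#Vr9!xLp2@"]:
        print(pw, "->", check_new_password(pw, PROFILE))
```

Short names can match inside unrelated longer words, so `min_len` trades false rejections against coverage.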
