Experiment shows users readily reveal info that could aid hackers


It is easy to get people to divulge information that could be used to break into computer systems, a simple experiment in social engineering at Liverpool John Moores University has revealed.

In the experiment, described to BCS members by lecturers Mark Taylor and John Haggerty, students starting a computer security course were asked to fill out what they were told was a "student orientation form".

"The form was designed to elicit sensitive information, without giving away the fact that this was the intention, so at first glance it appeared official and innocuous," Taylor said.

The form covered general information, such as name and logon name; use of the internet, including ISP and connection method; and personal information such as date and place of birth, interests, mother's maiden name and father's occupation.

"The results were worrying - especially as these students had indicated their interest in computer security by taking the course," Taylor said.

"A small number provided no information at all, and another small group only partly completed the form with non-sensitive information.

"However, most students provided all the details requested. Some items could be used together: for example, the logon name and home telephone number could be used to access particular university services, although this has now been changed.

"Of particular note was the number of students who provided without question details such as their mother's maiden name or father's occupation - information used by many services as prompts when a password is forgotten.

"These students will probably not provide sensitive information so readily in future without questioning the purpose of the data gathering. However, most of us do not have the need for protection of information demonstrated to us in such a benign way.

"People are aware of the need for computer security at work and at home, but we are less aware of the value of the information we may disclose, often to unknown recipients.

"Rather than paying lip service to security by following certain daily routines, we need to be more aware and questioning of the information that we disclose."

People need to check the source of requests for information, Taylor said.

"We often fill out forms and supply information to companies without checking the validity of the source of a form. This has brought an upsurge in the use of social engineering and genuine-looking e-mails purporting to come from banks asking for account details. If you are supplying information, check the validity of the source of the request.

"As a minimum we should ask what the information is being used for. Assess the information you are providing and whether it is appropriate."
