ThimphuTech was the first technology blog in Bhutan. We started writing it in 2009, just as broadband and mobile internet started to take off. (Although internet in Bhutan was launched in 1999, it was either super-slow or super-expensive, and was only used by a select few.)

In the blog, we wrote about technology and food, but also about plenty of other stuff. The blog became popular and influential in Bhutan. A companion bi-weekly column -- Ask Boaz -- was published for many years in the Kuensel, Bhutan's national newspaper. (The complete Kuensel columns are available as an ebook, Blogging with Dragons).

We stopped updating the blog when we left Bhutan in 2014, but the information within the posts can still prove useful, and thus we decided to keep it online.

We thank all our readers.
Tashi Delek,
Boaz & Galit.

Saturday, February 1, 2014

Social engineering (K2 #80)

Question of the Week
Is it true that Google Apps is more secure than our current email systems?
— C., RGoB

Lots of resources are often invested in securing computer systems. We recently read about the government’s plan to use an online service called Google Apps to store and manage email and documents for civil servants. It was mentioned that one of the benefits of using this system is increased protection against hacking, as the government’s existing mail servers are considered more vulnerable. While this may be true, the sad reality is that any system is only as secure as its weakest link. And the weakest link in information security is usually human beings.

Movies often depict hackers as geniuses (often in wheelchairs, for some reason) who break into computer systems. The truth, however, is that hackers often do not need to have special technical skills in order to break into computer systems. They need to understand human nature, and they can manipulate people into disclosing confidential information, such as passwords, by various tricks. This is known as “social engineering”. For example, a hacker might call an employee by phone and pretend to be the IT administrator, asking for the password in order to “maintain the account”. Or a hacker might “accidentally” drop a pen drive with malicious software near the premises of a targeted organisation, hoping that a curious employee will find the pen drive and plug it into a computer, thus infecting the organisation’s system.

Social engineering techniques take advantage of common human traits such as curiosity, fear, kindness, trust, and greed. Many of the most successful hackers are brilliant “social engineers”, understanding and manipulating human beings. In Bhutan, the levels of trust are high and people do not tend to be suspicious. While this makes for a wonderful social atmosphere, and is certainly great for the happiness metrics, it also means that rogue people with malicious intent can quite easily take advantage of this cultural psyche. The security of Google Apps is better than that of the existing systems, but human beings are still the same.

Readers are encouraged to submit technology-related questions to