Skip to main content

Social engineering

note

This page forms part of the Moodle security guidelines.

What is the danger?

Moodle is so secure that Evil Hacker gives up on trying to crack the software. Instead, he decides that the users are the weakest link.

For example, they may get the phone list for your organisation, and start making bogus calls:

"Hello, I'm from the help desk. It's not very clear, but I think I have a message here saying you are having trouble logging in? Is that right?"

Eventually, they hopes to someone will get tricked:

Gullible user, "Err, yes. I am having trouble logging in, but I don't recall asking for help."
Hacker, "Well, I am here now. Let me go through it with you, now what is your username?"
User, "It's ..."
Hack, "And the password?"

You get the idea. It can work the other way. Someone phones the help desk pretending to be a helpless teacher who wants to increase a particular student's grade, and the person on the help desk kindly does that for them.

One very well known form of social engineering is phishing.

How Moodle avoids this problem

This is not a problem that can be solved with technology.

What you need to do in your code

  • There is not a lot you can do.

What you need to do as an administrator

  • All you can do is to try to educate your users. However, don't be too hard on them if they are tricked. They were probably only trying to be helpful.

See also