The Hindu Business Line : If you are pretending that you know pretexting...

Pretexting, also known as `social engineering', is the act of creating and using an invented scenario (pretext) to obtain information from a target.

Patricia Dunn, Chairwoman, Hewlett-Packard

Surprise is inevitable when one comes across a word jumping up from news reports, totally out of context. More so, when the word crosses your path, not once but many times, especially in a form different from the normal usage, as an out-of-the ordinary part of speech.

`Pretexting' has been one such, in recent weeks, because most of us know `pretext as `an ostensible or false reason used to justify an action,' the way Concise Oxford English Dictionary defines. Pretext is an early 16th century word, from "Latin praetextus, meaning `show, display', from past-participle of praetexere `weave before, adorn', from texere `weave'," educates Encarta.

Pretext means "pretence; false appearance; ostensible reason or motive assigned or assumed as a colour or cover for the real reason or motive," according to Webster's 1828 Dictionary. "They suck the blood of those they depend on, under a pretext of service and kindness," reads an example. A simpler one is in Cambridge Dictionary of American English: "He called her on the pretext of needing help with his homework." Words related to pretext are cover, pretence, plea, excuse and alibi, according to www.wordsmyth.net. `Stalking-horse,' says WordNet 2.1 Vocabulary Helper.

Bard's singular use

"To the wicked, everything serves as pretext," says Voltaire. "We excuse our sloth under the pretext of difficulty," admonishes Marcus Fabius Quintilian. "And my pretext to strike at him admits a good construction," is what Aufidius tells `Third Conspirator' in Coriolanus, in what is perhaps the only occasion where the Bard uses the word. To many, it may seem like a media conspiracy that `pretext' has swerved from its usual noun form, as explained in most dictionaries, to adopt the pretence of a verb or gerund, as in `Fuzzy Laws Come Into Play in the H.P. Pretexting Case' — a headline on www.nytimes.com dated September 19.

There are more such, as a search for `pretexting' shows on Google News, if you don't fall for the teaser `Did you mean: pretesting'. Times Herald-Record asks, `How does `pretexting' hit home?' in a story `2 hours ago'; San Jose Mercury News speaks of `Pretexting in action'; Austin American-Statesman says, `Calling it `pretexting' doesn't make it right'; and CNET News.com tells us `What Congress isn't doing to stop pretexting'. Time for a zero base, therefore, addressed especially to those who are pretending that they know pretexting!

On the verb form, there is little help in most dictionaries. But www.bartleby.com explains `pretext' not only as a noun but also as transitive verb, meaning `to allege as an excuse', with inflected forms such as pretexted, pretexting and pretexts. Thankfully, `pretexting' has a page on http://en.wikipedia.org, where it is elaborately discussed.

Social engineering

"Pretexting also known as `social engineering', is the act of creating and using an invented scenario (pretext) to obtain information from a target — usually over the telephone," says Wikipedia. Pretexting is `typically a bit more involved than a simple lie'. How so? Because "it regularly involves some prior research and the use of bits of known information (e.g. birthday, Social Security Number, last bill amount) to establish legitimacy in the mind of the target."

The problem that is dogging HP (Hewlett-Packard), a technology major, is that private investigators working for the company "allegedly impersonated HP directors and reporters covering the company to obtain their call logs from phone companies," as www.latimes.com narrates in a story dated September 15. "The practice of pretexting typically involves tricking a business into disclosing personal information of a customer, with the pretexter pretending to be the customer," elaborates Wikipedia.

How did the HP issue come to light? In a filing with the Securities and Exchange Commission (SEC), HP had acknowledged that it investigated its own board of directors to discover who leaked information that led to a News.com story about HP's future strategic plans, informs Tom Krazit in a story titled `FAQ: The HP `pretexting' scandal' dated September 6 on http://news.zdnet.com. "HP also said that the outside firms used to obtain the identity of the source of the leak might have used a technique called pretexting to obtain telephone records of calls made by HP directors from their home phones and cell phones."

How does it work

How does pretexting work? "Pretexters use a variety of tactics to get your personal information," says www.ftc.gov, the site of the US Federal Trade Commission. A simple example of pretexting on the site is of a call that is purportedly from a survey firm, asking you a few questions. "When the pretexter has the information he wants, he uses it to call your financial institution. He pretends to be you or someone with authorised access to your account. He might claim that he's forgotten his cheque-book and needs information about his account."

Pretexting can lead to identity theft, cautions FTC. "Identity theft occurs when someone hijacks your personal identifying information to open new charge accounts, order merchandise, or borrow money." HP surveillance was a tech-savvy operation, writes Frank Washkuch Jr on www.scmagazine.com. E-mail-based malware was planted into the PCs of targets to facilitate tracing, one learns. Is there a law about pretexting? Yes, there is, assures FTC. The Gramm-Leach-Bliley Act makes it illegal for anyone to:

use false, fictitious or fraudulent statements or documents to get customer information from a financial institution or directly from a customer of a financial institution.

use forged, counterfeit, lost, or stolen documents to get customer information from a financial institution or directly from a customer of a financial institution.

ask another person to get someone else's customer information using false, fictitious or fraudulent statements or using false, fictitious or fraudulent documents or forged, counterfeit, lost, or stolen documents.

"Still, proof is not always easy," note Damon Darlin and Matt Richtel in The New York Times. "Even if prosecutors can show that private detectives hired by the company violated the law, it may be difficult to establish that executives, managers and lawyers at the company's headquarters were culpable."

Michael A. Hiltzik's article dated September 15 in Los Angeles Times postulates that the State's HP case may be tough to win. "No single state statute specifically outlaws `pretexting,' or the use of deception to obtain a person's private or personal information," says Hiltzik. "The term, a coinage of the private investigation industry, has been used since at least the mid-1990s," he traces. "Although it carries an air of formality, it was defined in 1998 by then-Federal Trade Commissioner Mozelle W. Thompson as `plain, old-fashioned lies.'"

Legally grey

A recent story by `i-Technology News Desk' on http://opensource.sys-con.com calls the HP case `a legal grey area'. The story predicts that we are all going to get an education on this point of law "since HP is now being investigated by the SEC, the FCC, the FBI, the US Attorney for Northern California, the House Energy and Commerce Committee and the grandstanding Attorney General of the state of California."

Opinion, again, is divided on whether Patricia Dunn, Chairwoman, Hewlett-Packard, did the right thing. While some say that she tried to protect the company by trying to trace the boardroom leaks, others argue that the exercise of collecting private information by masquerading is scandalous. "There is a tendency now for prosecutors to try to criminalise behaviour that, however damaging and unwise, could be handled through civil fines and penalties and pulling the licenses of professionals involved," rues Steven Pearlstein in a piece dated September 13 on www.washingtonpost.com. He cites the Sarbanes-Oxley law as an example; for it "has been taken to ridiculous lengths by auditors and lawyers who have profited handsomely as a result."

Of interest to the pro-legislation lobby would be the February 8 testimony of Marc Rotenberg, Executive Director, Electronic Privacy Information Centre, on `Protecting Consumers' Phone Records', before a US Committee. "Banning the commercial sale of private consumer information is a necessary complement to banning pretexting, as it would `dry up the market' for illegally obtained telephone records," said Rotenberg. "Such a prohibition would also allow consumers and consumer protection agencies to go after those who advertise privacy-invasive services without having to prove the specific techniques that the data brokers have used."

It is natural human tendency to trust. So it may sound reasonable to lobby for a ban on `social engineering' in public interest, else hackers could cleverly manipulate the gullible. "You could spend a fortune purchasing technology and services...and your network infrastructure could still remain vulnerable to old-fashioned manipulation," is a quote of Kevin Mitnick, a well-known former computer cyber thief, and the author of The Art of Intrusion.

A heavy dose of optimism may, therefore, be required to believe that truth will eventually prevail, in spite of the plain, old-fashioned lies that are ancient companions of mankind.

ZeroBase@TheHindu.co.in

D. Murali