Cheating: The New Standard?

February 23, 2016

I’m about to cheat.

Yes, I’m a terrible cheater. I just told you right up front that I’m going to cheat. But just watch: I’m going to break an inherent rule you trust, right in front of you.

Out of a regular set of 52 cards, pick your favorite card. Go ahead, say it to yourself.

How impressed would you be if your card popped up on screen when you click the button down here? You’d buy me a drink? Deal.

Ok, let’s call the bet. Click here to see your card.

Hey, your card popped up, didn’t it? Told you I was going to cheat. But I didn’t say just your card would pop up. I said your card would pop up.

Not Just Bad Magic Tricks

What this loosely demonstrates is the way many hackers work. They look for those inherent trust relationships that have always been the same, and that we inherently trust because, hey, that information is never wrong, right? One of the most brilliant things about hackers these days is their ability to identify those key, trusted relationships, and find ways to exploit them.

Columbia Chemicals screenshot

Another example of this was a Russian intelligence operation on September 11, 2014. In our current age, news media turns to social media for the scoop on the latest trending stories. Realizing this, a group known as the “Internet Research Agency” used numerous fake Twitter accounts to generate buzz about a non-existent explosion at the Columbia Chemicals plant in St. Mary Parish, Louisiana. By using these fake accounts and generating fake buzz, they were able to create real concern. A YouTube account that still exists called James Harris posted numerous videos about the incident on 9/11/2014 including this one that even includes a timestamp displaying “11.09.2014.” (I guess they forgot we Americans are the only ones who do things “month/day/year”.)


Tricking Humans – Nothing New

This is all part of a broader side of hacking known as social engineering. Social engineering (SE) is all about taking the way humans work and using it against us. There’s a really great video here from a group over at Social-Engineer.org that explains SE in much more detail.

Recently the CIA, FBI, DOJ, and DHS all had a number of breaches that resulted from the work of a 16-year-old out of the UK. The alleged hacker was even so bold as to contact reporters and give an interview, explaining that he pulled this hack off incredibly easily.

How?

Social Engineering

Once he gained entry to a part of the DOJ’s computer system, he couldn’t go any farther without a token code. He called up good ol’ Helpdesk and explained he was new (which is technically true—he had never logged in before!), and they explained he needed a token code. When he explained he didn’t have one yet, they gave him one.

As Michele Fincher points out in the above video, the biggest problem that organizations are finding, and the greatest ally criminals have, is our natural tendency to be helpful. By exploiting that fundamental human desire, the bad guys are taking our data in droves. Add in a sense of authority and an element of urgency, and you’re practically golden.

And, yes, even cops are falling victim to this simple tactic.

So what’s the fix?

In some cases it’s really just as simple as reviewing basic policies. The tricky part is getting people to adhere to those policies. In other cases it may be time to add new policies.

There are organizations out there that actually offer social engineering training and will test your organization for you. They’re called penetration testers. There’s a great video from last year’s Defcon conference with a bunch of great stories, in which one of these professional penetration testers gives some details of his finer human hacks. The neatest thing about all these stories is the fact that there’s really nothing more to it than being super confident and just walking into wherever you’re not supposed to be.

Conclusion

Moral of the story: Most of the hacking going on today can be attributed to some sort of human factor failing. It’s time we start training the people to catch this stuff. This graph does a great job of showing how serious social engineering is:

