BreachExchange mailing list archives

Don’t worry about getting hacked. Worry about getting socially engineered.


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 16 Oct 2014 17:54:37 -0600

http://www.washingtonpost.com/news/the-intersect/wp/2014/10/15/dont-worry-about-getting-hacked-worry-about-getting-socially-engineered/

This fall has seen a rash of private data leaks so intimate, so invasive,
that a sort of moral panic has erupted over personal computer security.

First, a boatload of female celebrities learned that their private, nude
photos had been stolen. Then the perpetrators went after girls on Whisper.
Now, as the calamity that is Gamergate spirals onward, it’s clear that a
number of high-profile participants on both sides have been “doxed” — a
fate that was also met, not long ago, by several Darren Wilsons who were
not related to the police officer who shot teenager Michael Brown in
Ferguson, Mo.

We commonly refer to these incidents as “hacks,” as if someone commandeered
the victim’s computer and pulled things from it without her knowledge. And
in some cases, that is indeed what happened. But frequently, and
surprisingly, the opposite is also true: Users freely give up their
information, or their friends’ information, to total strangers. They just
don’t realize those strangers mean harm until it’s far too late.

In some respects, today’s most dangerous online scams are not terribly
different from the Nigerian-prince e-mails of old. But modern “social
engineering,” or “social hacking,” as practitioners call it, is far subtler
and more sophisticated than Nigerian princes ever were. The definition is
considerably broader, too: Social engineering describes any technique that
tries to get around a security system — not by breaking or attacking the
system itself, but by exploiting vulnerabilities in the people who use it.
Those “vulnerabilities” can range from the obviousness of your passwords to
the manipulability of your feelings.

That also means scammers aren’t just sending e-mails any more. They’re
calling your house, pretending to be the credit card company, or calling
your Internet provider, pretending to be you. They compile reams of
personal data based on information gleaned from public records, social
media and Google search. Sometimes, they’ll use these files to guess at
your passwords or security questions. And once they’ve cracked those, your
world is their oyster: On anonymous forums like AnonIB, or in
black-backgrounded pages on the Dark Web, social engineers trade everything
from nude photos to Social Security numbers and credit card details.

Complained one user in Reddit’s social engineering thread: “Most ‘hackers’
these days are just glorified social engineers with programming skills.”

Last week’s blitz on Whisper is pretty indicative: So-called social
engineers posed as modeling and escort agencies on the app, even going so
far as to invent fake backstories and interview questions, to get women to
send them nude photos. The trick — according to scammers coaching each
other on AnonIB — was to “play the role” convincingly.

When I “hacked” into my brother’s iCloud account back in August, I was also
using social-engineering techniques, drawing on the information I knew
about my brother to guess the answers to his security questions and gain
access to his account. Security experts have suggested similar techniques
were used on actress Jennifer Lawrence and other victims of “Celebgate.”

Meanwhile, whenever hackers publicize other people’s personal information
online (a generally malicious practice, called doxing), they’ve frequently
obtained that information using SE techniques. Many victims will never
realize they were targets. Which raises a really terrifying question: How
can you protect yourself from something you can’t see?

Social engineering 101

Since we’re essentially talking about ways for people to trick each other,
there’s no real end to the number, or variety, of SE techniques. Generally
speaking, however, engineers who want access to your e-mail or iCloud
account have three ways to go about the task: They can try to persuade you
to give the passwords up directly (“active engineering”); they can try to
guess or reset the passwords using other information about you (“passive
engineering”); or they can pretend to be someone else entirely and get
account access that way (“pretexting”).

Of these options, passive engineering is probably the easiest to pull off —
it is, after all, just another strain of “Google stalking,” that favored
technique among curious daters and other casual snoops. By gathering
information from your social media accounts (as well as from public
records, your employer’s Web site, your long-forgotten wedding page, and
what have you), a social engineer can get a pretty good picture of what you
like, where you live and what you’re generally about. That might be enough
information to guess your password. If not, it’s definitely enough
information to let the engineer escalate to some other type of attack.

This person now knows enough about you, for instance, to pose as someone
from your college’s alumnae office, requesting a donation or updated
contact details by phone. They probably know enough to send you a fairly
convincing phishing e-mail from the bank or credit card company you use.

In its guidelines for employees, the U.S. Computer Emergency Readiness Team
— a division of the Department of Homeland Security — advises they watch
out for scammers posing as new employees, repairmen or researchers. I spoke
to one self-proclaimed social engineer earlier this year who made a habit
of calling the target’s Internet provider, pretending to be her — and then
from there calling the target, pretending to be the provider.

In all these scenarios, engineers are often relying on more than just lies
and Google to get them by. Many hardcore practitioners also study
psychology and cognitive science for clues on how to get people to like you
or trust you more easily. (A new social engineering forum on Reddit is,
tellingly, full of links to free online psychology and game theory courses
from schools like Stanford and Yale.)

This is a pretty skeevy art — it’s related to the cult of the “pick-up
artist,” for starters — but it can work. People tend to respond in
predictable ways to certain psychological triggers. If you went to a bar,
for instance, and the bartender gave you a second drink for free, you’d
probably give him a bigger tip in return. (That’s called reciprocation.)
Meanwhile, if a uniformed police officer barged into said bar and told you
he needed to take your seat, you’d probably give it up. (That’s called
authority.)

It would probably be fair to call those things social norms or good
manners, too: After all, we’re predisposed to be nice, to be trusting, to
try to do the “right” or the “good” thing. That predisposition is,
unfortunately, exactly what social engineers are talking about when they
refer to “human vulnerability.”

How to shut down social engineers

Fortunately, social engineers have a vulnerability, too: They tend to
grossly overestimate their manipulative powers. Sure, many SE scams play on
emotion, and they certainly help some practitioners get what they want
faster. But by and large, these hacks rely on two things only: the weakness
of your passwords/privacy settings and your inclination to trust people —
even people you don’t know.

That makes the fix easy: For starters, turn on two-step verification,
strengthen your password, and rethink your security questions. (Your
“mother’s maiden name” is not a safe choice.)

From there, consider reviewing your privacy settings and browsing habits
not only on sites like Facebook, but anywhere else your name and picture
appear on the Web. You might not have a ton of control over some of these
things: I probably cannot, for instance, get my high school to take down
some PDF that mentioned me in 2005. But I can delete my LiveJournal from
that same year, which ultimately contains far more compromising
information. And I can certainly remove my home address from my résumé,
which I’m sure I’ve uploaded to the Internet somewhere.

Finally — and this is the big, sad, cynical one — don’t trust people on the
Internet, or on the phone, unless you have incontrovertible proof that they
are who they say. That’s actually pretty counterintuitive advice, given our
general indifference toward privacy: Consider that we regularly tell
strangers where we are, what we’re doing and even what we’re spending money
on.

Just yesterday — without even thinking about it, really — I authorized the
app my doctor’s office uses to share my medical history with third parties,
as needed. There are arguably few things on earth more private than your
medical history. But if someone called me today and said they were from the
doctor’s office and asked me to share that same information, would I ever
think to say no? Or ask to call back on their main office number?

Even worse, if someone called and told me they were doing a reference check
for a friend applying to a job, or a background check on someone applying
for security clearance — wouldn’t I tell that person every dribble of
information on my friend that I could muster? Of course I would. In fact, I
have. Fortunately, all the callers have been legit … thus far.

It’s regrettable, and exhausting, that we have to live with that sort of
suspicion, and even constant vigilance will never be wholly foolproof. But
it’s important to understand that when people speak of iClouds getting
“hacked,” or people getting “doxed,” or photos being “stolen,” they’re
often not referring to actual, technical brute-force break-ins. They’re
referring, in many cases, to Internet cons who squirrel and sweet-talk
their way into accounts.

The good news there, of course, is that social engineering is in some ways
more preventable — and it’s certainly more understandable, to the
technophobes among us.

The bad news? Once you know about engineering, you never stop looking for
it.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
