Hackers choose the path of least resistance and manipulating your colleagues is the simplest route to your data, warns Eric Doyle
Social engineering is probably the greatest security threat in 2011.
As attacks on networks grow more complex, security is being tightened and access becomes more difficult. Hackers always search for the easiest point of entry to a system and the human factor has become attractive once again.
Targeted phishing attacks, also called spear phishing, have become a simple way to lure employees into giving up network access authorisation details, and the ready availability of personal information from social networks helps enormously.
Only Fools Have Nothing To Hide
Those who say they have nothing to hide and therefore feel they have nothing to fear from public disclosure of information are deluded fools. It all depends on who is judging you. Prospective employers may find that your liberal attitudes as a student are a good reason to refuse you a job but it’s the smaller details that often bring about a fall.
Sites like LinkedIn have become marketplaces that highlight professional credentials and have become “dating” agencies for job headhunters and predatory employers. Here is an array of talented individuals flaunting their abilities, experience and contacts on a public network. Though the granular details of contacts may be hidden from the casual browser, there is plenty of freely available information to get a pretty good impression of a prospect.
The same goes for phishers looking for targets. A search for employees reveals numerous potential victims. Browsing through their public pages gives a history of their employment, and recommendations offer the names of people who hold them in high regard. Human frailties imply that the feelings of respect will be reciprocated. Many participants in these networks also publish their contact emails.
From these details, a vast range of possibilities opens up for the creative hacker.
Whatever IT Takes
A crude attempt could be a fake request to reveal your log-in details to the “IT department” for administrative purposes. A slightly more subtle approach would be to ask you to sign in to the system, giving a link to a fake registration site made to look realistic with company logos and other identifiers.
Another approach could be to draft an email, sent from a fake Hotmail, Gmail or other free email account, using information scraped from the recommendations of the target’s social network contacts. The message will sound like a genuine contact from a respected colleague, and further information can then be solicited.
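Both lures just described leave traces a defender can check before the message reaches an inbox: a sender whose display name matches a colleague but whose address sits on a free webmail domain, and a "sign in" link whose visible text names one host while the real destination is another. The following is an added example, not code from the article or from any vendor it mentions; the organisation domain, colleague list and the two sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical organisation data; in a real deployment this comes from the directory.
INTERNAL_DOMAIN = "example.com"
KNOWN_COLLEAGUES = {"alice smith", "bob jones"}
FREE_WEBMAIL_DOMAINS = {"hotmail.com", "gmail.com", "yahoo.com", "outlook.com", "live.com"}
CREDENTIAL_WORDS = ("password", "log-in", "login details", "sign in", "verify your account")

# HTML anchor: capture the real href and the text the reader sees.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
# A hostname (optionally with scheme) appearing inside visible link text.
HOST_RE = re.compile(r'(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})', re.I)


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it cannot be parsed."""
    return (urlparse(url).hostname or "").lower()


def is_internal(host):
    return host == INTERNAL_DOMAIN or host.endswith("." + INTERNAL_DOMAIN)


def check_sender(msg):
    """Flag a From: header pairing a known colleague's name with an outside address."""
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    findings = []
    if name.strip().lower() in KNOWN_COLLEAGUES and domain != INTERNAL_DOMAIN:
        kind = "free webmail" if domain in FREE_WEBMAIL_DOMAINS else "external"
        findings.append(f"display name '{name}' matches a colleague but sender is {kind} address {addr}")
    return findings


def check_links(body):
    """Flag anchors whose shown host differs from the real one, and external sign-in links."""
    findings = []
    asks_for_credentials = any(w in body.lower() for w in CREDENTIAL_WORDS)
    for href, text in ANCHOR_RE.findall(body):
        real = host_of(href)
        shown = HOST_RE.search(re.sub(r"<[^>]+>", "", text))
        if shown and shown.group(1).lower() != real:
            findings.append(f"link text shows {shown.group(1).lower()} but points at {real}")
        elif real and not is_internal(real) and asks_for_credentials:
            findings.append(f"credential request with sign-in link to external host {real}")
    return findings


def analyse_message(raw):
    """Return a list of findings for one RFC 822 message (empty list means nothing suspicious)."""
    msg = message_from_string(raw)
    payload = msg.get_payload(decode=True)
    body = payload.decode(errors="replace") if isinstance(payload, bytes) else str(msg.get_payload())
    return check_sender(msg) + check_links(body)


# Constructed sample: a colleague's name on a Hotmail address plus a lookalike
# sign-in link whose visible text and destination differ.
PHISH = """\
From: Alice Smith <alice.smith.hr@hotmail.com>
To: bob.jones@example.com
Subject: Please re-confirm your account
Content-Type: text/html

<p>Hi Bob, IT asked everyone to sign in again today. Use the usual portal:</p>
<a href="https://portal.example.com.login-check.net/">https://portal.example.com/login</a>
"""

# Constructed sample: an ordinary internal message that should produce no findings.
LEGIT = """\
From: Alice Smith <alice.smith@example.com>
To: bob.jones@example.com
Subject: Lunch
Content-Type: text/html

<p>Lunch at 1? Menu is at <a href="https://intranet.example.com/menu">the intranet</a>.</p>
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, analyse_message(raw) or ["no findings"])
```

The checks are deliberately narrow: a colleague's name on an outside address is not proof of fraud, so the output is meant to route a message to review (or to add a visible banner) rather than to block it outright. The hostname comparison is exact, so a genuine link whose text uses a different subdomain will also be flagged; tune that to your own domain layout.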
This is a long-winded method but, with so much to gain, the modern phisher is patient and persistent and will try every way to find information that could be useful. The initial target may only be used to get information on, and elicit an introduction to, a co-worker further up the corporate food chain.
A quicker way to get information is to pretend to be offering a job. Few employees will publicise the fact that they have been approached with an offer they can’t refuse, and they will give away surprising amounts of personal information in the hope of winning the job. The approach is similar to the (usually Nigerian) 419 advance fee frauds that offer massive riches in exchange for a large investment to free up the non-existent funds.
Thin End Of The Wedge
Social engineering is a powerful tool because it can be used in many more ways to open fairly secure systems. Reportedly, RSA Security was initially opened up by phishing and, once access was gained, other tools were applied to escalate permissions to access information about the SecurID system.
The conclusion that most security vendors have come to is that nobody is safe from social engineering attacks and that firewalls and other security measures alone cannot be counted on these days. With social engineering, the only defence is through training and a security policy warning of the techniques employed.
There is no protection, however, when an email arrives in the employee’s private email account offering a substantial bribe for log-in information.