[BreachExchange] Here’s the Real Way Hackers Will Get Your Information Online

Audrey McNeil audrey at riskbasedsecurity.com
Mon Mar 7 19:58:58 EST 2016


http://observer.com/2016/03/heres-the-real-way-hackers-will-get-your-information-online/

Hacking as portrayed in movies often features a socially awkward man
thrashing away at a keyboard in a poorly lit basement, as computers flicker
among chaotically arranged cables.

In reality, this is far from the truth. Our natural distrust of computing
systems has led us to engineer them in a way that allows humans to override
security functions, or have control way beyond what is necessary.

Organizations, especially large and well established ones, have struggled
to fully incorporate the computer into their workflow. As a result many
critical operations are still overseen by people. This makes it
unattractive for attackers to target the machine, as the machine can be
over-ruled. Hackers, therefore, will go for the leader of the operation:
the human.

Hackers who wish to manipulate people require extensive knowledge of social
engineering. These manipulators, or ‘social engineers’, might be after a
variety of different things. It’s likely a hacker targeting people is only
interested in increasing their quality of life – be it through a free
flight upgrade, or perhaps a complimentary dessert at the diner.

There are some, however, who might be after your private information, or
they may seek access to accounts you control.

Social engineers may work together as part of a criminal gang in order to
complete large scale hacks, such as a Business Email Compromise.

A Business Email Compromise is a tactic that often involves no compromise
of any computer system, but relies primarily on heavy research and social
engineering.

A group of social engineers will work together to trick employees into
making wire transfers to foreign bank accounts. Between October, 2013 and
August, 2015, the FBI reported 7,066 US victims of this scam – with an
overall loss of almost 750 million USD.

Understanding the tools at the disposal of a social engineer and how these
tools target our psyche can help us counter such attacks.

Research: There is more information about you online than you think

A social engineer will do thorough research before speaking with you. We
often forget how much information exists about us online, be it information
released by our government (such as voting records) or information released
by ourselves (LinkedIn, Facebook, Twitter, etc.).

Having confidential information about you will allow a social engineer to
trick you into believing they are authorized to gather more information
from you. The attacker may even use the information to pose as a
representative from a company you deal with. The information the attacker
has might come from a variety of public sources, or even be obtained by
literally digging through your trash.

Pretexting: Making up a reason to talk to you

Armed with your name, address, and account number with the local
telecommunications company (information that can easily be found in your
trash), an attacker can easily create a pretext to call you. It could be in
the guise of an annual inspection, or perhaps a follow-up to an earlier
call.

After asserting themselves as a legitimate representative of the
telecommunications provider, the attacker can ask for more information, or
even get you to run some compromised software on your computer. Whatever
the attacker’s end goal is, having a pretext to call you is like getting a
foot into the door – often literally.

Elicitation: We tell strangers a lot more about us than we probably should

Elicitation is the technique of gathering information from people by
interviewing them. Often the interviewer has a specific goal in mind and
the interviewee is unaware they are being interviewed.

To elicit means to gather data and the term is used in anthropology,
sociology, consultancy, and many other fields. Elicitation is used by
intelligence agencies as part of their “Human Intelligence” or HUMINT
programs.

Elicitation requires research and may involve pretexting. The social
engineer will likely ask intelligent open questions that trigger a response
from the interviewee. The answers to these questions will show what the
interviewee is thinking and what they care about. An attacker may even
ascertain the interviewee’s sense of humor.

There are neutral questions designed to calm down the interview subject and
make them more comfortable with the situation. Questions such as “how is
the weather?”, and “stuck in traffic again?” are designed to calm and lead
to a topic of interest, such as: “the boss is leaving for a big trip
tomorrow, right?”

The goal is to gather as much information as possible. This might be very
specific information, such as passwords, or more vague information, like
whether the company has a dedicated cyber crime specialist.

Asserting Authority Or Appealing To Kindness

Not every individual is equally receptive to claims of either authority or
kindness – but most people are receptive to one of the approaches.

Elicitation is used to read the target’s character and ascertain whether an
attacker should approach the target with an authoritative or kindly
approach.

Appealing to Authority

An attacker will pose as someone in a position of authority. This persona
might be an existing authority within the company that is being subjected
to the attack, or a trusted one from outside of the company. Emails from
fake law enforcement agencies or calls from courts fall under the latter
category.

To appeal to a (false) authority can be particularly successful in
organizations that rely on authority themselves. Failure to implement
strong counter-measures for instances in which this authority can be abused
could lead to an attack. Organizations also often rely on hiring
individuals susceptible to control by authorities, as they are deemed loyal
and controllable.

Appealing to Kindness

Other individuals and organizations are easier to influence through
kindness. It is natural for us to be influenced by things that we like. A
social engineer will try to exploit this instinct. If the attacker has
elicited sufficient information in an interview, it is easy for them to
create a character that has the charm and attributes that will make us go
out of our way to help them.

This attack can be irksome to defend against – being nice and helpful is
not something we want to sanction people for. It is nonetheless important
to make clear what information may be shared and who has access to which
documents, rooms, or funds.

Diversion: Sending Things Where They Don’t Belong

Diversion might refer to the diversion of emails, packages, or money
transfers. Diversion might be the intention of the hack or it might just be
a means to a goal.

An attempt to divert might be a phone call asking to change the contact
details of a client. Or it could come in the form of an email from a
private address of a colleague, in which documents are requested.

It can be difficult to assess the true identities of those behind emails
and phone calls, but it’s important to have steps in place that allow you
to verify the identities behind non-face-to-face communications – perhaps
by setting up secure channels.

Baiting: Not Everything You Find Was Lost

Given how computers work and what they defend against, malicious programs
are far easier to execute when run from a CD-ROM or USB stick. Instead of
delivering viruses and trojans via the internet, the tactic of baiting
often relies on physical storage media.

Humans are curious beings. If we find a USB stick left by our car or desk,
we might want to plug it into our computer to see what’s on it. This is
obviously a bad idea, but drives with malware can also come in the mail,
personally addressed to you – so it’s important to remain vigilant.

Phishing: Just Because Your Key Fits Doesn’t Mean You’re At The Right Door

We all know that passwords are supposed to be kept secret. On the other
hand we have to type them into websites all the time. A phishing attack
comes in the form of an email or link that directs you to a website that
looks legitimate, but in reality impersonates another website in order to
harvest your passwords and other private details.

We always need to be aware of the passwords we are using, and double-check
we are entering them on the correct sites. Password managers can help with
this.

Phishing attacks are not just limited to emails, they can also come via
phone calls or even in person.
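The reason a password manager helps here is that it fills a saved credential only when the page's real origin matches the site the credential was saved for, so a look-alike address never receives the password. The following is an added example illustrating that origin check, not code from the article or from any password manager; the site names (examplebank.com, evil.example) are constructed placeholders.

```python
"""Added example: the origin check a password manager performs before offering a
saved credential. Illustrative code, not the article's or any product's own
implementation; the site names are constructed placeholders."""

from urllib.parse import urlsplit


def normalise_host(hostname: str) -> str:
    """Lower-case the host, drop a trailing dot and convert internationalised
    labels to their ASCII (punycode) form, so a look-alike non-Latin character
    can never compare equal to the Latin letter it imitates."""
    host = hostname.lower().rstrip(".")
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        # Anything the IDNA codec rejects is not a host worth trusting.
        return ""


def is_expected_site(url: str, expected_host: str) -> bool:
    """Return True only when `url` really points at `expected_host` (or one of
    its subdomains) over HTTPS. The tricks a phishing link relies on, such as a
    look-alike name, the real name hidden in a subdomain or in the user-info
    part of the URL, or a plain-HTTP copy of the page, all fail this check."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return False
    host = normalise_host(parts.hostname)
    expected = normalise_host(expected_host)
    if not host or not expected:
        return False
    return host == expected or host.endswith("." + expected)


# Constructed sample links: which of these should receive the password saved
# for examplebank.com?
SAMPLE_LINKS = [
    "https://examplebank.com/login",               # the genuine site
    "https://login.examplebank.com/",              # a genuine subdomain
    "https://examplebank.com.evil.example/login",  # real name used as a subdomain elsewhere
    "https://examplebank.com@evil.example/login",  # real name in the user-info part
    "https://secure-examplebank.com/login",        # look-alike name
    "http://examplebank.com/login",                # plain-HTTP copy of the page
    "https://ex\u0430mplebank.com/login",          # Cyrillic 'а' in place of Latin 'a'
]


def classify(links, expected_host="examplebank.com"):
    """Map each link to True (credential may be filled) or False (withhold it)."""
    return {link: is_expected_site(link, expected_host) for link in links}


if __name__ == "__main__":
    for link, ok in classify(SAMPLE_LINKS).items():
        print(("AUTOFILL " if ok else "WITHHOLD ") + link)
```

Only the first two sample links pass. The point for the reader is that the check compares the parsed hostname, not the text a person sees in an email or address bar, which is exactly the part of the decision humans get wrong when a page merely looks legitimate.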

Playing With Your Associations: Did They Really Say That?

Our brains often take shortcuts, and usually this works fine. When we’re on
the phone we take clues from a person’s voice, their words, the time of the
call, and the setting to determine what is happening and who we are talking
to. When something goes wrong, it is usually only a small embarrassment at
worst.

However, this characteristic of our brain can be specifically exploited.
Using the right setting and ambiguity we can be tricked into thinking we
are speaking to someone who we are not. For example, an attacker might
mimic someone you are less familiar with, such as a long lost friend or a
work colleague from around the globe.

When authenticating people we might also fall victim to hearing answers
where there are none. Using the ‘mumbling’ technique, an attacker will
simply mumble something instead of clearly stating their credentials, in
the hope that we will let it pass.

This might lead us to reveal information to attackers that we would not
usually reveal, or give someone access to a place they shouldn’t be.
Especially in professional situations, we shouldn’t be embarrassed to ask
who is on the phone and exactly what is being asked from us. Don’t be
afraid to ask for credentials, even from a boss.

Impulsiveness: Don’t Make Decisions Under Pressure

We don’t always make good decisions under pressure. An attacker could
create a false sense of urgency or scarcity, together with suggestive
questions, to trick us into making the wrong decision.

Security procedures, in particular, should not be skipped or bypassed during
times of emergency. If a security procedure does not make sense in a
certain situation, then it might need revision in the future. It is almost
always better to follow existing security procedures, and then blame them
for failing to fix a problem, than to blame ourselves for failing to follow
standing security procedures.

The same is true when it comes to the impulsiveness and fear that is inside
all humans. Take a step back to review an extraordinary situation. Is it
too good/bad to be true? What steps are usually necessary in this instance?
Who else can be consulted? Can it wait for a second opinion?

As hacking does not always include computers, computer knowledge alone does
not prevent you from getting hacked. Security requires a holistic approach
that includes not just the IT infrastructure, but every individual that has
access to sensitive information, funds, or restricted rooms.

Keep yourself informed about the tactics used in attacks and be aware of
what you share and who you share it with.