[BreachExchange] Hackers are con artists: The perils of social engineering

Audrey McNeil audrey at riskbasedsecurity.com
Mon Jan 29 21:15:22 EST 2018


Portrayals of hackers in popular culture are inaccurate. We imagine
individuals bent over computers, rapidly typing in a mortal battle with
opposing hackers. The struggle goes back and forth, until finally, one side
wins — breaching their opponent’s encryption, downloading terabytes of
secrets, and stealing away triumphant.

This might make for good television, but it’s also far-removed from real
hacking. As dramatic as it might be to force your way past security and
into enemy lairs, the best hacks are the most subtle ones. Humans, not
computers, are usually the weakest link.

More often than not, hacking is a con job — not a break-in. And the most
versatile tool in a hacker’s arsenal is a technique called social

The importance of subtlety

There are many reasons that subtle hacks are the best, especially in
espionage. Simply put: if your target isn’t aware that you’re scamming
them, then you can continue ripping them off.

If you are a hacker, you have a few goals. First, you must retrieve your
objective, be it corporate secrets or user passwords. At the same time, you
can’t be compromised. To be exposed means that companies and governments
are wise to your intrusion, and can protect themselves. Once a hack is
discovered, your target will rush to change passwords, delete or backup
vital data, and remove any loopholes. For those hackers aiming to steal
sensitive information, this can render their gains useless.

But it also makes sense to play the long game as well, as it can be more
profitable. There is a real value to remaining in a target system,
undetected, for long periods of time. As the recent Kaspersky intrusion
shows, hackers can (and have) snuck into networks and simply waited there,
watching their opponent’s every move and vacuuming up sensitive data.

Passwords and resets

Even as our technology improves exponentially, it’s limited by one
important factor: the human brain. Not only are our brains easily
manipulated (implanting false memories is much easier than you think), but
they have glaring weaknesses that skilled hackers will take advantage of.
Remember that a chain is only as strong as its weakest link. Even strong
network security can be compromised by not factoring in the human element.

Smart hackers will target people, not their systems.

Look at passwords. If the Internet is a collection of locked doors, then
passwords are the keys. Unfortunately, many people default to very simple,
unsophisticated passwords that are easy to remember — and easy to guess.
Lists of the worst passwords feature repeat offenders like “password,”
“football,” “123456,” or “princess.”

Moreover, many common password rules are flat-out wrong. Even the man who
invented them, Bill Burr, has called his previous work a mistake. For
instance, Burr’s rule about “special characters” (such as $, @, or !)
encourages people to substitute these for letters: “A” becomes @, “S”
becomes $, and so forth. Unfortunately, this makes passwords much easier to
crack, as hackers can simply guess these common substitutions.

Further, to simplify their daily routines, most users rely on a single,
master password for all of our apps and programs. This is a terrible idea,
as a leak means that thieves can access all your accounts with a single
password. Instead, if you have difficulty remembering different passwords,
try turning to a password manager.

These programs can automatically store, generate, and track your various
accounts; they’ll create complex, unique passwords for you, and fill them
in when you log into websites. Best of all, you only have to remember a
single password: your login for the password manager itself.

Barring the advent of authentication processes that incorporate biometrics,
password managers are the safest choice.


Additionally, thanks to the quirks of our human brains, remembering a
highly complex password for each account is very difficult, if not
impossible. As a result, password retrieval is now a key feature of any
program that requires a login. However, password retrieval is also a major

In fact, this is where the best, most subtle hackers strike. Consider John
Podesta, Hillary Clinton’s campaign manager. In 2016, Podesta was hacked,
or more accurately, conned out of his email password and credentials.
Hackers posed as Google’s password reset service, soliciting Podesta’s
assistant to click on a link, where he logged in with Podesta’s password —
and allowed the thieves in. The damage was swift: the stolen emails were
leaked online and caused widespread damage to the Democratic Party.

This is a textbook spear-phishing campaign: the mark (Podesta’s assistant)
is solicited by a seemingly official notice. This phishing email ironically
warned of an illegitimate intrusion, and promised to take users to reset
their password. Secrecy was vital; the fact that the hack stayed undetected
for several months allowed hackers to penetrate the system thoroughly, and
to reap a greater haul of information (and thus, do more damage).

Instead of memorizing unique passwords (and relying on password reset
links), consider multi-factor authentication. Users type their password and
receive a second code in the form of a text message or a smartphone prompt.
To enter their email, they must input both password and code, adding an
extra layer of security that hackers must contend with.

Social engineering

Like con jobs, the best hacks use high-level social engineering: leveraging
human nature through social cues and trust to penetrate restricted systems.
Think of a scam artist posing as an authority figure (a policeman or repair
technician) to infiltrate a secure place and steal important information.

The best example of this is Kaspersky. Essentially, hackers relied on the
company’s reputation as a globally established software producer to insert
backdoors. That Kaspersky’s program is an antivirus is perfect; these
programs are trusted with scanning countless files on databases to check
for infection — which means that they can access everything.

Though it’s unclear whether Kaspersky cooperated with Russian intelligence
to insert backdoors, the effects are clear: files were stolen, secrets
compromised, and finally, Kaspersky lost its contracts with US government

Ultimately, the greatest security threat facing us today isn’t a virus like
Stuxnet or a botnet like Mirai. While dangerous in their own way, these
programs pale in comparison to the damage a well-executed social
engineering campaign can cause; just ask Hillary Clinton. Human nature is
the weak link: with our inability to create and remember passwords, as well
as susceptibility to social hierarchies, cybersecurity will continue to be
an issue for years to come.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180129/9ae06bf1/attachment.html>

More information about the BreachExchange mailing list