Tuesday, September 05, 2017

Cyber Insecurity

I know what you Tweeted last summer. Also this summer. And during that particularly nasty rainstorm in the winter of 2015. In fact, I know what you posted on YouTube, Reddit, Instagram, and Flickr. (Also VK, if you happen to be into Russian social networking.) And if you posted anything while you were supposed to be hard at work in an office building or manufacturing plant, well, there's a pretty good chance that I can find that out, also.

[Image caption] This is a series of social media posts that originated in my old high school over the past several days. I can click on the icons and see who posted what.
Of course, none of this is secret, right? You didn't really post it on the Internet and expect it to remain private, did you? I mean, c'mon, if there's anything the Web is bad at, it's maintaining your privacy; just ask any number of breached and outed and exposed criminals, trolls, Hollywood insiders, and a slew of embarrassed AshleyMadison.com members. (Not that one might not be all four, of course.)

The Internet is great at sharing information; that's what it was made for. (No, it wasn't set up to provide a backup communication net in the event of a nuclear attack. It was invented and intended for use by university researchers looking for ways to communicate and share data.) Unfortunately, it's not so great at protecting information.

As someone who has worked on the security side of technology, I have access to some tools that might make my search a little easier, simpler, or faster, but the truth is that all of that information is out there. Everything you've ever typed. Every Google search you've ever made. (Yes, even that one.) Everything you've posted, commented, searched for, or communicated is stored somewhere; and all it takes is a little time and effort to uncover. If it's supposedly protected by virtue of it being stored on a "secure" site (think Facebook, Dropbox, your corporate network, etc.), well, I have bad news for you. As security-conscious sages (including former FBI director Robert Mueller) have said many times: "There are only two types of companies: Those that have been hacked and those that will be hacked." (I might add a subset of the first type: those that have in fact been hacked, but don't know it yet.)


[Image caption] Robert Mueller was the 6th director of the Federal Bureau of Investigation. He is currently occupied with other security-related endeavors. Image in the public domain.
But I'm not necessarily talking about sophisticated, hardcore tech attacks here, the sort of thing that some shady operator in a basement in Odesa or Kiev or Omaha might use to force his way through a firewall or other cyber defense. Those types of attacks certainly exist. But why would anyone go through the trouble? It's time-consuming and expensive, and it requires skills that most of us don't have. And besides, there's often no need. The info is either already out there (in the form of social networking posts and other communications—many of which can easily be viewed or uncovered with a bit of sleuthing) or else it can be had simply for the asking.

That's what social engineers do. When they need the keys to the (yours, your boss's, your client's) kingdom, they just ask. Of course, they might have to lie a bit. (Well, let's say prevaricate. It sounds better.) They might (read: probably will) get in simply by emailing you a dodgy link. Occasionally, they might need to invent some pretext to get into an office: Perhaps the social engineer shows up at your place of business in a blue shirt holding a clipboard, and wearing a baseball cap with a service company logo. He either just waltzes in (if your company is foolish enough to leave its campus buildings unlocked) or else stops at the reception desk to tell the folks manning the desk that he's "here to check on your <insert name of make and model> corporate printers, to ensure that they're working correctly." Or perhaps he's (supposedly) with a janitorial service and he'd like to see if he can outbid your current provider, the name of which he just happens to know. (He also knows how much they're charging you. In fact, he seems to know a lot, more than enough to convince you that he's on the up-and-up.)

Or maybe he keeps it simple. He just picks up the phone and starts calling your employees; when someone answers, he says, "Hey, Sarah, this is Todd from IT. We're working on something here and I need to get into your system to see if you've been updated. It doesn't look like the last security update was installed, for some reason." Of course, he's using a phone-spoofing application that makes his call look as if it's coming from inside your building, so for all you know, it's legit. (Do you know everyone in your IT department? Really? Everyone?) And you wouldn't want your system to be out of date, would you? Vulnerable to attack?! If the caller is good—and professional social engineers are very, very good—odds are that "Todd" will eventually find someone to give him a password; after that, he's off to the races. And by "off to the races," I mean that he's successfully infiltrated your network. (Note that I’m saying “he,” but keep in mind that the social engineer could just as easily be female. There are some truly exceptional social engineers out there who happen to be ladies. I don’t think that they’re necessarily better liars or any more duplicitous than the guys, but perhaps we’re simply not expecting to get hacked by a woman. Whatever it is, the ones I know of or have met are very good at this.)

You see, social engineers are hackers of a sort, but they don't hack systems; they hack people. And people are easily hacked. We're great targets, because we're trusting and we're helpful. I hate to say it, but we need to learn to be more suspicious and wary. C'mon, people—stop being so nice, so trusting! We should all be more like those people we see writing in comments on the Internet: angry, cantankerous, distrustful. Well, maybe only a little like them. No need to get nasty or insulting.

And here I'm going to put in a plug for my friend, Chris Hadnagy. Chris runs Social-Engineer.com (and Social-Engineer.org), a penetration-testing company that specializes in using social engineering to uncover weaknesses in your company's "human network." He and his team are very good—scary good, in fact. They can lie and wheedle and schmooze their way into almost any network. If you're wondering if your network has weaknesses, it does, trust me—especially your human network. It's porous and shaky at best, and Chris and his folks can help uncover those weaknesses. But my favorite of Chris's endeavors is the Innocent Lives Foundation (ILF). The foundation specializes in unmasking child predators and in providing useful, usable evidence to law enforcement officials so that these people can be found and prosecuted. It's a worthwhile endeavor with a talented board of directors and headed up by a guy who's the epitome of the "white hat hacker." (Also, he has a very large, vicious-looking dog, the name of which I can never remember, so I keep referring to it as "Fluffy." Someday, "Fluffy" is going to show up on my front porch and drag me out to the woods and bury me like a very large bone, and I'll never be seen again. So, if you don't hear from me…)
