I know what you Tweeted last summer. Also this summer. And during
that particularly nasty rainstorm in the winter of 2015. In fact, I know what you posted on YouTube,
Reddit, Instagram, and Flickr. (Also VK, if you happen to be into Russian
social networking.) And if you posted anything while you were supposed to be
hard at work in an office building or manufacturing plant, well, there's a
pretty good chance that I can find that out, also.
This is a series of social media posts that originated in my old high school over the past several days. I can click on the icons and see who posted what.
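The by-location sweep described above (draw a circle around a building, list who posted from inside it and when) is, under the hood, a geofence filter over geotagged posts. Here is an added worked example of that filter; it is not code from the original post or from any of the services named, it queries no real platform, and the posts, user names, platforms and the "school" coordinates are all constructed for illustration.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

EARTH_RADIUS_M = 6_371_000.0  # mean Earth radius; fine for radii of a few km


@dataclass(frozen=True)
class Post:
    """One geotagged post as a location-aware OSINT tool would store it."""
    user: str
    platform: str
    lat: float
    lon: float
    posted_at: datetime
    text: str


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS-84 points."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def posts_near(posts, lat, lon, radius_m, since=None):
    """Posts geotagged within radius_m of (lat, lon), optionally no older than `since`, newest first."""
    hits = []
    for p in posts:
        if since is not None and p.posted_at < since:
            continue  # outside the time window ("the past several days")
        if haversine_m(lat, lon, p.lat, p.lon) <= radius_m:
            hits.append(p)
    hits.sort(key=lambda p: p.posted_at, reverse=True)
    return hits


def who_was_there(posts, lat, lon, radius_m, since=None):
    """Collapse hits to a per-user list of platforms: the 'click the icon, see who posted' view."""
    summary = {}
    for p in posts_near(posts, lat, lon, radius_m, since):
        summary.setdefault(p.user, []).append(p.platform)
    return summary


# Constructed sample data (hypothetical): a "school" in lower Manhattan and five posts around it.
SCHOOL = (40.7128, -74.0060)
NOW = datetime(2019, 6, 1, 12, 0, tzinfo=timezone.utc)
WEEK_AGO = NOW - timedelta(days=7)
SAMPLE_POSTS = [
    Post("alice", "twitter", 40.7130, -74.0058, NOW - timedelta(hours=1), "last day of class!"),
    Post("bob", "instagram", 40.7125, -74.0070, NOW - timedelta(days=2), "gym selfie"),
    Post("alice", "instagram", 40.7129, -74.0061, NOW - timedelta(days=3), "cafeteria"),
    Post("carol", "flickr", 40.7580, -73.9855, NOW - timedelta(hours=2), "Times Square"),  # ~5 km away
    Post("dave", "vk", 40.7127, -74.0059, NOW - timedelta(days=30), "old post"),  # inside, but too old
]

if __name__ == "__main__":
    for user, platforms in who_was_there(SAMPLE_POSTS, *SCHOOL, 200, since=WEEK_AGO).items():
        print(f"{user}: {', '.join(platforms)}")
```

Two things a practitioner should take from running it: the radius and the time window are the whole attack surface, and widening either (10 km instead of 200 m, a month instead of a week) pulls in people who never set foot in the building. The defensive corollary is that a post only shows up in a sweep like this if the platform attached coordinates to it, which is why turning off location tagging on posts and photos is the cheapest control there is.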
Of course, none of this is secret, right? You
didn't really post it on the Internet and expect it to remain private, did you?
I mean, c'mon, if there's anything the Web is bad at, it's maintaining your privacy; just ask any number of breached and outed and exposed
criminals, trolls, Hollywood insiders, and a slew of embarrassed AshleyMadison.com members. (Not that
one might not be all four, of course.)
The Internet is great at sharing
information; that's what it was made for. (No, it wasn't set up to provide a
backup communication net in the event of a nuclear attack. It was invented and
intended for use by university researchers looking for ways to communicate and
share data.) Unfortunately, it's not so great at protecting
information.
As someone who has worked on the security
side of technology, I have access to some tools that might make my search a
little easier, simpler, or faster, but the truth is that all of that
information is out there. Everything you've ever typed. Every Google search
you've ever made. (Yes, even that one.) Everything you've posted,
commented, searched for, or communicated is stored somewhere; and all it
takes is a little time and effort to uncover. If it's supposedly protected by
virtue of it being stored on a "secure" site (think Facebook,
Dropbox, your corporate network, etc.), well, I have bad news for you. As
security-conscious sages (including former FBI director Robert Mueller) have said
many times: "There are only two types of companies: Those that have been
hacked and those that will be hacked." (I might add a subset of the
first type: those that have in fact been hacked, but don't know it yet.)
Robert Mueller was the 6th director of the Federal Bureau of Investigation. He is currently occupied with other security-related endeavors. Image in the public domain.
But I'm not necessarily talking about
sophisticated, hardcore tech attacks here, the sort of thing that some shady
operator in a basement in Odesa or Kiev or Omaha might use to force his way
through a firewall or other cyber defense. Those types of attacks certainly
exist. But why would anyone go through the trouble? It's time-consuming and
expensive, and it requires skills that most of us don't have. And besides,
there's often no need. The info is either already out there (in the form of
social networking posts and other communications—many of which can easily be
viewed or uncovered with a bit of sleuthing) or else it can be had simply for
the asking.
That's what social engineers do. When they need
the keys to the (yours, your boss's, your client's) kingdom, they just ask.
Of course, they might have to lie a bit. (Well, let's say prevaricate.
It sounds better.) They might (read: probably will) get in simply by emailing
you a dodgy link. Occasionally, they might need to invent some pretext to get
into an office: Perhaps the social engineer shows up at your place of business
in a blue shirt holding a clipboard, and wearing a baseball cap with a service
company logo. He either just waltzes in (if your company is foolish enough to
leave its campus buildings unlocked) or else stops at the reception desk to
tell the folks manning the desk that he's "here to check on your <insert
name of make and model> corporate printers, to ensure that they're
working correctly." Or perhaps he's (supposedly) with a janitorial service and he'd
like to see if he can outbid your current provider, the name of which he just
happens to know. (He also knows how much they're charging you. In fact, he seems
to know a lot, more than enough to
convince you that he's on the up-and-up.)
Or maybe he keeps it simple. He just picks up
the phone and starts calling your employees; when someone answers, he says,
"Hey, Sarah, this is Todd from IT. We're working on something here and I
need to get into your system to see if you've been updated. It doesn't look
like the last security update was installed, for some reason." Of course,
he's using a caller-ID spoofing service that makes his call look as if it's
coming from inside your building, so for all you know, it's legit. (Do you know
everyone in your IT department? Really? Everyone?) And you wouldn't want
your system to be out of date, would you? Vulnerable to attack?! If the caller
is good—and professional social engineers are very, very good—odds are that
"Todd" will eventually find someone to give him a password; after
that, he's off to the races. And by "off to the races," I mean that
he's successfully infiltrated your network. (Note that I’m saying “he,” but keep
in mind that the social engineer could just as easily be female. There are some
truly exceptional social engineers out there who happen to be ladies. I don’t
think that they’re necessarily better liars or any more duplicitous than the
guys, but perhaps we’re simply not expecting to get hacked by a woman. Whatever
it is, the ones I know of or have met are very
good at this.)
You see, social engineers are hackers of a
sort, but they don't hack systems; they hack people. And people are
easily hacked. We're great targets, because we're trusting and we're helpful. I
hate to say it, but we need to learn to be more suspicious and wary. C'mon,
people—stop being so nice, so trusting! We should all be more like those
people we see writing in comments on the Internet: angry, cantankerous, distrustful.
Well, maybe only a little like them.
No need to get nasty or insulting.
And here I'm going to put in a plug for my
friend, Chris Hadnagy. Chris runs Social-Engineer.com
(and Social-Engineer.org), a penetration-testing company that specializes in
using social engineering to uncover weaknesses in your company's "human
network." He and his team are very good—scary good, in fact. They can lie and wheedle and schmooze their
way into almost any network. If you're wondering if your network has
weaknesses, it does, trust me—especially your human network. It's porous and shaky at best, and Chris and his
folks can help uncover those weaknesses. But my favorite of Chris's endeavors
is the Innocent Lives Foundation (ILF). The foundation specializes in unmasking child predators
and in providing useful, usable evidence to law enforcement officials so that
these people can be found and prosecuted. It's a worthwhile endeavor with a
talented board of directors and headed up by a guy who's the epitome of the
"white hat hacker." (Also, he has a very large,
vicious-looking dog, the name of which I can never remember, so I keep
referring to it as "Fluffy." Someday, "Fluffy" is going to
show up on my front porch and drag me out to the woods and bury me like a very
large bone, and I'll never be seen again. So, if you don't hear from me…)