Tuesday, November 18, 2014

Social Engineering - The Infinite Leak

In this day and age, people tend to glorify, admonish, and fear what they call "hackers." The word "hacker", in this particular sense, usually implies that the person in question is smart and capable of manipulating extremely complex technology. The first adjective is correct- a hacker needs to be smart, but they don't need to be technically capable to get very far. In fact, all it takes is the ability to manipulate people.

When hired, a cyber security agency tends to run it's first tests on a company's employees, not their computers. Using only their wits, said agency attempts to gather any information they can that might allow them to create an admin account on the company's computers while trying not to appear suspicious. This method usually works, proving two things; hackers don't need to be unimaginably good with computers to break into systems, and humans are the greatest security weakness of all time.

Interestingly, social engineering tends to be one of the most effective methods for breaking into computer systems, despite the public's usual illusion that they'd be too smart to simply give away their passwords. Some of the most famous viruses of all time were traced back to social engineering methods. One such example is the virus "Stuxnet", which is thought to have originated in the United States with the purpose of slowly destroying Iran's nuclear program. It is suspected that the virus was introduced through a USB device that some unsuspecting employee plugged into their computer, which then caused the virus to infect and slowly wear out nuclear centrifuges.

The US military has also been a target of social engineering attacks. The most devastating cyber attack on the military in recent history came from a virus dubbed "Agent.btz"; the virus was traced back to a USB drive that a military employee found in a parking lot and plugged into their computer. The military learned of the infection when they caught the virus using very basic data transmission methods to send information back to it's creator.

By using basic conversational tricks or exploiting natural human behavior, an intelligent person can gain access to any computer system, no matter how heavily guarded, by exploiting it's most vulnerable security hole; the users. Users are a required component of any computer system- they create a security hole that cannot be permanently fixed, making them an ideal attack point for any system. So next time you promise to never tell anyone your password, take a moment to think about the number of ways that question can be asked.

No comments:

Post a Comment