Steve Burgess, Burgess Forensics
Social engineering, or social hacking, can be both the means of compromising individual or corporate private data and the means of mounting further attempts at compromise after the fact.
One of the most common means of attack is getting someone to use an infected USB flash drive in their networked computer. I did this (without any malware) just two days ago. I called the front desk of my hotel to ask if I could email them a document to print, as I’d forgotten to bring a copy of my Curriculum Vitae for computer forensics expert testimony in court that day. “No,” said the clerk, “but do you have a Jump drive?” Whereupon she plugged my flash drive into two different computers, turning the display toward me so I could direct her to open various files to print.
The Iranian nuclear research facility, similarly, had an unauthorized USB drive infected with malware (Stuxnet) plugged into a computer on site. While it is believed that an Israeli double-agent actually took one or more USB drives into the site, it is not known whether that person just left a few lying around or plugged the drive in herself. In any case, it’s quite simple to configure a computer not to recognize a flash drive plugged into its USB port. So what’s considered to be the very first successful act of cyberwar may have been simply the result of leaving an attractive device lying around for some other person to grab and use on his own on a remarkably undefended system.
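As an added illustration of the point that a computer can simply be configured not to recognize flash drives (this is example code, not part of the original article), the POSIX shell script below writes a modprobe policy on a Linux workstation that refuses to load the usb-storage driver (and uas, the USB-attached-SCSI driver newer drives use), plus a check function an administrator can run to confirm the policy is in place. It assumes a Debian/Ubuntu-style host where modprobe reads /etc/modprobe.d/; the directory is overridable through CONF_DIR so the script can be exercised without root.

```shell
#!/bin/sh
# Added example: deny USB mass-storage devices on a Linux host by telling
# modprobe to "install" the drivers as /bin/false, so they never load.
# Assumption: modprobe honours /etc/modprobe.d/*.conf (Debian/Ubuntu and most
# other distributions). CONF_DIR can be overridden for testing.

CONF_DIR="${CONF_DIR:-/etc/modprobe.d}"
CONF_FILE="$CONF_DIR/disable-usb-storage.conf"

# Write the policy. "install <module> /bin/false" is stronger than
# "blacklist <module>": blacklist only stops automatic loading, while an
# explicit "modprobe usb-storage" would still succeed.
write_usb_storage_policy() {
    mkdir -p "$CONF_DIR" || return 1
    cat > "$CONF_FILE" <<'EOF'
# Deny USB mass storage: a plugged-in flash drive gets no block device.
# Keyboards and mice use the HID driver and are unaffected.
install usb-storage /bin/false
install uas /bin/false
EOF
}

# Return 0 if the policy file exists and denies both drivers, 1 otherwise.
check_usb_storage_policy() {
    [ -f "$CONF_FILE" ] || return 1
    grep -q '^install usb-storage /bin/false' "$CONF_FILE" || return 1
    grep -q '^install uas /bin/false' "$CONF_FILE" || return 1
    return 0
}

# Live check: is the driver loaded right now? (The policy only stops future
# loads; an already-loaded module must be removed or the host rebooted.)
usb_storage_loaded() {
    [ -r /proc/modules ] || return 1
    grep -q '^usb_storage ' /proc/modules
}

# Minimal command-line front end: "apply" needs root, "check" does not.
case "${1:-}" in
    apply) write_usb_storage_policy && echo "policy written to $CONF_FILE" ;;
    check) check_usb_storage_policy && echo "usb-storage denied by $CONF_FILE" ;;
esac
```

Run it as `sudo sh disable-usb-storage.sh apply` and then `sh disable-usb-storage.sh check`. The policy takes effect for future module loads only, so a drive already mounted stays mounted until the module is unloaded or the machine is rebooted, and if the module is baked into the initramfs that image has to be regenerated. On Windows the equivalent control is the "Removable Storage Access" set of Group Policy settings (Computer Configuration > Administrative Templates > System), which can deny read, write or execute access to removable disks fleet-wide.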
As I write this, Target Stores is in full-fledged reputation-repair mode after something like 100 million credit cards were compromised through its in-store Point-of-Sale (POS) card readers. Every night for a few weeks, the attackers behind the malware dipped into a Target server and uploaded thousands of credit card records.
But how did the malware get onto the server and POS devices? If security researchers are to be believed, the vulnerability most probably came from inside. Unless there was an internal saboteur, a careless Target worker, possibly in the IT department, was fooled into revealing important authorization credentials, which were passed on to the hacker: either by a link in an official-looking email (ostensibly from his or her bank, or from a manager or superior in the company) or by visiting an alluring website. Or possibly someone just convinced a helpful staffer to print out a small document from a flash drive.
And now, people are being called and emailed by individuals posing as concerned Target or bank investigators, gathering even more compromising information from unsuspecting victims, as a second wave of social hacking.
While there are sophisticated hackers (such as the writer of the malware that finally made it onto Target’s equipment), the weakest link, and therefore the path of least resistance for hackers, is the unwary individual.
In 2008, 10 million unwary Americans had their credit card info stolen. In 2012, it was 15 million. In just the last month of 2013, more than 100 million.
Now, some prescriptive words to the wise:
DON’T give out your Social Security number – especially over the phone or in responding to an email, and don’t use it as an ID. You usually only have to give it to your employer, your financial institution and government agencies.
While you’re at it, with very little exception, DON’T click on links embedded in emails – especially ones from people you don’t know. It’s probably a good idea not to click on links from people you do know either. It is safer to type the URL or domain name into the browser yourself.
Don’t give your passwords to anyone. Not even tech support should need that.
And don’t be the helpful person who prints out someone’s resume while unwittingly infecting the whole network.
There are courses designed to train both ethical and unethical hackers in social engineering, and books on the same subject. Many thousands of unethical characters are taking these lessons and are now out there looking for helpful souls like you. Do take precautions and don’t become a patsy for the social engineers to manipulate.
About the author:
Steve Burgess, principal of Burgess Consulting & Forensics since 1985, is a practicing computer forensics specialist and expert witness. He is also a freelance technology writer, a speaker and a contributor to the text Scientific Evidence in Civil and Criminal Cases, 5th Edition, by Moenssens et al. He can be reached at firstname.lastname@example.org. Find him in BASF’s Register of Experts at www.sfbar.org/register.