Social engineering: the art of hacking in words
When I entered the first year of the Faculty of Information Technology, the teacher casually mentioned social engineering methods. I was only 18 years old then, so the teachers did not begin to introduce us to the nuances of social engineering, leaving this problematic question for later.
As an 18-year-old girl, I was so impressed by the term "social engineering" that I decided not to wait for senior courses and figure it out independently. Then a wonderful world of discoveries and disappointments in people opened up in front of me because hackers cynically deceived people shocked me.
The thing is that technical security measures do not always guarantee 100% safety. Often, even the miscalculation of all risks is powerless in the face of human inattention.
For example, Mark Rush, director of the network security division of Computer Sciences Corporation, so commented on the audit report of the subordinate organizations of the US Department of Homeland Security:
There is no device that prohibits people from being idiots.
Two years before the resonant incident with Snowden, it was in these organizations that people who were responsible for preventing threats on a national scale were tested, and many of them were powerless in the face of social engineering.
Today we will talk with you about the art of hacking a person and find out why many criminals love to use social engineering methods in practice so much.
Table of Contents:
Social engineering is the methods and rules used by hackers to theft information through moral pressure on the victim.
The term "social engineering" was popularized by Kevin Mitnick, a legendary information security specialist. Kevin is a familiar figure in cyber security; he is also the author of "The Art of Stealth", "The Art of Invasion", and "The Ghost on the Net". The activities of Kevin Mitnick has filmed a feature film "Hacking", which caused a lot of controversy regarding the integrity of both the image of Mitnick and his activities.
In the case of social engineering, information theft has nothing to do with vulnerabilities in the IT system; such hacking methods refer to social interactions (online, over the phone, or in-person) between the attacker and the weakest link in the IT security chain − the user.
The most popular social engineering methods are based on the charisma of the hacker and his inner conviction, "I can!" Yes, for social hacking to succeed, you need to have phenomenal arrogance and confidence that the victim will obey. It is why a hacker needs to study psychology.
It is essential to study psychology not only for hackers but also for information security specialists.
The confrontation between the psychologist-hacker and the psychologist-white hacker is an incredible sight!
In addition to the Faculty of Information Technologies, I also entered the second higher education − the Faculty of Psychology. We studied anatomy, the structure of the central nervous system, psychoanalysis and other valuable sciences that helped me calculate hackers' steps in advance.
I think, should include psychology in the educational program on cybersecurity because one cannot survive in a cybercriminal environment without it.
Typically, hackers influence our irrational impulses and provoke vivid emotions − delight, fear, shame, guilt, etc., to take over our minds.
For example, a hacker will try to impersonate another person or pretend to be a government official to persuade the victim to provide confidential information. Moreover, hackers get used to the role so much that often the victim does not even realize that at the moment she is being deceived.
- Well, first of all, it is much easier to get what you want using social engineering methods than, for example, hacking the technical security system of a large corporation.
In the first case, the hacker only has to introduce himself as a staff member or system administrator to gain the victim's trust. On the other case, he needs to calculate all the risks, analyze the organization's security system, and "dig" into the code and hardware.
- Second, social engineering attacks cannot be calculated and tracked using technical information security tools. No program can convince an employee not to send confidential information to someone who has kindly introduced himself as a system administrator from a neighbouring department.
- Third, the social attack is free. An attacker does not need to spend money to buy additional funds for a penetration test; all he needs is charisma and a smile. The risks, by the way, are nominal: even in case of failure, the hacker will not receive the necessary information, but nothing more.
- Fourth, social engineering techniques apply to any operating system and are nearly 100% efficient.
Kevin Mitnick made famous the term social engineering itself and also described its varieties in detail. One of the "bright" social engineering methods is the Reverse SE method.
The method of reverse social engineering is that the victim finds himself in conditions under which he reports the necessary data − without unnecessary questions from the attacker. This method resembles hypnosis, and the victim is a snake that obeys the will of the hypnotist.
By the way, it was this tactic that Edward Snowden used to gain access to the classified materials.
As it later turned out at a hearing in the US Senate Intelligence Committee, Snowden got into the credibility of his colleagues at the NSA's regional command centre in Hawaii.
He worked as a system administrator, so employees and bosses trusted him; no one saw danger or a threat, significantly since Edward often helped his colleagues solve technical problems and were exceptionally polite.
As a rule, the system administrator never asks for user passwords to complete his tasks. The administrator uses his account to solve technical problems or asks the employee to log in to the system without disclosing the password. If the administrator finds out the user's password, he must be informed about this and ask the user to change the password.
Image source − semanticscholar.org
However, Snowden periodically asked colleagues to provide him with credentials under the pretext "to resolve technical issues".
Moreover, they often turned to him for help and provided the passwords for the accounts, trying to help Snowden solve the problem
Using data from more than twenty accounts with different access levels to classified information, Edward Snowden stole more than one and a half million files from the NSA network. For a long time, he did not arouse suspicion since his polite behaviour earned the trust of employees and superiors.
It is how talented hackers get what they want − cleverly and cunningly. Knowledge of psychology, well-thought-out tactics and manipulations open almost all the doors for them.
Social engineering is like a virus: you can't see it but can suffer the consequences long after recovery.
Many employees who have succumbed to the tricks of social fraudsters blame themselves for contributing to the "leak" of data, although they are not to blame for anything. These people are victims of dangerous criminals who have no conscience and shame.
Today we figured out why social engineering is attractive for criminals and why Reverse SE methods hackers use to collect information about victims.
I plan to continue the series of researches about "hacking" a person, so next time I will tell you about the most popular social engineering methods and ways to resist psychological pressure.
In the meantime, write, did you like our meeting today? Say about it in the comments, please.