Social engineering takes advantage of our innate accepting nature, perpetuating breaches in every aspect of our online existence
Technology evolves rapidly, with incredible advancements changing the ways in which we interact and exist every day. Unfortunately, human behavior is not progressing with the same vitality, thus creating unignorable challenges that threaten our security in cyberspace.
“Having the capacity to evolve doesn’t necessarily mean we’re evolving,” boomed blue-bearded, kilt-wearing, fast-talking Chris Roberts from the Tel Aviv University auditorium stage. The CSH and senior consultant of Sentinel Global presented at Cyber Week’s “Cyber In Motion” segment on Monday, and afterwards spoke privately with Geektime about the potential evolution of social engineering.
Since at least 1250 B.C.E., when the Grecian army famously penetrated the city of Troy with their hollow Trojan Horse, social engineering has served as an important means of psychological control. Multitudes of books describe the ways in which people can carry out “any act that influences a person to take an action that may or may not be in their best interest,” which is how the security website Social-Engineer, Inc. describes the “blend of science, psychology and art” that is social engineering.
Charm involves no technology. “The problem is almost social engineering doesn’t have to evolve much,” Roberts elucidated to Geektime. “And it hasn’t had to evolve because we haven’t evolved the defenses to compensate for it.”
In 2007 one man stole €21 million worth of diamonds and other precious gems from ABN Amro Bank in Belgium. His weapon of choice? Social engineering, of course. Over the course of one year he established relationships with the bank’s employees, earning their trust and, eventually, an electronic card to access the vault.
More often than not, however, Trojan Horses – plainly defined as “a type of malware that is often disguised as legitimate software” – and social engineering act as partners in crime online.
“Ten years ago, it was the Nigerian prince. Five years ago it was, ‘I’m stuck in Colorado and I’ve lost my passport and my wallet. Can you send me money?’ To this day and age… I mean, you’ve got so much stuff. ‘Hey, your Google password needs to be changed! Here, have a link!’” Roberts told Geektime. “Whatever the heck it is, we are still susceptible to it.”
These increasingly sophisticated attacks drastically threaten widespread security. In 2011 social engineering allowed hackers to inflict $66 million in damages on security company RSA through phishing emails disguised as recruitment plans sent to groups of lower-level employees.
Similarly, in 2013 the Associated Press’s Twitter account was hacked by the Syrian Electronic Army through a discreet malware message opened by a few employees, causing an immediate impact on the U.S. stock market.
Roberts knows these situations well. As an altruistic hacker, he is an expert on infiltrating systems, and has conducted many social engineering exploits of his own. “The fact that I can walk into most corporate environments and engineer my way into their rooms, far enough in that I can drop a tool in there and then get the heck out of there, is still a huge problem,” he explained to Geektime.
He believes it is the fault of our inherently kind, trusting dispositions that we can be so easily exploited. And unfortunately, he detailed, “there’s no easy solution for that. We’ve either got to become a hell of a lot more skeptical, at which that doesn’t say much for the human race at all, or there’s got to be other controls in place. Which, for the most part, there aren’t.”
Large-scale education and preventive measures may be our sole means of shielding our decisions from manipulation, and therefore of keeping our data safe from cyber security breaches. Carefully examining the sender address and the content of each email is one step towards confronting today’s phishing epidemic.
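As an added illustration of that “examine the address and the content” advice (this is not code from the article or from Roberts), the script below checks one message for three red flags typical of the “your Google password needs to be changed, here, have a link” lure quoted above: a display name that claims a brand the sending domain does not belong to, a Reply-To that silently redirects replies elsewhere, and link text that shows one host while the href points at another. The brand lookup and both sample messages are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed lookup of impersonated brands -> genuine domain (assumption, not from the article).
KNOWN_BRANDS = {"google": "google.com"}
LINK_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

# Constructed sample in the style of the password-reset lure quoted in the article; every host is made up.
PHISHING_EMAIL = """\
From: "Google Accounts" <security-alert@g00gle-accounts.example>
Reply-To: collect@mailbox.example
Subject: Action required: your password needs to be changed
Content-Type: text/html

<p>Your Google password needs to be changed!</p>
<p><a href="http://login.g00gle-accounts.example/reset">https://accounts.google.com/reset</a></p>
"""
# Constructed benign message for comparison.
BENIGN_EMAIL = """\
From: "Alice Example" <alice@example.org>
Subject: Slides from Cyber Week

See you at the Cyber Week talk on Monday.
"""

def host_of(value):
    # Lower-cased host part of an email address or URL ('' if none).
    if "@" in value:
        return value.rsplit("@", 1)[1].strip().lower()
    return (urlparse(value.strip()).hostname or "").lower()

def phishing_indicators(raw):
    # Return human-readable red flags found in one raw RFC 822 message.
    msg = message_from_string(raw)
    flags = []
    name, addr = parseaddr(msg.get("From", ""))
    sender = host_of(addr)
    # 1. Display name claims a known brand, but the sending domain is not that brand's.
    for brand, bd in KNOWN_BRANDS.items():
        if brand in name.lower() and sender != bd and not sender.endswith("." + bd):
            flags.append(f"display name claims {brand} but sender domain is {sender}")
    # 2. Replies are routed to a different domain than the one the mail claims to come from.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and host_of(reply) != sender:
        flags.append(f"reply-to domain {host_of(reply)} differs from sender domain {sender}")
    # 3. Visible link text shows one host while the href actually points at another.
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    for href, text in LINK_RE.findall(body):
        shown = host_of(re.sub(r"<[^>]+>", "", text))
        if shown and shown != host_of(href):
            flags.append(f"link text shows {shown} but points to {host_of(href)}")
    return flags
```

Each flag is a prompt for a human to look closer, not a verdict; a mail gateway would feed the same checks into a scoring rule alongside SPF/DKIM results.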
When everyone is vulnerable to social engineering, one might hope that security advancements would help protect employees and laypersons alike from our own naivete, but our empathic emotion will always be our technological fatal flaw.
“If I approach you outside of the company, and we start having a conversation, how easy is it for us to walk in together to that corporation?” Roberts asked Geektime. “Way too easy. Somebody inside that front door should go, ‘Two people walked in, only one had a badge. Taser the other one.’ No questions asked! Taser them. Done. Simple! Solved!”
Maybe combatting social engineering can be that simple. Companies and corporations can impose greater physical security measures to scrupulously examine every person that enters their buildings, in order to keep hackers, both malicious and altruistic, out of their offices and out of their systems.
Kindness is a virtue, and human beings do not seem able to change. Until we do, we must force ourselves to be conscientious citizens of the internet, paying attention to the information we volunteer and to what we accept as true, both online and in person, and become more critical of the world around us.