Films have always heavily exaggerated the image of a hacker. From banks of dozens of monitors depicting murky images of fancy animations to fingers flying across multiple keyboards, the image of a hacker has been painted with a great deal of embellishment. To be fair, it would be very difficult to make real hacking seem interesting on the screen. A lot of watching script execute while cat videos play in another window doesn’t typically make for good viewing.
Hackers, the film from 1995, was a particularly hilarious exaggeration, but if there’s one thing it got right, it was one of the opening scenes where the protagonist gains access to a television station’s computer network by tricking an onsite guard into giving him the model number on a modem. Hacking is all about exploiting the various vulnerabilities of computer systems, and there is nothing more vulnerable in the computational equation than the human sandwiched between the keyboard and chair.
THE PRESSURE IS ON
That scene from Hackers is a great example, but to put social engineering in a more general frame: imagine that a call center employee receives a call from someone claiming to work at some huge affiliated company. The mystery person asks to be provided with important information, possibly while acting panicked and pitiful or boisterous and irate. The employee, either through sympathy or fear of repercussions, then ignores policy and protocol and divulges the requested information, providing an opening to the hacker without them needing to touch a keyboard.
This method is called pretexting and is insanely effective. Humans, at the best of times, are a mess of exploitable emotions that can easily be taken advantage of by someone with the know-how. All it takes is an elaborate lie that targets a person’s trust or insecurities. A little digging for inside information, a bit of impersonation, and you too can take advantage of a lowly employee with access to important information!
Truth be told, the above example is something of a rarity. As we’ve mentioned previously, hackers work less with fishing rods and more with nets, casting them out and dealing with whatever gets caught. The analogy of casting a net is especially accurate, as phishing is perhaps the most prominent net that hackers cast.
You’ve no doubt received countless spam emails from Nigerian princes and people offering cheap pharmaceuticals. These emails, often filed in the junk folder, are the most obvious and common examples of phishing. More recently, emails that duplicate the exact appearance of legitimate messages, sometimes down to the last detail, have been cropping up more and more, and they look so convincing it’s pretty easy to be tricked into clicking on a nefarious link. The only way to tell them apart is to know what to look for.
Phones can also be used for phishing. Perhaps you’ve also received calls from people posing as Dell, Microsoft, or banking representatives. “Dell” or “Microsoft” will tell you that there’s an issue with your computer and that they need to connect in to fix it (once connected, they’ll install all manner of junk programs and Trojan viruses, then bill you to fix it). “Banks” will scare you into coughing up your Social Insurance or credit card number by stating that they detected fraud on your account. Neither Dell nor Microsoft monitors your system (not for virus issues, in any case), and the banks already have that information and would never directly ask for it over the phone.
Those are just two methods, but there are more. Ads for fake news sites can sometimes lead to virus-infected web pages. Hackers sometimes set up infected sites on URLs that are extremely similar to a more popular site to snare people who typo the address. Spear phishing is a more directed form, using known information to further mislead a targeted user, similar to pretexting. Perhaps the most “fun” way to go phishing is to, for example, drop an infected USB drive on the curb. A curious person, hungry to see what risqué data might be hidden on the drive, may unwittingly plug it into the system, opening them up to infection. All of these methods take advantage of the person behind the monitor to gain access.
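As an added, defender-side illustration of the look-alike URL trick mentioned above (this is example code, not part of the original post): a small Python check that compares the domain of each link against a list of trusted domains after folding common character substitutions. The trusted domains and the sample links are constructed for the example.

```python
"""Flag look-alike domains in links against a short list of trusted domains."""
from urllib.parse import urlparse

TRUSTED_DOMAINS = ("example-bank.com", "justfixit.example")  # constructed
MAX_EDITS = 2  # how many character edits still count as "looks like"


def normalize(label: str) -> str:
    """Collapse common visual substitutions so examp1e reads as example."""
    label = label.lower().translate(str.maketrans("0135", "oles"))
    return label.replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance computed with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str):
    """Return (verdict, matched_domain) for one link."""
    host = (urlparse(url).hostname or "").lower()
    registrable = ".".join(host.split(".")[-2:])  # crude: last two labels
    if registrable in TRUSTED_DOMAINS:
        return "trusted", registrable
    for trusted in TRUSTED_DOMAINS:
        # Trusted name buried in a subdomain, e.g. example-bank.com.evil-host.example
        if trusted in host:
            return "lookalike", trusted
        if edit_distance(normalize(registrable), normalize(trusted)) <= MAX_EDITS:
            return "lookalike", trusted
    return "unknown", registrable


def scan(urls):
    return [(u,) + classify_url(u) for u in urls]


SAMPLE_LINKS = [  # constructed sample links
    "https://example-bank.com/login",
    "https://examp1e-bank.com/login",
    "https://exarnple-bank.com/verify",
    "https://example-bnak.com/",
    "https://example-bank.com.evil-host.example/reset",
    "https://weather.example/forecast",
]

if __name__ == "__main__":
    for url, verdict, match in scan(SAMPLE_LINKS):
        print(f"{verdict:9} {url}  ({match})")
```

The two-label registrable-domain guess is deliberately simple; a real deployment would use a public suffix list.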
IGNORANCE IS BLISS
So how do you remove the human element and protect yourself from silver-tongued hackers? Often it’s a mix of sharing information selectively, education on how to detect scams, and plain old-fashioned distrust of your fellow humans.
Distributing information sparingly within your company reduces the number of possible leaks. Keeping important administrative passwords within a small circle of higher-ups diminishes the effectiveness of social engineering, as employees less familiar with social engineering tactics simply won’t have the information that a hacker requires. A dose of scrutiny also helps. Corporations like Dell and Microsoft won’t ever call you to fix your computer, and if you’re not expecting a package, FedEx most likely isn’t going to have a message for you. If you’re not sure whether an email or call is from a legitimate sender, then let the service desk at Just Fix It know. We’re trained to be able to identify attempts at social engineering.