As cracking passwords and encryption by technical means is getting harder, the employees in charge of security become the weakest links in the chain. Social engineering hacks use a combination of publicly available data and expert bluffing to tweak confidential data out of customer service personnel.
“Are you the LOD today?” contestant J.C. asked as he connected with a Target store manger. Rattling off details about the company’s external supplier software, he knew enough jargon to convincingly pass himself off as a systems administrator from Target’s Minnesotadata center (“TTC” in Target corporate-speak).
When one of his questions triggered an alarm bell — the store manager wondered why he was asking her for technical info HQ should already have — he assuaged her suspicions by offering up specifics. “This is store 8761, right?” he asked. (Not the real number; I changed it.) “Yup, you’re the one we’re supposed to check. We need to confirm everything and figure out why this software patch isn’t going through.”
I asked J.C. later how he found the store numbers for his targets — that seemed like potentially sensitive data. Was it something Target makes public? The answer: Nope, but if you look up a location in the “store locator” on Target’s website, the URL for each store includes its number.
J.C. competed in a benign Defcon hacker contest but less sporting individuals employ similar techniques with great success. The latest victim was Mat Honan whose Apple iCloud account got hacked. Once the hacker was in, he wiped all of Mat’s Apple devices (iPhone, iPad, MacBook Air) – but not before retrieving the logins for Mat’s Google and Twitter accounts, wiping those as well! As it turns out, this nightmare was the result of a highly successful social engineering hack:
I know how it was done now. Confirmed with both the hacker and Apple. It wasn’t password related. They got in via Apple tech support and some clever social engineering that let them bypass security questions. Apple has my Macbook and is trying to recover the data. I’m back in all my accounts that I know I was locked out of. Still trying to figure out where else they were.
The lesson here is twofold. First, there is absolutely nothing you can do to prevent such attacks. Forget about stronger passwords or two-factor authentication – it’s the employees at the companies that manage your data who are the security risks. Just like one Dropbox employee in another recent high-profile hack. (Dropbox’s announcement of two-factor authentication is pure propaganda – it wouldn’t have prevented this theft.)
Second, here’s the one thing you can do: never leave important unencrypted data in a cloud service! Especially not a free one that offers no restitution in case of disaster. Jason Scott said so 3.5 years ago, and Steve Wozniak also got the right idea. Always maintain local backup copies, and don’t keep sensitive data in the cloud longer than necessary. Use a private encryption such as TrueCrypt for any sensitive data that permanently resides on third-party servers. If that’s not possible, don’t use that service.