A Week in the Life of a Hacker: Day 4
By Steve Cox, Chief Operating Officer at TSG
It was time to up my game. I'd had fun sauntering into offices, trying to fool people into believing I was someone I wasn't (though some would say I've spent most of my career doing that). Now it was time to try it from a remote location.
Day 4 - Social engineering
Sometimes the person in a company with the most access (often the person at the top) is that company's biggest vulnerability from a security point of view. Hackers certainly do like to target them.
I targeted the CEO of a small business and, through some simple background research, discovered that he was a massive fan of motorcycling. He had subscribed to quite a few fan sites, and participated in online chats and newsletters.
Posing as an employee of one of the biggest motorcycling magazines, I rang up the CEO. I said that we were really impressed by his level of knowledge of the motorcycling industry from all his fan site contributions, and would he be interested in reviewing the latest Ducati model?
He, of course, said he would be delighted, and would I send him some more information?
This is what I was relying upon. I sent him an email, designing it so it actually did look like it was coming from a motorcycle magazine. It contained a 'media pack' PDF attachment for him to download.
Contained within that PDF was a whole medley of viruses. Once the attachment was opened, the viruses were distributed across his PC without his knowledge.
Social engineering tactics are used often by hackers, and it's all about using information against you so that you don't question what you're doing - whether that's playing on an ego or preying on the vulnerable. They will go to any lengths to manipulate. You might have a policy that says 'don't open emails from people you don't know' - but hackers are trying to become someone you do know. Security policies are only as good as how well they are enforced.
Hackers have always taken advantage of a lack of understanding or naivety when it comes to protecting your assets. There have been a number of stories recently about companies being fooled into giving out sensitive information - take a look at the case of Naoki Hiroshima, who lost his $50,000 Twitter username to a hacker.
But this goes back 19 years. The internet was new in 1995, and there's a famous story from this time about the sex.com domain name.
This just goes to show how technology may be moving on, but the same mistakes are being made, mainly thanks to a lack of processes.
In 1995, no one really had any idea what the internet could do or what it could become (though Gary Kremen, the registrant of sex.com, probably had a bit of a clue...).
Kremen registered the domain with Network Solutions, who were continually hassled by a man called Stephen Cohen, who wanted the domain for himself. He eventually persuaded an employee of Network Solutions to hand over the domain rights after sending them a fake fax.
Court battles ensued, and it was 5 years before Kremen was victorious and the judge ordered the domain to be returned to him. And the cost of damages? A cool $65m, which I don't believe has been paid yet.
It's a case of new technology, new environments - but the same mistakes can still manifest themselves.
Hopefully by now you'll have guessed that I didn't actually carry any of these hacking attacks out. But they are all based on real life events, with the odd bit of fantasy thrown in for the sake of entertainment.
Cloud security is no different from any other type of IT security. You just need to make the choice that you're most comfortable with.
Assess the risk, think about what level of risk you're prepared to accept, and speak to experts you trust who not only understand security but are able to understand how your business works, and can offer you the deployment choice that works for you.
They will be able to guide you on the best way to secure your data, and help your own people protect your business.