Microsoft | NHS Resource Centre


Microsoft NHS Resource Centre - Sidewinder on hacking humans


Article

Sidewinder on hacking humans

Davey Winder's latest security column tackles social engineering

Although security experts often focus on technology, many attempts to steal confidential data focus on hacking humans. Davey Winder investigates the seedy world of social engineering…  


What’s the biggest security problem facing the NHS today? Arguably, it’s the fact that its staff can be conned into giving out information by email, over the telephone and in person to people who ask for it in a credible fashion.

There are very good reasons why NHS staff may be particularly at risk from what are known in the trade as blaggers. They work in a high-pressure environment, with many demands on their time and concentration.

Many services run 24 hours a day, which means fraudsters can take advantage of shift changes to approach different staff at different times. And, as healthcare workers, they are often naturally predisposed to help other people.

A blagger’s tale

Some decades ago I was a private investigator. It was a job I didn’t hold for long; not least because I’m not a very good liar and lying is a big part of the private eye’s toolkit.

Most of the cases I worked on involved finding people who had disappeared without paying a debt. To track them down, I would pretend to be, for example, a worker at one branch of a bank. I would telephone another branch to get information about an account holder.

Move this idea forward twenty years and into the online realm and you have something known as social engineering. This is a fancy term for decades-old “sweet-talking” tactics combined with cutting edge internet technology.

And it is a major threat to security. Phishing, identity theft and hacking all revolve around these skills in one way or another. So if you truly want to protect the sensitive, confidential and patient data held by your trust then you need to get into the head of the social engineer.


Blaggers go phishing

The Symantec Government Internet Security Threat Report provides an analysis of the attack trends faced by the government and critical infrastructure sectors. The latest report says that healthcare is the fourth most targeted sector, sitting just behind the financial services sector.

Symantec also discovered that SMTP-based (email) attacks were the most common attack within the healthcare sector. It is very likely that many of these emails came from spammers attempting to compromise email servers in order to gain the social engineering advantage of trust.

In other words, they were looking for information that will allow them to gather more personal information, either for future misdemeanours on a grand scale (identity theft and fraud) or for worming their way into an individual’s confidence to rip them off in one way or another.

People need to be very vigilant. Some GPs, for example, were recently subjected to “spear phishing” attacks. Instead of spamming every GP with an email asking for the login details of their NHSmail accounts, the conmen targeted just a handful of recipients.

This prevented NHSmail’s hygiene measures from detecting the spam. Because such attacks are highly targeted, they can also be a lot more believable. But in the recent cases, no login data was supplied to the conmen - a great achievement.


Tricks of the trade

Social engineers will adopt and adapt proven scamming techniques. If you look like you should be there – if you look like a cleaner, or a maintenance man for instance – you can wander around many public buildings without hindrance.

The social engineer applies the same “lookalike” tactic to email. If you get regular email from a supplier called medco.com, would you spot an identical looking email from midco.com?
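One way to catch the medco.com/midco.com trick at the mail gateway is to measure how close an unknown sender domain is to the domains a trust already corresponds with. The following is an added example, not code from the column or from NHSmail; the trusted domain list and the sample headers are constructed.

```python
"""Flag sender domains that look like, but are not, a trusted supplier's domain."""
from __future__ import annotations

from email.utils import parseaddr

# Constructed allow-list of domains the trust already exchanges mail with.
# medco.com is the column's example; the other entries are assumptions.
TRUSTED_DOMAINS = {"medco.com", "nhs.net", "example-pharma.co.uk"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance: single-character insertions, deletions or
    substitutions needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain part of a From: header value."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def classify(from_header: str, trusted=TRUSTED_DOMAINS,
             max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the sender's domain.

    'lookalike' means the domain is within max_distance edits of a trusted
    domain without actually being one, e.g. midco.com versus medco.com.
    Such mail is a candidate for quarantine or a visible warning banner."""
    domain = sender_domain(from_header)
    if not domain:
        return "unknown"
    if domain in trusted:
        return "trusted"
    if any(levenshtein(domain, t) <= max_distance for t in trusted):
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample From: headers
    for hdr in ["Orders <orders@medco.com>", "Orders <orders@midco.com>",
                "accounts@medco.co", "someone@gmail.com"]:
        print(f"{hdr:35} -> {classify(hdr)}")
```

A distance threshold of 2 catches one- or two-character swaps and truncations; raise it only for long domains, or short legitimate domains will start to collide.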

Social engineers actually wave red flags all the time; they get little things wrong or they ask inappropriate questions. Most users are smart enough to spot and ignore inappropriate queries about logins and passwords.

But for the record, anyone claiming to be having trouble with their login and asking if they could quickly use yours should be referred to the appropriate technical support channel.

The problem is that fraudsters can be more subtle, and ask about things we’re naturally happier to talk about. So watch out for questions about other members of staff, and particularly for questions about people working in the IT department or senior management. Names and other details can be very effectively used in attempts to gain the trust of others later on.


Even the IT team is vulnerable

The slickest conmen will go straight for the technical support pot of informational gold, armed with information garnered from a “pretexting operation” – as collecting data about a person for use later is known.

One ruse is to call a member of the technical support team, pretending to be someone high up in the management chain, demanding a password reset. Often support staff – and especially those new to the job – will not want to risk upsetting “the boss” and will comply without challenge.

All support staff have to understand that “the boss” will be less than best pleased to discover that a protocol has not been followed and a data breach has occurred as a result.


Your social engineering prevention toolkit

The only real protection is education. IT managers and users alike need to understand that the weakest link in the security chain can be our habit of accepting people at their word, regardless of policy and – quite frequently – common sense.

Meanwhile, everyone should follow some simple guidelines to combat the social engineering threat:

• Users should never reveal login information, ever. A user who receives a request for login data should refer it to the IT department (or follow their trust’s protocol).

• IT managers must ensure that helpdesk staff follow protocol when dealing with requests for login help, and follow it to the letter.

• Users should never view, open or execute any email attachment unless it satisfies all three counts of:

o coming from a known and trusted source
o being expected
o having a purpose that is known and understood.

• To help with this, IT managers should create policies that identify and restrict the types of application which can access the network, so that malware launched by clicking a link cannot execute.

• Users should follow clear and agreed procedures when it comes to dealing with requests for patient information, no matter how polite or persuasive the person doing the asking.

• IT managers should institute an ongoing educational plan, with frequent reviews, to ensure all staff understand how fraudsters operate. Just as a one-off deep-clean won’t eradicate infections from wards forever, a one-off security drive won’t protect data for long.

Related Articles

Find Davey’s other columns on the NHS Resource Centre by using the “sidewinder” tag. If you want to know more about the technical terms for security attacks of all kinds, then read Davey Winder's dictionary.


About the author: Author, journalist and consultant Davey Winder has been writing about security issues for 16 years and was IT Security Journalist of the Year 2006, an award from BT.
