Your view of the typical hacker is probably that they are a social misfit who spends all their waking hours (which are usually the hours of darkness) bent over their keyboards and typing impenetrable lines of program code into a remote system far far away, and eventually managing to find a loophole in the security that enables them to get in and wreak havoc in whatever way they choose. Ok, this scenario certainly exists, but the top tool in any real hacker’s tool chest is the fine art of Social Engineering: the delicate art of persuading the gullible to hand over sensitive information that enables them to gain access to wherever they want to get to.
Social engineering can come in the form of a phone call, an email, a website or even a ‘chance’ meeting in a bar. Let’s take a look at how this could happen, even to a seasoned old pro like myself.
It’s late on a Friday afternoon, a time that I’m not at my sharpest to be honest. Yes, it’s POETS Day, and the sun is so damn close to the yardarm that I can almost hear the bubbles of the tonic and the clink of the ice cubes, and smell the smell of that much deserved G&T.
As I’m about to power down for the weekend, the phone rings, a call from a number I don’t know. The friendly guy on the other end is called Andy; I don’t know him, but he tells me that he works for an old friend of mine called Eric. He explains that Eric is out of the country on holiday and not contactable, but that something has come up and that Andy urgently needs to get into Eric’s email. Andy is very pleasant and chatty and clearly knows his stuff on a technical level, and we sidetrack onto one of those techy chats about techy stuff that techies find fascinating and for some obscure reason sends all non-techies straight off to sleep.
As it happened I had helped Eric with his email system at some time in the past, and after a quick bit of digging back into my email I find a message with all the login details: username, password and the name of Eric’s much-loved first pet (a guinea pig called Piglet). I pass these on to Andy, who thanks me profusely and says he’ll make sure that Eric knows how I’ve helped out and saved the day. A good deed has been done and an old friend helped out, so I toddle to the bar for that long-awaited G&T.
Monday comes around, and I know that Eric will be back from his hols, so I give him a quick call to see how it went and for him to tell me what a good time he had and how relaxed he is.
But Eric is far from relaxed. He’s actually in a total state. It seems that someone has managed to empty his bank account over the weekend. How could that happen I ask? How did they manage to get into it? Then I feel a cold sweat break out, as Eric tells me that he had the login details in his email box, and that it seems someone had accessed his email last Friday evening…
Thankfully the story above is complete fiction, at least as far as I’m concerned. But be warned, and be aware: do you really know who you’re talking to, or who sent you that email?
I highly recommend checking out an excellent film called Disconnect, which deals with this whole murky area and besides being a gripping piece of entertainment, provides much food for thought.