Thanks to my good friends at Team Cymru, I have been keeping up to date on current developments in cyber security while I have been away.
Two items, in particular, caught my eye.
The first was that India is now developing its own army of software professionals to hack computer systems of hostile nations.
The second was about the vulnerability of major companies to “spoofing” – plausible-sounding cold callers seeking information over the telephone AND being provided with enough material to assist hackers to penetrate information systems. Apparently, at the recent DefCon conference in Las Vegas there was a “social engineering” contest challenging hackers to call workers at 10 companies, including Google, Apple, Cisco, and Microsoft, and get them to reveal too much information to strangers. According to an article in The Age, one employee was conned into opening programs on a company computer and reading off specifications of the software in use, details that would let a hacker tailor viruses to launch at the system.
The article continued:
‘”You often have to crack through firewalls and burn the perimeter in order to get into the internal organisation,” said Mati Aharoni of Offensive Security, a company that tests company computer defences.
“It is much easier to use social engineering techniques to get to the same place.”
Other companies targeted were Pepsi, Coca-Cola, Shell, BP, Ford, and Procter & Gamble.
The contest, which continued Saturday at DefCon and promises the winner an Apple iPad tablet computer, is intended to show that hardened computer networks remain vulnerable if people using them are soft touches.
“We didn’t want anyone fired or feeling bad at the end of the day,” Aharoni said. “We wanted to show that social engineering is a legitimate attack vector.”
A saying that long ago made it onto t-shirts at the annual DefCon event is “There is no patch for human stupidity.”
“Companies don’t think their people will fall for something as simple as someone calling and just asking a few questions,” Hadnagy said.
“It doesn’t require a very technical level of attacker,” Aharoni added. “It requires someone with an ability to schmooze well.”
One worker nearly foiled a hacker by insisting he send his questions in an email that would be reviewed and answered if appropriate.
The hacker convinced the worker to change his mind by claiming to be under pressure to finish a report for a boss by that evening.
“As humans, we naturally want to help other people,” Hadnagy said. “I’m not advocating not helping people. Just think about what you say before you say it.”’
I suspect most organisations and businesses in the UK would be vulnerable to this sort of approach …