The term “social engineering” was first coined by the American hacker Kevin David Mitnick, who succeeded in breaking into several telecommunication networks, stealing data from them.
Social engineering relies primarily on human curiosity, greed, arrogance and ignorance. These human “flaws” allow valuable information to be extracted by astute people who know how to manipulate them. Generally, it is a classic cybercrime tactic.
For this reason, there is a tendency to remove the human factor from cybersecurity, as far as this is possible, and to replace it with artificial intelligence software.
Social engineering as a weapon in the 21st century
Hacking, information leakage, and even the use of “trolls” are already being used as weapons, most notably in the Russian attack on the 2016 US election, which was an attempt to influence it.
According to Bill Gardner of Marshall University, these tactics have been called “the geek’s weapons” by some researchers. Using hackers and Russian malware to break into (Hillary Clinton’s) Democratic National Committee emails, they passed information to WikiLeaks to publish online in an attempt to sway public opinion in favor of the Kremlin’s preferred candidate, i.e. Donald Trump.

The question of whether public opinion was swayed in favor of Trump remains controversial to this day. The only thing that is certain is that it happened and will continue to happen, in the context of what is called either hybrid or non-linear war.
In general, social engineering attacks aim to undermine a business, or even a government entity (e.g. by attacking infrastructure, influencing public opinion, etc.), and to cause damage, mainly through the interception of valuable and critical data, or even its destruction, leading to damage that is difficult to repair. Even influencing public opinion can cause doubts about the institutions of a state.
The cycle of successful use of social engineering follows a pattern: researching vulnerable targets, “fishing”, handling them, and exiting once the goal has been achieved.
Social engineering in the national security sector
As mentioned above, the human factor and its “flaws” play a big role in the success of such an operation. It is not uncommon for those in critical positions, for example in the Armed Forces, to unwittingly reveal critical information, mainly due to ignorance of the risk. An (imaginary) scenario is that an officer, in the context of an otherwise innocent conversation, reveals that his service uses Windows XP with free antivirus software. The malicious interlocutor thereby learns of a serious security gap, which can be easily exploited.
Methods of interception of information through social engineering, which also concern national security, include:

1. Spear phishing
The problem is certainly not that simple. A hostile social engineering operation will even go so far as to research people’s activity on social networks and identify patterns, information such as locations, and even “personal” data, which it will use as leverage, either covertly or even through extortion, to extract information. We have written many times that the officers of the Armed Forces should be particularly careful about what they share publicly, but also “personally”, with acquaintances or strangers on social networks.
Even transfers, for example, or “check-ins” at various locations made by an executive may reveal details of exercises, or even placements in critical positions. For example, the “innocent” information that “so-and-so feels happy in such-and-such location” can reveal critical secrets. Extracting information from individuals is called spear phishing.
2. Using a “bait”
For example, a malware-infected USB stick, which the victim will insert into his computer.
3. Phishing
i.e. emails with links that lead to websites designed to intercept passwords and other information. Similar emails may contain “innocent” files, such as a simple Excel file, infected with software for data eavesdropping or computer misuse.
4. Vishing
that is, the interception of information through spoken conversation, for example over the telephone. One case is an innocent “wrong” phone call to someone in a critical position, who will answer what their name is, in which area they live, maybe even where exactly they work.
5. Scareware
The attacker will blackmail the victim into revealing sensitive information, claiming to have infected their computer. Another dangerous method is for the abuser to have access to sensitive data, such as photos and videos of intimate moments, knowledge about a person’s sexual habits or preferences, etc., and to use it to make the victim “cooperate” with the blackmailer.
6. Honey trap
that is, recruiting a good person, who will trap someone who may be married, blackmailing them for information in order not to reveal it.
7. Whaling
is the targeting of high-ranking officials, with the aforementioned methods.

Examples of successful social engineering operations
The best-known example is the use of the Stuxnet malware, which severely damaged Iran’s nuclear program in 2009-10 and was allegedly developed jointly by Israel and the United States. The nuclear program’s computer network was not connected to the internet for obvious reasons. It is alleged that during the operation, unknown individuals approached an Iranian scientist working on the program and managed to infect his laptop. Then, when the scientist returned to work, he connected his computer to the network as usual, causing great damage to the centrifuges of the facilities.
A lesser-known example occurred in 2013, when Syrian hackers belonging to the Assad regime managed to install malware and gain access to the official Twitter account of the Associated Press through a fake email sent to dozens of the agency’s employees. They were able to post a tweet that said two explosions had allegedly occurred at the White House and then-President Barack Obama had been injured. As a result, within five minutes, the Dow Jones fell 150 points.
It becomes clear from the above that social engineering is a valuable tool of hybrid warfare, with tangible examples of success.
Dealing with this type of threat
Dealing with such threats starts with:
1. Thoroughly informing the staff.
2. Frequent checks for malware and use of up-to-date antivirus and antimalware programs should be taken for granted.
3. Likewise, passwords should have at least 16 characters (letters, numbers, symbols) and be changed at regular intervals.
4. Computer networks should be regularly checked by experts for security holes and malware.
5. Connecting computers with critical data to the internet should be avoided. There are quite a few cases where executives use office computers to connect to social networks.
6. Definitely use a two-factor authentication method. For example, strong password and connection confirmation via SMS, or similar.
7. Under no circumstances should discussions concerning sensitive official information be held with acquaintances and friends.
8. The rule is that “a secret that two people know is not a secret”.
9. Finally, great attention should be paid to the data we share on the internet and especially on social networks.
Safeguarding private secrets begins with personal discipline in matters of behavior in the virtual and digital world, especially in the information we share, and culminates in strict safeguards for information that is circulated at the highest levels of management.



