When we think of hacking, we think of computer geniuses who know all the ins and outs of digital technology and, in particular, network systems and programming. It turns out that’s just a small part of the story. The real story is that hackers use social engineering to gain entry into network systems that digital hacking can’t access.
What is social engineering? Social engineering is simply the gradual and persistent gathering of information about a person with the end goal of taking on the person’s identity to gain access to the target network system or the person’s target account.
What does social engineering look like? It’s simply a hacker’s contact by telephone, email, website forms, texting, etc. with anyone who has relevant information including the target himself or herself. Hackers even use snailmail and in-person contact. Whatever works!
This chapter covers several methods that illustrate how hackers work and what defenses you can employ. Unfortunately, it’s just a sampling of this important topic, and complete coverage is beyond the scope of this book.
The lesson to be learned is that you must evaluate any request for information (either by communication or by filling in a form on a website) as to whether the entity requesting the information has a need to know. Does your dentist have a need to know your Social Security number? It’s likely the answer is no. For your purchase of a coffee maker on the web, does the vendor need to know your Social Security number? The answer is definitely no.
With that in mind, you don’t want anyone to have any of your sensitive information unless such information is mandated by state law, federal law, or other governmental regulations. But aside from laws and regulations, there is sometimes a good reason for you to disclose such sensitive information. Information, such as your social security number, birth date, credit card number, mother’s maiden name, or the city where you grew up can all be part of a line of security questions that when put together can comprise a possible security breach. It’s a judgment call on your part as to whether you will provide such information.
Phishing
One type of social engineering uses technology to get information. Some of the well-known email cons (phishing) have been around for a while. The aim of these cons is to get you to give up information or take action that eventually leads to a breach of your security and thereafter a loss.
- The email shows it’s From: a trustworthy sender (name + email address). The sender (name) looks legit and the address looks legit. Never reply to an email to send sensitive or high-value information, such as your Social Security number. What the email shows as the sender and who the sender really is may be different. Instead, if you believe the request is from a legitimate sender, get the sender’s email address from another source and paste it into a new email message to create a reply.
- The email shows it’s From: a trustworthy sender (name + email address). The sender (name) looks legit but the email address doesn’t seem right. Don’t reply and don’t click (tap) on anything in this email. Contact the sender another way to find out if the email address is really theirs.
- The email shows a trustworthy link in the body of the text. The link looks legitimate. Never click (tap) on the link to take an action that reveals your sensitive or high-value information. The URL behind the link may take you to a different website than the link indicates (e.g., a phony website). In other words, what the link shows and what it really is are different. Instead get the link (URL) independently of the email and paste it into your browser to go directly to the legitimate website.
Hackers invent new cons every day, and if you protect yourself against the above cons, there is no assurance that you won’t get caught in a future con that some genius hacker invents. And cons are not limited to email. You can get conned by phone, in person, on websites, and via other software.
Read about specific examples of phishing and its cousin whaling in Chapter 13.
Don’t Give Information Directly
How do you protect yourself against such cons? Just make up your mind not to provide any sensitive information or high-value information over the internet to anyone who asks for it. Never respond directly to a communication requesting such information.
For instance, should someone send you an email requesting that you submit your login and password to XYZ system by return email in order to keep your account open and up-to-date, don’t respond. Legitimate vendors, organizations, networks, and other online systems don’t operate that way. If they want you to provide information or change something in your account, they will direct you to the appropriate website (URL) to log in and do so. Consequently, your standard practice for any such request should be not to reply but to independently visit the actual website, log in, and determine if the request is legitimate.
Check the Addresses
Before you take any action on an email message, check the sender’s email address. The address that shows may not be the real address. You can check the real address different ways depending on your email program. Some programs alert you to the sender’s real address if the address displayed and the real address are not the same (phishing alert). Some put the real address next to the display address (i.e., show them both). Some show a balloon with the real address when you hover your mouse pointer over the display address. Some email programs may work in other ways. Figure out how your email program handles a sender’s display address and real address. Then check email addresses routinely when an email asks you to take some action. (Cross check the sender’s email signature at the bottom of the email message, too, if there is one.)
If the sender’s display email address and the real address are different, it’s a red flag waving in your face. If you don’t recognize the real address, don’t take any action.
The same is true for any link in the email message. What it displays and where the link actually goes may be different. Learn how you can find the real link address (real URL) using your email program. Then always check links before you click (tap) them.
Do a Cultural Check
Many hackers are surprisingly easy to trace on the internet. Consequently, hackers in the US need to be extraordinarily clever to avoid tracing and prosecution of their crimes by forensic IT professionals working for law enforcement agencies in the US. For that reason, it’s the hackers outside the US, particularly in countries unfriendly to the US, who cause a substantial portion of the trouble; they may be traceable, but so what? It’s very difficult to chase criminals in hostile foreign countries.
As a result, you need to be alert and give each email that asks you to take some action a cultural test. Does the language seem right? Does the grammar seem right? Does the format seem right? Does the request seem legitimate? Does the overall appeal feel right? Foreigners have a difficult time getting it right. But not always.
Do an Emotional Check
Often hacker emails make a subtle emotional appeal (fear, enticement, urgency, flattery) that may work around your normal defenses. Before taking action on any email, stop to cool down for a second and ask yourself, am I making a detached rational decision? Any time you take action in response to an email, it’s a good time to be paranoid.
Beware of Attached Files
Never open an unsolicited attachment to a sender’s email, particularly one with an .exe suffix. An .exe file can ravage your computer. But other files can too. Even an attached file forwarded by a friend can be a fatal attack. Unless you know an attached file to be OK, investigate further before you click (tap) or just ignore it.
Look Out for Counterfeit Websites
After the Equifax data breach (affecting 145 million people in the credit agency’s database), a hacker sent consumers to a fraudulent website created to look like the Equifax website to help victims of the data breach. Instead it was a con. Ironic!
Anyone with minimal internet knowledge can go to a legitimate website (e.g., PayPal), obtain webpages and website graphics, and use them to put up a convincing counterfeit website, all in a very short time. Of course, the counterfeit website will be at a different web address (different URL) than the real website.
A hacker who owns a counterfeit website can make it into a trap for you. The hacker sends you a phishing email directing you to go to the counterfeit website to do something. When you do, the hacker cons you into doing something that will be detrimental to you, or just clicking (tapping) on the link will initiate some detrimental action.
Links
Hyperlinks in text can be text (including displayed URLs), images, or buttons. Whatever displays, however, does not have to be the same as the underlying URL of the link.
How do you protect yourself against such an insidious attack? Again, as mentioned before, check all display URLs against their real URLs. Suppose, for example, that the link in a hacker’s email is to a counterfeit PayPal website that looks real and probably will convince you to do something you shouldn’t do. You don’t want to get that far. Check the displayed link against the real link (as you can learn how to do with your email program). If the URL isn’t PayPal’s URL, you will know you’re being hacked.
If you check PayPal’s URL, you will find that it’s paypal.com. If you find that the real URL underlying the link in the hacker’s email message to you is paymentcenter.ru rather than paypal.com, you’ll know you’re being hacked.
Sometimes, however, it’s not that simple. Suppose you see one of the following URLs:
paypaladmin.com
paypaltech.com
paypalsupport.com
You might believe that such a domain is owned by PayPal and is legitimate. Likely it’s not. Why? Because PayPal will probably not use separate domain names for separate functions. Rather it would use subdomains:
admin.paypal.com
tech.paypal.com
support.paypal.com
In other words, look for the domain name to be exactly the same. (Subdomains followed by a period precede the domain name.) If it’s not the same domain name, investigate further, but don’t click (tap) on the link.
Be aware of the domain suffix. If the suffix is not .com, .org, or .net, it may be another country. If it’s another country, it may be a bad country. Look up suffixes in Wikipedia under URL suffix. A list of countries known to have a lot of hackers together with their suffixes follows:
- .br Brazil
- .cn China
- .hu Hungary
- .in India
- .it Italy
- .ng Nigeria
- .pl Poland
- .ro Romania
- .ru Russia
- .tw Taiwan
- .tr Turkey
If a real email address or a real URL is from one of the above countries, watch out! There are also others, and the US has its share of hackers too.
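To make the checks from this section concrete (the sender’s real address versus its display name, the displayed link versus its real URL, the subdomain rule that admin.paypal.com belongs to PayPal but paypaladmin.com does not, and the suffix list above), here is an added Python example. It is not code from the book: it parses a constructed phishing email (From header plus HTML body), compares every address and link host against the expected domain, and reports anything that fails the rules. The sample message, the WATCHLIST_SUFFIXES set, and the simple two-label registrable_domain rule are assumptions made for the example; real-world code would use the Public Suffix List for the last of these.

```python
"""Added example (not from the book): apply the chapter's address, link,
subdomain and suffix checks to one email message."""
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Country-code suffixes the chapter says deserve a second look (taken from the
# chapter's list; which suffixes to watch is a policy choice, not a rule).
WATCHLIST_SUFFIXES = {"br", "cn", "hu", "in", "it", "ng", "pl", "ro", "ru", "tw", "tr"}

URL_IN_TEXT = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host: str) -> str:
    """'admin.paypal.com' -> 'paypal.com'. Assumption: the last two labels are
    the owner's domain; country suffixes like .co.uk would need the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def same_domain(host: str, expected: str) -> bool:
    """True when host is the expected domain or a subdomain of it
    (admin.paypal.com), False for look-alikes such as paypaladmin.com."""
    host, expected = host.lower().rstrip("."), expected.lower()
    return host == expected or host.endswith("." + expected)


def suffix_of(host: str) -> str:
    """The domain suffix, e.g. 'ru' for 'paymentcenter.ru'."""
    return host.lower().rstrip(".").rsplit(".", 1)[-1]


class _LinkCollector(HTMLParser):
    """Collect (displayed text, real href) pairs from <a> tags in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def check_sender(from_header: str, expected_domain: str) -> list:
    """Compare the real sender address (not the display name) with the expected domain."""
    _display_name, addr = parseaddr(from_header)
    host = addr.rpartition("@")[2]
    findings = []
    if not same_domain(host, expected_domain):
        findings.append(f"sender address {addr!r} is not on {expected_domain}")
    if suffix_of(host) in WATCHLIST_SUFFIXES:
        findings.append(f"sender address suffix .{suffix_of(host)} is on the watch list")
    return findings


def check_links(html_body: str, expected_domain: str) -> list:
    """Compare each link's real host with the expected domain and with any URL shown in its text."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for text, href in parser.links:
        real_host = urlsplit(href).hostname or ""
        if not same_domain(real_host, expected_domain):
            findings.append(f"link shown as {text!r} really goes to {real_host}")
        shown = URL_IN_TEXT.search(text)
        shown_host = urlsplit(shown.group()).hostname if shown else None
        if shown_host and shown_host.lower() != real_host.lower():
            findings.append(f"link displays {shown_host} but points to {real_host}")
        if suffix_of(real_host) in WATCHLIST_SUFFIXES:
            findings.append(f"link suffix .{suffix_of(real_host)} is on the watch list")
    return findings


def check_message(from_header: str, html_body: str, expected_domain: str) -> list:
    """All findings for one message; an empty list means the checks passed."""
    return check_sender(from_header, expected_domain) + check_links(html_body, expected_domain)


# Constructed sample message (made up for this example).
SAMPLE_FROM = '"PayPal Support" <support@paymentcenter.ru>'
SAMPLE_BODY = ('<p>Please <a href="http://paypalsupport.com/login">log in at '
               'https://www.paypal.com</a> to keep your account open.</p>')

if __name__ == "__main__":
    for finding in check_message(SAMPLE_FROM, SAMPLE_BODY, "paypal.com"):
        print("WARNING:", finding)
```

Run against the constructed message, it reports four findings: the sender is not on paypal.com, the sender suffix .ru is on the watch list, the link really goes to paypalsupport.com, and the link displays www.paypal.com but points elsewhere. A message whose sender is service@paypal.com and whose links all resolve to paypal.com or one of its subdomains produces no findings.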
Inquiries
Not all social engineering is done with a combination of digital tricks and fraud. Some social engineering is done with straightforward inquiries either to the target person or to those who can provide information about the target person.
Never give out information to anyone unless they have a need to know. What does that mean? If you’re in the US military and have a top secret clearance, that doesn’t mean that you can look at anything that is designated top secret. You must have a need to know. In other words, the top secret information has to be directly relevant to some official activity in which you participate.
Therefore, if you’re an Army intelligence officer whose job is to gather information on the Bulgarian military establishment, that does not mean that you have access to the top secret specifications of the M1 Abrams tank. That information is only accessible by those officers in the US Army Armored Divisions. However, you will have access to any top secret information available about Bulgarian military affairs and operations.
Here’s a common example. If you make arrangements for someone to pay you for work that you will do for them, they may insist that you provide a W-2 form that includes your taxpayer identification number. For individuals the taxpayer identification number is one’s Social Security number. In that case, you have no choice but to provide the requested information. Otherwise, you may not get paid.
When you reply to such legitimate requests, do not do so by return email. Always initiate a new email to the appropriate email address (from your address book or another authoritative source). Or go to the appropriate website, log in, and provide such information at the website.
Impersonating You
If all the conning methods were the only thing you had to worry about, you might be able to keep yourself secure with proper practices. Hackers, however, use legitimate online research as well as ongoing cons to gain access to networks. A hacker sets out on a quest to acquire as much information about you as possible. He gets a little bit here, a little bit there, and a little bit from a wide variety of sources. Pretty soon he has enough information about you to pose as you when attempting to access a network or account. If a hacker can effectively pose as you when trying to access a network, he can talk people into giving him access to the network or at least more information.
Here’s how that might work. You haven’t used a website for a long time, and you have misplaced your login and password. You can’t get into your own account on the website, but you have a sudden need to do so. You will end up communicating via phone, email, or message service with someone on the support desk. Their job is to authenticate you as the person who you say you are.
Therefore, they will ask you questions about your background that you have provided to them in the past or which they have otherwise acquired from a certain database (e.g., credit bureau). They may ask for your date of birth, your ZIP code, your address, the city you lived in in 2005, and other such questions that supposedly only you can answer. If you answer all their questions correctly, they will work with you to provide your login information and a new password. If not, they will say that they’re sorry but their guidelines prevent them from providing you with access.
A hacker impersonating you goes through the same process. You always want to make it as difficult as possible for some persistent hacker to acquire enough information about you so as to impersonate you (i.e., to pose as you). Therefore, make public as little information about yourself on the internet as practical. That’s difficult to do when you attempt to promote your business or your career online or you participate in social media. But be selective about what information you allow to be made public online.
Who’s the Target
You can take the attitude that nobody is interested in you because you don’t have much money or important affiliations that would be of interest to a hacker. That may be true, but hackers have been known to hack just for fun or to steal just a little bit. More importantly, a hacker may use you as a vehicle to gain access to a target network where they seek to take advantage of the network rather than you.
Access
Once a hacker can get into a system via a user’s account, the hacker can use digital trickery to turn that account into an open door into the network system itself. Thus, social engineering focuses on getting access. If a hacker can get access to a system, he may be able to use technical hacking to navigate around the system and do whatever he wants to do for a larger payoff.
That said, criminal hackers go after the easy targets. The harder you make it for hackers to hack you, the less likely you will be hacked. You’ve likely heard stories about young non-criminal hackers who hack for the challenge. You are unlikely to get hacked by them. There just aren’t that many of them. But there are a huge number of criminal hackers worldwide who are looking for easy success, not time-consuming challenges. It’s everyone’s responsibility to protect their identities, give out as little information as possible, and to be aware that the internet can be a dangerous place if you don’t pay attention to security.
Your Exposure
If you’re a person like most of us, who doesn’t have secrets to protect, such as customer records, proprietary intellectual property, or confidential business information, you’re not off the hook. Hackers are after your money. Your financial accounts (bank, brokerage, credit, shopping, retirement, etc.) are at risk (see Chapter 18).
Home
Now it’s time to really wake up! Your Wi-Fi setup at home is a network. Each member of your family, including your children, can be targets of social engineering. Without secure practices by all family members, a hacker can access your Wi-Fi network. Thus, it’s essential that everybody at home understands the threat of social engineering and uses appropriate practices to avoid falling victim to it. As a parent, you can warn your tech-savvy children of the kind of information they shouldn’t give out over the phone or online.
Social Life
Ah, social media! What a great place to do some social engineering. Your safe practices on social media are beyond the scope of a book about email, but by now you can see that you need to be very careful in your activities on social media, such as Facebook, LinkedIn, and Twitter. A hacker can learn a lot about you and even interact with you. Indeed, if you’re active in social media, you need to brush up on the best security practices for social media websites.
Some social media sites encourage you to use their login information to log in to other websites. Yes, it’s convenient. But don’t do it. You’re setting yourself up to be hacked. And be sure you use a separate and secure password for all social media sites in which you are active. Finally, as much as practical, don’t make your personal information publicly available on social media. Restrict it to friends and family.
It’s the Con
Social engineering is famous for its con artistry. Keep in mind that no amount of secure software, secure network service, or secure email service can protect you against social engineering. Sure, the right email program provides you some protection against phishing (and whaling), that is, until a hacker figures out a way around the email program’s protection. Alas, the best hackers are social engineers, also known as con artists.
Business
Moreover, that’s not the whole story. You not only have to be responsible for yourself but also those in your organization. For instance, if you operate a small business and have a local network for your employees or partners, you have to make sure that everyone else is cognizant of social engineering and understands the practices necessary to thwart such a threat. If you are an employee, you have a responsibility to be aware of social engineering. If you see someone else in your organization using halfhearted social engineering defenses, it’s your responsibility to bring it to their attention. That might be difficult to do if your boss is the offender, but an organization depends on safe practices by everyone.
A con artist can talk his way into anything; that is, persuade people to do what he wants them to do (e.g., provide sensitive information). And it’s social engineering that more often opens the door to technical hacking. It’s not technical hacking that opens the door to success. Because social engineering is the paramount technique of hackers, you need to be forever vigilant.
For more on this topic read Social Engineering: The Art of Human Hacking by Christopher Hadnagy and The Art of Deception: Controlling the Human Element of Security by Kevin Mitnick.
Remember, the more people on your network, the greater the risk; and that brings us to the next story.
Hillary’s Email
It’s worthwhile to take a look at Hillary Clinton’s private email server while she was Secretary of State. It could have been set up with an inexpensive or free email server program (such as BatPost or SurgeMail) and an old laptop connected to the internet. I don’t know how it was set up, but it could have been set up that way and would have worked just as effectively for one person as an ISP’s more powerful set-up works for a thousand people.
In an attempt to keep her private email segregated from her government email, Clinton set up her email server in her basement (probably set up by a BestBuy geek, not her). She inadvertently used her private email server for a number of State Department email messages. As we have found out since, many senators, representatives, and other government officials have done the same thing both before and after Clinton, but she was the first to have such a mistake politicized.
The question for us in this chapter is, was Clinton’s email hackproof?
It’s interesting to note that Clinton’s private email was never hacked that we know of. How is that possible when so many other major internet and email operations were hacked, such as Sony, the Democratic National Committee, Yahoo, the Republican National Committee, Equifax, the Defense Department, and others? The answer is really quite simple: social engineering. Whoever set up Clinton’s private email server could have made it hackproof with off-the-shelf security software, such as Norton Security, and standard email server security practices. And whoever set it up probably did so. Therefore, it is likely accurate to say that Clinton’s private email server was hackproof except for social engineering.
The next question you have to ask is, how could a hacker hack Clinton’s private server through social engineering? As far as we know, there was only one user: Clinton herself. In order to hack Hillary’s email server, a hacker would’ve had to use social engineering directly on Clinton, the sole user. In other words, a hacker would have had to con Clinton into revealing information about her private email account and private server in order to hack into it. Chances of somebody doing that seem remote. She wasn’t just an anonymous user on a large network; the network was hers.
In all likelihood, at the beginning of any attempt to con Clinton, she would have been suspicious and reported it to whoever was managing her home computers. To put it more bluntly, it’s more difficult to hack a network (via social engineering) with one user than it is to hack a network with one thousand users.
One user gives you one chance that social engineering will succeed. A thousand users give you a thousand chances that social engineering will succeed. Indeed, in the case of Clinton, the State Department network was actually hacked. But ironically Clinton’s private email server was never hacked. The reason we know this is that if it had been hacked, the hacker would have come forth and taken part in the political brouhaha over her use of a private email server for government emails.
The lesson to be learned is not that Clinton was a diabolical politician (one opinion) or that she was an innocent computer user caught in a digital conundrum (another opinion). The lesson to be learned is that, oddly enough, she probably had a very secure email system because she was the only user, and it could have been run on an old laptop with an inexpensive or free email server program. Maybe it was.
Final Word
Should you be worried about social engineering? Yes. But just being aware of the threat and taking measures to protect yourself and your associates will go a long way toward substantially reducing the risk that you will be successfully hacked. Protective practices in regard to social engineering together with the technical secure email practices outlined in this book will provide you with the maximum protection you can get.