Crossroads Blog | CYBER SECURITY LAW AND POLICY

Cyber Exploitation, IT security, Legislation

Social Engineering Exploits Cyberspace’s Most Promising Vulnerability

Last month, Reuters reported how Edward Snowden obtained log-in data from 20 to 25 former co-workers in order to access parts of the classified material that he leaked later on.

The headline draws attention to the threat potential of social engineering, which TechRepublic called security's weakest link. The online magazine quoted security researcher Aamir Lakhani saying that “[e]very time we include social engineering in our penetration tests we have a hundred percent success rate.”

Focusing on the human element behind the firewall, TechRepublic introduced two recent events that raised awareness of social engineering’s exploitative potential:

  • the DEF CON 21 hacking conference that took place in Las Vegas in August;
  • a penetration test targeting an unnamed US government agency that was presented at the end of October at the RSA Conference in Amsterdam.

The DEF CON 21 Social Engineer Capture the Flag Report presents the results of the most prominent contest of the conference this year:

DEF CON 21

Participants were tasked with socially engineering employees of Fortune 500 or larger companies (e.g. Apple, Disney, or Exxon) and gathering information from them, for example on the type of encryption or anti-virus software they use (in lieu of sensitive or compromising information). The contest was strictly legal; its sole purpose was education about social-engineering vulnerabilities in cyberspace.

While the DEF CON 21 contest adhered to a strict set of rules of engagement, Lakhani and his colleague Joseph Muniz carried out a more sophisticated social engineering experiment.

Social Deception

With a Facebook and a LinkedIn profile of an attractive young woman, they persuaded a government official to provide their avatar with sensitive information. The researchers were able to gain administrative rights, passwords, the capability to install applications, and to retrieve documents with sensitive information on state-sponsored attacks and country leaders, as TechRepublic reported.

Social engineering is a case in point for the relevance of human agency vis-à-vis merely technological solutions – on both sides of the firewall. As the last attempt to address the issue on Capitol Hill did not make it past the committee stage, there is still no comprehensive legal framework addressing the phenomenon. As long as effective prosecution of malign social engineering is constrained mainly to the pretexting of banking records under the Gramm-Leach-Bliley Act of 1999, and to telephone records under the Telephone Records and Privacy Protection Act of 2006, it is up to the (h)activism of DEF CON 21 and the RSA Conference to keep it on the agenda.
