Have you checked your Facebook yet today? Laughed at some memes? (My feed has been full of Hurricane Florence memes this week, and while some were funny, they only barely took off the edge of the waiting game we played.) Maybe you saw your friends interacting with an article or a quiz on your news feed? (Don’t you want to know what Disney Princess you are based on your favorite ice cream flavor? Or what time period you should have been born in based on your favorite movies?) Then you, dear friend, have potentially been exposed to Social Engineering. (Don’t worry, it’s not that contagious.)
Social Engineering was once a nebulous concept, but now it’s becoming more and more mainstream. I’ve mentioned it before, so let’s just do a brief recap of what it is and how it works! Social engineering, in very basic terms, is hacking people, not computers. Take a little bit of psychology, a little bit of people skills, a lot of research, shake that all together, and pour over ice. Any information that we put out there becomes a tool for others to use–your Facebook profile, your office webpage, any social media accounts that you (or your family, or your friends) may have.
Capture The Flag
At DEF CON (the hacking conference J.D. and I attended in August), Social Engineering has such a following that conference organizers have given the topic its own “Village,” a track of interactive talks and contests. The purpose of the Social Engineering Village is to discuss the latest trends in SE, showing security industry professionals the new potential threats to their organizations. The jewel in the crown of the SE Village is the annual “Capture the Flag” contest, which showcases these techniques.
The concept of the contest is simple–give contestants a list of “flags,” pieces of information they need to extract from their targets (anything from names and phone numbers to the operating systems in use), put them in a phone booth, and see how much of the required information they can elicit over the phone in a given period of time. Points are awarded based on how many of the “flags” the contestant is able to get out of their phone conversations. The main purpose of the contest is not to make people feel foolish; instead, it helps us understand how organizations inadvertently let their information slip, and explain to them how they can better protect against clever social engineers (who may not have altruistic motives). The concept to reinforce here is “Trust But Verify.” You want to trust the person who’s on the phone, but you also need to find a way to verify that they are who they claim to be.
While we had the opportunity to see some very skilled social engineers work their magic on several different companies during Capture the Flag, the Village also sponsored some stellar presentations. Not only were we able to get a good laugh out of the topics, but it forced us to see some everyday occurrences through new eyes.
Social Engineering, Kittens, And YOU
Hannah Silvers gave one of the most entertaining presentations of the whole conference when she told us all that her “stripper name” was Bubbles Sunset. Think about how many Facebook memes you see in your newsfeed in a day. Think about how many of them are silly, fun games–“the last three numbers of your phone number are the things you need to be happy” or your birth month and day will give you your “stripper name” or “Christmas elf name.” Seems pretty harmless, right? So many of your friends respond and share, and it’s so much fun to see everyone’s responses, especially when it turns out that all your cousin needs to be happy is just kittens, chocolate, and more kittens. (Not even Netflix. Just kittens.)
But who is on the other side of the meme? Where does it come from? Does it really matter? Maybe not, but think of how many memes are out there that we like and share and trade. And when you respond and share and trade, you inadvertently put your personal information out there for everyone to see. Now everyone who sees the meme knows that your birthday is in October between the 14th and the 21st, and that the last three digits of your phone number are 5-3-8. Another meme may ask for the first or middle three digits of your phone number and the name of the street you grew up on. Or your mother’s maiden name. Or the mascot of your high school. Does any of this sound phishy yet? Do any of these questions sound familiar–maybe security questions you need to answer to access your bank account online? This is information that can give the right social engineer access to your personal accounts! They don’t even have to break into your computer, because you willingly gave them exactly what they needed. And it was “fun.”
There are some things that you can do to protect yourself, though. For one, enjoy the meme for what it is–but don’t post your answers all over Facebook. You can still have the fun without giving everything away. Secondly, even if you’re just an average person, you may want to look into multi-factor authentication for your accounts. Basically, multi-factor authentication in its simplest form combines two different kinds of proof: something you know, and something you have. You input a password (something you know–or don’t know, since we all forget passwords), and then validate your identity with something you have. In many cases, a push notification to your cell phone acts as the second factor. The best part about this–IT DOESN’T COST ANYTHING for consumers. There are many free programs out there that you can use to protect your personal accounts. For example, a combination of LastPass and Duo will not only remember your passwords for you, but also generate complex ones that are difficult to guess. Duo works as your second factor as an app on your phone, and you are far more protected than you were previously. (P.S., if your password is “12345” or “password,” you really should look into this sooner rather than later. A good hacker can crack those passwords in a matter of seconds via a Dictionary Attack.)
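To make the “something you have” factor concrete, here is an added example (not code from the post, and not how Duo’s push approval works) of the time-based one-time code that authenticator apps generate from a shared secret per RFC 6238, together with the server-side check; the secret and timestamps are the RFC’s own test vectors, and the one-step clock-drift window and the constant-time comparison are assumptions about what a careful verifier does.

```python
import hashlib
import hmac
import struct
import time

# Assumption (not from the post): the second factor is an RFC 6238 TOTP code,
# the kind an authenticator app derives from a secret shared at enrollment.
STEP_SECONDS = 30


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """Return the TOTP code for the given time (RFC 6238 with HMAC-SHA1)."""
    counter = unix_time // STEP_SECONDS
    msg = struct.pack(">Q", counter)            # 8-byte big-endian step counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, submitted: str, unix_time=None, window: int = 1) -> bool:
    """Accept a code from the current step or +/- `window` steps (clock drift).

    Uses a constant-time comparison so the check does not leak which digits
    matched through timing differences.
    """
    if unix_time is None:
        unix_time = int(time.time())
    for drift in range(-window, window + 1):
        expected = totp(secret, unix_time + drift * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 Appendix B test secret (ASCII "12345678901234567890"), constructed
    # here for the demo; a real secret is random and never shared beyond enrollment.
    demo_secret = b"12345678901234567890"
    print(totp(demo_secret, 59))                            # 287082
    print(verify_totp(demo_secret, "287082", unix_time=59)) # True
```

Even a phished password is not enough on its own: the code changes every 30 seconds and can only be produced by the device holding the secret.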