Wednesday, October 12, 2011

94. Hacking, Social Engineering and RSA


[Article first published as Hacking, Social Engineering and RSA on Blogcritics.]

More than occasionally, people will come to one of my tech friends or me with a computer problem.  With the ever-present digital influence in our lives this is no longer an uncommon occurrence, and we’ve all grown accustomed to the fact that it will, in fact, never end. 

If what they say is true, that knowledge is power, it’s kind of our duty as computer nerds – versions of “keyboard cowboys”, if you’ll allow me to make a reference to Hackers – to help people when it comes to all things technical.  But we’ve all noticed a sharp shift in what people come to us for – where a few years ago it might have been basic OS reinstalls or simple virus cleans, today it’s a lot of security and protection of personal data.  And the reason for that is the evolution of viruses and other pieces of malicious software. 

Back then viruses were designed for one of a few goals: humor and annoyance (i.e. Yankee Doodle and its ilk) or at worst, data destruction (remember Michelangelo?).  But once the internet age took hold, destruction of data wasn’t enough.  Now there are networks.  Now there are advanced communication methods.  Which means now there are means and opportunity.

Where there’s means and opportunity, of course, there’s theft.  Why just destroy data when systems are in place now to try and leverage that data for gain?  That’s the kind of thinking we need to deal with now.  And while most people may think that the biggest thing to fear on that front is a virus or worm that could steal information, or holes in their security, they’re only half right.  What’s more dangerous is the blind spot that prevents them from seeing the human element – how those security holes are exploited and how those trojans and malware are deployed to begin with.  And that human element is called social engineering.

In a nutshell, social engineering means bending someone to your will, whether they know it or not, into giving you their trust, and any information that comes along with that.  It’s a method for skimming information in which a human is the target, not necessarily a computer, and for that reason it doesn’t even need a computer.  It can be done over the phone or even in person.  A common form of social engineering is phishing, where a user is baited into handing over information.  Have you ever gotten those emails that appear to be from Amazon or UPS linking a tracking number or purchase ID?  Yet, when you click on the link, it takes you somewhere that isn’t Amazon or UPS and starts asking for names, passwords and credit card numbers?  What the phisher is hoping is to gain your trust by posing as someone you routinely do business with, then convince you to give them the information they want.  See?  A metaphorical bait and hook.  There’s a myriad of other types of social engineering that I may get into in later posts, but this is just background for a specific story.

RSA, a highly respected security company that provides the popular SecurID two-factor authentication system, was hacked back in March of this year, and that hack started a wave of attacks on companies that do contract work for the US Government, like Lockheed Martin, L-3 and Northrop Grumman.  They’re in the news again, this time with some theories after investigating the incident with the FBI and the Department of Homeland Security.  At RSA’s security conference in the UK on Tuesday, their president Tom Heiser stated, based on the complexity of the attack, that “we can only conclude it was a nation-state sponsored attack.”  They believe that the hackers’ goal was to directly exploit companies that did work for our government, and of course for security reasons they have withheld other information.  Scary as hell, right?

So how did all of this happen to a company of such reputation in the field of security?  It’s been reported (unconfirmed by RSA) that access was gained through a phishing email targeting employees in the HR department with an Excel spreadsheet entitled “2011 Recruitment Plans” and a body text of nothing but “I forward this file to you for review.  Please open and view it.”  No signature, no name, no contact information, and presumably unsolicited.  All it took was for someone to trust that the mail was legitimate, open the attachment, and unwittingly let the code execute.  Supposedly in this case it was an exploit in Adobe Flash that allowed the real attack to be executed, but simple phishing provided the entry point.
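Two checks a mail gateway or triage script could apply to the patterns described above (the display-text versus real-link mismatch from the Amazon/UPS example, and the generic-body-plus-attachment lure from the RSA story), as an added example that is not from the original post; the brand-to-domain map, the risky extension list and the sample mail are assumptions:

```python
# Added example (not from the post): defender-side triage for the two phishing patterns
# described above. Brand/domain map, risky extensions and sample mail are assumptions.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
BRANDS = {"amazon": "amazon.com", "ups": "ups.com"}  # brands the post names
RISKY_EXTENSIONS = (".xls", ".xlsx", ".doc", ".docx", ".pdf", ".zip", ".exe")

def registrable(host):  # crude brand-level domain: www.ups.com -> ups.com
    return ".".join(host.lower().strip(".").split(".")[-2:])
class _LinkCollector(HTMLParser):  # collects (href, visible text) for every <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def claimed_domain(text):
    """Where the link *appears* to go: a literal hostname in the text, else a named brand."""
    t = text.lower()
    m = re.search(r"([a-z0-9-]+\.)+[a-z]{2,}", t)
    if m:
        return registrable(m.group(0))
    return next((d for b, d in BRANDS.items() if re.search(r"\b%s\b" % b, t)), None)

def mismatched_links(html):
    """(visible text, real domain) for links whose text claims one domain but href goes elsewhere."""
    p = _LinkCollector()
    p.feed(html)
    flagged = []
    for href, text in p.links:
        real, claimed = registrable(urlparse(href).hostname or ""), claimed_domain(text)
        if claimed and claimed != real:
            flagged.append((text, real))
    return flagged

def generic_body_with_attachment(body, attachments):
    """The RSA-style lure: a one-line body, no sign-off, and a document attached."""
    short = len(body.split()) < 20
    signed = re.search(r"\b(regards|thanks|sincerely)\b|^--\s*$", body, re.I | re.M)
    risky = any(a.lower().endswith(RISKY_EXTENSIONS) for a in attachments)
    return short and not signed and risky
```

Neither check proves a mail is malicious; they are cheap signals to route a message to a human for a second look before anyone opens the attachment or clicks through.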

So what point am I trying to drive home here?  Hackers don’t need to rely on a toolkit of scripts and exploits to gain unauthorized access to networks.  Sophistication isn’t a prerequisite for successfully finding a point of intrusion – even a primitive social engineering scheme like this one was enough to break into a company like RSA.  So next time you get an email that’s asking you for personal information, or someone’s asking questions that are getting a bit too personal, do yourself a favor and don’t answer them, whether it’s over the phone, via email or on the web.  Ask your service provider whether what you received was really from them and legitimate, and consult one of your nerd friends.

And go buy some antivirus software; I know too many of you are running systems without it.
