This fall has seen a rash of private data leaks so intimate, so invasive, that a sort of moral panic has erupted over personal computer security.
First, a boatload of female celebrities learned that their private, nude photos had been stolen. Then the perpetrators went after girls on Whisper. Now, as the calamity that is Gamergate spirals onward, it’s clear that a number of high-profile participants on both sides have been “doxed” — a fate that was also met, not long ago, by several Darren Wilsons who were not related to the police officer who shot teenager Michael Brown in Ferguson, Mo.
We commonly refer to these incidents as “hacks,” as if someone commandeered the victim’s computer and pulled things from it without her knowledge. And in some cases, that is indeed what happened. But frequently, and surprisingly, the opposite is also true: Users freely give up their information, or their friends’ information, to total strangers. They just don’t realize those strangers mean harm until it’s far too late.
In some respects, today’s most dangerous online scams are not terribly different from the Nigerian-prince e-mails of old. But modern “social engineering,” or “social hacking,” as practitioners call it, is far subtler and more sophisticated than Nigerian princes ever were. The definition is considerably broader, too: Social engineering describes any technique that tries to get around a security system — not by breaking or attacking the system itself, but by exploiting vulnerabilities in the people who use it. Those “vulnerabilities” can range from the obviousness of your passwords to the manipulability of your feelings.
That also means scammers aren’t just sending e-mails any more. They’re calling your house, pretending to be the credit card company, or calling your Internet provider, pretending to be you. They compile reams of personal data based on information gleaned from public records, social media and Google search. Sometimes, they’ll use these files to guess at your passwords or security questions. And once they’ve cracked those, your world is their oyster: On anonymous forums like AnonIB, or in black-backgrounded pages on the Dark Web, social engineers trade everything from nude photos to Social Security numbers and credit card details.
Complained one user in Reddit’s social engineering thread: “Most ‘hackers’ these days are just glorified social engineers with programming skills.”
Last week’s blitz on Whisper is pretty indicative: So-called social engineers posed as modeling and escort agencies on the app, even going so far as to invent fake backstories and interview questions, to get women to send them nude photos. The trick — according to scammers coaching each other on AnonIB — was to “play the role” convincingly.
When I “hacked” into my brother’s iCloud account back in August, I was also using social-engineering techniques, drawing on the information I knew about my brother to guess the answers to his security questions and gain access to his account. Security experts have suggested similar techniques were used on actress Jennifer Lawrence and other victims of “Celebgate.”
Meanwhile, whenever hackers publicize other people’s personal information online (a generally malicious practice, called doxing), they’ve frequently obtained that information using SE techniques. Many victims will never realize they were targets. Which raises a really terrifying question: How can you protect yourself from something you can’t see?
Since we’re essentially talking about ways for people to trick each other, there’s no real end to the number, or variety, of SE techniques. Generally speaking, however, engineers who want access to your e-mail or iCloud account have three ways to go about the task: They can try to persuade you to give the passwords up directly (“active engineering”); they can try to guess or reset the passwords using other information about you (“passive engineering”); or they can pretend to be someone else entirely and get account access that way (“pretexting”).
Of these options, passive engineering is probably the easiest to pull off — it is, after all, just another strain of “Google stalking,” that favored technique among curious daters and other casual snoops. By gathering information from your social media accounts (as well as from public records, your employer’s Web site, your long-forgotten wedding page, and what have you), a social engineer can get a pretty good picture of what you like, where you live and what you’re generally about. That might be enough information to guess your password. If not, it’s definitely enough information to let the engineer escalate to some other type of attack.
This person now knows enough about you, for instance, to pose as someone from your college’s alumnae office, requesting a donation or updated contact details by phone. They probably know enough to send you a fairly convincing phishing e-mail from the bank or credit card company you use.
In its guidelines for employees, the U.S. Computer Emergency Readiness Team — a division of the Department of Homeland Security — advises they watch out for scammers posing as new employees, repairmen or researchers. I spoke to one self-proclaimed social engineer earlier this year who made a habit of calling the target’s Internet provider, pretending to be her — and then from there calling the target, pretending to be the provider.
In all these scenarios, engineers are often relying on more than just lies and Google to get them by. Many hardcore practitioners also study psychology and cognitive science for clues on how to get people to like you or trust you more easily. (A new social engineering forum on Reddit is, tellingly, full of links to free online psychology and game theory courses from schools like Stanford and Yale.)
This is a pretty skeevy art — it’s related to the cult of the “pick-up artist,” for starters — but it can work. People tend to respond in predictable ways to certain psychological triggers. If you went to a bar, for instance, and the bartender gave you a second drink for free, you’d probably give him a bigger tip in return. (That’s called reciprocation.) Meanwhile, if a uniformed police officer barged into said bar and told you he needed to take your seat, you’d probably give it up. (That’s called authority.)
It would probably be fair to call those things social norms or good manners, too: After all, we’re predisposed to be nice, to be trusting, to try to do the “right” or the “good” thing. That predisposition is, unfortunately, exactly what social engineers are talking about when they refer to “human vulnerability.”
Fortunately, social engineers have a vulnerability, too: They tend to grossly overestimate their manipulative powers. Sure, many SE scams play on emotion, and they certainly help some practitioners get what they want faster. But by and large, these hacks rely on two things only: the weakness of your passwords/privacy settings and your inclination to trust people — even people you don’t know.
That makes the fix easy: For starters, turn on two-step verification, strengthen your password, and rethink your security questions. (Your “mother’s maiden name” is not a safe choice.)
From there, consider reviewing your privacy settings and browsing habits not only on sites like Facebook, but anywhere else your name and picture appear on the Web. You might not have a ton of control over some of these things: I probably cannot, for instance, get my high school to take down some PDF that mentioned me in 2005. But I can delete my LiveJournal from that same year, which ultimately contains far more compromising information. And I can certainly remove my home address from my résumé, which I’m sure I’ve uploaded to the Internet somewhere.
Finally — and this is the big, sad, cynical one — don’t trust people on the Internet, or on the phone, unless you have incontrovertible proof that they are who they say. That’s actually pretty counterintuitive advice, given our general indifference toward privacy: Consider that we regularly tell strangers where we are, what we’re doing and even what we’re spending money on.
Just yesterday — without even thinking about it, really — I authorized the app my doctor’s office uses to share my medical history with third parties, as needed. There are arguably few things on earth more private than your medical history. But if someone called me today and said they were from the doctor’s office and asked me to share that same information, would I ever think to say no? Or ask to call back on their main office number?
Even worse, if someone called and told me they were doing a reference check for a friend applying to a job, or a background check on someone applying for security clearance — wouldn’t I tell that person every dribble of information on my friend that I could muster? Of course I would. In fact, I have. Fortunately, all the callers have been legit … thus far.
It’s regrettable, and exhausting, that we have to live with that sort of suspicion, and even constant vigilance will never be wholly foolproof. But it’s important to understand that when people speak of iClouds getting “hacked,” or people getting “doxed,” or photos being “stolen,” they’re often not referring to actual, technical brute-force break-ins. They’re referring, in many cases, to Internet cons who squirrel and sweet-talk their way into accounts.
The good news there, of course, is that social engineering is in some ways more preventable — and it’s certainly more understandable, to the technophobes among us.
The bad news? Once you know about engineering, you never stop looking for it.