Lately I’ve been thinking about how successful exploitation and compromise of sensitive information has evolved over the years.
Sure social engineering has been around a long time, Kevin Mitnick was a master of it. But a lot of the damage done and information stolen didn’t even require social engineering. Even just a few years ago, amateur hackers and skiddies (script kiddies) could gain access to thousands, hundreds of thousands, and even millions of valid credit card information belonging to very real people. SQL injection and XSS vulnerabilities were (and some still are) commonplace among many international governments and companies. Teenagers could sit at home, read a simple tutorial on SQL injection, gain access to an unbelievable amount of sensitive information, deface websites, sell this information underground, and cause businesses plenty of headaches. Only after years of news headlines, great sites for education on vulnerabilities, best practices, and even many discussions on whether companies should be held liable for massive security breaches have companies begun to really take security seriously.
That’s not to say security breaches do not happen, and sensitive information isn’t stolen, but it has become substantially harder for your average teenager to wreck havoc, and people feel more safe providing credit card information to large companies.
At the same time, we are more connected than ever before. Sites like Facebook, Twitter, Google+, LinkedIn, allow us to stay in touch with friends, family, colleagues, and see what they are up to. When I see an unfamiliar name, or am introduced to someone new, I can almost always find information about them. Often times their pictures, their friends, their writing style, is all available to me, a total stranger. Social engineering has never been easier. How simple would it be for a hacker to gain valuable information simply by leveraging publicly available personal information and using that to exploit other gullible humans? As developers have constantly worked to improve and tighten website security, we in turn have become the weakest link. Why would a thief pick a lock when they could just go through the window?
But how do I know it’s really them? We’ve all seen the odd status someone posts that was actually posted by their friend: “I’m smelly”, “_____ is the best!”, etc. We only know it’s not them because it’s so silly and peculiar. For the most part, if a friend messaged me or posted a status, I just assume it’s them and don’t challenge it. There isn’t a need to pay attention to details like how they type, their personality, whether or not they would say something like this, we trust it’s them. There is no other information we get that confirms who they are. Is it really your friend emailing you? Is it really your friend asking for that favor? Even if they type just like your friend, they could be someone else. Of course, it would be unrealistic and tiring for us to question the true identity every person that communicates with us online, but it’s completely possible. If you have access to anything/system of value, it’s even more likely that you could be a target.
Then maybe we should refuse to use social media and emails? Maybe we should throw away the last 30+ years of enhanced communication channels and only meet face to face? Of course not. We’ve come so far, and it’s amazing to be able to reconnect with a classmate 10, 20, even 50 years ago, to send messages across Earth and get a response within seconds, to share information, pictures, and thoughts so efficiently. So what is the solution? I don’t know, and I don’t think it can ever be solved; but as our systems become more and more secure, we should certainly become more aware of ourselves as humans, our empathy, our kindness, our bold trust, and susceptibility to social engineering.