While working for Hillary Clinton in 2016, campaign chairman John Podesta received a strange email asking for his Gmail credentials. It looked suspicious, so he sent it to the campaign’s IT staff. The staffer knew that it was a bad link and meant to reply that it was illegitimate. Thanks to a spelling error, however, his reply told Podesta the opposite: that it was legitimate.
The best of intentions can be undone that easily. Both Podesta and the IT staffer followed procedures, but a very human error led to the campaign’s email being hacked, allegedly by the Russian government.
At the 2018 Cyber Security Chicago meeting, Kevin Mitnick, a convicted felon turned IT security expert, talked about how hackers attack and how to fight back. Mitnick served time in prison for hacking and now runs a security consulting business. Breaking into systems usually starts with an email or a phone call, he said, and usually involves heavy-duty social engineering.
He defined social engineering as “a form of hacking that relies on influence, deception and manipulation to convince another to comply with a request to compromise a system.” The advantages to the hacker are many: it’s much easier than developing a technical exploit, it doesn’t leave logs, it’s free or low cost, and it works on every operating system and platform. More importantly, there is very little risk of the attacker being caught and prosecuted. In fact, he claims that social engineering is 95 percent to 100 percent effective – and it only requires one person in an organization to fall for it.
He walked the audience through the process of setting up and executing a social engineering hack. It usually starts by gathering information. A company’s website may give information about the organization chart, and LinkedIn can identify the people who handle information technology. Potential vulnerabilities can be identified through a website’s metadata, which may reveal information about a company’s operating systems and software platforms.
Mitnick said that sales and marketing people are often great entry points because part of the role is to respond to outside requests for information. For example, someone could send a spearphishing email asking for information before sending out a request for proposal. The email may include a fillable form or a GoToMeeting request (and exploit attached) and the sender may follow up with a phone call. That would be enticing, and very similar to a perfectly legitimate inquiry.
Mitnick warned the audience about the use of external Wi-Fi networks. For example, there’s nothing to stop anyone from setting up a Wi-Fi network called “attwifi” and then using a keystroke logger to copy everything a victim types after connecting. And, because laptops and phones have built-in microphones, they can be turned into listening devices. His advice: don’t do any system updates or make any transactions on Wi-Fi outside of your home or office.
To reduce risks, Mitnick recommends training users. His firm also attacks clients’ existing systems to see how long it takes to penetrate their security (known as “pen testing”). He further recommends running all software updates and installing necessary patches (from a connection known to be safe, of course). Only system administrators should have local administrator rights. As much as possible, decisions should be automated: the less involvement employees have in performing upgrades or authenticating credentials, the less likely they are to make unfortunate mistakes. These practices can be used at organizations of any size.
The Cyber Security Chicago conference was geared to administrators of large systems, but there is good news for startups that deal with sensitive information or that work with major enterprise customers: several vendors offer cloud-based email and file-protection services. BAE Systems, a major supplier to aerospace companies and government agencies, for example, offers email protection services for about $100 a month per user. This is overkill for most businesses, but if your company needs high-level security, it is accessible.
For the rest of us, watching how we use Wi-Fi, keeping our software up-to-date, and staying skeptical will go a long way toward keeping our information safe.