Cyber-security has been in the news a lot, following the major attacks in recent months. Most people assume that the technology is the problem – we don’t know how to protect our own technology and systems against increasingly sophisticated technology from adversaries. At this writing, it has just been reported that N. Korea has stolen war plans from both the US and S. Korea. Some countries such as China and Russia employ huge “armies” of hackers against US and European governments and infrastructure, and now N. Korea is becoming more aggressive. But technology and technological systems alone are not the main problems. Cyber experts suggest that people are the main problem – with people problems accounting for more than 50% (some say 70%) of the attacks. So, what do we mean by people problems? These can be everything from people being careless with their computers and thumb drives, to writing passwords on scraps of paper and chucking them into wastebaskets, to forgetting to lock doors to computer rooms. But the main category is that of social engineering.
Social engineering is the psychological manipulation of individuals – generally in order to conduct nefarious acts such as hacking, crime, or terrorism. It’s not new. What is new is the impact that social media has had on its efficacy and spread.
I came across it when I was working on a computer security project for a government Lab more than 20 years ago. The computer security expert (we didn’t call it cyber-security back then) with whom I was working had about a dozen former hackers working with him (I’d call them poachers turned gamekeepers.) I was amazed at how much information they were able to obtain.
More recently, I have got to know a person who is working on identifying the early stages of terrorist recruitment. She has been able to identify both recruiters and their targets, and has been able to describe ISIS’ methods in some detail. It has seemed to me that these are the identical approaches that hackers adopt. Social media has enhanced their methods enormously – and that effect will increase exponentially as WeChat becomes popular in the West. WeChat was developed by the Chinese government – to provide a “one-stop-shop” for all online activity, including banking. It is known that all the data that passes through WeChat is collected by the Chinese, so they are going to have details of everyone who uses their platform.
So… How are targets identified and used by hacker recruiters?
The recruiters look for individuals who tend to be loners, who have some psychological problems, or who are angry, resentful or vengeful towards co-workers, management or employers… Or who want excitement and financial rewards and don’t mind illegal activities.
Recruiters are not in a hurry. They may take months to “turn” a person.
They look for people who express some of these concerns/desires on social media. People who are griping about their boss or the company. People who feel they have been passed over for promotion. They contact them. Sympathize with them. Encourage them. Tell them that they are not alone – there are others who have had similar experiences – introduce them to each other. All the time, the recruiters are able to build up a picture of the organization. In online chats, or over beers, they gradually ask more and more questions about the organization – everything from apparently simple things such as door locks and codes, to more direct questions about passwords, and so on. And they persist until they have the information they require. I watched a white hat hacker get information about a CEO’s bank account by a very interesting trail of phone calls to banks that included inquiring about a manager’s sick child. (The CEO had volunteered to be a guinea pig!) I was dumbfounded by the speed with which the hacker got the necessary information and used it.
Since China, especially, has hundreds of thousands of hackers, I assume they probably have hundreds, if not thousands, of people who speak good English and can be taught to do social engineering. And it may be that they also recruit Americans, Brits, and other Europeans for this purpose. I’m certain that Russia has a similar approach.
So, what can we do about it? “Insider threats” has become a hot topic, but here we are not just thinking about insiders making intentional threats, but rather about those who have become caught up in it because of some period of anger or depression, for instance.
It is possible to detect deception in written and oral text. Perhaps a written questionnaire plus interview, to be completed quarterly, might be one approach. And, since it’s possible to scrape social media for keywords, looking for mentions of the company (in negative terms) might offer insights, but “spying” on employees in that way can be dangerous. Also, from our values-based model, described HERE, we may be able to identify people who have a propensity to be open to recruitment by hackers, and that may narrow down the target segment.
I don’t have the answers, but if any readers out there have some ideas, I would love to hear from you!
Hi Chris! If you do remember the guy’s name, please let me know. Did he mean we were unconsciously adept at it, or consciously practicing it? My bank that tracked the caller down said that the guy that tried manipulating me was calling from China. He spoke excellent English with only a slight accent.
I remember a master manipulator talking on TV a few years back. He defected from the Soviet Union to the USA. He talked about how to topple countries with social engineering. The most disturbing thing I remember him saying was that the USA was really good at its own social engineering, so much that no enemy of the USA could do a better job. It really bugs me that I can’t recall the guy’s name.