We should all know the basics of security -- using strong passwords and two-factor authentication to keep your information protected. However, many recent security and privacy breaches have had less to do with bad passwords and more to do with social engineering. Let's look at what that is, how it can happen without you knowing, and how you can protect yourself.
How Social Engineering Works
Social engineering is a technique to get around security systems by exploiting vulnerabilities in the humans using the system. For example, instead of breaking in or cracking a password, you convince a tech support agent to reset the password and give it to you.
We've shown you some examples of this before. When we talked about how to convince someone you work in their building, that's technically social engineering (although it was for a mostly good cause.) Getting into parties and clubs without an invitation? Same deal.
Social engineering works around or outside existing systems to obtain a desired result. While it can be used for innocent fun, it can also be used to steal identities, violate people's privacy, and cause serious harm. Just ask Mat Honan, who had his identity stolen a few years ago thanks to a little clever social engineering of support reps at Apple and Amazon.
Now, we're seeing it again with the recent leak of celebrity photos, obtained by social engineering, not brute force cracking or sloppy security. In this case, the intruders likely used known information to defeat security prompts, reset passwords, and obtain access to otherwise secured information. The most interesting (and scariest) part is that this kind of social engineering is relatively easy given a little research into your target.
Most people think that social engineering involves engineering the target, and convincing them to give up useful information. That's one way to do it, but it's not the only way. In fact, the most successful methods involve never letting your target know until it's too late. There are far more effective ways to access ersonal data than trying to brute force your Google account.
Why You Should Pay Attention
You may ave already read our many guides to effective password security. You know to enable two-factor authentication wherever possible (including Linkedin). You know you should be using a password manager, know how to audit your passwords, and realise password managers are still your best option even if they appear to be a single point of failure.
Password security and two-factor authentication are important protective steps -- but many hackers aren't interested in just passwords anymore. Remember the 1+ billion passwords a Russian gang picked up last month? Most of those identities are being used for spam, if they're being used at all. That's because identities -- account usernames and passwords -- are only as good as the information they store or have access to, and most malicious hackers are looking for targets with valuable information they can use, exploit or sell.
Selecting a high-value target and using more advanced methods to get their data is a better use of an intruder's time. Given how well it works and how easy it is, that makes us all targets. The illusion that the average person "doesn't have anything valuable" quickly diminishes as it gets easier and easier to use automated tools and social engineering to get access to your data.
How To Protect Yourself
If we haven't established yet how easy it is to use social engineering to obtain information, this piece at The Washington Post explains how easy it is to hack someone's iCloud security questions -- which is probably how some (but not all) of the aforementioned celebrity photos were obtained. Similarly, David Pogue posted his take at Yahoo, where he also debunked some common reactions to the whole affair. So, aside from teaching people not to be horrible jerks who violate each other's privacy and expose personal, private information to the world, what can we do to protect ourselves against social engineering attacks?
- Obviously, never give out confidential information. We went into this in detail in our previous guide to social engineering attacks. While that post focused on protecting yourself from being engineered, it applies here too. A malicious hacker is less likely these days to pose as a friend of yours on Facebook (although honestly, you really shouldn't friend anyone who sends you a request) or call you pretending to be from your bank, but that doesn't mean you can toss around information they could intercept and use to call your bank pretending to be you.
- Safeguard even inconsequential information about yourself. Security questions in particular are usually easy to defeat because they're systemically flawed. Users will want to pick questions that are easy to remember answers to, but that usually means they pick the questions easiest for an intruder to decipher, like "Where were you born?" or "What city did you go to high school in?" If you have to use security questions, be very careful with the information they request, and use the most obscure, nuanced questions available. You can always make a secure note in your password manager or an encrypted text file with the answers if you're afraid you'll forget them.
- Lie to security questions, and remember your lies. You could just outright lie, and say you were born in Darwin when you were actually born in Sydney, but you'll have to remember that lie. Alternatively, you could make up your own questions and use those answers instead, so when you're asked "What's your best friend's first name," put down your pet's name instead. Again, it's tougher on your memory, but it's much more secure, and unlikely to be defeated by an intruder.
- View every password reset email with scepticism. Even the ones that say things like "If you didn't request this, you don't need to do anything." I've found people hammering old accounts I used to have with password reset requests not because they think my account is theirs, but in the hopes they will get a different kind of prompt eventually so they can hijack the account. They know I'm notified every time they try to reset the password, but they're betting on me not doing anything. Contact support for the service in question and let them know. The best services can freeze reset requests for your account, or will send you over to their abuse or security team who can investigate the source of the attack.
- Watch your accounts and account activity. This is in the same vein as keeping an eye out for password requests, but there's nothing wrong with checking your Google Dashboard to see what's connected to your account and where you're logged in (you can even get monthly reminders to check your activity.) Do the same with all of your sensitive accounts -- every cloud storage service, social network, and email provider has some dashboard where you can see where you're logged in and what apps or tools are connected.
- Diversify passwords, critical services and security questions. This one should be common knowledge, but it's clearly not: Don't use the same password everywhere, and don't use the same security questions everywhere they're offered. Sadly, most banks and cloud service accounts recycle the same set of common security questions over and over, and it can be tempting to have five services with "What's your mother's maiden name" as the security question. Don't do it -- beyond the fact that your mother's maiden name is incredibly easy to find out using public information, it's just as bad as using the same password everywhere. Similarly, diversify your cloud storage services, email services and other critical webapps and web services. Don't let one hack, if it ever happens to you, shut down your entire online life. You want to be able to isolate a hack quickly and have tools to react to it if it does.
For more tips, we've covered many of these suggestions (and some more) in our previous guides to protecting yourself against social engineering, as well as how to protect yourself from fraud and identity theft online and offline.
Social engineering and this kind of "soft" hacking isn't particularly new, but it's rising in frequency among even untrained and unsophisticated hackers. A little attention to detail and vigilance goes a long way.