SCIENCE AND TECHNOLOGY -- February 1, 2013 at 12:31 PM ET
Keeping Your Company, Personal Info Safe from Social Engineering Hacks
Keep your computer safe from hackers. Before you click on a link in an email, ask yourself a few questions: do you recognize the domain name? Is your name spelled correctly in the email? What time was the email sent? Read the article for more tips.
Security experts suspect that hackers' months-long attempt to infiltrate The New York Times' computer systems may have begun with a single click by an employee.
While it's not certain how hackers initially compromised The Times, the newspaper reported Wednesday that the hackers may have gained access using a spear-phishing attack, emailing booby-trapped links or attachments to targeted individuals. Investigators said once a falsified link is clicked, the hackers are in.
On the NewsHour Thursday night, The Times' Nicole Perlroth told Correspondent Ray Suarez that the timing of the attacks led some of her editors to fear that the hackers might do worse, such as take down the print or online publication systems.
Although that didn't happen, Perlroth said the hackers cracked the passwords to 53 email accounts.
"You don't have to do damage to do damage," Washington Post reporter Robert O'Harrow said.
For more than a year, O'Harrow investigated the assaults on a person's or organization's cyber security in his series "Zero Day: The Threat in Cyberspace."
"If you're just spying, that's a big deal," he said.
O'Harrow said spies could look to see what Hillary Clinton was quoted as saying in a story before it is published or they could peruse a project the investigative team was working on.
But it was that initial phishing deception that allowed the breach, revealing the weak link in cyberspace: users.
"People aren't trained. People don't understand the risks," computer security expert Kevin Mitnick said. "People don't know how to evaluate whether or not to open up an attachment or click on an email."
Once the nation's most notorious computer criminal, Mitnick is now a computer security consultant who has developed awareness training courses on how to prevent spear-phishing and other social-engineered attacks, in which employees are tricked into divulging information or doing seemingly benign tasks such as opening a compromised document.
Mitnick outlined several scenarios of social-engineered deception, ones he has tested a number of times. These are only a glimpse into the world of social engineering tactics.
The phishing attack
The Times may have been felled by a phishing attack, in which the victim opens a PDF file, Word document, photograph, link, etc., that's full of malicious code. This would give the attacker, in most cases, full control over that person's computer, Mitnick said.
"It's the easiest way in," he said. "When companies hire me to do security testing, we have a 100 percent success rate. There's not been one client in the last decade that I tested that I wasn't able to compromise."
Mitnick listed several red flags in phishing scams: Do you recognize the domain name? Is your name spelled correctly in the email? What time was the email sent? (3 a.m. emails are questionable.)
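The three red flags Mitnick lists can be turned into a simple triage check that a mail gateway or a help desk could run on a suspicious message. The following is an added example, not code from the article or from Mitnick's training material; the sample message, the recipient name and the trusted-domain allowlist are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample message exhibiting all three red flags listed above.
SUSPICIOUS_MSG = """From: IT Helpdesk <support@corp-it-support-portal.example>
To: Jane Doe <jane.doe@example.com>
Subject: Action required
Date: Tue, 29 Jan 2013 03:07:00 -0500

Dear Jan Doe,

Please open the attached document and confirm your details.
"""

# Constructed benign message from a colleague for comparison.
BENIGN_MSG = """From: Bob Smith <bob.smith@example.com>
To: Jane Doe <jane.doe@example.com>
Subject: Lunch
Date: Tue, 29 Jan 2013 10:15:00 -0500

Hi Jane Doe,

Are we still on for noon?
"""

TRUSTED_DOMAINS = {"example.com"}  # hypothetical allowlist of known sender domains


def phishing_red_flags(raw, recipient_name, trusted_domains=TRUSTED_DOMAINS):
    """Return a list of red flags found in a raw RFC 822 message (empty if none)."""
    msg = message_from_string(raw)
    flags = []
    # 1. Do you recognise the domain name? Compare the sender's domain to the allowlist.
    _, sender = parseaddr(msg.get("From", ""))
    domain = sender.rpartition("@")[2].lower()
    if domain not in trusted_domains:
        flags.append(f"unfamiliar sender domain: {domain}")
    # 2. Is your name spelled correctly? Check the greeting line of the body.
    greeting = re.search(r"^(?:Dear|Hi|Hello)\s+([^,\n]+)", msg.get_payload(), re.M)
    if greeting and greeting.group(1).strip().lower() != recipient_name.lower():
        flags.append(f"greeting name mismatch: {greeting.group(1).strip()!r}")
    # 3. What time was it sent? The Date header carries the sender's own UTC offset,
    #    so .hour is the sender's local hour; flag anything between 22:00 and 06:00.
    try:
        sent = parsedate_to_datetime(msg["Date"])
        if sent.hour < 6 or sent.hour >= 22:
            flags.append(f"sent at odd hour: {sent.strftime('%H:%M %z')}")
    except (TypeError, ValueError):
        flags.append("missing or malformed Date header")
    return flags
```

None of these checks is conclusive on its own; a benign message can trip one, so the output is meant to prompt a second look, not to block mail automatically.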
But O'Harrow stresses that an attack is ultimately inevitable.
"Eventually, [hackers] are going to get you," he said. "You're going to slip and click on the wrong thing, go to the wrong website."
The reciprocity attack
An attacker could call a company, masquerading as a fellow employee. Mitnick said he has pretended to be a help desk or IT department, calling the direct extensions of several employees within a company, asking whether they have computer issues.
"If you call 10 people, you're going to get four people that have some sort of computer issue," he said.
And what does he do? He helps these unsuspecting employees by troubleshooting their Outlook or Excel issues. This is the first step of the reciprocity attack, when an attacker does a favor for someone. Then "Phillip," the IT employee, asks for one in return, directing the victim to a website "to see if the page is rendering OK on your browser."
"As soon as they click on the website, game over," Mitnick said.
To put it simply, Mitnick said people are gullible.
"I can come up with pretext on the fly on how to manipulate people into doing what I want them to do," he said.
The face-to-face attack
Unlike the two previous attacks, this social-engineering tactic requires face-to-face interaction—and extensive research.
Mitnick said attackers would research everything about a company, beginning with its logo to print fake business cards. For an evening hack, an attacker could find out which janitorial services a company uses to clean their offices. Then the attacker would learn the janitorial schedule and show up with his disguise and prop: a suit, tie and briefcase.
From there, it's a matter of knocking on the door, saying you left your keys in your office and flashing the fake business card to the janitor for confirmation. Mitnick also said to thank the janitor for opening the door.
Armed with a USB drive, the attacker now has access to the company's systems.
"The magic is setting up the pretext," Mitnick said. "If it's fair, legitimate, reasonable sounding and it makes sense, they perceive no risk to themselves and the company."