How one hack got to engineers with security clearances
The LinkedIn homepage from 2010.
Con men are still around. Online, they're called social engineers. And there's a saying among social engineers: it's far easier to trick someone into letting you into a computer system than to hack into it.
"In any security system, the human element is always the weakest," says Jordan Harbinger, a good-guy social engineer.
"Being a human hacker is so much more interesting to me. Because our brains have so many loopholes and Easter eggs and all kinds of things that normally exist in technical systems."
Harbinger's day job is as a dating coach teaching human dynamics. And that connected him with social engineers.
Harbinger told me about an experiment he did recently. He set out to see if he could use social engineering to penetrate companies that did "top-secret" work with the government. He used the same steps a con man would, only online.
First step: gathering information. To find the companies, he looked for people with security clearances. Harbinger says they're smart enough not to disclose info like that on Facebook and Twitter.
"But they're all on LinkedIn," he says, "because that's where all these guys go to find jobs or network."
Once on LinkedIn, Harbinger found a group for people with security clearances. He created a fake profile, said he was an engineer. And the group's moderators let him in.
Now he had names of companies and employees. "I made a profile as a recruiter, thinking, if these people are looking for jobs, let's give them fake jobs!"
He sent about 100 LinkedIn messages with fake job opportunities. Harbinger said he kept his profile intentionally vague. He didn't name employers. He didn't link to a fake website or set up a fake company email.
And he didn't need it, because LinkedIn helped him exploit a glitch in the human psyche.
People assumed that because he was in the Top-Secret Group, he was one of them. And there was another factor.
"Isolation was really the key, because if somebody is looking to leave their current company, they can't talk to their supervisors. So you don't know who to ask: what can I talk about? What can't I talk about?"
It's the classic con game. If fewer people are involved, fewer people can poke holes in the con.
But on LinkedIn, instead of suspicion, Harbinger got bits of information about classified projects from engineers trying to impress him. He says some of the men -- and most of them were men -- were cagey about naming their employer, or where they lived, but they gave out personal emails. Harbinger ran those through a free forensics search engine and figured out they had profiles on Yelp and other social media sites.
"I used that to find out what kind of things he liked to do, coffee shops where he did work. So if I were a hacker, I would know what wireless networks this guy is working on because I know what he looks like and I know he works at this Starbucks on this corner, and I would just wait around there and then I could start snooping around on his network traffic.
And so it was putting together little pieces of innocuous information to put the puzzle together from that."
Having found his targets, Harbinger set up a "cover." He went on Facebook and created a profile of a female college student. She's attractive but, Harbinger says, he made sure she was "attainable." And she's about to graduate with an engineering degree.
Using that profile, Harbinger approached his targets saying, "Hey, I got an offer from your company. But I'm trying to figure out if I want to work there. Do you like your project?"
"Guys love to come to the rescue, so I played that vulnerability. Damsel in distress. I'm looking for a job, I don't know what to do, can you help me?"
Again, the oldest trick in the book.
"A lot of guys were like, I'm not supposed to tell you this, but I'm working on this. It is so cool, it's got billions of dollars in funding."
Harbinger says he stopped short of pushing for classified information. But he found out about testing facilities, budgets and timelines.
"Right now you're going, I don't know if I'd fall for that. This would never work on me."
And, he says, a lot of employers have the same attitude. So while they'll put resources into cybersecurity software and other technical defenses, many companies still don't train their employees.
Harbinger says, if you're the kind of company that still thinks your people are too smart, then you're the kind of company hackers are going to go look for.