Social engineering: The human story behind hacking
A masked hacker, part of the Anonymous group, hacks the French presidential Elysee Palace website on January 20, 2012 near the eastern city of Lyon.
Once upon a time, not too long ago, we called them con artists. They ran scams, they were on the take, they ripped you off, not at gunpoint or by force but by winning your trust and confidence.
Well, the cons moved online. Only today, cyber-security experts don’t call them con artists. They call them social engineers, because they break into computer systems not by hacking the technology but by hacking humans, says Chris Hadnagy, the author of “Social Engineering: The Art of Human Hacking.”
“You look back at the original con-men and the principles are the same, but now it happens instantaneously, almost, because of the web,” Hadnagy says.
He says in the old days, con-men might have spent weeks -- or even months -- getting your phone number, finding out where you work, who your friends are and where you hang out.
These days, social engineers can get that information in days -- or hours -- by scouring the web. And unlike the old days, increasingly, social engineers are targeting businesses.
“When we hear these attacks, we always focus on the tech piece,” Hadnagy says. But he points out that hacktivist and ex-Anonymous member “Sparky Blaze” has said that during her time with the loose-knit band of hackers, all their attacks had a social engineering component. Anonymous has penetrated Sony, PayPal and Visa.
Hadnagy says it’s not just Anonymous, look at the Coca-Cola hack. In that one, social engineers got an executive to click on an email that was made to look like it was from Coke’s CEO.
“He opened it, it crashed, and he said, I guess it’s not a good file, and ignored it,” Hadnagy said. “Well, that file was laden with software and it infiltrated Coca-Cola’s network.”
Nobody knows what the hackers took or how much damage was done. Some suspect corporate espionage, but Coca-Cola has been very mum on the matter. Hadnagy gets it. He says companies are in a pickle.
“See if I tell you that my company was infiltrated because there was this gaping hole in one of my pieces of software, and then I say we patched it, now you feel secure,” he says.
“But if I say, hey, one of our employees got duped and we got hacked... What’s the patch for human error?”
On Monday, we'll talk to a social engineer who'll explain how he used social engineering to penetrate companies that do top secret work for the government.