Social Engineering - From the Trojan Horse to Firewalls
Nov 2, 2018 - Nexus, by Columbia University Student
Social engineering is, without a doubt, the oldest computer hack. A loose term defining a range of hacks and scams, social engineering has persisted through countless centuries of human history. Simple in premise, difficult to defend against, and constantly evolving, social engineering represents one of the single greatest threats to information security in the history of technology.
It’s easy to forget that even the most secure firewall combined with the latest and greatest security software is still operated by a human being behind the keyboard. That extra-tight security is only as secure as the person operating the machine. This often presents the easiest method of entry into a secure system, as human beings are much easier to trick than machines.
The ever-changing security landscape doesn’t hinder social engineering hacks. It can even enable them, allowing for more complex and effective methods to gain information from secure systems by using the humans that run them. We’re going to take a look at a few of the more creative social engineering scams seen this year, but first, we need to take a look back in time to get a frame of reference for how this method of manipulation has evolved.
Social engineering is a broad term used to encompass several different types of manipulation, often in the context of confidence tricks. This can be expanded to include a pretty wide range of techniques to influence everything from political or social change to information security.
As it pertains to information security, social engineering is used to obtain access to what would otherwise be a secure system. A tightly locked e-mail server with usernames and passwords, for example, could be cracked with a simple phone call that ends with a password reset in the hacker’s favor.
Gaining credentials for the company web portal with a similar technique would be another example. These attacks are easy to defend against in theory, but in practice, it’s in our nature to fudge the rules a bit when we’re sympathetic to someone’s plight. Who hasn’t forgotten their login credentials once or twice in the middle of a crucial project that needed to be finished by a deadline?
This kind of manipulation of human empathy is what makes social engineering so successful. The best defense against it is security best practices that staff are thoroughly informed of and that are strictly enforced. The use of emotional manipulation to gain access to otherwise secure locations goes back centuries, and it takes a coordinated defense to ensure things stay properly secured.
The year is 800 B.C. A decade-long war has raged between two ancient nations. The conflict comes to an end when, playing on pride, the general of one army offers a gift to the opposing nation-state’s city: A large wooden horse. The horse is loaded with elite infantry who overwhelm the city’s troops in the dead of night and allow the invading forces to crush the city’s drunken defenses.
While the story of the Trojan Horse probably isn’t real, it’s one of the earliest literary examples of a successful social engineering hack. It’s so ubiquitous in computer security that we even named a virus after it: the Trojan Horse is used as a backdoor method of entry into an otherwise secure system. It highlights that even over two thousand years ago, the idea of misdirection and manipulation to breach security had already been established.
Moving forward a couple thousand years and a few leaps forward in technology, a more modern-day definition of social engineering began to take shape. Brought into the public’s eye by rogue black hat-turned-white hat hacker Kevin Mitnick, social engineering was coined as an information security term around the mid-60’s, when a much younger Mitnick began exploiting the technique to run circles around the FBI for decades.
In several books on the subject, Mitnick outlines...
To read the full article, and others written by Columbia University Students, please refer to the source.