Social Engineering: Evil Behavioral Science


Pythia Cyber was founded on the principle that there is a huge behavioral component to cybersecurity that goes largely unaddressed in the marketplace. This claim is not obvious to many people, especially people new to cybersecurity. Oddly, the evil twin of this idea is all too familiar to people, even people new to cybersecurity: social engineering.

This is one of two posts on this topic: this post is by our IT infrastructure practice leader; the next one will be by our behavioral science practice leader. Our perspectives are different enough to create some value by showing both the "what" perspective (this post) and the "how" perspective (the next post).

It was once common practice to cite the "dictionary definition" of a term as a starting point for discussing that term in greater detail or greater depth. Now we have progressed to using an AI-generated summary, so let's do that. Social engineering attacks are defined by the Google AI this way:

Social engineering attacks are cyberattacks that exploit human interaction and emotions to manipulate victims into revealing sensitive information or compromising security, often through deceptive tactics like impersonation or creating a sense of urgency.

As is so often the case, this summary is fine as far as it goes, but it does not go very far. We will explore a couple of examples to flesh out an understanding of what these attacks are for and why we care about them so much. As a general topic, let's consider getting around passwords.

Many people assume that evil doers resort to brute force to generate possible passwords: the computer generates a candidate password, tries it, and if that candidate does not work, generates the next one. If guessing an eight-character password, you might start with "AAAAAAAA," then "AAAAAAAa" and so on. This is called "cracking" and is a terrible way to get around passwords, especially passwords chosen by users rather than experts. What evil doers do instead is try to guess your password, because so many of us are so predictable that the search space is far smaller than one would like. Too many of us use some combination of these:

  • birth dates of spouses or children
  • names of spouses or children or pets
  • an exclamation point in the middle, between two words
  • simple substitution: 3 for E, 5 for S, etc
  • sports team names and the year of a great victory

Given this tendency, targeted guessing is a vastly superior option to cracking. But this assumes that evil doers can get some of this personal data about you. Luckily for them, they have social media: yes, reacting to a meme can be quite harmful, alas. Someone posts a meme of a 1968 Dodge Charger and asks "who remembers riding in one of these bad boys?" and now they have an idea of your age if you click "like." Harvesting clues like this seems like an impossible task, but it is not. Your social media footprint is leaking personal information unless you are careful.
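As an added illustration (not code from this post or from Pythia Cyber), here is a defender-side screen that rejects a new password when it is built from the predictable components listed above, checked against a constructed sample profile of the kind of data that leaks from social media or a breach; the `LEET` map, the profile fields and the sample values are assumptions.

```python
import re
from datetime import date

# Undo the "3 for E, 5 for S" style substitutions the post lists (assumed map, extend as needed)
LEET = str.maketrans({"3": "e", "5": "s", "0": "o", "1": "i", "4": "a", "7": "t", "@": "a", "$": "s"})


def predictable_reasons(pw: str, profile: dict) -> list:
    """Return the reasons a password could be guessed from profile data; [] means none found."""
    reasons = []
    raw = pw.lower()
    deleet = raw.translate(LEET)  # "br0nc05" -> "broncos"
    # names of spouses, children, pets and sports teams, checked after undoing substitutions
    for name in profile.get("names", []):
        n = name.lower()
        if len(n) >= 3 and n in deleet:
            how = "verbatim" if n in raw else "via substitutions"
            reasons.append(f"contains '{name}' {how}")
    # birth dates in the digit layouts people actually type
    for d in profile.get("dates", []):
        forms = {d.strftime(f) for f in ("%Y", "%m%d%Y", "%d%m%Y", "%Y%m%d", "%m%d")}
        if any(f in raw for f in forms):
            reasons.append(f"contains birth date {d.isoformat()}")
    # any other four-digit year, e.g. the year of a great victory
    if not any("birth date" in r for r in reasons) and re.search(r"(?:19|20)\d\d", raw):
        reasons.append("contains a four-digit year")
    # an exclamation point in the middle, between two words
    if re.fullmatch(r"[a-z]+![a-z]+", raw):
        reasons.append("two words joined by '!'")
    return reasons


# Constructed sample profile: the sort of data harvested from a "like" or a breached account
SAMPLE_PROFILE = {"names": ["Fluffy", "Emma", "Broncos"], "dates": [date(2015, 6, 14)]}


def check(pw: str, profile: dict = SAMPLE_PROFILE) -> list:
    """Convenience wrapper: screen one password against the sample profile."""
    return predictable_reasons(pw, profile)


if __name__ == "__main__":
    for candidate in ("Fluffy2015", "Br0nc05!2016", "Emma!Fluffy", "correct horse battery staple"):
        print(candidate, "->", check(candidate) or "no profile-based patterns found")
```

A real deployment would run this at password-change time with the user's own profile fields, alongside a breached-password list; the point is that a password looks strong to a brute-force estimate and weak to anyone holding the profile.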

Of course, gently harvesting clues over a long period of time is nothing compared to breaching data and accessing your profile in any number of supposedly unimportant systems. Think of how many of the typical password components are exposed every time someone manages such a breach (we have a blog post that explores breaches here).

Cracking and guessing are not the only ways to get around passwords. Once evil doers have enough of your personal data, they can impersonate you, at least over the phone. They can leverage Customer Service's goal of helping people to hurt people instead. Evil doers who fail to get around your password directly can, instead, call the Customer Service (or Tech Support) of whatever system they are trying to penetrate and can give your personal information in place of having to present a photo ID in person. What are the questions that the poor, innocent dupe on the other end of the phone is going to ask? They are going to ask the caller about information from your profile. Which the evil doers have. Once the forces of evil have convinced Customer Service that they are you, they can set your password to whatever they like. Voila! Password gotten around.

This tactic is why the "I Forgot My Password" link is potentially dangerous: evil doers can fool the password reset software as easily as they can fool a person unless two-factor authentication is involved.

DISCLAIMER: This post may seem like a How-To for Prospective Evil Doers, but it is not, because this post is deliberately out of date: two-factor authentication should thwart these kinds of attacks. You use two-factor authentication for all your system interactions, right? Right?

A quick rant on behalf of cyberdefenders everywhere: there is very little we can do in our realm to prevent social engineering. We can only watch in horror as users leave the metaphoric door unlocked, or leave a key under the doormat. We work so hard on these doors. Please don't hand evil doers the keys.
