This week my studies took a bit of a left turn into Social Engineering. Whereas everything else so far was technical in nature, using and abusing hardware and software issues and their vulnerabilities, the most recent classes covered the most defective element of any security system – the meatbag in front of the monitor. PEBKAC indeed!
In terms of systems, I got started with Maltego CE. The interface is very user-unfriendly, but with the right walkthrough and plugins, it’s the tool I never knew I wanted! By running plugin-based searches across all sorts of media for nodes such as people, websites, servers, and so on, it becomes possible to draw intricate networks of connections between nodes – like a conspiracy theorist’s corkboard, only for cyber-stalking. Fun stuff!
Next up on the technical side was spoofing: bundling malicious code with a legitimate file and obscuring the executable extension, as well as spoofing emails and accessing email servers to send spoofed emails without getting immediately flagged as spam.
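The post doesn’t say which extension-hiding trick the course used, so as an added example (my own code, not the course material) here is a small checker for the two most common ones: a double extension (`invoice.pdf.exe`) and the Unicode right-to-left override, where a file really named `annex` + U+202E + `gnp.scr` is drawn by the file manager as `annexrcs.png`. The executable and decoy extension lists are assumptions; tune them to your environment.

```python
"""Flag filenames that disguise an executable as a document.

Added example, not code from the course or the post. Sample filenames
in the usage section are constructed.
"""
import re

# Unicode bidirectional controls: they change how a name is drawn, not the
# bytes the OS uses to pick the handler. U+202E (RLO) is the usual choice.
BIDI_CONTROLS = frozenset("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")
RLO = "\u202e"

# Assumed lists; extend for your environment.
EXECUTABLE_EXTS = frozenset({"exe", "scr", "com", "bat", "cmd", "pif", "js",
                             "jse", "vbs", "wsf", "ps1", "hta", "msi", "lnk"})
DECOY_EXTS = frozenset({"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx",
                        "jpg", "jpeg", "png", "gif", "txt", "mp3", "mp4", "zip"})


def strip_controls(name):
    """Drop bidi control characters, leaving what the OS actually sees."""
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)


def real_extension(name):
    """Suffix the OS dispatches on: text after the last dot, controls removed."""
    _, dot, ext = strip_controls(name).rpartition(".")
    return ext.lower() if dot else ""


def displayed_name(name):
    """Approximate rendering: everything after an RLO is drawn right-to-left."""
    if RLO not in name:
        return strip_controls(name)
    head, _, tail = name.partition(RLO)
    return head + strip_controls(tail)[::-1]


def displayed_extension(name):
    """Extension a user would read off the rendered name."""
    _, dot, ext = displayed_name(name).rpartition(".")
    return ext.lower() if dot else ""


def suspicious_reasons(name):
    """Return the reasons a filename looks like extension spoofing ([] = clean)."""
    reasons = []
    real = real_extension(name)
    shown = displayed_extension(name)

    # 1. Bidi override: what is shown does not match what will run.
    if any(ch in BIDI_CONTROLS for ch in name):
        reasons.append(f"bidi override: displayed as {displayed_name(name)!r} "
                       f"(looks like .{shown}), real extension .{real}")

    # 2. Double extension: a decoy document suffix right before a real executable one.
    clean = strip_controls(name)
    parts = clean.lower().split(".")
    if len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTS and parts[-2].strip() in DECOY_EXTS:
        reasons.append(f"double extension: .{parts[-2].strip()} decoy before real .{parts[-1]}")

    # 3. Long run of spaces so the real extension scrolls out of a narrow column.
    if real in EXECUTABLE_EXTS and re.search(r"\s{8,}", clean):
        reasons.append("whitespace padding before the real extension")

    return reasons


if __name__ == "__main__":
    # Constructed samples: two honest names, three disguised ones.
    for sample in ("report.pdf", "setup.exe", "invoice.pdf.exe",
                   "annex\u202egnp.scr", "report.pdf" + " " * 20 + ".exe"):
        print(repr(sample), "->", suspicious_reasons(sample) or "ok")
```

Note that a plain `setup.exe` is not flagged: the check is for mismatch between what the user is shown and what will execute, not for executables as such. The RLO rendering is an approximation of real file-manager behaviour, which is why the real extension is always reported alongside it.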
The downside of this part of the course is that it feels like it’s stretching the concept of “ethical hacking” to the limits of what can be considered “ethical”. If I spoof a VM, or a real device with the owner’s permission, for the sake of attempting a man-in-the-middle attack, I’m not hurting the device’s feelings. To even test out a social engineering attack I have to try to fool someone. I have no problems with pushing the limits of what I can find out about an entity online through publicly accessible information, as the entity in question can use that data for good (e.g. improving their personal privacy by restricting apps’ access to their data), but getting someone to “click here” feels too close to Nigerian royalty.
Even so, the shock value of a successful social engineering attack can have positive effects in the sense of raising awareness. A BBC journalist agreed to let a cyber-security firm try to phish him, and they succeeded.
Did you click that link? Considering the subject of this post, did you even check if it was legit? This time it was – but what if it hadn’t been?