Wealth, revenge, and power are as irresistible to today’s criminals as they were to the criminals of an era before computers. Only the tools have changed over time. Social engineering is a confidence trick, similar to what a confidence artist might employ. The goal, in the context of computer security, is to leverage a person’s assumptions, biases, or lack of knowledge about a system in order to obtain information about, or access to, that system. This can be accomplished electronically, over the phone, or even in person. While by no means the solitary method of infecting a computer, trojans are aptly named: they bypass a system’s security by tricking the owner into believing the payload is benevolent, beneficial, or required. Fake antivirus is an example of this behavior: a malicious website runs a fake virus scan and reports the computer as infected. The trojan then poses as a legitimate antivirus program for purchase and installation. A more nefarious version of this scheme is ransomware. In this scenario, for example, a website (either previously compromised or surreptitiously redirected to) displays a warning that the user has been caught breaking the law and must pay a fine.
Another common avenue of attack is the phishing email, seen frequently at both the personal and corporate level. At home, the email may masquerade as an official document from, say, PayPal. At the business, phishing emails may take the form of a request from the local IT department. There are two important aspects to making the deceit successful: imitation of the legitimate source (often achieved by pasting corporate logos into the email), and masking URLs (so a link appears legitimate but actually redirects to a fake website that collects credentials). Viruses and other forms of malware bypass human interaction altogether, taking advantage of software bugs or holes in security, and relying on people who neglect to update their systems. This type of attack can be completely silent, never drawing attention to the fact that the system is infected, so as to keep the victim from removing the malware. When this happens, it is an indication that the malware is communicating with other infected computers to coordinate an action, such as attacking a server to bring down a website.
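The URL-masking trick described above can be checked for mechanically: compare what a link's visible text claims against the host its href really points to. This is an added example, not code from the article; the `.test` hostnames and the sample e-mail body are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML e-mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def link_host(url):
    """Lower-cased hostname of a URL (scheme-less hrefs get http:// prepended)."""
    if "://" not in url:
        url = "http://" + url
    host = urlparse(url).hostname
    return host.lower() if host else None

def masked_links(html, trusted_domain):
    """Return (visible text, real host) for links whose text claims
    trusted_domain but whose href actually points elsewhere."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = link_host(href)
        claims_trusted = trusted_domain in text.lower()
        on_trusted = host is not None and (
            host == trusted_domain or host.endswith("." + trusted_domain))
        if claims_trusted and not on_trusted:
            findings.append((text, host))
    return findings

# Constructed sample: the first link's text reads as PayPal, its href does not.
SAMPLE_EMAIL = """
<p>Your account is limited. Log in at
<a href="http://paypal.example-login.test/verify">https://www.paypal.com/</a></p>
<p>Help: <a href="https://www.paypal.com/help">paypal.com help centre</a></p>
"""
```

The second link is not reported because its real host is a subdomain of the trusted domain; only the text/target mismatch is flagged.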
In the Microsoft Tech Support Scam, the criminal poses as a Microsoft technician and contacts people over the phone. The victim is shown a relatively accessible Windows feature, the Event Log (which logs computer activity), and told that completely innocuous messages are in fact proof of infection. Naturally, a small fee is required to clean the computer or renew a fictitious warranty. That fee is usually kept in line with legitimate software costs, as a way to further legitimize the scam. Grammatically poor English (such as “You have 100 hacking files on your computer, you are very high risk”) may have been a tip-off in the past, but in the global economy we have become accustomed to language barriers in the tech support field. In email variants, such as the Nigerian Scam, the person is promised enormous returns on a small investment. The details differ and continually evolve, but the basic premise remains the same: the victim is led to believe he or she has inherited money from a long-lost relative, or that a wealthy foreigner needs help moving funds out of the country. The scam is so named due to the laughable (and thus memorable) English grammar of the scam emails; however, this hides the much more sinister motive of filtering out all but the most gullible of individuals, ensuring success.
INCOMPETENCE AND INDIFFERENCE
Proper security is a difficult and expensive process to implement. Some website developers will mean well but forget a crucial step; others may be underpaid, or simply not have time for completeness. The popular phrase “security by obscurity” describes situations where weaknesses and poor practices are simply hidden, or not easily encountered. This will never stop a malicious hacker—they will leverage every bug, every cut corner, and every oversight to gain access. The Secure Socket Layer (SSL) protocol is the basis for security on the web. It provides a secure communication channel between the server and the person visiting the website. When visiting a website, the “HTTPS” in front of a URL denotes HTTP running over SSL. “…HTTPS gives us assurance of identity (we know who we’re connecting to), it ensures data integrity (we know the content hasn’t been modified) and finally, it gives us privacy (the data is encrypted and can’t be read by others).”
When transmitted over HTTPS, packets of information can only be read by the two communicating parties—if a third party obtained a copy of the data, they would be unable to decrypt its contents. In order for HTTPS to be effective, the entire page must be encrypted. If elements of the page are loaded over plain HTTP, the entire page is rendered vulnerable. Modern browsers are able to detect this and warn users appropriately. Cookies are a standard method of storing a visitor’s authentication status, but they can be compromised if handled inappropriately. For example, cookies holding personal data should never be transmitted outside of HTTPS. When a website employs SSL, the server gives the browser a digital certificate (which contains the server’s public key) so they can communicate securely. These certificates are validated by a Certificate Authority; all browsers keep a list of trusted CAs for this express purpose. If a website’s certificate was not issued by a trusted CA, or there is a mismatch between the certificate and the site, the person opening the website is presented with the certificate so she may manually accept or decline it. If criminals successfully obtain a fraudulent certificate from a CA, their malicious website can masquerade as a legitimate website.
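Two of the failures above, sub-resources loaded over plain HTTP and cookies that leave the HTTPS channel, are easy to check for in a page and its response headers. This is an added example, not code from the article; the sample page, the `.test` hostnames and the Set-Cookie headers are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag attributes that make the browser fetch a sub-resource.
FETCH_ATTRS = {"script": "src", "img": "src", "iframe": "src",
               "link": "href", "audio": "src", "video": "src"}

class MixedContentFinder(HTMLParser):
    """Record sub-resources an HTTPS page would load over plain HTTP."""
    def __init__(self):
        super().__init__()
        self.insecure = []
    def handle_starttag(self, tag, attrs):
        attr = FETCH_ATTRS.get(tag)
        if attr is None:
            return
        url = dict(attrs).get(attr) or ""
        # Scheme-relative URLs (//host/...) inherit https and are fine.
        if urlparse(url).scheme == "http":
            self.insecure.append(url)

def mixed_content(page_html):
    """URLs of plain-HTTP sub-resources referenced by the page."""
    finder = MixedContentFinder()
    finder.feed(page_html)
    return finder.insecure

def weak_cookies(set_cookie_headers):
    """Map cookie name -> flags it lacks. Without Secure the browser will
    send it over HTTP; without HttpOnly page scripts can read it."""
    problems = {}
    for header in set_cookie_headers:
        parts = [p.strip() for p in header.split(";")]
        name = parts[0].split("=", 1)[0]
        flags = {p.lower() for p in parts[1:]}
        missing = [f for f in ("secure", "httponly") if f not in flags]
        if missing:
            problems[name] = missing
    return problems

# Constructed sample page and Set-Cookie headers.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="https://cdn.example.test/site.css">
<script src="http://cdn.example.test/analytics.js"></script>
</head><body><img src="//images.example.test/logo.png"></body></html>"""
SAMPLE_COOKIES = [
    "session=abc123; Path=/; Secure; HttpOnly",
    "prefs=dark; Path=/",
    "tracker=xyz; Secure",
]
```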
BREACHES AND NON-DISCLOSURES
In the five years between 2009 and 2013, counting only high-profile cases, a little over 240 million passwords were lifted from servers with weak or no security. Approximately 55% of those were stored completely unencrypted—when the accounts were compromised, the passwords were immediately available to the attackers. For those that were encrypted, password cracking is quickly becoming non-trivial. Once usernames and passwords are paired, criminals can test the credentials on other websites, such as bank accounts. It is an effective tactic because people tend to reuse the same password on about four different websites, on average. This says nothing of the personal and identifiable data (social security numbers, addresses, phone numbers, etc.) stolen along with the credentials. This scenario is an immediate threat to a person’s well-being and livelihood. Should personal information become compromised, it is important to know immediately so appropriate action can be taken: for example, credit monitoring, updating passwords, and alerting banks. But companies may not be inclined to acknowledge the theft: bad PR, loss of customers, payments to customers for damages, and the time and money needed to fix the original security issue are all deterrents to publicizing it. Thankfully, states now have laws that force disclosure when personal data has been compromised.