Worker, Hack Thyself

Social engineers hack the one part of IT that can’t be patched: humans. The best line of defense? Learn how to do it yourself.

I know it was for demonstration purposes only. But still, when John Nunes, an information security consultant, called my cell phone and rigged the caller ID to display my office phone number (even though I was staring at my office phone at the time and Nunes placed the call from 300 miles away), it was spooky.


Spooky because it doesn’t take a great leap to imagine an overworked, soon-to-be-outsourced IT grunt running a Fortune 500 company’s database in San Diego getting a call from “someone” at New York headquarters — hey, the caller ID checks out — asking him to shift some of the data to another server for a few hours. As it turns out, that server happens to belong to some Filipino teenager in desperate need of some fresh credit card numbers so he can score a new plasma screen TV. Or worse, it belongs to the company’s fiercest competitor.

There’s even a term for these kinds of human-computer shenanigans: social engineering. It’s a phrase that often gets bandied about as an afterthought when talking about the hacker world of viruses and worms and all the rest. But, Nunes warns, it’s the single area of hackerdom that individuals and companies have not paid nearly enough attention to.

A familiar cry among hackers these days goes something like this: There’s no patch for human stupidity.

Actually, there is one. “Education,” says Barry Kaufman, the chief technology officer of the Intense School, a hacker bootcamp for corporate IT staffs. “Technical controls have just about caught up with the hackers. It’s humans that are the weakest link in the chain.”

But for Kaufman, education doesn’t mean just having a security consultant lecture a roomful of corporate IT folks on the latest threats. Instead, the Intense School teaches its students how to hack for themselves so they can put their IT department’s feet to the fire.

“It’s hard to tell people, watch out for this particular scam or that one,” Kaufman says. “Every organization is different and there needs to be someone there who can put its controls to the test.”


One popular social hack, according to Nunes, goes like this: To retrieve a password over the phone from America Online, a subscriber must simply verify the last four digits of the credit card number on file. But, says Nunes, jam your tongue into your cheek and mumble like you’ve just had some form of oral surgery and see what happens. “You try giving them the numbers but they can’t understand you,” he says, doing his best post-root-canal imitation along the way. “You’re dealing with tech support people who are trying to get callers off in under a minute or two. So it doesn’t take long for them to get frustrated and just give you the password.”

The online service PayPal, it seems, has to parry a new social engineering thrust every few months. At any given time someone is spamming tracts of unsuspecting users, asking them to click on or or even to verify their credit card or account information. From there, it only takes a few careless readers, who happily supply their credit card numbers for verification, for some online jackal to start racking up big bucks.

But the stakes involved in social engineering are very often much higher than merely having one’s AOL identity hijacked or PayPal account stolen. Corporate espionage is perhaps the most insidious breeding ground of social engineering.

In one of many examples Nunes offers, he tells of a company that hired a private investigation firm to tell it all it could about one of its competitors that was bringing one of its core business functions online. Part of the new IT initiative involved hiring more people. So the investigative firm worked up the perfect resume and snagged an interview for one of its henchmen. That person was then able to get inside the company and talk in serious geek detail with no less than five layers of the company’s management about the new project.

“And at the end of the interview,” Nunes says, “this guy, let’s call him Bob, spots purchase orders from customers and a white board that details the company’s new network structure. Bob pretends like he gets a call, he pulls out his camera-equipped cell phone and starts snapping pictures of everything.” True story, Nunes adds for emphasis.

It’s hard to track numbers relating to social engineering because what gets counted at the end of the day is the hack itself, not how it started. However, in a celebrated case last September, Romanian authorities arrested Dan Marius Stefan for directing eBay users that had lost out on an auction to a site that purportedly offered better items at lower prices. The site turned out to be a spoof run by Stefan where users were tricked out of all manner of bank and credit card numbers, passwords and other critical account information. In the end, Stefan netted up to $500,000 in ill-gotten gains before the U.S. Secret Service helped nail him.


Kaufman says most of what he hears about social engineering these days is anecdotal. One critical measurement that has caught his eye, however, is the fact that he’s seen a remarkable increase in the number of his clients recently wanting to know how to prevent it.