
Hacker News Comments on
This is how hackers hack you using simple social engineering

oracle mind · Youtube · 73 HN points · 4 HN comments
HN Theater has aggregated all Hacker News stories and comments that mention oracle mind's video "This is how hackers hack you using simple social engineering".
Youtube Summary
Simple Social Engineering Trick with a phone call and crying baby

Hacker News Stories and Comments

All the comments and stories posted to Hacker News that reference this video.
Feb 12, 2022 · 1 points, 0 comments · submitted by CHB0403085482
Social hacking is alive and well. During my studies in computer engineering we had lectures on cybersecurity and the person used the following example:

https://www.youtube.com/watch?v=lc7scxvKQOo

Human error is still one of the most popular hacking techniques. By getting an e-mail address you can check haveibeenpwned to see if there were any leaks related to that e-mail address, and there's already a lot that you have on a person that you don't actually know. Recently there was an increase in phishing schemes where hackers obtained the passwords from really old leaks (from myspace, armorgames etc. etc.) and sent letters to people with legit passwords trying to extort money. This was a hugely successful campaign. I'm not saying don't mention your name in public, but for sure use a password manager and a VPN if you're on public wi-fi a lot. And don't shout your credit card number while buying coffee.

Cellphone accounts can be readily compromised via social engineering (aka tricking the CSR into changing things).

Here's a pretty hilarious and effective example where a crying baby background was used: https://www.youtube.com/watch?v=lc7scxvKQOo

>Only if you define easier as 'badly designed process'.

I'd be interested to know what a good process is.

>That is unfortunate, but why do you believe this will always be the case?

I don't believe most (if any) online accounts that I have provide enough profit to the service owner to hire and train employees with enough expertise, time, and resources to properly determine a valid recovery attempt from a fake one.

Social engineering employees just seems so easy from what I've seen. It's so reliable it can be done on stage:

https://www.youtube.com/watch?v=SstZAIxl8wk

https://www.youtube.com/watch?v=lc7scxvKQOo

It just takes a single slip up and you lose. Whereas attackers can just keep trying.

>Maybe this can be an opt-in for the more 'security-minded' minority.

Yeah, I agree it's a good idea. In fact that's what I've done on my primary Google account:

https://landing.google.com/advancedprotection/

But that implementation isn't perfect, it requires giving up some features and buying U2F keys. Preferably you could opt into exactly the protection you want, so you could get the recovery security without having to buy security keys for example.

I agree there could be better implementations, but they would cost more. I think it's a three-way tradeoff between cost, easy recovery, and security. When I hear someone advocating for easier recovery without advocating for higher cost, then I immediately think there will be a lowering of security.

ksk
>I'd be interested to know what a good process is.

IMHO, a good process would have several tiers, each being more manual, less automated, and more time consuming. The basic tier would be security questions, alternate email, SMS, 2FA, etc. The next tier could be establishing identity and would mean communicating with a real person. You can send a signed affidavit along with a government issued ID and the person would verify it. Then they would have to establish that the account itself belongs to a specific person, and that that person is you. This can be done in various ways - billing address, CC info (if applicable to that service), etc, etc. A more real answer would be dependent on the actual service and what information the service captures at signup, etc.

>I don't believe most (if any) online accounts that I have provide enough profit to the service owner to hire and train employees with enough expertise, time, and resources to properly determine a valid recovery attempt from a fake one.

Well, then that is a different argument and I'd agree that it takes time and money to get a good process in place.

But if you think about it, your logic can be applied to anything, right? I don't believe most (if any) software companies have enough profit motive to test their software for security bugs or hire people who have expertise in security.

>Social engineering employees just seems so easy from what I've seen. It's so reliable it can be done on stage:

Yeah, that is an example of a bad process.

Buge
The cost of hiring security engineers and testing for security bugs is constant with regard to the number of users. Whether you have 1000 users or 1 billion users, your service has the same security if you spend the same amount on testing and engineers.

But the cost of human intervention in recovery increases linearly with the number of users.

I agree with your ideas for automation. But human intervention has problems.

One solution for human intervention is to charge a non-refundable fee for recovery. This has the advantage of discouraging attackers from trying to recover. The problem is I think this would cause bad PR for the companies. Now instead of blog posts saying "Google locked me out of my account" there would be blog posts saying "Google is charging me $20 to access my own account" or "Google is holding my account hostage for cash".

Dec 16, 2016 · 8 points, 1 comments · submitted by BuuQu9hu
saycheese
Here's the related news article: https://news.ycombinator.com/item?id=13193166
That sounds like a very tedious thing to go through to log in to your email.

Just use a strong password ( https://xkcd.com/936/ )

The funny thing with having email as a username is how sometimes people can use social engineering to gain control of your account; none of that fancy "hoaxer" stuff is needed when your service providers put untrained people in charge of your accounts. Hacking human stupidity is a more effective way to get into a secure system.

( as an example, this was on reddit just yesterday https://www.youtube.com/watch?v=lc7scxvKQOo )

Twisell
Nope, I mean I kinda never log in to my mail through an unknown browser. My smartphone is just good enough when I can't access my computer, so there are only three places where my long e-mail password is stored: the keychain on my computer, the keychain on my smartphone and a backed up encrypted keychain in my cloud account. So it's highly unlikely that my e-mails get compromised.

Also worth mentioning: my e-mails are not hosted on gmail or any big cloud player. I actually pay for my imap; when you don't pay, you probably are in some way the product...

Paranoid? Maybe

Safe? More than others

Jun 25, 2016 · 60 points, 16 comments · submitted by aaronchall
20tibbygt06
This is part of a longer video: Real Future: What Happens When You Dare Expert Hackers To Hack You (Episode 8)

https://www.youtube.com/watch?v=bjYhmX_OUQQ

vonklaus
"I stole your onepassword keychain". Wow. Actually was pretty smart, he signed up for squarespace because the mark had a squarespace blog and used emails to get him to give up passwords, then downloaded a ton of malicious software onto his computer.

Pictures of the webcam every 2 minutes were creepy as hell.

wallace_f
In that video Dan Tentler talks about how he hacked the journalist by prompting fake system messages to input his password.

I've always wondered when using Ubuntu, how paranoid should one be regarding the prompts to auto install updates? Anyways, if you've been owned to that extent already, your adversary could always use a key logger, instead, so I guess it's maybe not worth worrying about.

zizzles
Another aspect of social engineering that is seldom discussed: Women will have a higher success rate at any sort of information-extraction, in fact, I would say that it is a "social engineer" method in itself. The crying baby sound-effect? Simply icing on the cake.

If a male with a naturally brooding voice contacted a service provider to extract a password, his chances of success are lower because he is less trustworthy by nature, which increases the odds of the operator on the other end raising suspicion.

27182818284
I've seen a lot better ones than this at HOPE. I honestly don't think I would have bought her story -- and I have history of working the phones for stuff. It comes across as too contrived. She would have fooled me better by just sounding bored.
NullCharacter
Other guy in the video was Chris Hadnagy who literally wrote the book on social engineering.

Cool dude, too. Great class if you ever get the chance to take it at Black Hat.

syphilis2
So this is what I need to do to get quick tech support help over the phone. Social engineering as a tool for legitimate purposes.
louprado
While I am not an artist, I always had a distaste for the phrase "scam artist". It didn't seem appropriate to elevate someone who commits fraud to the level of "artist".

But my hope was the phrase would shift out of the professions entirely. And certainly not into my own profession.

wallace_f
It does seem to be a euphemism, one used to paint scammers in a better light. Remember, 10 years ago we were calling social engineering hackers scammers and con men.
khedoros
"Engineered" and "artistic" seem apt descriptions of parts of the scam: the skillful, creative, and well thought out parts. Just like "criminal" and "scammer" address the other side of the same activities.
louprado
Engineering is applied math and science. Hard science mind you.
khedoros
That's one sense of the word. There are others. I was thinking of "the action of working artfully to bring something about".
nickpsecurity
She did great on that social engineering attack. The crying baby on YouTube was a nice touch. The overall segment illustrates many aspects of psychological manipulation that can be used to successfully con a support person. A believable scenario, something people might sympathize with, a sense of urgency, further but brief engagement with questions/answers, and gratitude for their participation.

This stuff was always tricky to train people to defend against. I need to update my links to good presentations on this subject for attack and especially defensive training for employees. So, what do you people have to go in that collection?

Note: OP video led to autoplay of No Tech Hacking by Johnny Long. I recall someone recommending I read the book by the same name. So, nice accidental reminder.

https://www.youtube.com/watch?v=N4kfsxF8Tio

Note 2: Bejtlich's comment on NTH on Amazon reminded me that we should probably always list Mitnick's Art of Deception and Abagnale's Art of the Steal in these threads for the useful examples they had. They each extracted much mileage out of social engineering.

darkhorn
Ugh, so this is why banks ask you to type your card number and call support password before they connect you to a real person. And then he asks you some private information, then fills it in on the program, and only after this can he give you support.
nickpsecurity
Usually. It's also why some institutions will lock you out entirely without a visit for a photo ID check. Pre-designated people in some high-security settings with optional tokens or biometrics.

Now, some measures you run into will exist because a non-security expert formulated them to cover their ass after reading something online or in a bookstore. Or by security people who also have to comply with a policy or regulation of varying degrees of sanity. So, it's not always a real attack or risk inspiring specific measures but often is for verification during support.

justinlardinois
> A believable scenario, something people might sympathize with, a sense of urgency, further but brief engagement with questions/answers, and gratitude for their participation.

Yep, pretty much nailed it right there. I think the fact that she acted surprised/confused at some of the security policies, rather than getting aggressive, helped sell her as a real customer that just needed some help.

I mean, not that real customers aren't assholes sometimes. It's just less likely that customer support will want to help them.

Jun 03, 2016 · 4 points, 0 comments · submitted by andrewfromx
HN Theater is an independent project and is not operated by Y Combinator or any of the video hosting platforms linked to on this site.