Trust and Verification: Social engineering

I recently read an article discussing a nation-state attack against security researchers. This attack leverages trust assumptions among security researchers, and is particularly dangerous due to the nature of who it targets.

This article is intended to serve as a reminder to people who already understand the basics of exploiting trust relationships.


Related articles:

I decided I would take this opportunity to discuss trust, and the associated traps that even cautious, security-literate people can fall into. In this attack, the attacker posed as a security researcher, using a very realistic fake profile, and convinced a legitimate researcher (the target) to collaborate on research. The attacker would then convince the target to use a collaboration tool that installed a backdoor on the target's machine.

This attack targeted well-educated, security-literate victims; these are the kinds of people you'd expect to be less vulnerable to such attacks. Many years ago when I was taking a computer security class, the instructor asserted that anyone can be social engineered successfully. As a teenager I didn't believe them, but over time it has become increasingly apparent that this is the case.

Social engineering typically exploits trust. If I trust my company's IT team, I might be willing to give them my password so they can resolve issues. This, however, is a mistake, since an attacker could pose as a member of my company's IT team using a spoofed phone number and enough knowledge to convince me they're an employee.

The solution involves two parts:

Social engineering attacks are generally considered to exploit the human behind the keyboard, but it might be more accurately stated that they exploit trust. If I fail to adequately validate who someone is, or whether they're trustworthy, I open myself to social engineering attacks.

I need to ask why I trust them. Is it because of a flashy website and a convincing social media account? Or is it because a friend vouched for them? If a friend vouched for them, do I trust my friend to make that judgment for themselves? If I decide I do trust someone, to what extent do I trust them? Am I really comfortable letting them run arbitrary code on my machine?

These are all questions that need to be answered before trusting anyone. Trust is a largely unsolved problem with humans, and everyone determines trust differently. Trust needs to be evaluated on a case-by-case basis, and even the most well-educated, paranoid security professionals can get it wrong. Even so, it's always important to exercise an appropriate amount of diligence and consideration.

Don't just trust, verify.

All original non-code/non-software content is committed to the public domain, except where otherwise explicitly stated. Code/software is licensed under the BSD 3-clause license, except where otherwise explicitly stated. Content not originally created by Serpent Security may be subject to separate licensing terms.