Trust and Verification: Social engineering
I recently read an article discussing a nation-state attack against security researchers. This attack leverages trust assumptions among security researchers, and is particularly dangerous due to the nature of who it targets.
This article is intended to serve as a reminder to people who already understand the basics of exploiting trust relationships.
- Google TAG: New campaign targeting security researchers
- Ars Technica: North Korea hackers use social media to target security researchers
- ZDNet: Google: North Korean hackers have targeted security researchers via social media
I decided I would take this opportunity to discuss trust, and the associated traps that even cautious, security-literate people can fall into. In this attack, the attacker posed as a security researcher, using a very realistic fake profile, and convinced a legitimate researcher (the target) to collaborate on research. The attacker then convinced the target to use a collaboration tool that installed a backdoor on the target's machine.
This attack targeted well-educated, security-literate victims; these are the kinds of people you'd expect to be less vulnerable to such attacks. Many years ago when I was taking a computer security class, the instructor asserted that anyone can be social engineered successfully. As a teenager I didn't believe them, but over time it has become increasingly apparent that this is the case.
Social engineering typically exploits trust. If I trust my company's IT team, I might be willing to give them my password so they can resolve issues. This, however, is a mistake, since an attacker could pose as a member of my company's IT team using a spoofed phone number and enough knowledge to convince me they're an employee.
The solution involves two parts:
- Minimize trust
- When giving someone access to a system or information, you should give them the lowest possible level of trust. This is called the principle of least privilege. This is important because it reduces the scope of what someone can do in the case of a breach of trust.
- One thing not to do would be installing software provided by someone you don't entirely trust. However, in the case of the attacks mentioned above, the attacker was able to obtain this trust by tricking the victims. This brings me to point 2.
- Always verify trust
- In the case of the attack mentioned above, the victims were convinced by a legitimate-looking profile created by the attacker. The attacker even created a blog with information about real security research in order to convince the victims that they're security researchers.
- To counter such attacks, a web of trust is often necessary. A web of trust is when you use someone you trust to vouch for someone you may not trust.
- Do not assume that just because someone seems to be legitimate, they're not going to attack you. According to some estimates, 1 in 5 hackers are actually law enforcement. It stands to reason that nation-state adversaries would pose as security researchers, or even hire legitimate researchers, to exploit trust within the community.
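The web of trust and the least-privilege point above combine naturally: trust in someone is only as strong as the chain of people vouching for them, and each thing you let them do should have its own trust bar. As an added example (not code from the original post), here is a toy Python model of that idea. The names, trust levels, decay factor and action thresholds are all constructed for illustration.

```python
"""Toy web-of-trust evaluation.

Added illustration, not part of the original post. Assumptions (hypothetical):
trust is a number in [0, 1]; a vouch by someone I trust only partially carries
over (each extra hop multiplies by DECAY); every action has its own minimum
trust level, so a contact I would happily chat with still may not get to run
code on my machine.
"""

# Constructed sample data: who vouches for whom, and how strongly.
VOUCHES = {
    "me": {"alice": 0.9, "bob": 0.6},
    "alice": {"carol": 0.8},
    "bob": {"carol": 0.5, "dave": 0.9},
    "carol": {"eve": 0.9},  # eve has a convincing profile; only carol vouches
}

DECAY = 0.7      # confidence lost per additional hop in a vouching chain
MAX_HOPS = 3     # beyond this, a chain is too long to mean anything

# Least privilege: each action has a separate, deliberately chosen bar.
THRESHOLDS = {
    "exchange_public_notes": 0.2,
    "share_unpublished_research": 0.5,
    "run_their_code_on_my_machine": 0.8,
}


def trust_in(me, target, vouches=VOUCHES, decay=DECAY, max_hops=MAX_HOPS):
    """Return (score, path) for the strongest vouching chain from `me` to `target`.

    Chain score = product of vouch weights along the chain, times decay for
    every hop after the first. No chain at all means zero trust: a flashy
    profile with nobody I know behind it scores nothing.
    """
    best = (0.0, [])
    stack = [(me, 1.0, [me])]
    while stack:
        node, score, path = stack.pop()
        if node == target and len(path) > 1:
            if score > best[0]:
                best = (score, path)
            continue
        hops_so_far = len(path) - 1
        if hops_so_far >= max_hops:
            continue
        for nxt, weight in vouches.get(node, {}).items():
            if nxt in path:          # avoid cycles
                continue
            hop_factor = decay if hops_so_far >= 1 else 1.0
            stack.append((nxt, score * weight * hop_factor, path + [nxt]))
    return best


def allowed(me, target, action, thresholds=THRESHOLDS):
    """Decide whether `target` has earned enough trust for `action`."""
    score, _ = trust_in(me, target)
    return score >= thresholds[action]


if __name__ == "__main__":
    for person in ("alice", "carol", "eve", "mallory"):
        score, path = trust_in("me", person)
        print(f"{person:8s} trust={score:.3f} via {' -> '.join(path) or 'no chain'}")
        for action in THRESHOLDS:
            print(f"    {action}: {'ok' if allowed('me', person, action) else 'DENIED'}")
```

Running it shows the shape of the argument in the post: alice (vouched for directly) clears every bar; carol, two hops away, may see unpublished work but not run code; eve, three hops away, only rates a public chat; mallory, with no vouching chain at all, gets nothing regardless of how convincing her profile is. The decay factor is the model's answer to "do I trust my friend to make that judgment for themselves": a vouch is evidence, not a transfer of full trust.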
Social engineering attacks are generally considered to exploit the human behind the keyboard, but it might be more accurately stated that they exploit trust. If I fail to adequately validate who someone is, or whether they're trustworthy, I open myself to social engineering attacks.
I need to ask why I trust them. Is it because of a flashy website and a convincing social media account? Or is it because a friend vouched for them? If a friend vouched for them, do I trust my friend to make that judgment for themselves? If I decide I do trust someone, to what extent do I trust them? Am I really comfortable letting them run arbitrary code on my machine?
These are all questions that need to be answered before trusting anyone. Trust is a largely unsolved problem with humans, and everyone determines trust differently. Trust needs to be evaluated on a case-by-case basis, and even the most well-educated, paranoid security professionals can get it wrong. However, it's always important to exercise an appropriate amount of diligence and consideration.
Don't just trust, verify.