“If you like a hole, whatever the hole, bruteforce it at all costs”
(Anonymous)
It is evident that Internet, and digital age, are modifying on an unprecedented scale the natural condition of interpersonal ties, and their unfolding. Ironically, it has been confirmed that people build a deeper trust when they meet in digital channels, even before they meet in person. These digital platforms generate trust in a somewhat mysterious and excessive way (which should be constantly tested). However, from my very personal point of view, trust is not negotiated; nor should it be blind. It resembles a gigantic skyscraper of cards that takes centuries to arm itself and crumbles at the first false move. The analogy is especially valid in the vortex of the digital environment.
As human beings, at some point in our lives we will have to face disappointment or betrayal, (words usually linked to sentimental relationships). In many cases, depending on the level of apparent "harm", suffering them, can be devastating to the person's own identity, totally changing who we are, our plans for the future, or "twisting" the way in which we face future idylls. And of course, destroying forever the vision we had about security, and maybe even intimacy.
In IT security, one of the assets to exploit when making an attack is precisely the user's trust, allowing the black hat to penetrate into the network. This is related in the same way to the false sense of confidence that we all assume, when installing an antivirus, implementing a firewall, passing a security audit, or having a Master in IT Security, because the golden rule in this "business" is to know that almost nothing can be done against someone (or something) experienced enough, who has decided to "reach us" at all costs.
Precisely the purpose of these lines is to break down, how easy it would be for a "hacker" to completely destroy a person's life, exploiting and betraying our unconsciousness and the vulgar natural instinct of trust, which we create around us. I refer the reader to the following scenario for his reflection, in 3 general steps, removed from a REAL case, (no matter how macabre or imaginary it may seem).
1. Recognition of the prey
We will call our victim Fernando.
Fernando is a senior executive in a private company, whose name I cannot remember, which despite the reluctance of his boss, has managed to make a penetration test to their corporate defenses, by hiring a "gray hat" (poor Fernando!, he does not know he hired a gray hat). Fernando is really concerned about the safety of his company, (and his own), and is one of the few executives that considers security a paramount need for the future of the organization.
His company has the typical protections of any other: a firewall of X brand, antivirus, two-factor authentication and everything we always see, is sold to a company by manufacturers. So, Fernando already has the gray hat, AKA auditor of IT Security & pentester, ready for action, but unfortunately, as the great Kevin Mitnick points out in his book The Art of Deception, Fernando does not know anything about the " human element "that will eventually be the cause of his destruction.
For practical purposes, we will focus on Fernando and how relatively simple it would be to ruin his life; leaving some vicissitudes to the imagination of the reader.
But let's see ... who the hell is Fernando?
The astute gray hat, before signing the contract, which endorsed him as official auditor for Fernando's company, was already working on gathering information about him. He arrived very punctually at the offices of the company, attending the meetings that would set the terms and conditions of the commitment, also taking advantage making regular and "innocent" talks with the secretary and the local employees.
The gray hat becomes very soon part of the environment; everyone sees him very frequently, reinforcing their notion of trust in him and better yet, seeing him as a great authority in cybersecurity matters. He builds relationships without others hardly noticing; this will serve considerably to break the perimeter of the defenses, inserting himself from the inside if necessary.
The gray hat finally signs the contract starting the game. Once outside, he calls the secretary, (remember, he already has her confidence), and asks that, as part of the work, he must use her computer for some "tests". Of course she agrees, first partly thanks to the new "friendship / familiarity" that has emerged, and most importantly: she has seen her direct boss, Fernando, go out to eat with the gray hat, making clear, a very formal relationship in development, that she cannot dare to question in any way. Refusing the request of the gray hat could bring disagreements which are better to avoid.
But let's go back to what we have about Fernando. The gray hat has done a quick canvassing on the Internet, only using Google and some simple information collection utilities, nothing really complex. He discovers that Fernando is happily married to "Josefa" and has a small child "Fernando Jr." of 13 year old. He knows perfectly which schools Fernando attended in his youth, and all his social media (Facebook, Twitter, Snapchat ...). The information above with each of the members of his family, of course.
Although the gray hat has not yet perpetrated any kind of direct onslaught, there are already serious prospects of starting the assault, and preparing the terrain on several flanks is of vital importance. All this strategy will be possible to understand clearly, in the movements made by the gray hat later.
2. Connecting with the target
At this point, the gray hat begins to ask:
"What do I want to do to Fernando? Do we blackmail him with exposing all his personal secrets? Do we destroy his entire identity of years, his entire profile, make him completely invisible, as if he was a living corpse? Do we steal his information through a ransomware and ask for “rescue”? Do we make his life impossible for a long time, making very difficult to use devices or pay bills and debts? Do we enter his online banking and make an anonymous donation to the nuns of the church in his community? Maybe I will enter his company stealing corporate secrets that can be sell on the black market. Or why not ... we can do everything."
The attack requires a considerable level of concealment, and deep access to each of Fernando's resources; overalls, he should not notice any attempt of intrusion or he will begin to suspect about the gray hat, since he knows that he has been hired to circumvent the perimeter of the company. But the Facebook’s profile and all its social networks, are CRUCIAL to deploy the attack. In general, our social networks say much more about us than we would admit, and they tend to be the Achilles' heel of almost any individual.
The gray hat could start extending an invitation, by some "cracking juggling" in some attack profile. Although we will stop here; because there is a small detail that can result in a problem; currently most people regardless of age, puts a bit in "interdict" to those who usually add on Facebook, if you know or not is irrelevant; possibly Fernando, being a “connoisseur” of IT Security, will deny him the fake profile invitation, no matter how real it may seem, preferring to keep his current social circle intact and not uselessly expand it, with people he has not seen for a long time or who he does not know.
But the gray hat finds another pattern: Fernando is a very active professional in Linkedin and today, that social network has a great reputation; it is certainly assumed almost immediately, that a person with a career and work experience is someone reliable, is not that so? Of course Fernando has added his friends from the University, the career, in the years he studied, like almost all people with a Linkedin account. The gray hat verifies there are some of those friends / former colleagues who do not have such a social network and are the perfect target to usurp their identities by creating a false profile. The gray hat connects this false profile(s), with other fake accounts, to create the illusion that it is an existing person and (we highlight) "reliable". The gray hat fills the profile with information that matches the guild of Fernando sending the calculated hook, by means of an invitation request + message:
"Fernando!! Many years have passed since the university and the inhumane classes of Differential Equations. I am currently working in a software company, I would love to have you among my contacts and maybe one day we will chat or eat. Greetings!"
Fernando knows in advance that relationships on Linkedin tend to be more formal and tries to remember the sender with a "maybe I saw you in my monstrous class of Equations many years ago" or a "maybe we talked someday on campus", but this does not matter because his brain tells him this network is for professionals and it may be useful to add the new comer; if there were future consultations or employment relationships. The world is small. There is a good chance that Fernando will add the gray hat into his contacts, however we will assume that he is too fussy and denies him the invitation.
What follows is to go against the other two remaining assets, very important for Fernando, and that he does not know can also be wielded against him: his wife and son; Josefa and Fernando Jr. Remember (very romantic), that our beloved ones are the daily source of our inspiration and strength. Unfortunately they are also our greatest weakness.
For the Machiavellian effects of this scenario, we will point out that Josefa does not bite the hook either, and the gray hat goes totally against her small son, Fernando Jr.
Honestly, connecting on Facebook with a millennial is a task that even a "newbie" could achieve, (very dangerous for a little boy to have open path without restrictions to social networks) so we will omit the whole process (similar in good part to the hook that was sent to Fernando), having the gray hat finally, access to Fernando Jr. and by extension to his parents.
But it is to notice, clarify (and emphasize) that our weaker flanks, are not always the most visible, another one may take advantage of them to the fullest, without us even realizing.
3. Executing the offensive
In the interaction of the gray hat with Fernando Jr., he knows that almost never is at home until the night, because he practices Waterpolo and has a laptop, a tablet and various IoT devices at home. Once the confidence of the child has been gained, through diverse talks, brandishing the perfect "Social Engineering" skill, the gray hat is ready to send the pump that will give him everything he wants.
He sends Fernando Jr. an attachment infected with a Trojan that will surely open. It must be exciting enough to immediately be caught by it, otherwise the attention of a millenial child may be lost quickly and cause failures or delays in the operation. The gray hat sends him a link of his interest, linked with his sports hobby with an almost infallible result: watch the European Waterpolo Final Four, that is only televised in very few countries, and if you want to watch it in HD, you must pay a sports channel, which frankly he could pay without any problem, but may require merits or "boring" efforts. It is also possible the child has a credit card in his possession, but we will play with the impatience, characteristic of his generation, wanting to have everything within one click (or less). When Fernando Jr. opens the link, voilà! He downloads an undetectable Trojan to the home antivirus, and gives remote access to the gray hat, with total persistence.
(As an additional point, the reader may question that omitting the evasion of the antivirus, is a convenient Deus ex machina. However, it is enough just to sniff a little in your favorite search engine, and review the variety of AV evasion techniques to verify that should not be detailed in the story).
Then, the aggressor uses the machine of Fernando Jr. as pivot to infect and reach the rest of the home devices, identifying in a very simple way, the machine of the main target: the computer of Fernando father, the executive.
Additionally he can transfer from here, many "hacking utilities" in stealth mode or break the router to communicate directly with his malicious servers. At this point Fernando is already fully engaged; the gray hat owns the computer through his child's, and launches multiple attacks in background to break his information, capture passwords, disable any antivirus, or create exceptions in the rules of the firewall / AV to let the malware pass without fear of an alert, from the few defenses that still have left. Even if Fernando has extra measures, such as two factor authentication, non-repudiation services, identification of devices that connect to an account, it is highly probable they can be "bypassed", because we are using the same computer that Fernando uses, and there will be no clear suspicion.
The attacker already knows all the accesses Fernando uses; also the VPN he has with his company and that now the gray hat can explode usurping him, to severely damage the corporation. If the main objective of the attacker was to destroy Fernando, at this stage of the intrusion there would be no way to stop him. He would do it without a doubt.
4. Harvesting the planting
If the curious reader remembers, when the gray hat ate with Fernando at company meetings, he asked the secretary for access to her machine to run some "tests". The gray hat has kept that relationship "hot" by skillfully monitoring it for two main reasons:
To appear he is working; because even though the secretary respects the gray hat as "IT guru", it is inevitable that she informs Fernando about the execution of "tests" performed by him. Fernando finds out this, but he is already aware: he knows in advance that the job of the gray hat is to make an intrusion to the company, so he takes it as part of the assignment. The gray hat does not risk anything; it correlates the behavior of Fernando with the secretary, to verify there are no surprises, and if they do not suspect of something "strange". It can also give him time to erase his fingerprints, leaving no evidence of any attempt to interfere.
It secretly monitors the "agreed" attacks (sorry tests) that have been running on that computer to the rest of the network. Through this initial attack, it has been possible to infect multiple computers through the file sharing of the secretary. We know that she does not have sysadmin privileges, but she can send emails to anyone within the company, since she is in the same domain, and they will be "reliable" automatically.
Assuming that Fernando's machine has not yet been infected, the gray hat sends an email from the secretary's account with a malicious attachment. It is quite possible that it will not pull the "spam filter" alerts, because we are inside the perimeter, so when he opens it, "trusting" that it comes from the secretary with an important message, Fernando will be infected. In this way, as he is an executive of the company, the gray hat will have higher accesses than any, and an escalation of privileges will be done, which will allow as well, after the elevation to executive level and lateral movements to the Department of Systems, full control of the network as sysadmin.
5. Carrying the booty
The gray hat is Fernando's owner, literally from head to toe. He also owns his company, his wife and his son. It is the price of living in a society ultra dependent on technology.
As a "sudden" transformation, in the style of the "strange case of Dr. Jekyll and Mr. Hyde", Fernando parades with the flag of the newbie with luck, because the gray hat definitely decides to act as a correct white hat, fully informing him of all the malicious activities done against him, to take control of the pilot in his life. In the end, everything was part of the contract: to include Fernando in the attempt of penetration. Fernando appreciates the work done and realizes how serious his vulnerabilities are.
Now, imagine the gray hat is actually a malevolent black hat, and there is no contract to prevent the attack. If he had not been there, simply to test the defenses and show Fernando his weaknesses. This happens to people all the time; it does not matter they are high-ranking executives or not, all the time we are in their sights. Black hats do not have rules. They will never have doubts, no limits, and a single day is enough to destroy someone's life entirely. They will exploit everything within their resources to reach their goal, and more, if they have been hired by an entity; they will use all the unimaginable assets, family, and friends. They will play with your mind, your feelings and emotions. What do you think would have happened if the gray hat wanted to plant a whole site of child pornography on Fernando's laptop and then gave notice to the authorities? What an average person can do (because despite being a senior executive, for the purposes of the case, Fernando is still an average person) against these types of threats?
How do we stop a shadow?
As it is impossible to go back to the Stone Age, and holding my line on the low odds of resistance, when we have been chosen as a target of a trained black hat, at least I will put some bullets that can serve to mitigate a good part of the risks existing there in the jungle:
Education / Training
While I agree, in that people should not be experts in IT Security, because that's what professionals are for, it is important to let them know that, given the increasing use of the Internet in our lives, it is vital to consider these topics for our well-being.
Having procedures to safeguard our privacy and try not to be so dependent on technology, would enter the levels of survival that we are willing to accept daily.
Protect information
Encrypt your data. Possibly there are well-versed hackers that can break some encryption algorithms, but it would be too much to know somebody, who has broken an RSA 2048. In that case probably only the Pentagon or NATO could face him.
Sttay alert and informed
Stay with at least 3 feeds on security. It will give you enough information to know, which are the latest trends in the aspects of intrusion; and useful advice to stay away from the orbit of black hats. Although at the end, people choose how much they want to protect themselves, then it is up to you if you really read the information, or if you really take them into account.
It is noteworthy these cyber-issues are increasingly concerning the entire society, especially when it is rare that in the news does not appear something related to massive espionage by governments to their citizens, new Zero-days or security breaches in companies, cybercrime , etc.
So every time we are all more aware of the risks, and therefore more users will be demanded to be mindful significantly and even more the IT Security professionals.
Do not build the foundations of your trust with weak cards.
"Well done, android. The Enrichment Center once again reminds you that android hell is a real place where you will be sent at the first sign of defiance."
(GLaDOS)