The Gist: Trust and Error Defeat Security

A recent social engineering attack on PayPal and GoDaddy allowed an attacker to commandeer the victim’s email on GoDaddy and hold his Facebook account hostage in order to facilitate the transfer of the @N Twitter handle (reportedly worth about $50,000 USD) to the attacker. This incident illustrates how organizations fail to train their representatives to resist old and simple social engineering techniques. More broadly I use this as a case study with which to demonstrate how no matter what, we can never have absolute security when it comes to safeguarding our online presence; between social engineering attacks and zero-day exploits we can always expect there to be a weak link in a long chain of security.

Read on for full details.

A Social Engineering Case Study

There’s been a lot of buzz surrounding Naoki Hiroshima’s harrowing ordeal in which an attacker used social engineering techniques to commandeer Mr. Hiroshima’s GoDaddy email account; the goal of this attack was to obtain his @N Twitter account, a coveted single-letter Twitter handle allegedly worth no less than $50,000 USD. Once the attacker obtained the upper hand by seizing Mr. Hiroshima’s Facebook account and succeeded in having him hand over the Twitter account, he explained his methods.

Posing as a PayPal employee, the attacker had called PayPal and obtained the last four digits of Mr. Hiroshima’s credit card. With this in hand he was able to call GoDaddy and feign having lost the card he used to purchase a domain name; using these last four digits he was allowed to guess the first two until he got it right and finally reset the account’s security. That was all it took to get to the Facebook account which was enough encouragement for Mr. Hiroshima to hand over the Twitter account.

There are some other technical particulars involved but the point here is the way social engineering techniques can, without much trouble, bypass both traditional and advanced account security measures.

Old Tricks

Social engineering attacks aren’t remotely new. I’m not familiar with the earliest history, but to further the point take this wonderfully cheesy scene from the 1995 film Hackers in which Jonny Lee Miller’s character coaxes a security guard into providing information about a modem’s hardware which helps him break into their systems. In any event, this is not a new idea and there are numerous examples to be studied but, as the recent events involving Mr. Hiroshima illustrate, not necessarily learned from. Consider some other not-exactly-groundbreaking security mishaps:

• Apple’s Flashback Trojan incident caused by an unpatched Java version; Apple took three months since the exploit was originally published and fixed to release the patch to end-users
• Snapchat had 4.6 million user name and phone number combinations published owing to, fundamentally, a lack of rate limiting and bot abuse prevention in their API but also by failure to respond to an exploit disclosure by white hat security researchers
• Several D-Link routers were found to have a backdoor in their firmware that would allow an attacker to alter the device’s settings thereby allowing several attacks

The Problem of Trust

The examples of breaches I’ve outlined so far boil down to needing to place at least part of your security in the hands of a third party. It’s effectively impossible to eliminate the need to trust third parties while using any sort of online technology. In 1984 Ken Thompson described a theoretical hack based on a compromised compiler that would result in a nearly undetectable backdoor that couldn’t be avoided without unplugging your hardware and putting on a tin foil hat. Regarding more tangible events, among the recent NSA spying revelations was an allegation that the security company RSA may have created a backdoor for the NSA in one of their encryption algorithms; the details are fairly technical and mathematical but essentially a random number generator can be constructed in a poor way so as to make the numbers predictable — this would disrupt the strength of the encryption.

Whether due to negligence in the case of PayPal, GoDaddy, Apple, Snapchat, and probably D-Link or due to malicious intent in the case of the Ken Thompson hack or (allegedly) the RSA collusion, trusting a third party can be a necessary weak link in one’s personal security. Ultimately this boils down to relying on humans who, like all of us, are liable to make mistakes or be influenced into making unethical decisions. This will never change, and this will always be an attack vector for security breaches.

Forget Trust: Zero-Day Exploits

The impossibility of absolute security isn’t just down to negligence and manipulation; there’s a simple universal fact of software engineering: we can never expect any software to be completely secure and unexploitable. Ever. There’s an unending struggle between white hat and black hat hackers; white hats continuously try to penetrate their own systems so as to fix security holes while black hats attempts to beat them so they can profit or otherwise benefit from it. Sometimes the black hats get there first, and that’s what constitutes a zero-day attack: one that hadn’t been discovered previously and is actively being exploited.

In 2008 a security flaw in Microsoft Internet Explorer was discovered that would result in victims losing control of their computers and passwords; this was said to affect all versions of the browser dating back to 2001. A 2012 study by Symantec researchers suggested that black hat hackers have an average of ten months before details of an exploit are made public.

There are entire black markets devoted to selling exploits and more recently efforts by companies like Google, Microsoft, and Facebook to offer competitive bounties to white hat security researchers for finding and reporting exploits. The risk of this sort of attack can never be eliminated, and preventative measures focus on a combination of investment in security research by the software developers and by prompt updates by end-users; neither is a trivial expectation by any stretch.

Conclusion: Abandon all Hope?

No, not quite. While it’s important to be aware of this unfortunate truth, it shouldn’t stop an individual from doing the best they reasonably can to secure themselves. This can involve improving the security of your online accounts and keeping your systems up to date. Dialing your security down to 0 just because you can never ramp it up to 100 isn’t wise — Sony learned that the hard way. Beyond this we can try to find reasonably easy ways to safeguard our personal data; I hope to cover some notable methods in the coming days.