Introduction to Social Engineering Use by Bad Guys
Social engineering is an extremely efficient method of attack: nearly 80% of cyber attacks, and over 70% of those from nation-states, are initiated and executed by exploiting humans rather than computer or network security flaws. Thus, to build secure cyber systems, it is not only necessary to guard the computers and networks that make up those systems but also to identify their human users and train them in security procedures.
Attacks on humans are called social engineering because they manipulate, or engineer, users into performing desired actions or divulging sensitive information. The most common social engineering attacks simply try to get unsuspecting Internet users to click on malicious links.
More focused attacks attempt to elicit sensitive information, such as passwords or private data, from organizations, or to steal things of value from particular individuals by earning unwarranted trust.
These attacks generally ask people to perform the specific behavior that the attacker wants to induce from the victim. To do this, they need the victim's trust, which is usually earned through interaction or co-opted via a copied or stolen identity.
Depending on the level of sophistication, these attacks may target individuals, organizations, or wide swathes of the population.
Scammers often use familiar company names or pretend to be someone known to the victim. A 2018 real-world example exploited the name of Netflix: an email designed to steal personal information was sent to an unknown number of recipients. The email claimed the user's account was on hold because Netflix was having trouble with the user's current billing information, and it invited the user to click on a link to update their payment method. To compound the problem, the number of users that have access to privileged information is usually large, creating a commensurately large attack surface.
Understanding the Breadth of Social Engineering as a Weapon
A New Level of Social Engineering for the 21st Century
Russia has deployed hybrid forms of information and cyber warfare in ways that, until now, have been unknown to most Americans.
By weaponizing stolen information and propagating disinformation, Russian intelligence services have worked to discredit the United States both at home and abroad, disrupt its foreign policy, and sow divisions internally.
The most recent glaring example, of course, was Russia's intervention in the 2016 US presidential election, which the intelligence community confirmed was aimed at aiding the election of President Trump and undermining Americans' confidence in the electoral system.
Russian intervention in foreign elections to advance its interests is not a new phenomenon, and it is not confined to the United States. The governments of Germany and France have sounded alarm bells that Russia is currently conducting similar operations on their territory in advance of national elections in 2019, targeting candidates thought to be unfriendly to Russian interests.
Russia also spends significant resources on a vast network of propaganda outlets, including Russia Today (RT) in the United States, to disseminate disinformation that weakens democratic consensus and strengthens the political fringe.
RT reportedly spends $400 million on its Washington bureau alone, and it has more YouTube subscribers than any other broadcaster, including the BBC. Russia oversees dozens of other news sources in tandem with RT, seeding salacious stories through one website that are then picked up and expanded by others.
Deep in the shadows, Russia employs hundreds of English-literate young people to operate a vast network of fake online identities that write blog posts and comments.
Russia’s ability to wage information warfare has been greatly aided by its heavy investments in cyberspace, where the US remains ill-equipped to counter or deter its aggressive probing.
Russia’s activity in this domain reflects an updated national security strategy that emphasizes asymmetric tactics to exploit vulnerabilities in adversaries while weakening their ability and resolve to counter Russian policy. In recent public reports, the US intelligence community identified Russia as one of the most sophisticated nation-state actors in cyberspace.
Russia's interference is covert as well as overt, and its active measures are diverse, large-scale, and technologically sophisticated. They constantly adapt and morph as technology and circumstances change.
By striking at Europe and the United States at the same time, the interference appears to be geared toward undermining the effectiveness and cohesion of the Western alliance as such and the legitimacy of the West as a normative force upholding a global order based on universal rules rather than might alone.
In 2007, the Facebook Platform was expanded with more applications that enabled a user's calendar to show friends' birthdays, maps to show where the user's friends live, and an address book to show their pictures. To do this, Facebook enabled people to log in to apps and share who their friends were and some information about them. Then, in 2013, a Cambridge University researcher named Aleksandr Kogan created a personality quiz app. It was installed by around 300,000 people who agreed to give some of their Facebook data as well as some information from their friends whose privacy settings allowed it.
The way the platform worked at that time meant Kogan was able to access some information about tens of millions of friends. In 2014, to prevent abusive apps, Facebook announced that it was changing the entire platform to dramatically limit the Facebook information apps could access. Most importantly, apps similar to Kogan's could no longer ask for data about a person's friends unless those friends had also approved the app.
Facebook also required developers to get approval from Facebook before they could request any data beyond a user's public profile, friend list, and email address. These changes would prevent any app like Kogan's from being able to access as much Facebook data today.
In 2015, Facebook learned from journalists at The Guardian that Kogan had shared data from his app with Cambridge Analytica even though it is against Facebook policies for developers to share data without people’s consent.
Facebook immediately banned Kogan’s app and demanded that Kogan and other entities he gave the data to, including Cambridge Analytica, formally certify that they had deleted all improperly acquired data.
Later, Facebook learned from The Guardian, The New York Times, and Channel 4 that Cambridge Analytica may not have deleted the data as they had certified. Facebook immediately banned them from using any Facebook services.
The Facebook security team had been aware of traditional Russian cyber threats like hacking and malware for years. Leading up to Election Day in November 2016, Facebook detected and dealt with several threats with ties to Russia. This included activity by a group called APT28 that the US government had publicly linked to Russian military intelligence services.
But while the primary focus was on traditional threats, Facebook also saw some new behavior in the summer of 2016 when APT28-related accounts, under the banner of DC Leaks, produced fake personas that were used to seed stolen data to journalists. Facebook shut these accounts down for violating policies.
After the election, Facebook continued to investigate and learn more about these new threats and found that bad actors had used coordinated networks of fake accounts to interfere in the election: promoting or attacking specific candidates and causes, creating distrust in political institutions, or simply spreading confusion. Some of these bad actors also used Facebook ad tools as phishing tools to draw people deeper into misinformation and disinformation.
Facebook also learned about a disinformation campaign run by the Internet Research Agency (IRA), a Russian agency that has repeatedly acted deceptively and tried to manipulate people in the United States, Europe, and Russia. Facebook found about 470 accounts and pages linked to the IRA, which generated around 80,000 Facebook posts over about a two-year period.
The best estimate is that approximately 126 million people may have been served content from a Facebook page associated with the IRA at some point during that period. On Instagram, where data on reach is not as complete, about 120,000 pieces of content were found, and the estimate is that an additional 20 million people were likely served it.
Over the same period, the IRA also spent approximately $100,000 on more than 3,000 ads on Facebook and Instagram, which were seen by an estimated 11 million people in the United States. Facebook closed down those IRA accounts in August 2017.
In a draft white paper released by US Senator Mark R. Warner in 2018, he contended that, in the course of the US Congress investigating Russia's interference in the 2016 election, the extent to which many Internet technologies were exploited, and their providers repeatedly caught wrong-footed, had become unmistakable.
More than illuminating the capacity of these technologies to be exploited by bad actors, the revelations of 2018 have revealed the dark underbelly of an entire ecosystem.
The pace with which these products have grown and come to dominate nearly every aspect of our social, governmental, and economic lives has in many ways obscured the shortcomings of their creators in anticipating the harmful effects of their use. The government has failed to adapt and has been incapable or unwilling to adequately address the impacts of these trends on privacy, competition, and public discourse.
Warner further contended that the size and reach of these platforms demand that we ensure proper oversight, transparency, and effective management of technologies that in large measure undergird our social lives, our economy, and our politics. Many opportunities exist to work with these organizations, other stakeholders, and policymakers to make sure that we are putting appropriate safeguards in place so that this ecosystem no longer exists as “the Wild West”—unmanaged and not accountable to users or broader society—but instead operates to the broader advantage of society, competition, and broad-based innovation.
This is just the beginning of discovery as to how social media tools have been and are being used in social engineering campaigns. It is also just the beginning of what will be a long-term effort to regulate social media providers and require them to protect the public from social engineers using these tools to manipulate behavior and impact the outcome of elections and the functioning of social institutions.