An explanation of the differences between a hack and social engineering, and why social engineering is extremely important to many hacks!
Episode #11-01 released on August 9, 2020
I am from the province of Quebec, in Canada. In the last year, the personal data of millions of bank customers was compromised, but not by a hack. You see, when data is stolen from any organization, we immediately assume it was a hack. Several years ago, a great many actresses, public personalities, etc. had their iCloud accounts compromised; again, that was not the result of a hack.
What do these two events have in common?
The data leaks were the result of social engineering in the form of spear phishing. Hacking requires information you may not have access to. It requires a certain amount of intelligence, and we mean information about the target, not intellect. It also requires skills, knowledge about the systems used by the target, etc. This makes social engineering a near requirement in many cases. When hacking an organization of any kind, you need to know what they are using: which software, hardware, etc. You need to know about the infrastructure, security systems, etc. You need to know a lot more than most television shows and movies will admit. Much of this is long, slow, and boring to watch, too. Social engineering is also a slow process, but unlike hacking, it does not need most of the technical skills, especially if you can somehow convince the target to give you the information you want without having to hack a thing.
In the case of the iCloud breach, each of the victims unknowingly gave access to their iCloud accounts. In the case of the bank in Quebec, the employee was paid to give the information away. Neither is a hack.
While a hacker may need information about the target, how the information is used may differ. If a hacker uses the acquired intelligence to compromise the systems themselves, that is by definition a hack. Intelligence gathering may be done by social engineering or by exploiting known vulnerabilities.
What does this mean for you?
Update all your applications and operating systems as soon as updates are available. Never reveal any personal information to anyone, especially if they are unable to confirm who they are and who they actually work for. Be attentive: if you get messages for two-factor authentication codes, note that you are compromised and it is time to change your passwords. Also, note that two-factor authentication via text messaging is subject to SS7 vulnerabilities and can be intercepted by malicious groups.
Host : Steve Smith | Music : | Editor : Steve Smith | Producer : Zed Axis Dot Net