It seems intuitively obvious that, without good security (encryption, access management, firewalls) private data is at risk. What is less obvious is that the reverse is also true; data leaks enable security breaches.
In spear-phishing, you are the phish
Consider the rising incident of what is called spear-phishing, about which the U.S. authorities have been warning for several years (link). This type of attack uses personal date to refine and target the better-known ‘regular’ phishing attacks. Normal phishing attacks need a large number of recipients, given that 1) spam filters catch most phishing emails and 2) relatively few people are naive enough to click on the links or open the attachments typically contained in such mails.
Spear-phishing, on the other hand, uses a combination of personal information and what is often termed social engineering to create an attack targeted at specific people in a company (link). Imagine, for example, that you work in accounts payable, sending payments to your company’s suppliers by bank transfer. Your boss is away on holiday, and you receive an urgent email from your boss’s boss, telling you that a certain big supplier has not been paid and is withholding shipments. Your boss’s boss tells you to pay immediately the supplier’s invoice, which is included as an attachment.
So you open the (genuine-looking) attachment and send a large payment to the bank details shown on the invoice. A short time later it turns out that, not only was the bank account bogus, but the company’s PCs are locked by ransomware, due to a malicious script that was launched when you opened the attachment.
You have been a victim of a spear-phishing attack. The attacker needed only a small amount of personal information to carry out this attack, such as:
- your name and work email
- your work function (finance)
- the name of your boss and of her boss
- the fact that your boss is on vacation
- the identity of a legitimate supplier
All of the above information might be obtained even without a data leak, via your own corporate web site or social media (imagine your boss posting pictures of herself on vacation). Any additional information the attacker has can be used to sharpen the attack. For example, your date of birth could be used to generate a happy-birthday email from someone you know, say, with an animated birthday-card as an attachment. The extra detail of knowing when to send the card can generate extra trust in the recipient and put them off guard.
Access to leaked data can also save the attacker the trouble of doing social-media research and enable him or her to send a large number of such emails within a company, in order to take advantage of the time-window afforded by the delay in detection and counter-measures.
The damages from the ransomware may be many times greater than the money lost in the bank transfer. Corporate giants Merck, Maersk, and FedEx recently lost around US$300 million each from ransomware attacks, not in ransom paid but in costs and lost sales (link) (link).
Social ‘engineering’: one reason such attacks work
There are several reasons why experienced users, who would never be fooled by a spam-type phishing attack, will fall for a spear-attack:
- most people who work with a computer on their desk receive a lot of email, many requiring a reply and/or the performance of a task
- the flood of emails means that one usually spends as little time as possible on each one
- emails from our superiors catch our notice and are handled first
All of these factors imply that, during a busy working day, we will not be on our guard for a phishing attack from within our own company.
A related factor is that we rush to fulfill an urgent message from a superior, the higher up the person, the more we rush. This behavior is an effect of modern communication. It was visible in Nazi Germany, where high-level officials sent orders using telephone and telegraph. As architect Albert Speer stated at Nuremberg about why subordinates carried out war crimes:
The telephone, the teleprinter, and the wireless made it possible for orders from the highest levels to be given direct to the lowest levels, where, on account of the absolute authority behind them, they were carried out uncritically. (quoted in Essential McLuhan, p.303)
Speer goes on to explain that earlier (pre-electronic age) dictatorships had to follow a traditional, paper-based chain of command, which would have meant that war-crimes orders would have been subject to bureaucratic delays, passive resistance, and so forth.
The same obedience-effect is known to spear-phishers and relied on to trick lower-level employees to perform the requested action without hesitating, say, to check the target bank account, to click that link. or to open that attachment. A similar tactic used to target individuals will have emails appearing to come from your bank, utility provider, or tax authority. In each case, merely the sight of the email’s sender raises your stress level a bit (akin to receiving a registered letter in the post), making you want to open that email and deal with whatever it is right away.
When we read about identity theft, it is usually just that: an attacker is impersonating his victim in order to steal or commit other crimes. Email spoofing is also a kind of identity theft, however; the only differences are that the identity is used only once and requires only the name (and possibly business function) of the person whose name is mis-used.
What can be done?
Although, as I have pointed out, email is one of the weakest points in the security landscape (link), we are all reachable via email by anyone else in the world with access to an email account. We are stuck with email as a risk factor for the foreseeable future.
We are also stuck with social media; indeed, many companies have their own social-media presence and encourage their employees to promote the company via personal accounts as well. We rush to plaster personal details all over the internet, while paradoxically expecting to maintain our privacy.
Of course, it is best practice to deploy email filtering, removing suspicious attachments and links, but attackers are also aware of these measures and able to work around them. We should assume that the cutting edge of phishers will stay ahead of the game.
Even the anti-phishing measures we adopt may themselves introduce new risks, such as losing important email. Email filtering is a probabilistic technique, which can produce not only false negatives (that is, a bad email bypasses the filter) but also false positives (a good, perhaps important, email is filtered out). (see, e.g., (link)).
One helpful measure might be to avoid making a person’s work email derivable from their name. Jane Smith at company XYZ, for example, should not have an email address like firstname.lastname@example.org, email@example.com, etc. Such addresses make it possible for an attacker to guess the target’s email simply by knowing his or her name.
Another measure that might help is to have corporate rules about who is one’s boss. After all, you’re more likely to second-guess or seek clarification from your immediate boss than from someone further up the chain. When you boss is offline, you should know who her designated replacement is.
Too much, too soon
As I have stated with regard to software development (link), I believe that the corporate world must revert, at least to an extent, to older, process-based practices, not only for development, but also for routine activities. The GDPR is an early indicator that organizations are henceforth expected to show a minimal level of quality control, at least in their handling of personal data.
We have rushed into internet technologies, eagerly jettisoning any measure that entails extra time or cost, or even inconvenience. We assume that we are saving time and money this way, embracing buzz-terms like agile, lean, just-in-time, right-sizing, and a host of others, without realizing that our savings come at the cost of added fragility (the relevant cliché here being ‘picking up pennies in front of a steamroller’).
Looking at the situation through an attacker’s eyes
If you (or your management) see security and privacy as mere added costs, all downside and no upside, remember that the attackers have a different perspective on it. For the attacker, your weak measures constitute a business opportunity, a living, and possibly the road to riches. Unlike you, who may have security or privacy tacked on to your existing workload, these people are full-time attackers, including some who are comparable to the best developers anywhere.
Consider, for example, that the recent attacks against Apache Struts began just three days after the patch was published (link). The hackers could go from first learning of the vulnerability to a viable attack in 3 days, indicating a level of programming prowess of a Silicon-valley startup. This is who you’re potentially up against.
Not only are attackers technically proficient, but they have the insight needed to exploit social media, cognitive biases, email overload, human failings (inertia, oversights, and misplaced trust) to break through where purely technical attacks would fail. The I.T. industry is innovating constantly, with each new addition to the landscape potentially offering new ways for hackers to strike it rich.