Well folks, there it is. The Mother of All Breaches, with a staggering 26 billion electronic records leaked. That’s about 3 or 4 records for every living person, if you were to simply divide the number of records with the estimated world population.
So big is the breach, in fact, that at least one writer reached for a whole new bag of superlatives, going stellar by describing it as ‘supermassive’. Read all about it here.
This tells us a couple of things, or perhaps more accurately, reminds us of them. Nothing is truly secure unless locked in a safe and buried 6 feet under (rendering it useless, of course). Nobody’s details, records, emails, credentials, or anything else, could be said to be truly secure.
Now, what do we make of that? Do we simply throw up our hands in despair and walk away?
Might feel like a reasonable course of action, given how much time, effort, technology, and money is invested in securing information.
But the reality is we can’t.
The game is, and has always been, taking reasonable steps, taking precautionary measures, making yourself the least appealing target out of the endless opportunities available to the bad actors.
Back in South Africa, for example, where the domestic security situation is quite different to what we enjoy in New Zealand, the approach is simple: make your house more secure than anyone else on the street, and burglary is less likely. Hilariously (perhaps, to some), we used to say it’s like being chased by a lion. You don’t have to outrun the lion, you have to outrun your mates (sharp-eyed readers will note I’ve used this analogy before).
A little bloody-minded, perhaps, but the idea of low-hanging fruit – targeting the easy pickings – makes sense for everyone. Businesses start out like that. Anyone with a fruit tree knows it. And you can bet your bottom dollar most hackers are on board too.
As I always say, with anything one should always look to intent. Sure, there are some hackers who see a gnarly challenge as just that, an opportunity to impress the community, perhaps shame someone high profile, and generally earn kudos.
But most of them are just after money. They’re thieves with iPads, rogues with keyboards. Easy money is the best money. If it’s a game of whack-a-mole, so be it – but we’ll make sure it isn’t you that gets whacked.
Social engineering and the pig butcher
While the leaked records are one for the history books, hacks of this nature aren’t all that unusual and despite the sheer size and quantity of it, probably won’t have that much of an impact on you personally or your business. Low hanging fruit combines with the comfort of anonymity in such a massive data set: what are the chances a hacker will happen upon YOUR data, and then – assuming you’re the safest house on the street – get through YOUR defences? Statistically speaking, probably not quite the colossus after all.
A more pressing issue is social engineering. This risk bothers technologists because there’s little we can do to prevent victims from willingly handing over perfectly good credentials, or even large sums of perfectly good money, to those who aren’t quite who they say they are.
If you haven’t yet heard the term ‘pig butchering’, settle in for a yarn.
Remember the widely circulated meme that ‘if the service is free, you’re the product’? Usually accompanied by a pic of a porcine, there’s a parallel in pig butchering: the victim is, like the product, the livestock. In pig butchering, the social engineer fattens up the porker before the inevitable slaughter.
There’s a great podcast worth listening to over at DarkNet Diaries, which goes into some detail into how pig butchering butters up the victim over an extended period of time – through flattery, promises of love and affection, and just general genial interaction. Internet friends aren’t, it turns out, all made equal.
I’ve had direct experience of a pig butcher just recently. A request came via social media, with an attractive young lady (apparently) showing some interest. While instantly recognising it was a scam, stringing the miscreant along proved interesting. It was more than a month after initial contact that the first requests for money were made.
But the pig butcher doesn’t want nickels and dimes; they’re after the big payoff. There wasn’t a direct request for cash – instead, an investment opportunity!
These tend to start with a relatively small amount of, say, $10 000. Now that’s not chump change, but it isn’t quite the house either. The $10k is ‘invested’, soon generating staggering returns. Those returns may even be ‘drawable’; it’s all part of the charade fattening up the pig.
Seeing the results, the mark takes a logical – in their mind – step forward, depositing the whole enchilada. $200, 000, $400,000, more. It has happened, and it will happen again.
Like any social engineering scam, the pig butcher’s biggest enemy is a mark with eyes in the back of their heads – and also those who waste their time (although in my case it did make for an awkward conversation with the wife when I explained what was going on).
There’s no technology capable of stopping these attacks: even if Facebook eliminates every scammer, they’ll use the phone. Or an email. Or a text.
There’s a bottom line here. Listen to podcasts like DarkNet Diaries, stay abreast of the methods and techniques used by scammers and above all, if it seems to good to be true, it is.