And sure enough: when I sat down with Ollie Whitehouse he told me I’d been the “victim” of spear-phishing, or targeted phishing (albeit luckily only by NCC’s benign team of ethical hackers).
Unless you were of a very paranoid nature, it’s likely that you’d fall for this. So you’d only have to target four people in an organisation to gain access to it.

It doesn’t take as much technical mumbo-jumbo as you might think, either. The team researched me using only information publicly available on the internet. They learned about my interests by seeing what I post on Twitter. Getting my email address was no harder than simply asking Facebook for it – if you ask to reset the password of any account, the social network will give you a redacted version of that user’s email address, from which, shall we say, it is not exactly rocket science to guess the rest.

The team record information I’ve happily shared in tweets, not realising its usefulness to potential attackers: a screenshot shows what programmes I have pinned on my computer taskbar, metadata reveals what mobile operator I use and a photo shows I have a Mac. They know everything about me, and it hasn’t taken any particularly advanced hacking to find this out: I’m left-handed, I listen to music on Spotify and – crucially, in this case – I’m a Google Docs user likely to trust emails coming from this particular friend.

“People think it’s all voodoo and magic, but it’s not that technically complicated. It’s more about hackers getting to know you,” said Whitehouse.

Spear-phishing is becoming more common. A recent report from non-profit organisation Get Safe Online found that one in five hacking victims believed they were specifically targeted. Usually, of course, the target is a company rather than an individual reporter. But the principle remains the same: exploiting human weaknesses to gain access to private or company data.
Companies are increasingly turning to ethical hackers to do essentially the same as what I’ve just put myself through with NCC: hacking their own systems to uncover weaknesses – before someone else with more nefarious purposes does. IBM found in its 2014 Cyber Security Intelligence Index that 95 per cent of incidents come from human error. Despite knowing the risks, it’s certainly true that many of us are surprisingly cavalier about online safety, using the same passwords across several sites and insisting on using unbreakable passwords like “123456” or “password”. But Whitehouse argued our systems are the ones to blame, not the humans using them:
Did you make a mistake at all, or did technology let you down? Arguably, we’re designing systems that aren’t setting us up for success.