Anti-security

Hacker Tools Include Cake and Balloons

Who hacked the Democratic National Committee in 2016?

I dunno, says Donald Trump. China? Russia?

“It also could be somebody sitting on their bed that weighs 400 pounds, OK?” he said during one of the U.S. Presidential debates in 2016.

By invoking the “400 pound man” theory, Trump tapped into a longstanding and smugly superior trope: that despite all their technical skills, at the end of the day, computer hackers are obese, antisocial loners hanging out in basements or bedrooms, whiling away the hours, alone in the glow of their computer screens. Besides fat shaming, and besides bullshitting about Russia’s involvement in the DNC hack, Trump’s invocation of bedrooms also implicitly ignores the social skills of hackers: their abilities to talk to others, relate to them, get to know them, and persuade them to do things – like give away passwords or give access to sensitive information. Hackers and security professionals have a name for this: social engineering.

A movie that features social engineering is Sneakers, which stars Robert Redford as Martin Bishop, leader of a company of “sneakers” who get paid to break into banks and other secure corporate locations. After they successfully break in, Bishop’s company reveals how they managed to defeat security and makes recommendations for improving it. While Bishop’s team does use technical tools, they often rely on persuasion, authority, costumes, and charm – the tools of the social engineers – to get where they want to go.

The Sneakers clip attached to this article—of the so-called “Cake Scene”— encapsulates social engineering in action. Bishop’s team needs to get sensitive information from the Coolidge Institute. Sure, they could break into the Institute’s network, find a target computer, and break its encryption. But that could take some time. Instead, they do something simpler: one member dresses in delivery uniform and hauls a stack of Drain-O boxes; another hits a car horn at the right time; and Bishop grabs some balloons and a cake box. With those “no-tech” tools, they get access in seconds. Bishop merely has to sell a simple story to the front desk security: my wife was supposed to bring a cake to our office party on the second floor.

Here, Bishop masterfully exploits the social setting, creating a pretext for his subsequent actions, amping up the anxiety of the security guard by getting his colleague to berate the guard for not letting him make his delivery, and then demanding: “Push the goddamn buzzer, will ya?”

What’s a security guard to do? Well, he can help: he can help all his colleagues upstairs who are waiting for the cake. He can help a fellow human being. All he has to do is break security norms. But he can spend the rest of the day with the satisfying knowledge that he helped a fellow human being in need.

Hacker social skills – persuasion, collegiality, vulnerability, helpfulness, or authority – are potent tools. Verizon’s annual Data Breach Report consistently focuses on social engineering precisely because it’s been so effective for decades. Proto-hackers, the phone phreaks, depended on it in 70s and 80s. Suzy “Thunder” Headley and Kevin Mitnick perfected it in the 80s and 90s. Today, cybersecurity professionals can take courses in social engineering, as part of a broader suite of penetration testing techniques.

So we might join Trump and think of a (400 pound) hacker, alone in a bedroom, hunched over multiple screens, but we do so at our peril, ignoring the hacker holding the cake.

 

Back to Anti-security