The problem with humanity is that we tend to give each other the benefit of the doubt.
Yesterday, thousands of people got email invitations from familiar contacts to open a Google Doc. It was a phishing scam, one that Google has subsequently squelched. Most people were smart enough not to open it, but a tiny number of people fell for it. Why? Because they recognized the name at the top of the email and trusted that person not to send them something malicious.
Trust has become dangerous.
That’s the takeaway from the next episode of National Geographic’s show about the cutting edge of science and technology. Breakthrough: Cyber Terror comes out next Tuesday night at 10 PM ET. The show explores how technology facilitates terrorism by following two different threads. One of those threads explores how terrorists recruit online. The other thread explores how vulnerable modern institutions are to attack. That’s the one that grabbed us.
“I can totally destroy your life in under the time that it takes to drink that latte at Starbucks,” Jayson Street says at the very beginning of the show. Street’s a white hat hacker, a former cop who now lives a real-life version of the film Sneakers. Companies hire him to break into their stuff, prove their vulnerabilities and advise them about tightening up security afterward.
In this episode, he and two hacker friends have been recruited to attempt to penetrate Société Générale locations around Beirut. The show doesn’t make it completely clear what their charge is, but it seems as though they simply need to prove that vulnerabilities can be found in the bank’s branches. The show lets viewers in on parts of the planning process, and very early on they start talking about the feasibility of getting behind where the tellers are sitting.
This seems striking. How can they be so confident that they can talk their way past the barriers marked “employees only” inside a bank branch?
The most disconcerting piece of technology they show off is the WiFi Pineapple, from Hak5, which we have reported on before. Hak5’s founder, Darren Kitchen, joins the hacking team for its exploit. His device is able to scan an area and register all of the Wi-Fi networks that users’ mobile devices are searching for. It can then quickly and easily pretend to be any of those access points and execute man-in-the-middle attacks if its operator so desires.
The attacker could then serve up a fake login page for a legitimate URL. If the user falls for it and enters their legitimate credentials, the attacker will then have a working login and password. This could be the victim’s Facebook page or their web login to an employer’s backend.
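On the defensive side, the impersonation described above leaves a trace a wireless sensor can see: one transmitter claiming many unrelated network names, or claiming a company network from hardware the company does not own. The sketch below is an added example, not code from the show or from Hak5; the observations, the `AUTHORIZED` inventory and the threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed observations: (transmitter BSSID, SSID) pairs taken from beacon
# and probe-response frames, as a monitor-mode sensor might log them.
OBSERVED = [
    ("3c:84:6a:11:22:33", "CorpWiFi"),
    ("3c:84:6a:11:22:34", "CorpGuest"),
    ("02:13:37:a5:00:01", "CorpWiFi"),
    ("02:13:37:a5:00:01", "HomeNet-5G"),
    ("02:13:37:a5:00:01", "CoffeeShop_Free"),
    ("02:13:37:a5:00:01", "Airport_WiFi"),
    ("9c:5c:8e:44:55:66", "CoffeeShop_Free"),
]

# Hypothetical inventory: the BSSIDs the organisation really operates per SSID.
AUTHORIZED = {
    "CorpWiFi": {"3c:84:6a:11:22:33"},
    "CorpGuest": {"3c:84:6a:11:22:34"},
}


def find_suspect_aps(observed, authorized, max_ssids_per_bssid=2):
    """Return {bssid: [reasons]} for transmitters that look like impersonators."""
    ssids_by_bssid = defaultdict(set)
    for bssid, ssid in observed:
        ssids_by_bssid[bssid.lower()].add(ssid)

    findings = {}
    for bssid, ssids in ssids_by_bssid.items():
        reasons = []
        # Check 1: one radio answering for many unrelated network names.
        if len(ssids) > max_ssids_per_bssid:
            reasons.append(f"answers for {len(ssids)} different SSIDs")
        # Check 2: a protected SSID advertised from a BSSID outside the inventory.
        spoofed = sorted(s for s in ssids
                         if s in authorized and bssid not in authorized[s])
        if spoofed:
            reasons.append("unauthorized BSSID for " + ", ".join(spoofed))
        if reasons:
            findings[bssid] = reasons
    return findings


if __name__ == "__main__":
    for bssid, reasons in find_suspect_aps(OBSERVED, AUTHORIZED).items():
        print(bssid, "->", "; ".join(reasons))
```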
But it turns out that Street’s most powerful hacking tool is his own self-confidence. He simply acts purposeful inside the branches and tells employees that he’s a contractor with the bank doing computer maintenance work, promising to make their network run faster. To prove he got in, he uses another piece of Hak5 technology, its USB Rubber Ducky. That device pretends to be a keyboard and a mouse, very quickly writing software onto a computer and executing it. In this case, it only makes and saves a file that says, “Hello, world.”
“If you want to talk about what all of this hacking is about, it’s about trust,” Kitchen says. “And trust, as we know, is so much easier to destroy—in an instant—than it is to build.”
Rather than spoil exactly what Street and Co. manage to do, we’ll stop there. It’s impressive. We don’t hear Street’s conversation with the bank exec at the end, but we see his client’s face. It’s fair to say he’s unsettled by how far the team got. The chief vulnerability that Street exploits is people’s good nature.
We have to do something about that.